How to install RSYSLOG v8 and LogAnalyzer
System activity is recorded in the system log files, and they are the first place to look for the source of a problem or of an intrusion. This guide sets up rsyslog v8 to write those messages into a MySQL database and LogAnalyzer to browse them.
What is RSYSLOG
RSYSLOG is a high-performance system for processing logs and events. Its main feature is accepting input from many sources, transforming it, and writing the results to many different destinations. According to the official website (www.rsyslog.com), it can process up to one million messages per second.
RSYSLOG offers the below features:
- Multi-threading
- TCP, SSL, TLS and RELP transports
- Output to MySQL, PostgreSQL, Oracle and more
- Filtering on any part of a syslog message
- Fully configurable output format
- Suitable for enterprise-class relay chains
1- Install RSYSLOG v8 and Configure Database
- The CentOS base repository ships an older rsyslog. To install the current v8 branch we use the yum repository that the rsyslog project publishes on its official website (www.rsyslog.com): download the rsyslog.repo file for your distribution and move it into yum's repository directory:
mv rsyslog.repo /etc/yum.repos.d/rsyslog.repo
yum install 'rsyslog*' --skip-broken
The quoted wildcard pulls in every rsyslog sub-package. At minimum you need rsyslog itself and rsyslog-mysql, which provides the ommysql output module and the createDB.sql schema used below.
To make the rsyslog service start again after a reboot, issue: chkconfig rsyslog on
Note that the service and chkconfig commands used throughout this guide are SysV-init style. On a systemd-based CentOS 7 host the equivalents are systemctl start rsyslog and systemctl enable rsyslog.
Instead of letting rsyslog write messages only to flat files, we will have it write into a MySQL database created from the schema shipped with the rsyslog-mysql package: /usr/share/doc/rsyslog-mysql-8.18.0/createDB.sql (the directory name carries the installed version, so adjust it if yours differs).
To use MySQL we first need the packages that provide a MySQL server: yum install mysql mysql-server
After install MySQL, we need to start the mysqld service: service mysqld start
To make this service start when the server reboots: chkconfig mysqld on
For security reasons, set a password for the MySQL root account, which has none after a fresh install: mysqladmin -u root password 'PasswordHere' (alternatively run mysql_secure_installation, which sets the root password and also removes the anonymous accounts and the test database).
To test that MySQL is installed correctly, log into the database: mysql -u root -p
You should get output like the below:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.73 Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
Configure the RSYSLOG database:
To create the database from the default schema shipped with rsyslog, issue the below command. The script creates a database named Syslog containing the tables SystemEvents and SystemEventsProperties: mysql -u root -p < /usr/share/doc/rsyslog-mysql-8.18.0/createDB.sql
Log into the database you just created with the root password you assigned earlier: mysql -u root -p Syslog
For security reasons rsyslog should not connect as root. Create a dedicated database user, here called rsyslogdbadmin, that can reach this database only and has a password of your choice. At the mysql> prompt run:
GRANT ALL ON Syslog.* TO 'rsyslogdbadmin'@'localhost' IDENTIFIED BY 'PasswordHere';
The database name in the grant must match the one created by the script (Syslog). Strictly, rsyslog itself only needs INSERT on the two tables; ALL is used here for simplicity because the same account is reused for the checks below.
Now log out and test the login with the user we created. If it works, our database is ready: mysql -u rsyslogdbadmin -p Syslog
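For anyone who wants to go further than the single account above, the following is an added example (not part of the original guide) of the least-privilege split: rsyslog only ever inserts rows, and the LogAnalyzer web application only needs to read them. The user names rsyslogwriter and loganalyzer and their passwords are assumptions; the database name Syslog and the tables SystemEvents and SystemEventsProperties come from createDB.sql. The statements use the MySQL 5.x syntax the guide is based on.

```sql
-- Run as root:  mysql -u root -p

-- The broad grant from the walkthrough. It works, but the password also
-- ends up in clear text in the rsyslog configuration, so whoever reads that
-- file gets full control of the schema (DROP, DELETE, ...):
-- GRANT ALL ON Syslog.* TO 'rsyslogdbadmin'@'localhost' IDENTIFIED BY 'PasswordHere';

-- Writer account used by rsyslog's ommysql module: it only inserts rows
-- (assumed name rsyslogwriter).
CREATE USER 'rsyslogwriter'@'localhost' IDENTIFIED BY 'WriterPasswordHere';
GRANT INSERT ON Syslog.SystemEvents           TO 'rsyslogwriter'@'localhost';
GRANT INSERT ON Syslog.SystemEventsProperties TO 'rsyslogwriter'@'localhost';

-- Reader account for the LogAnalyzer web application (assumed name
-- loganalyzer). Add DELETE on SystemEvents only if you use LogAnalyzer's
-- database purge feature; a retention job run from cron can hold DELETE
-- instead.
CREATE USER 'loganalyzer'@'localhost' IDENTIFIED BY 'ReaderPasswordHere';
GRANT SELECT ON Syslog.* TO 'loganalyzer'@'localhost';

FLUSH PRIVILEGES;

-- Verify: the writer must show INSERT only, the reader SELECT only.
SHOW GRANTS FOR 'rsyslogwriter'@'localhost';
SHOW GRANTS FOR 'loganalyzer'@'localhost';
```

If you later let the LogAnalyzer installer create its own internal tables for user management, give it a separate database with CREATE rights rather than widening the reader account on Syslog.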
To configure RSYSLOG to output the messages to its database, we need to edit its configuration using rsyslog.conf located in /etc/rsyslog.conf .
Things to modify in the configuration file:
Add the MySQL module. The output module is called ommysql and is shipped by the rsyslog-mysql package; put it with the other module loads:
# Load the MySQL Module
followed by the directive module(load="ommysql").
Uncomment the below lines if this host should also receive syslog from other machines. Leave them commented on a standalone host: syslog over UDP is unauthenticated and easily spoofed, so when you do enable reception, firewall port 514 to trusted senders only. In the stock file each module(load=...) line is followed by an input(...) line for port 514 that must be uncommented as well.
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
Add a new forwarding rule: an ommysql action that selects which messages are written to the database (for example *.* for everything) and names the database server, database, user and password. In the stock file the forwarding block is closed by the marker comment:
# ### end of the forwarding rule ###
Because this rule contains the database password in clear text, make sure /etc/rsyslog.conf (or the file under /etc/rsyslog.d/ that you put the rule in) is readable by root only.
You can also check the #### RULES #### section to exclude any logs you do not want to see in the rsyslog database.
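A complete fragment tying the three changes together, written as an added example rather than copied from the guide or from the rsyslog project. It assumes the database, user and password created earlier (Syslog, rsyslogdbadmin, PasswordHere), that the stock /etc/rsyslog.conf still includes /etc/rsyslog.d/*.conf, and that this host is a collector; the file name mysql.conf is an assumption. Both the legacy selector form and the equivalent RainerScript action are shown; enable only one, or every message is inserted twice.

```conf
# /etc/rsyslog.d/mysql.conf   (assumed name; chmod 600 root:root, it holds the DB password)

# Output module for MySQL, provided by the rsyslog-mysql package.
module(load="ommysql")

# Network reception. Only on a collector, and only with port 514 firewalled
# to trusted senders: UDP syslog carries no authentication at all.
# If you already uncommented these in /etc/rsyslog.conf, do NOT load them a
# second time here; each module may be loaded only once.
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Forwarding rule, legacy form: write everything (*.*) to the Syslog database.
# Field order after :ommysql: is server,database,user,password.
*.* :ommysql:localhost,Syslog,rsyslogdbadmin,PasswordHere

# Equivalent RainerScript form, here restricted to the authpriv facility as an
# example of filtering at the source instead of storing everything.
# (Commented out: use this OR the legacy line above, not both.)
#if $syslogfacility-text == "authpriv" then {
#    action(type="ommysql" server="localhost" db="Syslog"
#           uid="rsyslogdbadmin" pwd="PasswordHere")
#}
# ### end of the forwarding rule ###
```

Before restarting, validate the whole configuration with rsyslogd -N1; a typo in an action or a module loaded twice is reported there instead of silently dropping messages after the restart.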
Once you are satisfied with the changes, restart the RSYSLOG service: service rsyslog restart
To check that rsyslog messages are being written to the MySQL database:
mysql -u rsyslogdbadmin -p Syslog
mysql> select count(*) from SystemEvents;
+----------+
| count(*) |
+----------+
|        2 |
+----------+
The count should grow as new messages arrive; to generate one on demand, run logger "rsyslog mysql test" in another shell and repeat the query.
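Beyond a row count, a few queries show whether the pipeline is healthy and give a first taste of using the table for detection. These are added examples, not part of the original guide: the column names (ReceivedAt, FromHost, SysLogTag, Message) come from createDB.sql, while the SSH message format assumed in the third query is OpenSSH's "Failed password for ... from <ip> port <n>" line and the thresholds are arbitrary.

```sql
-- Connect first:  mysql -u rsyslogdbadmin -p Syslog

-- 1. What is arriving, and from where. Compare against the hosts you expect;
--    an unknown FromHost on a collector deserves a look.
SELECT FromHost, COUNT(*) AS events, MAX(ReceivedAt) AS last_seen
FROM SystemEvents
GROUP BY FromHost
ORDER BY events DESC;

-- 2. Stalled senders: hosts that have logged before but not in the last
--    10 minutes (a dead agent, a blocked port, or a silenced box).
SELECT FromHost, MAX(ReceivedAt) AS last_seen
FROM SystemEvents
GROUP BY FromHost
HAVING MAX(ReceivedAt) < NOW() - INTERVAL 10 MINUTE;

-- 3. Brute-force check: failed SSH logins in the last hour by source IP.
--    The IP is the first word after " from " in the OpenSSH message
--    (assumed format, see lead-in).
SELECT SUBSTRING_INDEX(SUBSTRING_INDEX(Message, ' from ', -1), ' ', 1) AS src_ip,
       COUNT(*) AS failures
FROM SystemEvents
WHERE SysLogTag LIKE 'sshd%'
  AND Message LIKE 'Failed password for%'
  AND ReceivedAt > NOW() - INTERVAL 1 HOUR
GROUP BY src_ip
HAVING failures >= 5
ORDER BY failures DESC;

-- 4. Retention: drop rows older than 90 days. Run this from cron with an
--    account that holds DELETE; the rsyslog writer itself does not need it.
DELETE FROM SystemEvents WHERE ReceivedAt < NOW() - INTERVAL 90 DAY;
```

On a busy collector the retention delete should be run in batches (add LIMIT and loop) so that it does not hold locks on the table while rsyslog is inserting.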
2- Install LogAnalyzer v4.1.3 Web Application
Adiscon LogAnalyzer is a web interface to syslog and other network event data. It provides easy browsing and analysis of real-time network events, and reporting.
In order for LogAnalyzer to function correctly, there are a number of prerequisite packages that need to be installed on our system.
Install Apache: yum install httpd
Start the Service: service httpd start
Make service automatically starts when the server reboots: chkconfig httpd on
To make sure Apache is installed correctly, browse to http://your-server-ip/ and you should get the default Apache test page:
Install PHP: yum install php php-mysql php-gd
Restart Apache so that the PHP module is loaded: service httpd restart
To confirm PHP works, create a phpinfo page: nano /var/www/html/test.php, containing the single line <?php phpinfo(); ?>, then browse to http://your-server-ip/test.php. Delete this file as soon as you have checked it: a phpinfo page discloses paths, versions and loaded modules to anyone who can reach the server.
Download LogAnalyzer v4.1.3: wget http://download.adiscon.com/loganalyzer/loganalyzer-4.1.3.tar.gz
The download is over plain HTTP, so verify the archive against a checksum or signature obtained from the project out-of-band before unpacking it.
Extract the downloaded tar file:tar zxvf loganalyzer-4.1.3.tar.gz
In order to serve LogAnalyzer from Apache, copy the install files into the web root:
cp -r loganalyzer-4.1.3/src/ /var/www/html/loganalyzer
cp -r loganalyzer-4.1.3/contrib/* /var/www/html/loganalyzer/
The contrib directory holds the helper scripts configure.sh and secure.sh, which now sit in /var/www/html/loganalyzer. Change into that directory and make them executable:
cd /var/www/html/loganalyzer
chmod +x configure.sh secure.sh
Run ./configure.sh. It creates an empty config.php that is writable by everyone (mode 666) so that the web installer, running as the Apache user, can fill it in: ./configure.sh
Now finalise the LogAnalyzer installation through the web interface. Browse to http://your-server-ip/loganalyzer and follow the instructions on the screen similar to the below. When the installer asks for the database source, give it the host localhost, the database Syslog, the table SystemEvents, and the rsyslogdbadmin user with its password; LogAnalyzer only needs to read from that table.
As soon as the installer reports success, run ./secure.sh in the same directory: it removes the write permission from config.php, which now contains the database credentials. Finally, do not leave the log viewer reachable from untrusted networks without authentication, since it exposes every message rsyslog has collected.