ITCare24/7

 

 


How to install RSYSLOG v8 and LogAnalyzer

LogAnalyzer v4

System activity is recorded in the system log files, and checking those files is how you trace the source of problems that occur.

What is RSYSLOG

RSYSLOG is a very fast system for processing logs and events. One of its main features is accepting input from various sources, transforming that input and writing the results to different destinations. According to the official website (www.rsyslog.com), it can process up to 1 million messages per second.

RSYSLOG offers the below features:

  • Multi-threading
  • TCP, SSL, TLS, RELP
  • MySQL, PostgreSQL, Oracle and more
  • Filter any part of a syslog message
  • Fully configurable output format
  • Suitable for enterprise-class relay chains

    1- Install RSYSLOG v8 and Configure Database

    CentOS 7 ships an old version of RSYSLOG. In order to install the latest version (v8), we need to install it from the repository offered on the RSYSLOG official website.
    ==
    wget http://rpms.adiscon.com/v8-stable/rsyslog.repo
    mv rsyslog.repo /etc/yum.repos.d/rsyslog.repo

    yum install rsyslog* --skip-broken
    ==
    In order for the RSYSLOG service to start when the system reboots, issue the below command: chkconfig rsyslog on

    Instead of letting RSYSLOG write the messages to static files, we will create a database for RSYSLOG using the schema it ships with, located in /usr/share/doc/rsyslog-mysql-8.18.0/createDB.sql

    Install MySQL
    To use MySQL, we need to install the packages required to run a MySQL server: yum install mysql mysql-server
    After installing MySQL, start the mysqld service: service mysqld start
    To make this service start when the server reboots: chkconfig mysqld on
    For security reasons, it is advised to change the MySQL admin (root) password: mysqladmin -u root password 'PasswordHere'

    To test that MySQL is installed correctly, log into the database: mysql -u root -p
    You should get the below output:
    ==
    Welcome to the MySQL monitor. Commands end with ; or \g.

    Your MySQL connection id is 4
    Server version: 5.1.73 Source distribution

    Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql>
    ==
    Configure RSYSLOG Database:
    To create the RSYSLOG database using the default schema offered by RSYSLOG, issue the below command: mysql -u root -p < /usr/share/doc/rsyslog-mysql-8.18.0/createDB.sql
    Access the database you created (it is named Syslog) with the password you assigned earlier: mysql -u root -p Syslog
    For security reasons, it is advised to add a dedicated database user called rsyslogdbadmin that can access this database only, with a password of your choice.
    ==
    -- the database created by createDB.sql is named Syslog, so the grant must target Syslog.*
    -- (the ommysql writer itself only needs INSERT on the tables in this database)
    GRANT ALL ON Syslog.* TO rsyslogdbadmin@localhost IDENTIFIED BY 'PasswordHere';
    FLUSH PRIVILEGES;
    exit
    ==

    Now let us test logging in to the Syslog database with the user we created. If it works, our database is ready: mysql -u rsyslogdbadmin -p Syslog
    To configure RSYSLOG to write the messages to its database, we need to edit its configuration file, /etc/rsyslog.conf:
    ==
    vi /etc/rsyslog.conf
    ==
    Things to modify in the configuration file:
    Add the MySQL Module:
    ==
    # Load the MySQL Module
    module(load="ommysql")
    ==
    Uncomment the below lines:

    ==

    # Provides UDP syslog reception
    # for parameters see http://www.rsyslog.com/doc/imudp.html
    module(load="imudp") # needs to be done just once
    input(type="imudp" port="514")

    # Provides TCP syslog reception
    # for parameters see http://www.rsyslog.com/doc/imtcp.html
    module(load="imtcp") # needs to be done just once
    input(type="imtcp" port="514")
    ==
    Add a new forwarding rule:
    ==
    # send every message to the local MySQL database; the password is stored here in clear text,
    # so keep /etc/rsyslog.conf owned by root and not readable by other users
    *.* :ommysql:127.0.0.1,Syslog,rsyslogdbadmin,PasswordHere
    # ### end of the forwarding rule ###
    ==
    You can also check the #RULES# section to filter out any logs you do not want stored in the RSYSLOG database.
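As an added example (not code from the original page), a small Python audit of the rsyslog.conf fragment above: it parses the module(), input() and legacy :ommysql: lines and lists the hardening points to check before restarting the service. The sample config is constructed from the page's own lines; the finding wording is mine.

```python
import re
import stat

# Constructed sample: the rsyslog.conf lines this page adds (legacy ":ommysql:" action form).
SAMPLE_CONF = """\
module(load="ommysql")
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
*.* :ommysql:127.0.0.1,Syslog,rsyslogdbadmin,PasswordHere
"""

MODULE_RE = re.compile(r'^\s*module\(load="([^"]+)"')
INPUT_RE = re.compile(r'^\s*input\(type="([^"]+)"\s+port="(\d+)"')
# legacy action line: <selector> :ommysql:<host>,<db>,<user>,<password>
OMMYSQL_RE = re.compile(r'^\s*(\S+)\s+:ommysql:([^,]+),([^,]+),([^,]+),(\S+)')

def parse_rsyslog_conf(text):
    """Extract loaded modules, listeners and ommysql actions from config text."""
    conf = {"modules": [], "inputs": [], "ommysql": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # strip trailing comments before matching
        if m := MODULE_RE.match(line):
            conf["modules"].append(m.group(1))
        elif m := INPUT_RE.match(line):
            conf["inputs"].append((m.group(1), int(m.group(2))))
        elif m := OMMYSQL_RE.match(line):
            sel, host, db, user, pwd = m.groups()
            conf["ommysql"].append({"selector": sel, "host": host, "db": db, "user": user, "password": pwd})
    return conf

def audit(conf, file_mode=0o644):
    """Return hardening findings; file_mode is the permission bits of rsyslog.conf."""
    findings = []
    for kind, port in conf["inputs"]:
        if kind == "imudp":
            findings.append(f"imudp on {port}: unauthenticated UDP input, restrict senders in the host firewall")
        elif kind == "imtcp":
            findings.append(f"imtcp on {port}: plain TCP without TLS, use the gtls stream driver for remote senders")
    for act in conf["ommysql"]:
        # the DB password sits in clear text, so the file must not be group/world readable
        if file_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"ommysql password for {act['user']}@{act['host']} is readable by others, chmod 600 /etc/rsyslog.conf")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_rsyslog_conf(SAMPLE_CONF)):
        print(finding)
```

Run it against the real file with `parse_rsyslog_conf(open("/etc/rsyslog.conf").read())` and `file_mode=os.stat("/etc/rsyslog.conf").st_mode & 0o777` to audit the live configuration.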
    Once you are satisfied with the changes, restart the RSYSLOG service: service rsyslog restart
    To check if the RSYSLOG messages are being forwarded to MySQL database:
    ==
    mysql -u rsyslogdbadmin -p Syslog

    mysql> select count(*) from SystemEvents;

    +----------+
    | count(*) |
    +----------+
    |        2 |
    +----------+
    ==

    2- Install LogAnalyzer v4.1.2 Web Application
    Adiscon LogAnalyzer is a web interface to syslog and other network event data. It provides easy browsing, analysis of real-time network events and reporting services.
    Install Prerequisites
    In order for LogAnalyzer to function correctly, a number of prerequisite packages need to be installed on our system.
    Apache
    Install Apache: yum install httpd
    Start the service: service httpd start
    Make the service start automatically when the server reboots: chkconfig httpd on
    To make sure we have installed Apache correctly, browse to http://your-server-ip/ and you should get the below page:

    Apache2 Installed
    PHP
    Install PHP: yum install php php-mysql php-gd
    After installing PHP, create a phpinfo page to verify it: nano /var/www/html/test.php
    Remove this test page once PHP is confirmed working, since phpinfo exposes details about the server to anyone who can reach it.
    Install LogAnalyzer
    Download LogAnalyzer v4.1.3: wget http://download.adiscon.com/loganalyzer/loganalyzer-4.1.3.tar.gz
    Extract the downloaded tar file: tar zxvf loganalyzer-4.1.3.tar.gz
    In order to access LogAnalyzer using the web interface, copy the install files into Apache:
    ==
    cp -r loganalyzer-4.1.3/src/ /var/www/html/loganalyzer
    cp -r loganalyzer-4.1.3/contrib/* /var/www/html/loganalyzer/
    ==
    We need to give execute permission to the configure.sh and secure.sh files:
    ==
    cd /var/www/html/loganalyzer/
    chmod +x configure.sh secure.sh
    ==
    Run configure.sh. This creates a blank config.php file that the web server can write to: ./configure.sh
    Now we have to finalise the LogAnalyzer installation using the web interface. Browse to http://your-server-ip/loganalyzer and follow the instructions on screen, similar to the below. Once the installer has written config.php, run ./secure.sh to remove the write access again.
