Install Rsyslog and LogAnalyzer on Centos 6


Rsyslog and LogAnalyzer are tools that help administrators collect system logs in a centralized place and make the data easier to analyse.

In large networks the installed devices produce so many logs that it is impossible to get a good overview of the overall network status without a centralized log collector.

 

Prerequisites

 

Install Rsyslog

First install the LAMP environment and the Rsyslog packages using the yum command.

# yum install httpd php mysql php-mysql mysql-server rsyslog rsyslog-mysql wget

Before importing the database schema into MySQL you can customize the database name (Syslog by default) by editing the createDB.sql file.

# vi /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql


Once editing has been completed, import the database schema into MySQL. In this example the procedure creates a new database called rsyslogdb.

# mysql -u root -p < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql


Grant the privileges to the account rsyslog.

# mysql -u root -p

mysql> GRANT ALL PRIVILEGES ON rsyslogdb.* TO rsyslog@localhost IDENTIFIED BY 'passwd00';
mysql> flush privileges;
mysql> exit

Edit the configuration file /etc/rsyslog.conf and enable the parameters listed below (uncomment them, or add them if they are missing).

# vi /etc/rsyslog.conf

$ModLoad imuxsock
$ModLoad imklog
#$ModLoad immark
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$ModLoad ommysql


Also add the following lines. The first two restrict the senders accepted on UDP and TCP to the local host and the 192.168.10.0/24 network; the last one writes every message (*.*) to the rsyslogdb database through the ommysql module (the action starts with :ommysql: and takes host, database, user and password separated by commas, with no space after the first colon):

$AllowedSender UDP, 127.0.0.1, 192.168.10.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.10.0/24
*.* :ommysql:127.0.0.1,rsyslogdb,rsyslog,passwd00


Enable the service to start at system boot and start the service.

# chkconfig rsyslog on
# service rsyslog restart


If you have a firewall, you need to open ports TCP 514 and UDP 514 to work with Rsyslog.
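Before restarting the service it is worth checking that every directive the steps above rely on is actually active. The script below is an added example, not part of the original article: it lints an rsyslog.conf for the listeners on port 514, the ommysql module, the $AllowedSender restriction and the ommysql action line, ignoring commented-out lines. The function name check_rsyslog_conf and the two sample configuration files it builds are assumptions of this example.

```shell
# Added example, not from the original article: lint an rsyslog.conf for the
# directives this tutorial enables. check_rsyslog_conf and the sample files
# are assumptions of this example; commented-out directives do not count.
has_directive() {
    # true if the file has an uncommented line starting with the given ERE
    grep -Eq "^[[:space:]]*$2" "$1"
}
# prints each missing directive; returns 0 only when all are present
check_rsyslog_conf() {
    conf=$1
    rc=0
    for pattern in \
        '\$ModLoad imudp[[:space:]]*$' \
        '\$UDPServerRun 514[[:space:]]*$' \
        '\$ModLoad imtcp[[:space:]]*$' \
        '\$InputTCPServerRun 514[[:space:]]*$' \
        '\$ModLoad ommysql[[:space:]]*$' \
        '\$AllowedSender UDP,' \
        '\$AllowedSender TCP,' \
        '\*\.\* :ommysql:[^,[:space:]]+,[^,]+,[^,]+,[^,]+[[:space:]]*$'
    do
        has_directive "$conf" "$pattern" || { echo "missing: $pattern"; rc=1; }
    done
    return $rc
}
workdir=$(mktemp -d)
# constructed sample: the configuration this tutorial ends up with
cat > "$workdir/good.conf" <<'EOF'
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$ModLoad ommysql
$AllowedSender UDP, 127.0.0.1, 192.168.10.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.10.0/24
*.* :ommysql:127.0.0.1,rsyslogdb,rsyslog,passwd00
EOF
# constructed sample: TCP listener and sender restriction absent, ommysql
# still commented out, and a stray space in the action line
cat > "$workdir/bad.conf" <<'EOF'
$ModLoad imudp
$UDPServerRun 514
#$ModLoad ommysql
*.* : ommysql:127.0.0.1,rsyslogdb,rsyslog,passwd00
EOF
GOOD_CONF=$workdir/good.conf
BAD_CONF=$workdir/bad.conf
check_rsyslog_conf "$GOOD_CONF" && echo "good.conf: all directives present"
check_rsyslog_conf "$BAD_CONF" || echo "bad.conf: fix the lines listed above"
```

Run it against /etc/rsyslog.conf instead of the sample files once you have edited it; since that file also carries the MySQL password in clear text, keep it readable by root only.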

 

Test Rsyslog

To test if everything is working, check if messages are arriving at the syslog server.

# tail -f /var/log/messages

In addition you can check whether messages are being stored in the MySQL database.

# mysql -u root -p

mysql> use rsyslogdb;
mysql> select * from SystemEvents;


If you see an empty set, it means the setup is working: the table exists and simply has not received any rows yet.

 

Install LogAnalyzer

Download the LogAnalyzer package using wget.

# wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.3.tar.gz


Unpack the downloaded file and move the content to the Apache document root.

# tar -vxzf loganalyzer-3.6.3.tar.gz
# mv loganalyzer-3.6.3/src/ /var/www/html/loganalyzer
# mv loganalyzer-3.6.3/contrib/* /var/www/html/loganalyzer


Enter the newly created directory, make the scripts executable and run the configuration script.

# cd /var/www/html/loganalyzer/
# chmod 744 configure.sh secure.sh
# ./configure.sh


 

Configure LogAnalyzer

Access the web interface by entering the following address in your browser:

http://IP_address/loganalyzer

On first access you receive an error message because the application has not been configured yet. Click the word here to proceed with the configuration.


Click Next to start the installation.


Click Next to continue.


Enable the Enable User Database option and enter the parameters set during the database creation.


Click Next.


If no errors are shown click Next to continue.


Create the Admin user by typing the username and password, then click Next.


Choose MYSQL Native as the Source Type and enter the parameters of the database created previously, then click Next. Pay attention to the Database Tablename field, whose value must be exactly:

SystemEvents


Click Finish to complete the installation.


To log in to LogAnalyzer, enter your credentials and click Login.


LogAnalyzer shows the data collected by the Rsyslog server so far. To populate the Events view, configure your network devices to send their syslog messages to the Rsyslog server just configured.


 

Troubleshooting

After login you may receive the error message:

could not find the configured table, maybe misspelled or the table names are case sensitive


This error is usually caused by a wrong value in the DBTableName field. To fix it, edit the /var/www/html/loganalyzer/config.php file and check that the DBTableName value is written with the correct capitalization:

# vi /var/www/html/loganalyzer/config.php

SystemEvents


Once the DBTableName value has been amended, the system should work properly.
