Rsyslog and LogAnalyzerare tools that help administrators to collect the systems log in a centralized place and facilitates the data analysis.
In large networks the number of devices installed provides tons of logs that make impossible to have a good overview of the overall network status without having a centralized log collector system.
Prerequisites
- Centos 6.x minimal
- A working LAMP environment
- Rsyslog and LogAnalyzer packages
Install Rsyslog
First install LAMP environment and Rsyslog packages using the yum command.
# yum install httpd php mysql php-mysql mysql-server rsyslog rsyslog-mysql wget
Prior importing the db schema into MySQL you can customize the database name (Syslog by default) by editing the createDB.sql file.
# vi /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
Once editing has been completed, import the db schema into MySQL. In the example, the procedure creates a new database called rsyslogdb.
# mysql -u root -p < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
Grant the privileges to the account rsyslog.
# mysql -u root -p
mysql> GRANT ALL PRIVILEGES ON rsyslogdb.* TO rsyslog@localhost IDENTIFIED BY 'passwd00'; mysql> flush privileges; mysql> exit
Edit the configuration file /etc/rsyslog.conf and enable the listed parameters.
$ModLoad imuxsock
$ModLoad imklog #$ModLoad immark $ModLoad imudp $UDPServerRun 514 $ModLoad imtcp $InputTCPServerRun 514 $ModLoad ommysql
# vi /etc/rsyslog.conf
Add also the following lines:
$AllowedSender UDP, 127.0.0.1, 192.168.10.0/24 $AllowedSender TCP, 127.0.0.1, 192.168.10.0/24 *.* : ommysql:127.0.0.1,rsyslogdb,rsyslog,passwd00
Enable the service to start at system boot and start the service.
# chkconfig rsyslog on
# service rsyslog restart
If you have a firewall, you need to open ports TCP 514 and UDP 514 to work with Rsyslog.
Test Rsyslog
To test if everything is working, check if messages are arriving at the syslog server.
# tail -f /var/log/messages
In addition you can check if messages are being stored in MySQL database.
# mysql -u root -p
mysql> use rsyslogdb; mysql> select * from SystemEvents;
If you see an empty set means it’s working.
Install LogAnalyzer
Using the command wget download the LogAnalyzer package.
# wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.3.tar.gz
Unpack the downloaded file and move the content to the Apache document root.
# tar -vxzf loganalyzer-3.6.3.tar.gz
# mv loganalyzer-3.6.3/src/ /var/www/html/loganalyzer
# mv loganalyzer-3.6.3/contrib/* /var/www/html/loganalyzer
Enter the created directory and assign the correct permissions to execute the scripts.
# cd /var/www/html/loganalyzer/
# chmod 744 configure.sh secure.sh
# ./configure.sh
Configure LogAnalyzer
Access the web interface typing from your browser the following address:
http://IP_address/loganalyzer
At first access you receive an error message because the application hasn’t been configured yet. Click on word here to go ahead with the configuration.
Click Next to start the installation.
Click Next to continue.
Enable Enable User Database option and enter the parameters set during the database creation.
Click Next.
If no errors are shown click Next to continue.
Create the Admin user typing the username and password then click Next.
Choose as Source Type the MYSQL Native value and enter the parameter of the database previously created. Click Next. Pay attention to the field Database Tablename where the value must be:
SystemEvents
Click Finish to complete the installation.
To login to LogAnalyzer you need to enter your credential then click Login.
The Rsyslog server shows the so far collected data. You need to set the network devices to send syslog messages to the Rsyslog server just configured to populate the Events.
Troubleshooting
After login you may receive the error message:
could not find the configured table, maybe misspelled or the table names are case sensitive
This error is often due to wrong syntax in the DBTableName field. To fix it you need to edit the /var/www/html/loganalyzer/config.php file and check if the DBTableName value is written with the correct capital letters.
SystemEvents
# vi /var/www/html/loganalyzer/config.php
Amended the DBTableName value, the system should work properly.
dear
i edit DBTableName Value to SystemEvents.
but i have the error message yet!
Hi,
Thanks for sharing your knowledge, I already setup a server Rsyslog and with its clients. I dont have to much experience but i would love to learnt. I got a little problem my PHP Log analyzer works fine, but i want to see the errors of my PHP and the syslog detect the level of error. I did change the php.ini : error_log=syslog , and also in the client as well . but still havent see the php error logs, These error continues go to the error_log that is by default for apache. If you have any idea to help me to solve I will very very thankfully of you
Could not find the configured table, maybe misspelled or the tablenames are case sensitive
The configuration table path with the release used when the post was written was located in /var/www/html/loganalyzer/config.php.
Hi there,
i have made the adjustments to the file like you suggest the config.php however it still has not changed the error
this is mysql table view
mysql> show tables;
+------------------------+
| Tables_in_Syslog |
+------------------------+
| SystemEvents |
| SystemEventsProperties |
| logcon_charts |
| logcon_config |
| logcon_dbmappings |
| logcon_fields |
| logcon_groupmembers |
| logcon_groups |
| logcon_savedreports |
| logcon_searches |
| logcon_sources |
| logcon_users |
| logcon_views |
+------------------------+
13 rows in set (0.00 sec)
and here is the config.php file
$CFG['DefaultSourceID'] = 'Source1';
$CFG['Sources']['Source1']['ID'] = 'Source1';
$CFG['Sources']['Source1']['Name'] = 'My Syslog Source';
$CFG['Sources']['Source1']['ViewID'] = 'SYSLOG';
$CFG['Sources']['Source1']['SourceType'] = SOURCE_DB;
$CFG['Sources']['Source1']['DBTableType'] = 'monitorware';
$CFG['Sources']['Source1']['DBType'] = DB_MYSQL;
$CFG['Sources']['Source1']['DBServer'] = 'localhost';
$CFG['Sources']['Source1']['DBName'] = 'Syslog';
$CFG['Sources']['Source1']['DBUser'] = 'rsyslog';
$CFG['Sources']['Source1']['DBPassword'] = 'MYSQLPASSWORD';
$CFG['Sources']['Source1']['DBTableName'] = 'SystemEvents';
$CFG['Sources']['Source1']['DBEnableRowCounting'] = true;