Setup Centralized Log Server Using Rsyslog And LogAnalyzer On CentOS, RHEL, Scientific Linux 6.5/6.4

Rsyslog is an open source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network. It implements the basic syslog protocol, extends it with content-based filtering, rich filtering capabilities, flexible configuration options and adds important features such as using TCP for transport.

It is very helpful for Linux administrators who need to view logs and troubleshoot errors when something goes wrong. In this tutorial, let us see how to install and configure Rsyslog and its graphical front-end, LogAnalyzer, and how to forward logs from the client systems to the Rsyslog server.

For this setup, I use CentOS as the Rsyslog server and an Ubuntu 13.04 desktop as the client.

My Rsyslog server details are:

Operating system: CentOS 6.5 Minimal server
IP Address:
Hostname: server.unixmen.local

Rsyslog Client details:

Operating system: Ubuntu 13.04
IP Address:
Hostname: sk


Before installing Rsyslog and LogAnalyzer, we need a working LAMP stack. To install a LAMP server, refer to the following link.

Install LAMP server On RHEL/CentOS/Scientific Linux 6

Now install rsyslog

# yum install rsyslog*

Start the rsyslog daemon and make it start automatically on every reboot.

# service rsyslog start
# chkconfig rsyslog on

Import rsyslog database and tables to mysql

Edit the file ‘/usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql’:

# vi /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql

Set the database name as shown below. Here I am using ‘rsyslogdb’ as my database name.

USE rsyslogdb;

Now import the database tables into MySQL using command:

# mysql -u root -p < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql

Now let us check that the ‘rsyslogdb’ database was imported into MySQL properly, and grant the ‘rsysloguser’ user privileges on the database:

# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 237
Server version: 5.5.34-MariaDB MariaDB Server
Copyright (c) 2000, 2013, Oracle, Monty Program Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| ownclouddb         |
| performance_schema |
| rsyslogdb          |
+--------------------+
5 rows in set (0.15 sec)
MariaDB [(none)]> GRANT ALL ON rsyslogdb.* TO rsysloguser@localhost IDENTIFIED BY 'centos';
Query OK, 0 rows affected (0.09 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.12 sec)
MariaDB [(none)]> exit

Now edit the rsyslog config file,

# vi /etc/rsyslog.conf

and make the changes as shown below.

#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability
# Provides UDP syslog reception
## uncomment ##
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
## Uncomment ##
$ModLoad imtcp
$InputTCPServerRun 514
## Add the following lines ##
$ModLoad ommysql
*.* :ommysql:,rsyslogdb,rsysloguser,centos
$AllowedSender UDP,,
$AllowedSender TCP,,


rsyslogdb – Database name

rsysloguser – Database user

centos – rsyslog user password

$AllowedSender – the client addresses from which rsyslog accepts logs, set separately for UDP and TCP.
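
A quick check of the directives added above, as an added example that is not part of the original tutorial: it flags an $AllowedSender line with no addresses, a listener with no $AllowedSender at all, an ommysql action with an empty host, and a world-readable config file (the database password sits on the ommysql line). The function name and the sample addresses and credentials are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint the legacy-format directives this tutorial puts in rsyslog.conf.
lint_rsyslog_conf() {
    conf=$1
    # The ommysql action line carries the DB password, so the file must not be world-readable.
    if grep -q '^[^#]*:ommysql:' "$conf" && [ -n "$(find "$conf" -prune -perm -004)" ]; then
        echo "WARN perms: $conf is world-readable and contains the ommysql password"
    fi
    awk '
    /^[ \t]*#/ { next }                                   # ignore commented-out lines
    /^[ \t]*\$(UDPServerRun|InputTCPServerRun)/ {         # remember which listeners are on
        listen[($1 ~ /UDP/) ? "UDP" : "TCP"] = 1; next
    }
    /^[ \t]*\$AllowedSender/ {                            # $AllowedSender PROTO, addr[/bits], ...
        line = $0; sub(/^[ \t]*\$AllowedSender[ \t]*/, "", line)
        n = split(line, f, ","); proto = toupper(f[1]); gsub(/[ \t]/, "", proto)
        seen[proto] = 1; good = 0
        for (i = 2; i <= n; i++) {
            s = f[i]; gsub(/[ \t]/, "", s)
            if (s == "") continue
            if (s ~ /\/0$/) print "WARN sender: " proto " entry " s " matches every address"
            good++
        }
        if (good == 0) print "FAIL sender: " proto " directive lists no address"
        next
    }
    /:ommysql:/ {                                         # :ommysql:host,db,user,password
        spec = $0; sub(/^.*:ommysql:/, "", spec); n = split(spec, f, ",")
        if (n < 4) print "FAIL ommysql: expected host,db,user,password"
        else if (f[1] == "") print "FAIL ommysql: database host is empty"
    }
    END { for (p in listen) if (!(p in seen)) print "WARN sender: " p " listener has no $AllowedSender" }
    ' "$conf"
}

# Constructed sample (192.0.2.0/24 is a documentation range, DB values are placeholders).
demo=$(mktemp)
cat > "$demo" <<'EOF'
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$ModLoad ommysql
*.* :ommysql:127.0.0.1,exampledb,exampleuser,example-password
$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24
EOF
chmod 644 "$demo"
lint_rsyslog_conf "$demo"   # warns about the file mode and the unrestricted UDP listener
rm -f "$demo"
```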

Disable all existing syslog services if any.

# service syslog stop
# chkconfig syslog off

We’re done with rsyslog. Now we have to install the rsyslog graphical front-end, LogAnalyzer, on our client systems.

Install LogAnalyzer

LogAnalyzer is a GUI interface to rsyslog and other network event data. It provides easy browsing, analysis of realtime network events and reporting services.

Let us download and install the latest version:

# wget

Extract it using command:

# tar zxvf loganalyzer-3.6.5.tar.gz

Move the extracted package to your Apache document root folder.

# mv loganalyzer-3.6.5/src/ /var/www/html/loganalyzer
# mv loganalyzer-3.6.5/contrib/* /var/www/html/loganalyzer/

Set the file permissions to the following files and run the script.

# cd /var/www/html/loganalyzer/
# chmod +x
# ./

The ‘’ command will create a blank php file.

Adjust IPTABLES and SELINUX settings

Now let us allow syslog port 514 through iptables/router:

# vi /etc/sysconfig/iptables

Add the following line:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT

Restart iptables service:

# service iptables restart
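
The rsyslog.conf above enables listeners on both UDP and TCP port 514, while the rule added here accepts only TCP. The following added example (not from the original tutorial) compares the listeners in rsyslog.conf with the ACCEPT rules in the iptables file; the function name and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example: report whether each rsyslog listener has a matching iptables ACCEPT rule.
# Only plain "-p PROTO --dport PORT" rules are understood (no multiport, no port ranges).
check_syslog_ports() {
    rsyslog_conf=$1; iptables_rules=$2
    awk '
    src == "fw" {                                  # iptables file: collect accepted proto/port
        if ($0 !~ /^-A INPUT / || $0 !~ /-j ACCEPT/) next
        proto = ""; port = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-p")      proto = $(i + 1)
            if ($i == "--dport") port  = $(i + 1)
        }
        if (proto != "" && port != "") accept[proto "/" port] = 1
        next
    }
    /^[ \t]*\$UDPServerRun/      { want["udp/" $2] = 1 }   # rsyslog.conf: active listeners
    /^[ \t]*\$InputTCPServerRun/ { want["tcp/" $2] = 1 }
    END { for (k in want) print k, ((k in accept) ? "open" : "no-accept-rule") }
    ' src=fw "$iptables_rules" src=conf "$rsyslog_conf" | sort
}

# Constructed sample files mirroring the tutorial: both listeners on 514, one tcp rule.
tmp=$(mktemp -d)
cat > "$tmp/rsyslog.conf" <<'EOF'
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
EOF
cat > "$tmp/iptables" <<'EOF'
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
check_syslog_ports "$tmp/rsyslog.conf" "$tmp/iptables"
rm -rf "$tmp"
```

A listener reported as no-accept-rule falls through to whatever rule follows in the INPUT chain, so clients forwarding over that protocol may never reach rsyslog.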

Disable SELINUX:

Edit the /etc/sysconfig/selinux file:

# vi /etc/sysconfig/selinux

Change SELINUX=enforcing to SELINUX=disabled:


Save and close the file. Reboot your server once for all the changes to take effect.

Access LogAnalyzer

Point your web browser to http://ip-address/loganalyzer or http://domain-name/loganalyzer and begin LogAnalyzer installation.

You’ll be shown an error message that says: Critical Error occurred.

Click on the link that says: ‘here’.

[Screenshot: Adiscon LogAnalyzer :: Critical Error occured]

Click Next.

[Screenshot: LogAnalyzer :: Installer Step 1]

Click Next.

[Screenshot: LogAnalyzer :: Installer Step 2]

From here on, pay extra attention. Enter the values exactly, with the correct lower or upper case.

Click “Yes” on “Enable User Database”. Enter the database user name, password and database name and click Next. Click “Yes” on “Require user to be logged in” option.

[Screenshot: LogAnalyzer :: Installer Step 3]

Click Next to create rsyslogdb tables.

[Screenshot: LogAnalyzer :: Installer Step 4]

Click Next.

[Screenshot: LogAnalyzer :: Installer Step 5]

Create an administrative user for the LogAnalyzer console. In my case, I create an administrative user sk with password centos.

[Screenshot: LogAnalyzer :: Installer Step 6]

Select “MySQL Native” in the Source type drop down box and enter the database name, database table name, database username and password. Click Next.

Warning: Double check the database name and table names, because they are case sensitive. Refer to the screenshots. If you use “systemevents” in the table name section instead of “SystemEvents”, you won’t be able to install LogAnalyzer. Also make sure the database name, database username and password are exactly as in the /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql file.

[Screenshot: LogAnalyzer :: Installer Step 7]

Congratulations! You’ve successfully installed LogAnalyzer. Click Finish to complete installation.

[Screenshot: LogAnalyzer :: Installer Step 8]

Log in to LogAnalyzer Dashboard

Enter the admin user account details which we created earlier.

[Screenshot: Adiscon LogAnalyzer :: Login]

Now the main console screen will open with all log details.

If it shows any message like “no syslog data”, restart all services once again.

# service rsyslog restart
# service httpd restart
# service mysql restart

Refresh the page again and you’ll see the log details of your server, as shown in the screenshot below.

[Screenshot: Source 'My Syslog Source' :: Adiscon LogAnalyzer :: All Syslogmessages]

Configure clients

Configuring a client is very easy. All you need to do is install the rsyslog package and add the rsyslog server IP address in the configuration file.

Install rsyslog package in your client systems.

For RHEL/CentOS Clients:

# yum install rsyslog -y

For Debian/Ubuntu Clients:

$ sudo apt-get install rsyslog

Open the rsyslog config file and add the rsyslog server details.

# vi /etc/rsyslog.conf

Add Rsyslog server details:

*.*     @@

and start rsyslog services.

# service rsyslog start 
# chkconfig rsyslog on

Now go to the rsyslog server and check for client logs.

[Screenshot: Source 'My Syslog Source' :: Adiscon LogAnalyzer :: All Syslogmessages]

As you see in the above screenshot, my client sk has been added and its log details are shown in the LogAnalyzer admin console.

That’s it. Happy logging!

Advance New year wishes! Convey my regards to your family and friends!

Good luck!

  • cha2ranga

    Thanks for sharing!!!. It’s working fine!!

  • SK

    Glad. it worked for you.

  • TheAce18

    This article is great. Thank you so much for making an easy to follow step by step tutorial!

  • sarfaraz

    It is giving an error that it could not find the database table or it is misspelled, please help

  • Marco Teixeira

    Great piece of work. Clear and well explained! I made it all work as you told to. Is there a way to force https instead of http? Thank you.

  • SK

    Double check the database name and table names. They are case sensitive. Refer to the screenshot in step 7. Look at the figure closely and enter the database and table names correctly.

  • jefry alvonsius

    I have the same problem as sarfaraz, then I try to fix the problem by editing the database source but I get another problem and a warning like in the picture below:

  • SK

    Hi Jefrey & Sarfaraz, both of you didn’t notice that you entered a wrong table name, as I did when making this article. Look at the step 7 screenshot carefully and enter the correct table name and database name (double check the spellings). The table name must be set as “SystemEvents” and database name must be set as “rsysdb” which we created earlier in MySQL. This article is working for me 100%.

  • jefry alvonsius

    Thank you for the correction, I have checked again and found the solution and now rsyslog is working 100% on my system.

  • SK

    Glad it worked for you. Stay tuned with us.

  • Jangetta

    Hey, I seem to be having trouble getting the URL download to work. It connects to the site but gives me a 404 error in the terminal and in the web browser.

  • NinNin

    SK, Thank you very much.

  • Vladimir

    Thanks for the article, Senthilkumar!! I have CentOS 6.4/i386 and I have the error “rsyslogd: db error (1054): Unknown column ‘SysLogTag’ in ‘field list’”. It’s caught by “#/sbin/rsyslogd -dn > rsyslogd”. Solution: add ‘SysLogTag’ to the ‘rsysdb.SystemEvents’ table.

  • sysdoc

    I am getting the error “No syslog records found”.
    Can you tell me how to resolve this issue?

  • lasakad

    Thanks for sharing. I have installed and configured it, with one problem: I have several servers and network devices configured and all work fine, but from one host I receive every message 2x. If I send from this host to my old syslog system, it is OK, only one record, and on the new syslog server only this one host has all messages 2x. I have completely reinstalled the server and have the same problem: from one host I receive 2x, and every time it’s the same host. If someone has some tips for debugging, thanks.

  • lasakad

    try to
    1 – find if rsyslog receives messages ( tail -f /var/log/messages )
    2 – check that the username and password for writing to MySQL are OK
    3 – have these lines in rsyslog.conf
    $ModLoad imudp
    $UDPServerRun 514
    $ModLoad ommysql

    *.* :ommysql:,DBname,DBuser,DBpass


  • lasakad

    Hello Vladimir,
    you have a problem in the table, do you have mySqlAdmin on this server?


  • alireza seighalani

    Thanks for your excellent tutorial.
    I did your tutorial but it works slowly; for example, when you want to log in it takes a long time (for example 40 seconds). Is there any tuning for rsyslog or PHP? Thanks in advance.

  • Adam Interact

    Good tutorial, but I’m stuck on 403 Forbidden Access when accessing I have switched chown and chgrp to apache and added “var/www/html/loganalyzer” to httpd.conf as a directory.

    Any clue what is going on? Anything within “var/www/html/” works fine.


  • Sinisha PK

    Very thankful that you shared such a wonderful doc. I’m stuck at Windows client configuration. Can you please help me with this?

  • newbieathome

    Hello, my installation stops to this:
    error: ‘Access denied for user ‘root’@’localhost’ (using password: NO)’

  • Mevin

    Thank you for sharing this doc. However, when I use the table SystemEvents in all lowercase in both the config.php file and in the MySQL rsysdb database, I do not get the message “Could not find the configured table”. The problem is that I do not see the latest logs from /var/log/messages in LogAnalyzer.

  • Md. Ashikur Rahman

    When I try to access using

    Following message shows:


    You don’t have permission to access /loganalyser
    on this server.

    Apache/2.2.15 (CentOS) Server at Port 80


  • anonymous

    setenforce 0

  • Pablo

    First of all, thanks for the tutorial :). I would like to ask you a few questions about the rsyslog config:

    centos – rsyslog user password: This is installed application user? root in your case?

    Second Which is the rsyslog database structure?

    CREATE DATABASE rsyslogdb;
    USE rsyslogdb;
    CREATE TABLE SystemEvents ( […]

    Kind regards and Happy New Year

  • SK

    If I understand correctly, rsysloguser is the MySQL database user and its password is “centos”. Secondly, we did import the sample tables and databases from the file “/usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql” to the rsyslogdb database. Hope I cleared your doubt.

  • Aby

    Disable SELinux and give it a try.

  • santhosh kumar P

    Hi SK.. Everything goes well; I am struggling in step 5 of the Analyzer configuration part. Provided a screenshot for your reference.