Setup Centralized Log Server Using Rsyslog And LogAnalyzer On CentOS, RHEL, Scientific Linux 6.5/6.4

Rsyslog is an open source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network. It implements the basic syslog protocol, extends it with content-based filtering, rich filtering capabilities, flexible configuration options and adds important features such as using TCP for transport.

A central log server is very helpful for Linux administrators when viewing and troubleshooting errors, because the logs of a compromised or crashed machine survive on another host. In this tutorial let us see how to install and configure Rsyslog and its graphical front-end, LogAnalyzer, and also how to forward logs from the client systems to the Rsyslog server.

For this setup I use CentOS as the Rsyslog server and an Ubuntu 13.04 desktop as the client.

My Rsyslog server details are:

Operating system: CentOS 6.5 Minimal server
IP Address: 192.168.1.101/24
Hostname: server.unixmen.local

Rsyslog Client details:

Operating system: Ubuntu 13.04
IP Address: 192.168.1.100/24
Hostname: sk

Prerequisites

Before installing Rsyslog and LogAnalyzer, we need a working LAMP stack. To install LAMP server, refer the following link.

Install LAMP server On RHEL/CentOS/Scientific Linux 6

Now install rsyslog

# yum install rsyslog*

The wildcard pulls in rsyslog-mysql as well, which provides the ommysql module used below (rsyslog alone is not enough).

Start the rsyslog daemon and make it start automatically on every reboot:

# service rsyslog start
# chkconfig rsyslog on

Import rsyslog database and tables to mysql

Edit the file ‘/usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql’ (the version in the path follows the installed package; ‘rpm -ql rsyslog-mysql | grep createDB’ shows the exact location):

# vi /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql

Set the database name as shown below. Here I am using ‘rsyslogdb’ as my database name.

CREATE DATABASE rsyslogdb;
USE rsyslogdb;
CREATE TABLE SystemEvents
(
[...]

Now import the database tables into MySQL using command:

# mysql -u root -p < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql

Now let us check that the ‘rsyslogdb’ database was imported properly into MySQL, and create the ‘rsysloguser’ user with privileges on that database only (it needs nothing outside it):

# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 237
Server version: 5.5.34-MariaDB MariaDB Server

Copyright (c) 2000, 2013, Oracle, Monty Program Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| ownclouddb         |
| performance_schema |
| rsyslogdb          |
+--------------------+
5 rows in set (0.15 sec)

MariaDB [(none)]> GRANT ALL ON rsyslogdb.* TO rsysloguser@localhost IDENTIFIED BY 'centos';
Query OK, 0 rows affected (0.09 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.12 sec)

MariaDB [(none)]> exit
Bye

Now edit the rsyslog config file,

# vi /etc/rsyslog.conf

and make the changes as shown below.

#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

## Add the following lines: restrict which hosts may send to the listeners.
## Keep them before the $UDPServerRun / $InputTCPServerRun lines below.
$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.1.0/24

# Provides UDP syslog reception
## uncomment ##
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
## Uncomment ##
$ModLoad imtcp
$InputTCPServerRun 514

## Add the following lines: write every received message to MySQL ##
$ModLoad ommysql
*.* :ommysql:127.0.0.1,rsyslogdb,rsysloguser,centos

Where,

rsyslogdb                 –  Database name

rsysloguser                – Database user

centos                   – Password of the database user. It is stored in clear text in /etc/rsyslog.conf, so choose a better one than this example and keep the file readable only by root (chmod 640 /etc/rsyslog.conf).

$AllowedSender  – rsyslog accepts messages on the UDP and TCP listeners only from 127.0.0.1 and the 192.168.1.0/24 client network; anything else is dropped. This is a source-address filter only: it does not authenticate clients or protect the messages in transit.
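Because $AllowedSender only checks the source IP address, a plain syslog feed can still be spoofed (UDP carries no handshake) or read by anyone on the path. rsyslog 5.8 can instead run the TCP listener over TLS with mutual certificate authentication via the gtls driver (package rsyslog-gnutls on CentOS and Ubuntu). The following is an added example of that hardened configuration, not part of the original article; the certificate paths, the port 6514 and the *.unixmen.local peer-name pattern are assumptions, and the CA, server and client certificates must be created separately.

```conf
# Added example: TLS-only log reception with client certificate authentication.
# Paths under /etc/pki/rsyslog/ and the peer names are assumptions.

### /etc/rsyslog.conf on the server (192.168.1.101) ###
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/pki/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/server-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/pki/rsyslog/server-key.pem

# No imudp listener here: UDP syslog can be neither encrypted nor authenticated.
$ModLoad imtcp
$InputTCPServerStreamDriverMode 1                          # TLS only, no plain TCP
$InputTCPServerStreamDriverAuthMode x509/name              # client must present a cert signed by the CA ...
$InputTCPServerStreamDriverPermittedPeer *.unixmen.local   # ... with a name matching this pattern
$InputTCPServerRun 6514

$ModLoad ommysql
*.* :ommysql:127.0.0.1,rsyslogdb,rsysloguser,centos

### /etc/rsyslog.conf on each client ###
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/pki/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/client-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/pki/rsyslog/client-key.pem
$ActionSendStreamDriverMode 1                               # refuse to fall back to plain TCP
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer server.unixmen.local   # the name in the server's certificate
*.* @@server.unixmen.local:6514
```

With x509/name on both sides, each host verifies the other's certificate against the shared CA and its subject name against the permitted-peer pattern, so a rogue machine on the 192.168.1.0/24 network can no longer inject or read log traffic. The iptables rule for this variant opens TCP 6514 instead of 514.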

Disable all existing syslog services if any.

# service syslog stop
# chkconfig syslog off

We’re done with rsyslog. Now we have to install the rsyslog graphical front-end, LogAnalyzer, on the Rsyslog server itself (it is a PHP application that reads the SystemEvents table through the LAMP stack installed earlier).

Install LogAnalyzer

LogAnalyzer is a GUI interface to rsyslog and other network event data. It provides easy browsing, analysis of realtime network events and reporting services.

Let us download and install the latest version:

# wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.5.tar.gz

Extract it using command:

# tar zxvf loganalyzer-3.6.5.tar.gz

Move the extracted package to your Apache document root folder.

# mv loganalyzer-3.6.5/src/ /var/www/html/loganalyzer
# mv loganalyzer-3.6.5/contrib/* /var/www/html/loganalyzer/

Make the two helper scripts from contrib executable and run configure.sh:

# cd /var/www/html/loganalyzer/
# chmod +x configure.sh secure.sh
# ./configure.sh

configure.sh creates an empty config.php and makes it writable so that the web installer can fill it in. Once the installer has finished, run ./secure.sh from the same directory to set config.php back to read-only, since it will then contain the database credentials.

Adjust IPTABLES and SELINUX settings

Now let us allow syslog port 514 through iptables (and through any router between the clients and the server). The rsyslog configuration above listens on both TCP and UDP 514, so open both, and limit the source to the client network rather than the whole world:

# vi /etc/sysconfig/iptables

Add the following lines before the final REJECT rule:

[...]
-A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s 192.168.1.0/24 --dport 514 -j ACCEPT
[...]

Restart iptables service:

# service iptables restart

Disable SELINUX:

Disabling SELinux removes a control from the whole server, not just from rsyslog and LogAnalyzer. A better route is to put it in permissive mode (SELINUX=permissive in the file below, or ‘setenforce 0’ until the next reboot), check /var/log/audit/audit.log for AVC denials once everything works, and build a targeted policy from them with audit2allow (package policycoreutils-python). If you nevertheless want to disable it, edit the file /etc/sysconfig/selinux:

# vi /etc/sysconfig/selinux

Change SELINUX=enforcing to SELINUX=disabled:

SELINUX=disabled

Save and close the file. Reboot your server once so that all the changes take effect.

Access LogAnalyzer

Point your web browser to http://ip-address/loganalyzer or http://domain-name/loganalyzer and begin the LogAnalyzer installation.

You’ll be shown with an Error message that says: Critical Error occurred.

Click on link that says: ‘here’.

[Screenshot: Adiscon LogAnalyzer :: Critical Error occurred]

Click Next.

[Screenshot: LogAnalyzer :: Installer Step 1]

Click Next.

[Screenshot: LogAnalyzer :: Installer Step 2]

From here on pay extra attention: enter every value exactly, including upper and lower case.

Click “Yes” on “Enable User Database”. Enter the database user name, password and database name and click Next. Click “Yes” on “Require user to be logged in”, so that the console is not readable by anyone who can reach the web server.

[Screenshot: LogAnalyzer :: Installer Step 3]

Click Next to create the LogAnalyzer tables in rsyslogdb.

[Screenshot: LogAnalyzer :: Installer Step 4]

Click Next.

[Screenshot: LogAnalyzer :: Installer Step 5]

Create an administrative user for the LogAnalyzer console. In my case, I create an administrative user sk with password centos.

[Screenshot: LogAnalyzer :: Installer Step 6]

Select “MySQL Native” in the Source type drop down box and enter the database name, the database table name (SystemEvents), the database username and the password. Click Next.

Warning: double check the database name and table name, because they are case sensitive. Refer to the screenshots. If you use “systemevents” in the table name field instead of “SystemEvents”, you won’t be able to install LogAnalyzer. Also make sure the database name matches the one in /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql and that the username and password match the GRANT statement you ran earlier.

[Screenshot: LogAnalyzer :: Installer Step 7]

Congratulations! You’ve successfully installed LogAnalyzer. Click Finish to complete the installation, then run ./secure.sh in /var/www/html/loganalyzer so that config.php, which now holds the database password, is read-only again.

[Screenshot: LogAnalyzer :: Installer Step 8]

Log in to LogAnalyzer Dashboard

Enter the admin user account details which we created earlier.

[Screenshot: Adiscon LogAnalyzer :: Login]

Now the main console screen will open with all log details.

If it shows a message like “no syslog data”, restart all services once again:

# service rsyslog restart
# service httpd restart
# service mysql restart

(The database service is named mysqld on a stock CentOS MySQL installation; mysql is the name used by the MariaDB packages shown in the session above.)

Refresh the page again, you’ll see the log details of your server as shown in the below screenshot.

[Screenshot: Source 'My Syslog Source' :: Adiscon LogAnalyzer :: All Syslog messages]

Configure clients

Configuring a client is very easy. All you need to do is install the rsyslog package and add the rsyslog server IP address to the configuration file.

Install rsyslog package in your client systems.

For RHEL/CentOS Clients:

# yum install rsyslog -y

For Debian/Ubuntu Clients:

$ sudo apt-get install rsyslog

Open the rsyslog config file and add the rsyslog server details.

# vi /etc/rsyslog.conf

Add the Rsyslog server details:

*.*     @@192.168.1.101

The leading ‘@@’ selects TCP, which matches the imtcp listener and the iptables rule above; a single ‘@’ would send over UDP. The port defaults to 514 and can be given explicitly as @@192.168.1.101:514. Then restart rsyslog so the change takes effect.

On RHEL/CentOS clients:

# service rsyslog restart
# chkconfig rsyslog on

On Debian/Ubuntu clients (rsyslog is already enabled at boot there, and chkconfig does not exist):

$ sudo service rsyslog restart

Now goto rsyslog server and check for client logs.

[Screenshot: Source 'My Syslog Source' :: Adiscon LogAnalyzer :: All Syslog messages]

As you can see in the above screenshot, my client sk has been added and its log details are shown in the LogAnalyzer admin console.
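Rather than waiting for the console to show something, the whole path (client forwarder, TCP listener, ommysql, SystemEvents table) can be exercised from the command line. The script below is an added example and not part of the original article: it builds a syslog line by hand in the RFC 3164 format that imtcp parses, sends it to the server over TCP with bash’s /dev/tcp, and then counts the matching rows in SystemEvents. The server address, port and database credentials are taken from the set-up above and are assumptions if yours differ; the count_in_db step needs the mysql client and the rsysloguser credentials, so run that part on the server.

```shell
#!/bin/bash
# Added example (not from the original article): end-to-end check that a
# message sent from a client is stored in the central SystemEvents table.
# Assumed values, matching the set-up above: server 192.168.1.101, TCP 514,
# database rsyslogdb, user rsysloguser, password 'centos'.

SERVER="${SERVER:-192.168.1.101}"
PORT="${PORT:-514}"

# Map a facility name to its syslog facility number (RFC 3164 table).
syslog_facility() {
    case "$1" in
        kern) echo 0 ;;  user) echo 1 ;;  mail) echo 2 ;;  daemon) echo 3 ;;
        auth) echo 4 ;;  syslog) echo 5 ;; lpr) echo 6 ;;  news) echo 7 ;;
        uucp) echo 8 ;;  cron) echo 9 ;;  authpriv) echo 10 ;; ftp) echo 11 ;;
        local0) echo 16 ;; local1) echo 17 ;; local2) echo 18 ;; local3) echo 19 ;;
        local4) echo 20 ;; local5) echo 21 ;; local6) echo 22 ;; local7) echo 23 ;;
        *) return 1 ;;
    esac
}

# Map a severity name to its syslog severity number.
syslog_severity() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;;   crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# PRI = facility * 8 + severity; this is the "<NN>" prefix rsyslog parses first.
syslog_pri() {
    local f s
    f=$(syslog_facility "$1") || return 1
    s=$(syslog_severity "$2") || return 1
    echo $(( f * 8 + s ))
}

# Build one RFC 3164 line: "<PRI>TIMESTAMP HOSTNAME TAG: MESSAGE".
# usage: build_syslog_msg FACILITY SEVERITY HOSTNAME TAG MESSAGE [TIMESTAMP]
build_syslog_msg() {
    local pri ts
    pri=$(syslog_pri "$1" "$2") || return 1
    ts="${6:-$(date '+%b %e %H:%M:%S')}"
    printf '<%s>%s %s %s: %s' "$pri" "$ts" "$3" "$4" "$5"
}

# Send one line over TCP using bash's /dev/tcp (no extra tools needed).
# The trailing newline is the frame delimiter imtcp expects.
send_syslog_tcp() {
    printf '%s\n' "$1" > "/dev/tcp/$SERVER/$PORT"
}

# Count SystemEvents rows whose tag starts with the given tag. ommysql's
# default template stores the tag with its trailing colon, hence LIKE.
# The tag is restricted to [A-Za-z0-9_.-] before being interpolated into SQL.
count_in_db() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) echo "refusing unsafe tag: $1" >&2; return 2 ;;
    esac
    mysql -u rsysloguser -pcentos rsyslogdb -N -e \
        "SELECT COUNT(*) FROM SystemEvents WHERE SysLogTag LIKE '$1%'"
}

# Send a uniquely tagged message and then look for it in the database.
main() {
    local tag msg
    tag="rsyslogtest-$$"
    msg=$(build_syslog_msg local0 info "$(hostname)" "$tag" "central logging check")
    send_syslog_tcp "$msg"
    sleep 1
    if [ "$(count_in_db "$tag")" -gt 0 ]; then
        echo "OK: $tag stored in SystemEvents"
    else
        echo "MISSING: $tag not found; check \$AllowedSender, iptables and ommysql"
    fi
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as ‘bash check-syslog.sh run’ on a client in 192.168.1.0/24 (then the count step on the server). A message that is accepted by the listener but never appears in the table usually points at the ommysql credentials; one that never arrives at all points at $AllowedSender or iptables.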

That’s it. Happy logging!

Advance New year wishes! Convey my regards to your family and friends!

Good luck!

Reference Links:

Rsyslog Home page

LogAnalyzer Home page