HOW TO INSTALL RSYSLOG V8 AND LOGANALYZER V4 ON CENTOS 7

As a System Administrator, logging everything that happens on your systems is an important task for analysing any unknown issues that occur on your machines. Diagnosing a system problem starts with checking the system log files: system activity is recorded in these files, and they point to the source of the problems that occur.

What is RSYSLOG?

RSYSLOG is a super fast system to process logs and events. One of its main features is accepting inputs from various sources, transforming those inputs and outputting the results to different destinations. According to the official website (www.rsyslog.com), it can process up to 1 million messages per second.

RSYSLOG offers the below features:

  • Multi-threading
  • TCP, SSL, TLS, RELP
  • MySQL, PostgreSQL, Oracle and more
  • Filter any part of syslog message
  • Fully configurable output format
  • Suitable for enterprise-class relay chains

1- Install RSYSLOG v8 and Configure Database

CentOS 7 uses an old version of RSYSLOG. In order to install the latest version (v8), we need to install it from the repository offered by the RSYSLOG official website.

```shell
wget http://rpms.adiscon.com/v8-stable/rsyslog.repo
mv rsyslog.repo /etc/yum.repos.d/rsyslog.repo
# quote the pattern so the shell does not expand it before yum sees it
yum install 'rsyslog*' --skip-broken
```

In order for the RSYSLOG service to start in case we reboot the system, issue the below command:

```shell
chkconfig rsyslog on
```

Instead of letting RSYSLOG output the messages to static files, we will create a database for RSYSLOG using the database schema script it ships with, located in /usr/share/doc/rsyslog-mysql-8.18.0/createDB.sql

Install MySQL

But to use MySQL, we need to install the required packages to run a MySQL server:

```shell
yum install mysql mysql-server
```

After installing MySQL, we need to start the mysqld service:

```shell
service mysqld start
```

To make this service start when the server reboots:

```shell
chkconfig mysqld on
```

For security reasons, it is advised to set a password for the MySQL root account:

```shell
mysqladmin -u root password 'PasswordHere'
```

To test if MySQL is installed correctly, log into the database:

```shell
mysql -u root -p
```

You should get the below output:

```text
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
```

Configure RSYSLOG Database

To create the RSYSLOG database using the default schema offered by RSYSLOG, issue the below command:

```shell
mysql -u root -p < /usr/share/doc/rsyslog-mysql-8.18.0/createDB.sql
```

Access the database you created with the password you assigned earlier:

```shell
mysql -u root -p Syslog
```

For security reasons, it is advised to add a dedicated database user called rsyslogdbadmin, with a password of your choice, that can access this database only.

```sql
-- grant rights on the Syslog database created by createDB.sql
-- (rsyslog itself only needs INSERT on it to store events)
GRANT ALL ON Syslog.* TO rsyslogdbadmin@localhost IDENTIFIED BY 'PasswordHere';
FLUSH PRIVILEGES;
exit
```

Now let us test logging in to the Syslog database with the user we created. If it works, our database is ready:

```shell
mysql -u rsyslogdbadmin -p Syslog
```

To configure RSYSLOG to output the messages to its database, we need to edit its configuration file, /etc/rsyslog.conf.

```shell
vi /etc/rsyslog.conf
```

Things to modify in the configuration file:

  • Add the MySQL Module:

```rsyslog
# Load the MySQL Module
module(load="ommysql")
```

  • Uncomment the below lines:

```rsyslog
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
```

  • Add a new forwarding rule:

```rsyslog
*.* :ommysql:127.0.0.1,Syslog,rsyslogdbadmin,PasswordHere
# ### end of the forwarding rule ###
```

You can also adjust the #RULES# section to filter out any logs you do not want stored in the RSYSLOG database.
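As an added check that is not part of the original tutorial, the following Python script parses a copy of rsyslog.conf and reports which of the edits described above are missing, including a forwarding rule that points at the wrong database. The names `SAMPLE_CONF`, `parse_rsyslog_conf` and `check_tutorial_config` are chosen here, and the sample configuration is constructed from the snippets in this post.

```python
import re
SAMPLE_CONF = """# constructed sample of the rsyslog.conf lines this tutorial adds
module(load="ommysql")
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
*.* :ommysql:127.0.0.1,Syslog,rsyslogdbadmin,PasswordHere
# ### end of the forwarding rule ###
"""
MODULE_RE = re.compile(r'^module\(load="([^"]+)"')
INPUT_RE = re.compile(r'^input\(type="([^"]+)"\s+port="(\d+)"')
# Legacy ommysql action: <selector> :ommysql:<server>,<database>,<user>,<password>
OMMYSQL_RE = re.compile(r'^(\S+)\s+:ommysql:([^,]+),([^,]+),([^,]+),(.*)$')
def parse_rsyslog_conf(text):
    """Collect loaded modules, listening inputs and ommysql rules from conf text."""
    modules, inputs, rules = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if m := MODULE_RE.match(line):
            modules.append(m.group(1))
        elif m := INPUT_RE.match(line):
            inputs.append((m.group(1), int(m.group(2))))
        elif m := OMMYSQL_RE.match(line):
            selector, server, db, user, password = m.groups()
            rules.append({"selector": selector, "server": server, "db": db,
                          "user": user, "password": password})
    return {"modules": modules, "inputs": inputs, "rules": rules}
def check_tutorial_config(text, expected_db="Syslog"):
    """Return a list of problems; an empty list means every edit from this tutorial is present."""
    cfg = parse_rsyslog_conf(text)
    problems = []
    if "ommysql" not in cfg["modules"]:
        problems.append("ommysql module not loaded")
    for mod in ("imudp", "imtcp"):
        if mod not in cfg["modules"]:
            problems.append(f"{mod} module not loaded")
        if (mod, 514) not in cfg["inputs"]:
            problems.append(f"no {mod} input listening on port 514")
    if not cfg["rules"]:
        problems.append("no ommysql forwarding rule found")
    for rule in cfg["rules"]:
        if rule["db"] != expected_db:
            problems.append(f"rule targets database {rule['db']!r}, expected {expected_db!r}")
    return problems
```

Run it against the real file with `check_tutorial_config(open("/etc/rsyslog.conf").read())` after editing.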

Once you are satisfied with the changes, restart the RSYSLOG service:

```shell
service rsyslog restart
```

To check that the RSYSLOG messages are being forwarded to the MySQL database:

```text
mysql -u rsyslogdbadmin -p Syslog

mysql> select count(*) from SystemEvents;
+----------+
| count(*) |
+----------+
|        2 |
+----------+
```

2- Install LogAnalyzer v4.1.2 Web Application

Adiscon LogAnalyzer is a web interface to syslog and other network event data. It provides easy browsing, analysis of real-time network events and reporting services.

Install Prerequisites

In order for LogAnalyzer to function correctly, there are a number of prerequisite packages that need to be installed on our system.

  • Apache

Install Apache:

```shell
yum install httpd
```

Start the Service:

```shell
service httpd start
```

Make the service start automatically when the server reboots:

```shell
chkconfig httpd on
```

To make sure we have installed Apache correctly, browse to http://your-server-ip/ and you should get the default Apache test page.

  • PHP

Install PHP

```shell
yum install php php-mysql php-gd
```

After installing PHP, let’s create a phpinfo page:

```shell
nano /var/www/html/test.php
```

Type the following and save test.php:

```php
<?php
phpinfo();
?>
```

Restart the Apache Service

```shell
service httpd restart
```

Browse to http://your-server-ip/test.php and you should see the PHP information page.

Install LogAnalyzer

Download LogAnalyzer v4.1.3:

```shell
wget http://download.adiscon.com/loganalyzer/loganalyzer-4.1.3.tar.gz
```

Extract the downloaded tar file:

```shell
tar zxvf loganalyzer-4.1.3.tar.gz
```

In order to access LogAnalyzer through the web interface, copy the install files into the Apache document root:

```shell
cp -r loganalyzer-4.1.3/src/ /var/www/html/loganalyzer
cp -r loganalyzer-4.1.3/contrib/* /var/www/html/loganalyzer/
```

We need to set execute permissions on the configure.sh and secure.sh files:

```shell
cd /var/www/html/loganalyzer/
chmod +x configure.sh secure.sh
```

Run ./configure.sh. This will create a blank config.php file with write access:

```shell
./configure.sh
```

Now we have to finalise the LogAnalyzer installation using the web interface. Browse to http://your-server-ip/loganalyzer and follow the instructions on the screen.

Once you are done with the installation, the LogAnalyzer web interface is ready to use.

This concludes our tutorial for the installation of the latest versions of RSYSLOG v8 and LogAnalyzer v4 on CentOS 7. If you have any questions or suggestions, do not hesitate to use the comments section below.

Happy Logging!
