
As a system administrator, logging everything that happens on your systems is essential for analysing any unexpected issue that occurs on your machines. Diagnosis of a system problem starts with the system log files: they record system activity and usually point at the source of the problem.
What is RSYSLOG
RSYSLOG is a very fast system for processing logs and events. One of its main features is accepting input from many sources, transforming it and writing the results to different destinations. According to the official website (www.rsyslog.com), it can process up to 1 million messages per second.
RSYSLOG offers the below features:
- Multi-threading
- TCP, SSL, TLS, RELP
- MySQL, PostgreSQL, Oracle and more
- Filter any part of syslog message
- Fully configurable output format
- Suitable for enterprise-class relay chains
1- Install RSYSLOG v8 and Configure Database
CentOS 7 ships an older rsyslog. To install the current v8 branch, add the repository published by the rsyslog project (Adiscon) and install from it:

```shell
wget http://rpms.adiscon.com/v8-stable/rsyslog.repo
mv rsyslog.repo /etc/yum.repos.d/rsyslog.repo
yum install rsyslog* --skip-broken
```

The repo file is fetched over plain HTTP, so read it (including its gpgcheck setting) before moving it into /etc/yum.repos.d. Note also that `rsyslog*` pulls in every rsyslog module package; `yum install rsyslog rsyslog-mysql` installs only what this tutorial needs, and `--skip-broken` (two dashes) quietly drops any package whose dependencies cannot be satisfied, so check yum's summary.
To start rsyslog automatically after a reboot:

```shell
chkconfig rsyslog on
```

(On CentOS 7 `chkconfig` is a compatibility wrapper around systemd; `systemctl enable rsyslog` is the native equivalent, and the `service` commands used below map to `systemctl start`/`restart` in the same way.)
Instead of letting rsyslog write messages only to flat files, we will store them in MySQL using the schema shipped with the rsyslog-mysql package at /usr/share/doc/rsyslog-mysql-8.18.0/createDB.sql (the directory name carries the installed package version; adjust it if yours differs).
Install MySQL
To use MySQL we first need the server packages:

```shell
yum install mysql mysql-server
```

(On CentOS 7 the base repository ships MariaDB instead: `yum install mariadb mariadb-server`, with `mariadb` as the service name. Everything below works the same way; only the package and service names and the banner differ.)
After installing MySQL, start the mysqld service:

```shell
service mysqld start
```

To make this service start when the server reboots:

```shell
chkconfig mysqld on
```

For security reasons, set a password for the MySQL root account (the packages install it with none). `mysql_secure_installation` does the same and additionally removes the anonymous accounts and the test database:

```shell
mysqladmin -u root password 'PasswordHere'
```

To test that MySQL is installed correctly, log into the database:

```shell
mysql -u root -p
```

You should get output like the following (the version line will vary):

```
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
```
Configure RSYSLOG Database
To create the database with the default schema offered by rsyslog (it creates the database `Syslog` with the tables `SystemEvents` and `SystemEventsProperties`), issue:

```shell
mysql -u root -p < /usr/share/doc/rsyslog-mysql-8.18.0/createDB.sql
```

Access the database you just created with the root password you assigned earlier:

```shell
mysql -u root -p Syslog
```

For security reasons, it is advised to create a dedicated database user, here called rsyslogdbadmin, that can access this database only, with a password of your choice. The grant must name the `Syslog` database that createDB.sql created. Be aware that ALL gives the account more than rsyslog needs (it only inserts rows), and that the password will later sit in rsyslog.conf in clear, so treat that file as a secret:

```sql
GRANT ALL ON Syslog.* TO rsyslogdbadmin@localhost IDENTIFIED BY 'PasswordHere';
FLUSH PRIVILEGES;
exit
```

Now test logging in to the Syslog database as the user we created. If it works, our database is ready:

```shell
mysql -u rsyslogdbadmin -p Syslog
```
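The GRANT above hands one account every privilege on the database, and the same account is then pasted into both rsyslog.conf and the LogAnalyzer web installer. Rsyslog only ever inserts rows and LogAnalyzer only reads them, so two accounts with exactly those privileges limit what a leaked password can do. The shell function below is an added example, not part of the original post or of the rsyslog project: it renders the SQL for that split against the `Syslog` database and tables that createDB.sql created (the account names rsyslog_writer and loganalyzer_reader are this example's own choices), and `apply_syslog_grants` pipes it into `mysql -u root -p`. If you enable LogAnalyzer's own user database during its web install, give those tables a separate database with its own account so the reader stays SELECT-only on Syslog.

```shell
#!/bin/sh
# Least-privilege accounts for the Syslog database created by createDB.sql.
# Added example, not code from the original post. Account names are this
# example's own choices; database and table names come from createDB.sql.
# Passwords must not contain a single quote (they are embedded in SQL literals).

# Print the SQL that creates a write-only account for rsyslog (ommysql only
# INSERTs into the two tables) and a read-only account for LogAnalyzer.
# Usage: render_syslog_grants WRITER_PASSWORD READER_PASSWORD
render_syslog_grants() {
    writer_pw=$1
    reader_pw=$2
    cat <<EOF
-- rsyslog writer: may only append rows, cannot read, alter or drop anything
CREATE USER 'rsyslog_writer'@'localhost' IDENTIFIED BY '${writer_pw}';
GRANT INSERT ON Syslog.SystemEvents TO 'rsyslog_writer'@'localhost';
GRANT INSERT ON Syslog.SystemEventsProperties TO 'rsyslog_writer'@'localhost';

-- LogAnalyzer reader: may query events but never modify or delete them
CREATE USER 'loganalyzer_reader'@'localhost' IDENTIFIED BY '${reader_pw}';
GRANT SELECT ON Syslog.* TO 'loganalyzer_reader'@'localhost';

FLUSH PRIVILEGES;
EOF
}

# Return 0 when the rendered SQL contains no blanket privilege, 1 otherwise.
# A guard against re-introducing "GRANT ALL" by copy-paste.
grants_are_minimal() {
    if render_syslog_grants "$1" "$2" | grep -qiE 'GRANT (ALL|SUPER|FILE)'; then
        return 1
    fi
    return 0
}

# Apply the grants with the MySQL root account (prompts for its password).
# Usage: apply_syslog_grants WRITER_PASSWORD READER_PASSWORD
apply_syslog_grants() {
    grants_are_minimal "$1" "$2" || { echo "refusing to apply blanket grants" >&2; return 1; }
    render_syslog_grants "$1" "$2" | mysql -u root -p
}
```

Use rsyslog_writer in the ommysql rule and loganalyzer_reader in the LogAnalyzer source settings; a compromise of the web application then cannot delete or rewrite the audit trail.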
To configure rsyslog to write messages to the database, edit its configuration file /etc/rsyslog.conf:

```shell
vi /etc/rsyslog.conf
```

Things to modify in the configuration file:
- Add the MySQL module:

```
# Load the MySQL module
module(load="ommysql")
```

- Uncomment the below lines if this host should also collect syslog from other machines over the network. Leave them commented on a host that only logs itself, and firewall 514/udp and 514/tcp to the senders you expect: plain syslog over UDP or TCP is neither authenticated nor encrypted, so anyone who can reach the port can inject log lines.

```
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
```

- Add a new forwarding rule (legacy syntax: host, database, user, password). Because the password is stored in clear, make the file readable by root only (`chmod 600 /etc/rsyslog.conf`):

```
*.* :ommysql:127.0.0.1,Syslog,rsyslogdbadmin,PasswordHere
# ### end of the forwarding rule ###
```

You can also check the RULES section to filter out any logs you do not want to see in the rsyslog database.
Once you are satisfied with the changes, restart the rsyslog service:

```shell
service rsyslog restart
```

To check that messages are being written to the MySQL database:

```shell
mysql -u rsyslogdbadmin -p Syslog
```

```
mysql> select count(*) from SystemEvents;
+----------+
| count(*) |
+----------+
|        2 |
+----------+
```

The count should grow as the system generates activity (for example after `logger "rsyslog db test"` from another shell); if it stays at zero, look in /var/log/messages for ommysql connection errors.
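The legacy `*.* :ommysql:` line works, but it leaves the database password in a world-readable file, blocks log processing while MySQL is down, and (with the listeners uncommented) accepts syslog on 514 from every interface. The shell below is an added example, not configuration from the original post or from the rsyslog project: it writes an equivalent RainerScript drop-in to /etc/rsyslog.d/10-mysql.conf (a file name chosen here) with a disk-assisted queue so rsyslog keeps spooling when the database is unavailable, binds UDP reception to one address (192.0.2.10 is a placeholder for the collector's own IP), gates the database action on facility so mail and cron noise stays out of the table without touching the file rules, locks the file down to root, and dry-runs the configuration with `rsyslogd -N1` where rsyslog is installed. It assumes an INSERT-only account named rsyslog_writer rather than the ALL-privilege account above, and it assumes you remove the legacy forwarding rule from rsyslog.conf so rows are not inserted twice.

```shell
#!/bin/sh
# Hardened ommysql drop-in for rsyslog v8. Added example, not from the post.
# Assumptions: DB account rsyslog_writer with INSERT on the Syslog tables;
# 192.0.2.10 stands in for the collector's own address; the legacy
# "*.* :ommysql:..." rule and the imudp/imtcp lines in rsyslog.conf stay
# commented out (a module may only be loaded once).

# Print the drop-in. Usage: render_mysql_dropin DB_PASSWORD [LISTEN_ADDR]
render_mysql_dropin() {
    pw=$1
    listen=${2:-192.0.2.10}
    cat <<EOF
# Database output; load here OR in rsyslog.conf, never in both
module(load="ommysql")

# Network reception: UDP bound to one address instead of 0.0.0.0. imtcp is
# bound to all interfaces here, so restrict 514/tcp in the host firewall.
module(load="imudp")
input(type="imudp" port="514" address="${listen}")
module(load="imtcp")
input(type="imtcp" port="514")

# Only the database action is gated; mail and cron still reach the files
# configured in the RULES section of rsyslog.conf.
if not (\$syslogfacility-text == "mail" or \$syslogfacility-text == "cron") then {
    # Disk-assisted queue: when MySQL is down, messages spool under the
    # work directory (/var/lib/rsyslog on CentOS) instead of blocking the
    # main queue, and the action retries until the server is back.
    action(type="ommysql" server="127.0.0.1" db="Syslog"
           uid="rsyslog_writer" pwd="${pw}"
           queue.type="LinkedList" queue.filename="mysqlq"
           queue.size="100000" queue.saveonshutdown="on"
           action.resumeRetryCount="-1" action.resumeInterval="10")
}
EOF
}

# Write the drop-in so that only root can read the embedded password.
# Usage: install_mysql_dropin DB_PASSWORD [LISTEN_ADDR] [TARGET_FILE]
install_mysql_dropin() {
    target=${3:-/etc/rsyslog.d/10-mysql.conf}
    ( umask 077; render_mysql_dropin "$1" "$2" > "$target" ) || return 1
    chmod 0600 "$target"
}

# Return 0 when FILE is mode 0600 or 0400 and owned by OWNER (default root).
# Usage: secret_file_is_private FILE [OWNER]
secret_file_is_private() {
    want_owner=${2:-root}
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    owner=$(stat -c '%U' "$1" 2>/dev/null) || return 1
    case "$mode" in 600|400) ;; *) return 1 ;; esac
    [ "$owner" = "$want_owner" ]
}

# Dry-run the whole configuration (rsyslog.conf plus every drop-in) before
# restarting; returns rsyslogd's status, or 0 with a note if it is absent.
validate_rsyslog_config() {
    command -v rsyslogd >/dev/null 2>&1 || { echo "rsyslogd not installed, skipping check"; return 0; }
    rsyslogd -N1
}
```

Typical use on the collector: `install_mysql_dropin 'PasswordHere' 192.0.2.10 && validate_rsyslog_config && service rsyslog restart`. The queue size of 100000 is a starting point; size it to the gap you are willing to buffer during a database outage.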
2- Install LogAnalyzer v4.1.3 Web Application
Adiscon LogAnalyzer is a web interface to syslog and other network event data. It provides easy browsing, analysis of real-time network events and reporting services.
Install Prerequisites
In order for LogAnalyzer to function correctly, a number of prerequisite packages need to be installed on our system.
- Apache
Install Apache:

```shell
yum install httpd
```

Start the service:

```shell
service httpd start
```

Make the service start automatically when the server reboots:

```shell
chkconfig httpd on
```

To make sure Apache is installed correctly, browse to http://your-server-ip/ and you should get the default Apache test page.
- PHP
Install PHP together with the MySQL and GD extensions LogAnalyzer uses:

```shell
yum install php php-mysql php-gd
```

After installing PHP, create a phpinfo page to confirm that Apache executes PHP:

```shell
nano /var/www/html/test.php
```

Type the following and save test.php:

```php
<?php
phpinfo();
?>
```

Restart the Apache service so it loads the PHP module:

```shell
service httpd restart
```

Browse to http://your-server-ip/test.php and you should get the phpinfo page. Delete test.php once you have seen it: phpinfo() reveals the server's paths, loaded modules and ini settings to anyone who can reach the page.
Install LogAnalyzer
Download LogAnalyzer v4.1.3 (the tarball comes over plain HTTP, so fetch it from the vendor site only and compare against the checksum published there if one is available):

```shell
wget http://download.adiscon.com/loganalyzer/loganalyzer-4.1.3.tar.gz
```

Extract the downloaded tar file:

```shell
tar zxvf loganalyzer-4.1.3.tar.gz
```

To make LogAnalyzer reachable through Apache, copy the application files into the web root:

```shell
cp -r loganalyzer-4.1.3/src/ /var/www/html/loganalyzer
cp -r loganalyzer-4.1.3/contrib/* /var/www/html/loganalyzer/
```

Allow execute permission on the configure.sh and secure.sh helper scripts:

```shell
cd /var/www/html/loganalyzer/
chmod +x configure.sh secure.sh
```

Run ./configure.sh. It creates an empty config.php that is world-writable so the web installer can write to it:

```shell
./configure.sh
```

Now finalise the LogAnalyzer installation through the web interface. Browse to http://your-server-ip/loganalyzer and follow the on-screen steps; when asked for the log source, choose a MySQL source and enter the Syslog database with the account created above. When the installer reports success, run ./secure.sh in the same directory: it makes config.php read-only again, which the installer cannot do for you.



Once you are done with the installation, you will have something like this:
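The tutorial makes secure.sh executable but never runs it, and the phpinfo() test page is still in the web root at this point. The function below is an added example, not code from the original post or from the LogAnalyzer project: it does what secure.sh does (config.php back to mode 644), deletes test.php, and, as an extra step of its own, removes the two helper scripts from the web root, then audits the result. It assumes the /var/www/html layout used above.

```shell
#!/bin/sh
# Post-install hardening for the LogAnalyzer web root. Added example, not from
# the original post or the LogAnalyzer project. WEBROOT defaults to the
# /var/www/html layout used in this tutorial.

# Usage: harden_loganalyzer [WEBROOT]
# 1. delete the phpinfo() test page, which discloses paths, modules and ini
#    settings to anyone who can reach the server
# 2. make config.php read-only again (configure.sh left it mode 666 so the
#    web installer could write it; this is what secure.sh does)
# 3. drop the two installer helper scripts from the web root (this example's
#    own extra step)
# Returns 1 if config.php is missing, i.e. the web install was never finished.
harden_loganalyzer() {
    webroot=${1:-/var/www/html}
    app="$webroot/loganalyzer"
    [ -f "$app/config.php" ] || { echo "no $app/config.php: finish the web install first" >&2; return 1; }
    rm -f "$webroot/test.php"
    chmod 0644 "$app/config.php"
    rm -f "$app/configure.sh" "$app/secure.sh"
    return 0
}

# Audit: return 0 only when the phpinfo page is gone, config.php exists and
# is not writable by group or other, and the helper scripts are gone.
# Usage: loganalyzer_is_hardened [WEBROOT]
loganalyzer_is_hardened() {
    webroot=${1:-/var/www/html}
    app="$webroot/loganalyzer"
    [ ! -e "$webroot/test.php" ] || return 1
    [ -f "$app/config.php" ] || return 1
    [ ! -e "$app/configure.sh" ] || return 1
    [ ! -e "$app/secure.sh" ] || return 1
    mode=$(stat -c '%a' "$app/config.php" 2>/dev/null) || return 1
    case "$mode" in 644|640|600|444|440|400) return 0 ;; *) return 1 ;; esac
}
```

Run `harden_loganalyzer && loganalyzer_is_hardened && echo ok` as root after the web installer reports success; re-run the audit after upgrades, since re-copying the source tree brings the helper scripts back.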


This concludes our tutorial for the installation of the latest versions of RSYSLOG v8 and LogAnalyzer v4 on CentOS 7. If you have any questions or suggestions, do not hesitate to use the comments section below.
Happy Logging!