Thursday, 28 July 2016

How to install and configure a SysLog Server

The following document describes how to install and configure a syslog server on CentOS 6.5. The steps below also apply to other distributions with minor adjustments (package names, init system, paths); check the corresponding distribution documentation for details.

The solution is based on three main components:

LAMP stack (Linux, Apache, MySQL, PHP)
Rsyslog server http://www.rsyslog.com/
LogAnalyzer http://loganalyzer.adiscon.com/

This guide assumes that SELinux and iptables are both disabled. That is acceptable for a lab, but a log server is a high-value target, so in production keep both enabled: allow httpd to reach the database (the httpd_can_network_connect_db SELinux boolean), open only the syslog port (514 TCP/UDP) and the web port in iptables, and check /var/log/audit/audit.log for denials. Refer to the corresponding documentation for details.

Apache

To install Apache Web server open a root command line and type:
[root@localhost ]# yum install httpd

Start the server:
[root@localhost ]# service httpd start

Set the server to start automatically at boot time:
[root@localhost ]# chkconfig httpd on

Test the Apache installation:

Open http://localhost or http://your-server-address in your web browser of choice and check that Apache is working. You should see the default Apache test page.

MySQL

To install the MySQL database server, open a root command line and type:
[root@localhost ]# yum install mysql mysql-server

Start the server:
[root@localhost ]# service mysqld start 

Set the server to start automatically at boot (the service is named mysqld, not mysql):
[root@localhost ]# chkconfig mysqld on 

Set the MySQL root password (the installation leaves it empty). Note that a password passed on the command line is recorded in the shell history; mysql_secure_installation sets it interactively and also removes the anonymous accounts and the test database:
[root@localhost ]# mysqladmin -u root password 'changeMe' 

Test the MySQL installation.

Log in to the database:
[root@localhost ]# mysql -u root -p 

You should see output like this:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights
reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input
statement.

mysql>

Type 'exit' to log out:

mysql> exit

PHP

To install PHP open a root command line and type:
[root@localhost ]# yum install php php-mysql

Create a simple test page to check the installation, using your editor of choice:
[root@localhost ]# nano /var/www/html/test.php

Insert the following content:
<?php 
    phpinfo(); 
?>

Save and close.

Restart the web server:
[root@localhost ]# service httpd restart

Open http://localhost/test.php or http://your-server-address/test.php in your web browser of choice. You should see the phpinfo() page listing the PHP version and loaded modules. Once PHP is confirmed to work, delete /var/www/html/test.php: phpinfo() discloses paths, versions and configuration to anyone who can reach the server.

Rsyslog

To install rsyslog together with its MySQL output module (the rsyslog-mysql package provides ommysql and the createDB.sql schema script used below), open a root command line and type:
[root@localhost ]# yum install rsyslog rsyslog-mysql

Start the server:
[root@localhost ]# service rsyslog start 

Set the server to start automatically at boot time:
[root@localhost ]# chkconfig rsyslog on

The rsyslog-mysql package ships a schema script, createDB.sql, that creates a database named Syslog. Edit it so the database is called rsyslogdb instead (the directory name contains the package version, 5.8.10 here; adjust it to the version installed):
[root@localhost ]# nano /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql

Change Syslog to rsyslogdb in the CREATE DATABASE and USE lines; the rest of the script stays as it is:
CREATE DATABASE rsyslogdb; 
USE rsyslogdb; 
CREATE TABLE SystemEvents ( 
[...]

Create the rsyslogdb database by running the script as the MySQL root user:
[root@localhost ]# mysql -u root -p < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql

Now you should be able to access the database:
[root@localhost ]# mysql -u root -p rsyslogdb

Create a dedicated user for the rsyslog database, so that neither rsyslog nor LogAnalyzer runs with the MySQL root account:
mysql> GRANT ALL ON rsyslogdb.* TO rsysloguser@localhost IDENTIFIED BY 'changeMe';

GRANT ALL is more than either component needs: rsyslog only needs INSERT on the tables it writes to (SystemEvents by default), and LogAnalyzer only needs SELECT on them for searching, plus rights on the tables it creates for its own user database if you enable that in the installer. In production, give each component its own account with only those privileges, and use a real password instead of changeMe.
 
mysql> FLUSH PRIVILEGES;

mysql> exit

Test that you can access the database with the new user:
[root@localhost ]# mysql -u rsysloguser -p rsyslogdb

Configure rsyslog to write its messages to MySQL.

Open the configuration file:
[root@localhost ]# nano /etc/rsyslog.conf

Uncomment the following lines so that rsyslog listens for syslog messages over UDP and TCP on port 514:
$ModLoad imudp 
$UDPServerRun 514 

# Provides TCP syslog reception 
$ModLoad imtcp 
$InputTCPServerRun 514 

Add the MySQL module:
$ModLoad ommysql

Add the rule that sends every message to the database:
*.* :ommysql:127.0.0.1,rsyslogdb,rsysloguser,changeMe

where:
127.0.0.1 - MySQL server address
rsyslogdb - rsyslog database name
rsysloguser - rsyslog database user
changeMe - rsyslog database user password

The password sits in clear text in this file, and /etc/rsyslog.conf is world-readable by default. Since rsyslogd runs as root on CentOS 6, nothing else needs to read it: either restrict the file to root (mode 600) or put this rule in its own root-only file under /etc/rsyslog.d/, which the default configuration includes.

Save and exit.

Restart rsyslog to load the new configuration:
[root@localhost ]# service rsyslog restart

You should now see log entries in the database:
[root@localhost ]# mysql -u rsysloguser -p rsyslogdb

mysql> select count(*) from SystemEvents;
+----------+
| count(*) |
+----------+
|        2 |
+----------+

The count should be greater than zero. If it is not, wait a few seconds for rsyslog to generate entries and run the query again; if it stays at zero, look in /var/log/messages for ommysql connection errors reported by rsyslogd.
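Because the ommysql rule embeds the database password, the permissions of the file holding it matter. The script below is an added example, not part of the original guide: it masks the password in any ommysql rules it finds in a configuration file and reports whether that file is readable by group or others. It assumes GNU stat (the -c option) and runs against a constructed copy of the guide's rule in a temporary file; on a real server point it at /etc/rsyslog.conf or at the file under /etc/rsyslog.d/ where you placed the rule.

```bash
#!/bin/bash
# Added example: find ommysql rules in an rsyslog configuration, mask the
# password they carry, and check that the file is not readable by group or
# others. Not part of the original guide. Assumes GNU stat (-c).

# Print each ommysql rule with the password replaced by asterisks.
# Rule format, as in the guide: <selector> :ommysql:<host>,<db>,<user>,<password>
rsyslog_ommysql_rules() {
    sed -n 's/^\([^#][^[:space:]]*\)[[:space:]][[:space:]]*:ommysql:\([^,]*\),\([^,]*\),\([^,]*\),.*$/\1 :ommysql:\2,\3,\4,********/p' "$1"
}

# Exit 0 and print OK when only the owner can read the file; exit 1 and print
# WARN when the group or other read bit is set; exit 2 if stat fails.
# rsyslogd runs as root on CentOS 6, so mode 600 is sufficient for it.
rsyslog_secret_perm_check() {
    local file=$1 mode grp oth
    mode=$(stat -c '%a' "$file") || return 2
    grp=$(( (10#$mode / 10) % 10 ))   # group digit; 10# stops a leading 0 meaning octal
    oth=$(( 10#$mode % 10 ))          # other digit
    if [ $(( grp & 4 )) -ne 0 ] || [ $(( oth & 4 )) -ne 0 ]; then
        echo "WARN $file is mode $mode: readable by group or others, use chmod 600"
        return 1
    fi
    echo "OK $file is mode $mode: readable by owner only"
}

# Offline demo on a constructed fragment that reproduces the guide's rule.
demo=$(mktemp)
printf '%s\n' '$ModLoad ommysql' \
    '*.* :ommysql:127.0.0.1,rsyslogdb,rsysloguser,changeMe' > "$demo"
chmod 644 "$demo"                      # the default mode of /etc/rsyslog.conf
echo "ommysql rules in $demo:"
rsyslog_ommysql_rules "$demo"
rsyslog_secret_perm_check "$demo" || chmod 600 "$demo"   # WARN, then fix it
rsyslog_secret_perm_check "$demo"                        # OK
rm -f "$demo"
# On the server: rsyslog_secret_perm_check /etc/rsyslog.conf
```

The check looks only at the read bits: a file that root can write but nobody else can read is what you want here, since the web server and any local user have no business seeing the collector's database credentials.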


Hint:

To send a test message to the collector over UDP, type:
[root@localhost ]# echo '<14>ip_address_here tag_here message here' | nc -v -u -w 0 127.0.0.1 514

The <14> prefix is the syslog PRI field: facility times 8 plus severity, here facility 1 (user) and severity 6 (informational). A fully formed RFC 3164 message also carries a timestamp (for example Jul 28 10:15:00) between the PRI and the hostname; rsyslog accepts the short form above and stamps it with the reception time.
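As an added example that is not part of the original guide, the following shell script builds a well-formed RFC 3164 message and can send it to the UDP or TCP listener configured above, which shows where the <14> in the one-liner comes from. The facility and severity tables are the standard syslog ones; the hostname and the tag rsyslog-test are placeholders, and the collector address and port in the comments are assumed to be 127.0.0.1 and 514 as in the guide.

```bash
#!/bin/bash
# Added example: build a well-formed RFC 3164 syslog message and send it to the
# collector set up in this guide. Not part of the original page.
# PRI = facility * 8 + severity, so "<14>" is facility 1 (user), severity 6 (info).

# Numeric code for a syslog facility name.
syslog_facility() {
    case "$1" in
        kern) echo 0 ;;   user) echo 1 ;;    mail) echo 2 ;;      daemon) echo 3 ;;
        auth) echo 4 ;;   syslog) echo 5 ;;  lpr) echo 6 ;;       news) echo 7 ;;
        uucp) echo 8 ;;   cron) echo 9 ;;    authpriv) echo 10 ;; ftp) echo 11 ;;
        local[0-7]) echo $(( 16 + ${1#local} )) ;;   # local0..local7 -> 16..23
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
}

# Numeric code for a syslog severity name.
syslog_severity() {
    case "$1" in
        emerg) echo 0 ;;   alert) echo 1 ;;   crit) echo 2 ;;   err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;;  info) echo 6 ;;   debug) echo 7 ;;
        *) echo "unknown severity: $1" >&2; return 1 ;;
    esac
}

# PRI value for a facility/severity pair: "user info" -> 14, "auth crit" -> 34.
syslog_pri() {
    local fac sev
    fac=$(syslog_facility "$1") || return 1
    sev=$(syslog_severity "$2") || return 1
    echo $(( fac * 8 + sev ))
}

# One RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG
# Arguments: facility severity hostname tag message [timestamp]
# The timestamp is "Mmm dd hh:mm:ss" (day space-padded); it defaults to now.
syslog_message() {
    local facility=$1 severity=$2 host=$3 tag=$4 msg=$5 ts=${6:-}
    local pri
    pri=$(syslog_pri "$facility" "$severity") || return 1
    [ -n "$ts" ] || ts=$(date '+%b %e %H:%M:%S')
    printf '<%s>%s %s %s: %s\n' "$pri" "$ts" "$host" "$tag" "$msg"
}

# Send a message to the collector over udp or tcp, matching the $UDPServerRun
# and $InputTCPServerRun listeners enabled in the guide. Requires nc.
# Arguments: transport server port facility severity hostname tag message
syslog_send() {
    local transport=$1 server=$2 port=$3
    shift 3
    local line
    line=$(syslog_message "$@") || return 1
    case "$transport" in
        udp) printf '%s\n' "$line" | nc -u -w 1 "$server" "$port" ;;
        tcp) printf '%s\n' "$line" | nc -w 1 "$server" "$port" ;;
        *) echo "transport must be udp or tcp" >&2; return 1 ;;
    esac
}

# Offline demo: the message the guide's one-liner would have sent, fully formed.
# Hostname and tag are placeholders; nothing is transmitted here.
syslog_message user info "${HOSTNAME:-localhost}" rsyslog-test "constructed test message"
# On the server from the guide you would send it with:
#   syslog_send udp 127.0.0.1 514 user info "$HOSTNAME" rsyslog-test "hello from nc"
```

Sending over TCP exercises the same path your clients will use once they forward with @@, so after a TCP test the row should appear in SystemEvents with the hostname and tag you passed, which is an easy way to tell collector problems from client problems.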

LogAnalyzer

Download the latest version of the software (3.6.5 when this document was written; newer releases are listed on the project site). The tarball is fetched over plain HTTP, so compare it against a checksum or signature published by the project, if one is available, before unpacking it:
[root@localhost ]# wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.5.tar.gz

Unpack the tarball:
[root@localhost ]# tar zxvf loganalyzer-3.6.5.tar.gz

Copy the application (src/) and the helper scripts (contrib/) to the web root:
[root@localhost ]# cp -r loganalyzer-3.6.5/src/ /var/www/html/loganalyzer
[root@localhost ]# cp -r loganalyzer-3.6.5/contrib/* /var/www/html/loganalyzer/

Change directory to the installation folder:
[root@localhost ]# cd /var/www/html/loganalyzer/

Make the two helper scripts executable:
[root@localhost ]# chmod +x configure.sh secure.sh

Now run ./configure.sh. It creates an empty config.php and makes it writable by everyone so that the web installer can fill it in; secure.sh, copied alongside it, reverts that permission once the web installer has finished.
[root@localhost ]# ./configure.sh

To complete the installation, open http://localhost/loganalyzer or http://your-server-address/loganalyzer in your web browser of choice. LogAnalyzer reports that it has not been configured yet and offers a link to the installer:

Click the here link to start the guided installation process:

Step 1

Simply click Next to start the process.

Step 2

Simply click Next to continue the process.

Step 3

Enable the user database so that the web interface requires a login, and fill in the database connection fields accordingly.

Step 4

Simply click Next to continue the process.

Step 5

Simply click Next to continue the process.

Step 6

Create a user for the LogAnalyzer web interface. The example uses admin/admin; on anything but a throwaway lab choose a strong, unique password, since this login is all that stands between the network and your logs. Fill the fields and click Next to continue the process.

Step 7

Create the first source for syslog messages. Select the MySQL database source type and enter the database created above (database rsyslogdb, user rsysloguser); the table name is SystemEvents, with exactly that capitalization (see Troubleshooting). Fill the fields and then click Next to continue the process.

Step 8

Simply click Next to continue the process.

The installation is complete. Before moving on, run ./secure.sh in /var/www/html/loganalyzer: it removes the world-writable permission that configure.sh put on config.php, which now contains your database credentials. The two helper scripts can then be deleted from the web root, as nothing needs them any more.

Step 9

Log in to the web UI with the credentials created in Step 6.

Step 10

Congratulations! You have successfully installed and configured your logging solution.
 

Client configuration

Install the rsyslog package on each client system.

For RHEL/CentOS clients:
# yum install rsyslog -y

For Debian/Ubuntu clients:
$ sudo apt-get install rsyslog

Open the rsyslog configuration file and add the server details:
# vi /etc/rsyslog.conf

Add the forwarding rule (replace 192.168.54.102 with your server's address; @@ forwards over TCP, a single @ over UDP, both to port 514 unless a :port suffix is given):
*.*     @@192.168.54.102

Then restart rsyslog so it picks up the rule, and make sure it starts at boot:
# service rsyslog restart 
# chkconfig rsyslog on

Keep in mind that plain TCP or UDP syslog is neither encrypted nor authenticated: any host that can reach port 514 on the server can inject messages, and anyone on the path can read them. Restrict access to the collector port at the firewall (this guide disabled iptables) and, for traffic that leaves a trusted network, use rsyslog's TLS transport (the gtls network stream driver).

Now go to the rsyslog server and check for the client's logs.

As you can see in the screenshot above, the client (a host named GitLab) has been added and its log entries are shown in the LogAnalyzer console.

Troubleshooting

After logging in you may receive the error message:
could not find the configured table, maybe misspelled or the table names are case sensitive

MySQL on Linux compares table names case-sensitively by default (lower_case_table_names = 0), and createDB.sql creates the table as SystemEvents, with exactly that capitalization. The error therefore usually means that the DBTableName value in LogAnalyzer's configuration uses different casing (for example systemevents). Open the configuration file and check the value:
# vi /var/www/html/loganalyzer/config.php

It must read SystemEvents. Once the DBTableName value is corrected, the system should work properly.
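To spot this mismatch without clicking through the UI again, the following shell script, an added example that is not part of the original guide or of LogAnalyzer, pulls every DBTableName out of a config.php and compares it against a list of table names, reporting the ones that differ only in case. The $CFG['Sources']['Source1']['DBTableName'] key layout is assumed from the config.php that LogAnalyzer 3.x generates; the table list in the demo is constructed from the two tables createDB.sql creates, and on a live server it would come from SHOW TABLES as shown in the comments.

```bash
#!/bin/bash
# Added example: compare the DBTableName values in LogAnalyzer's config.php
# with the tables that actually exist, and flag names that differ only in
# case. Not part of the original guide or of LogAnalyzer itself. The
# $CFG['Sources'][...]['DBTableName'] key layout is assumed from LogAnalyzer 3.x.

# Print every DBTableName value found in a config.php.
loganalyzer_table_names() {
    sed -n "s/^.*\['DBTableName'\][[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*$/\1/p" "$1"
}

# Print the exact-case table name that matches $1 case-insensitively among the
# remaining arguments; return 1 if none does.
match_table_case() {
    local wanted=$1 lw t
    shift
    lw=$(printf '%s' "$wanted" | tr '[:upper:]' '[:lower:]')
    for t in "$@"; do
        if [ "$(printf '%s' "$t" | tr '[:upper:]' '[:lower:]')" = "$lw" ]; then
            printf '%s\n' "$t"
            return 0
        fi
    done
    return 1
}

# For each configured table name: OK if it exists as written, FIX if it only
# differs in case (MySQL on Linux compares table names case-sensitively by
# default), MISS if it is absent. Returns 1 if anything needs attention.
# Arguments: path-to-config.php table-name...
# On a live server the table list would come from:
#   mysql -u rsysloguser -p rsyslogdb -N -e 'SHOW TABLES'
check_loganalyzer_tables() {
    local config=$1 name actual status=0
    shift
    for name in $(loganalyzer_table_names "$config"); do
        if printf '%s\n' "$@" | grep -qxF -- "$name"; then
            echo "OK   DBTableName '$name' exists"
        elif actual=$(match_table_case "$name" "$@"); then
            echo "FIX  DBTableName '$name' differs only in case; set it to '$actual'"
            status=1
        else
            echo "MISS DBTableName '$name' is not in the database"
            status=1
        fi
    done
    return "$status"
}

# Offline demo with a constructed config fragment and the two tables that
# createDB.sql creates.
demo=$(mktemp)
cat > "$demo" <<'EOF'
<?php
$CFG['Sources']['Source1']['SourceType'] = SOURCE_DB;
$CFG['Sources']['Source1']['DBTableName'] = 'systemevents';
EOF
check_loganalyzer_tables "$demo" SystemEvents SystemEventsProperties || true
rm -f "$demo"
# On the server:
#   check_loganalyzer_tables /var/www/html/loganalyzer/config.php \
#       $(mysql -u rsysloguser -p rsyslogdb -N -e 'SHOW TABLES')
```

The same FIX/MISS distinction is useful when a source points at a database where the schema was never loaded: a MISS means the table is absent altogether, not just misspelled, so the fix is createDB.sql rather than config.php.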