LogAnalyzer Setup
Note: this documents rsyslog >=5.8.x and loganalyzer >=4.1.5
Database Setup
Prerequisites
Rsyslog
MySQL/MariaDB: see MySQL/MariaDB Setup to make sure you have MySQL or MariaDB set up and running
Apache
PHP
1. Install rsyslog and PHP mySQL modules
# yum install rsyslog-mysql php-mysql
2. Create tables in MySQL
Note: this relies on already completing step 2 of Web Interface setup (below)
# mysql -p < /usr/share/doc/rsyslog-mysql-*/createDB.sql
3. Create a new MySQL user and grant the proper privs:
# mysql -p mysql
mysql> grant insert on Syslog.* to 'syslog-insert'@'localhost' identified by 'somepwA';
mysql> flush privileges;
Server rsyslog Setup
1. Save original version of rsyslog.conf
Note: do not overwrite if rsyslog.conf-original already exists; it should already be there from the company image, so this step is normally skipped
# cp -p /etc/rsyslog.conf /etc/rsyslog.conf-original
2. Update /etc/rsyslog.conf
Make sure the following is enabled/uncommented:
# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# backward compatibility layer added the following directive
$ModLoad imudp
# backward compatibility layer added the following directive
$UDPServerRun 514
Add the following lines to the end of the ModLoad/MODULES section:
# enable mySql plugin/module
$ModLoad ommysql
Add the following lines to the beginning of the logging/RULES section (before the #kern.* line):
# log all to mySql
*.* :ommysql:127.0.0.1,Syslog,syslog-insert,somepwA
3. Restart rsyslog service
# service rsyslog restart
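Once rsyslog is back up it is worth proving that a message actually lands in both places the configuration above writes to. The following script is an added example, not part of the original page: it emits a marker through the local syslog with logger(1), parses the resulting RSYSLOG_TraditionalFileFormat line from /var/log/messages, and counts matching rows in SystemEvents. The database check uses the 'syslog-read' user created in the Web Interface mySQL setup below and prompts for its password (bare -p) instead of taking it on the command line. It assumes logger is available (util-linux), that *.info still goes to /var/log/messages as in the stock config, and that the table and column names (SystemEvents, Message) are those created by createDB.sql. Run it with --run on the server; without arguments it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the page): end-to-end check that a local syslog
# message reaches /var/log/messages and the SystemEvents table.
# Assumes logger(1), the stock *.info -> /var/log/messages rule, and the
# table/column names created by rsyslog-mysql's createDB.sql.

LOGFILE="${LOGFILE:-/var/log/messages}"
TAG="logtest"

# parse_traditional_line LINE -> "host|tag|message" for a line in
# RSYSLOG_TraditionalFileFormat: "Mar  3 10:15:02 host tag[pid]: message".
# awk's default field splitting absorbs the double space in single-digit days.
parse_traditional_line() {
    printf '%s\n' "$1" | awk '{
        host = $4
        tag = $5
        sub(/\[[0-9]+\]:$/, "", tag)        # strip "[pid]:" when present
        sub(/:$/, "", tag)                  # or the bare trailing colon
        msg = ""
        for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
        print host "|" tag "|" msg
    }'
}

# db_count_sql MARKER -> SQL counting stored rows whose Message contains MARKER.
db_count_sql() {
    printf "SELECT COUNT(*) FROM SystemEvents WHERE Message LIKE '%%%s%%'" "$1"
}

# check_marker MARKER -> send MARKER via syslog, then report where it landed.
check_marker() {
    marker="$1"
    logger -t "$TAG" "$marker"
    sleep 1                                  # give rsyslog a moment to flush
    line=$(grep -F "$marker" "$LOGFILE" | tail -n 1)
    if [ -n "$line" ]; then
        echo "file:  $(parse_traditional_line "$line")"
    else
        echo "file:  marker not found in $LOGFILE" >&2
    fi
    echo "db:    rows matching marker (enter the syslog-read password):"
    mysql -u syslog-read -p -e "$(db_count_sql "$marker")" Syslog
}

if [ "${1:-}" = "--run" ]; then
    check_marker "rsyslog-check-$(date +%s)-$$"
fi
```

If the file shows the line but the database count is 0, the ommysql action is the part to look at (credentials in rsyslog.conf, the insert grant, or the module not loaded); if neither has it, the local rsyslog rules are at fault.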
Web Interface setup
1. Get latest loganalyzer package (http://loganalyzer.adiscon.com/)
2. Uncompress and move to proper RedHat/CentOS compatible locations
NOTE: 3.0.2 is probably not the version you're installing; please use the version you're installing in place of 3.0.2
# mkdir /tmp/work-syslog ; cd /tmp/work-syslog/
# tar xzvf loganalyzer-3.0.2.tar.gz
# mkdir /usr/share/loganalyzer-3.0.2 /usr/share/doc/loganalyzer-3.0.2
# mv loganalyzer-3.0.2/* /usr/share/doc/loganalyzer-3.0.2/
# mv /usr/share/doc/loganalyzer-3.0.2/src/* /usr/share/loganalyzer-3.0.2/
# mv /usr/share/doc/loganalyzer-3.0.2/doc/* /usr/share/doc/loganalyzer-3.0.2/
# rm -rf /usr/share/doc/loganalyzer-3.0.2/doc /usr/share/doc/loganalyzer-3.0.2/src /usr/share/loganalyzer-3.0.2/doc
# touch /usr/share/loganalyzer-3.0.2/config.php
# chown apache.apache /usr/share/loganalyzer-3.0.2/config.php
3. apache setup (we are assuming this is on a company image, which creates most of the needed files/configs)
3a. setup doc root
NOTE: syslog1 is the short hostname (hostname -s) of the system you are installing on
# cd /home/httpd/syslog1/
# rm -rf public_html
# ln -s /usr/share/loganalyzer-3.0.2 public_html
3b. setup vhost file
Add the following to /etc/httpd/conf/vhost-ssl.d/0-syslog1 (hostname -s) after ServerAdmin and before the proxy section:
<Directory /home/httpd/syslog1/public_html>
    Options FollowSymLinks
</Directory>
3c. enable php
# cp -p /etc/httpd/conf.d/php.conf /etc/httpd/conf.d-run/
3d. start up or restart apache and make sure it starts on boot
# service httpd restart
# chkconfig httpd on
Web Interface mySQL setup
1. setup user & permissions
# mysql -p
> grant select, update, insert, create, drop, alter on Syslog.* to 'syslog-read'@'localhost' identified by 'somepwB';
> flush privileges;
2. web interface configuration
2a. Go to the new URL (configured in Web Interface setup, step 3a) in a browser; you will get the following message:
Error, main configuration file is missing!
2b. Click 'here' on the following message:
Click here to Install Adiscon LogAnalyzer!
2c. Click 'next' on the following page:
Step 1 - Prerequisites
2d. Click 'next' on the following page:
Step 2 - Verify File Permissions
2e. Click 'next' on the following page:
Step 3 - Basic Configuration
2f. Fill in the following and click 'next':
Source Type: MYSQL Native
Database Name: Syslog
Database Tablename: SystemEvents
Database User: syslog-read
Database Password: somepwB
2g. Click 'here' on the following message:
Step 8 - Done
Click here to go to your installation.
Web Interface Fix
There was an issue (in older versions), seen more than once (possibly due to Apache or PHP settings), where config.php was populated but was not usable because some values were missing. In that situation the following had to be set by hand to give these options their default values:
1. fix config.php
1a. edit config.php
# vi /usr/share/loganalyzer-3.0.2/config.php
1b. set ViewMessageCharacterLimit
$CFG['ViewMessageCharacterLimit'] = 80;
1c. set ViewStringCharacterLimit
$CFG['ViewStringCharacterLimit'] = 30;
1d. set ViewEntriesPerPage
$CFG['ViewEntriesPerPage'] = 50;
1e. set ViewEnableDetailPopups
$CFG['ViewEnableDetailPopups'] = 1;
1f. set EnableIPAddressResolve
$CFG['EnableIPAddressResolve'] = 1;
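Editing config.php by hand on every affected install is easy to get wrong, so here is an added example (not code from the LogAnalyzer project or from this page) that checks config.php for the five settings above and appends the stated default for any that is missing, leaving existing assignments alone. It also sets the file to mode 600, since config.php holds the database password; that relies on the apache:apache ownership given in the install step, so the web server can still read it. The default path is the 3.0.2 location used above and can be overridden with the CONFIG environment variable. Run it with --run to modify the real file; without arguments it exercises itself on a constructed sample in a temporary directory.

```shell
#!/bin/sh
# Added example, not from LogAnalyzer or the page: make sure the five $CFG
# settings from the "Web Interface Fix" section exist in config.php.
# Assumes CONFIG points at the config.php created during install (3.0.2 path
# from the page) and that apache owns it, so chmod 600 keeps it readable by
# the web server and nobody else.

CONFIG="${CONFIG:-/usr/share/loganalyzer-3.0.2/config.php}"
CFG_KEYS="ViewMessageCharacterLimit ViewStringCharacterLimit ViewEntriesPerPage ViewEnableDetailPopups EnableIPAddressResolve"

# cfg_default KEY -> the default value listed in the fix section above.
cfg_default() {
    case "$1" in
        ViewMessageCharacterLimit) echo 80 ;;
        ViewStringCharacterLimit)  echo 30 ;;
        ViewEntriesPerPage)        echo 50 ;;
        ViewEnableDetailPopups)    echo 1 ;;
        EnableIPAddressResolve)    echo 1 ;;
        *) return 1 ;;
    esac
}

# cfg_has FILE KEY -> success if an uncommented $CFG['KEY'] = ... line exists.
cfg_has() {
    grep -Eq "^[[:space:]]*\\\$CFG\\['$2'\\][[:space:]]*=" "$1"
}

# cfg_ensure FILE -> append missing settings, restore the closing ?> if the
# file had one, tighten the mode, and print how many settings were added.
cfg_ensure() {
    file="$1"; added=0; tmp="$file.tmp.$$"; had_close=0
    if grep -q '^?>[[:space:]]*$' "$file"; then had_close=1; fi
    # Copy everything except a closing ?> so new lines stay inside PHP code.
    grep -v '^?>[[:space:]]*$' "$file" > "$tmp" || true
    # A file with no opening tag (e.g. freshly touched) needs one first.
    if ! grep -q '<?php' "$tmp"; then
        printf '<?php\n' | cat - "$tmp" > "$tmp.2" && mv "$tmp.2" "$tmp"
    fi
    for key in $CFG_KEYS; do
        if ! cfg_has "$tmp" "$key"; then
            printf "\$CFG['%s'] = %s;\n" "$key" "$(cfg_default "$key")" >> "$tmp"
            added=$((added + 1))
        fi
    done
    if [ "$had_close" -eq 1 ]; then printf '?>\n' >> "$tmp"; fi
    mv "$tmp" "$file"
    chmod 600 "$file"        # holds the DB password: owner (apache) only
    echo "$added"
}

if [ "${1:-}" = "--run" ]; then
    echo "added $(cfg_ensure "$CONFIG") setting(s) to $CONFIG"
else
    # Constructed sample: an installer-written config.php missing four of the five keys.
    demo=$(mktemp -d)
    cat > "$demo/config.php" <<'EOF'
<?php
$CFG['UserDBEnabled'] = false;
$CFG['ViewEntriesPerPage'] = 50;
?>
EOF
    echo "sample: added $(cfg_ensure "$demo/config.php") setting(s)"
    cat "$demo/config.php"
    rm -rf "$demo"
fi
```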
Purging mySQL database
This rsyslog configuration writes everything to a MySQL database as well as to the standard log files. The OS uses the logrotate process to manage the log files, but if you wish to manage or periodically purge the MySQL data, you can set up the following cron job (thanks to Michael Meckelein for posting this in a forum):
NOTE: you may want to set up another user which has delete permissions (like syslog-purge) to do the periodic cleanup for this cron job; the syslog-read user created above was not granted delete
mysql -u syslog-read -psomepwB -e "delete from SystemEvents where ReceivedAt < date_add(current_date, interval -28 day)" Syslog
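A password given on the command line is visible to anyone who can read the crontab or the process list while the job runs. The script below is an added example, not from the page or from the forum post it credits: the same 28-day purge, but with the credentials read from a root-only mysql option file via --defaults-extra-file, and the retention period validated before it is placed in the statement. It assumes a dedicated user 'syslog-purge' with DELETE on Syslog.SystemEvents, as the note above suggests (that grant is not shown on the page), and an option file path of /root/.syslog-purge.cnf. Use --init once to write the option file (it reads the password from stdin), --run from cron, or no arguments to see a demonstration against a constructed throw-away file.

```shell
#!/bin/sh
# Added example, not from the page or the forum post it credits: 28-day purge
# with credentials kept in a root-only option file instead of the command
# line. Assumes a 'syslog-purge' MySQL user holding DELETE on
# Syslog.SystemEvents (its grant is not part of the page).
#
# root crontab (path assumed): 30 2 * * * /usr/local/sbin/syslog-purge.sh --run

OPTFILE="${OPTFILE:-/root/.syslog-purge.cnf}"
RETENTION_DAYS="${RETENTION_DAYS:-28}"

# write_optfile FILE USER PASSWORD -> mysql option file, mode 600 from creation
# (umask is changed in a subshell so the rest of the script is unaffected).
write_optfile() {
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\nhost=localhost\n' "$2" "$3" > "$1" )
}

# purge_sql DAYS -> DELETE for rows received more than DAYS days ago; rejects
# anything that is not a whole number so nothing unexpected reaches the server.
purge_sql() {
    case "$1" in
        ''|*[!0-9]*) echo "purge_sql: retention must be a whole number of days" >&2; return 1 ;;
    esac
    printf 'DELETE FROM SystemEvents WHERE ReceivedAt < DATE_ADD(CURRENT_DATE, INTERVAL -%d DAY)' "$1"
}

# run_purge -> executes the purge. --defaults-extra-file has to be the first
# option on the mysql command line or mysql rejects it.
run_purge() {
    mysql --defaults-extra-file="$OPTFILE" -e "$(purge_sql "$RETENTION_DAYS")" Syslog
}

case "${1:-}" in
    --init)
        printf 'Password for syslog-purge: '
        IFS= read -r pw
        write_optfile "$OPTFILE" syslog-purge "$pw"
        echo "wrote $OPTFILE" ;;
    --run)
        run_purge ;;
    *)
        # Demonstration on a constructed option file (password value is made up).
        tmp=$(mktemp -d)
        write_optfile "$tmp/purge.cnf" syslog-purge somepwC
        echo "statement: $(purge_sql "$RETENTION_DAYS")"
        ls -l "$tmp/purge.cnf"
        rm -rf "$tmp" ;;
esac
```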
Recreating mySQL database
If you have to recreate the MySQL data from scratch:
1. make sure mysql is down
# service mysqld stop
2. wipe out all the data (make sure this is what you want to do, otherwise google how to repair innodb data)
# rm -rf /var/lib/mysql/* /var/lib/mysql/.my*
3. rebuild mysql & loganalyzer tables
Rerun the following steps from above:
Server mySQL Setup: steps 2-4
Web Interface mySQL setup: step 1
Client rsyslog Setup
1. In /etc/rsyslog.conf, add @sys.log.server.ip lines to the logging section, e.g.:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# centralized logging
*.*                                                     @172.160.135.160:514
2. Restart rsyslog service
# service rsyslog restart
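The single @ in the forwarding line above means plain UDP, which gives no delivery guarantee and no protection on the wire; @@ would select TCP. When auditing a fleet of clients it helps to see at a glance where each box ships its logs and over which transport. The script below is an added example, not from the page: it lists every classic forwarding rule ("selector @host[:port]" or "selector @@host[:port]") in an rsyslog.conf, filling in rsyslog's default port 514 when none is given, and counts the UDP ones. The "@(opts)host" variant, IPv6 "[addr]:port" targets and RainerScript action() blocks are not parsed. Run with --check against the real file (path overridable via RSYSLOG_CONF); without arguments it runs on a constructed sample built from the page's own forwarding line plus a TCP one.

```shell
#!/bin/sh
# Added example (not from the page): list where a client's rsyslog.conf ships
# logs and over which transport. Handles "selector @host[:port]" (UDP) and
# "selector @@host[:port]" (TCP) only; "@(opts)host", IPv6 "[addr]:port" and
# RainerScript action() rules are not parsed.

RSYSLOG_CONF="${RSYSLOG_CONF:-/etc/rsyslog.conf}"

# forward_targets FILE -> one line per forwarding rule: PROTO HOST PORT SELECTOR
forward_targets() {
    sed -e 's/#.*$//' "$1" | awk '
        $2 ~ /^@/ {
            target = $2; proto = "udp"
            if (substr(target, 1, 2) == "@@") { proto = "tcp"; target = substr(target, 3) }
            else { target = substr(target, 2) }
            port = 514                      # rsyslog default when no :port is given
            n = split(target, parts, ":")
            if (n == 2) { target = parts[1]; port = parts[2] }
            print proto, target, port, $1
        }'
}

# udp_target_count FILE -> number of rules forwarding over plaintext UDP.
udp_target_count() {
    forward_targets "$1" | awk '$1 == "udp"' | wc -l | tr -d ' '
}

if [ "${1:-}" = "--check" ] && [ -r "$RSYSLOG_CONF" ]; then
    forward_targets "$RSYSLOG_CONF"
    echo "udp forwarders: $(udp_target_count "$RSYSLOG_CONF")"
else
    # Constructed sample: the page's forwarding line plus a TCP destination.
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# centralized logging
*.*              @172.160.135.160:514
*.info;mail.none @@logs.example.com
authpriv.*       /var/log/secure
EOF
    forward_targets "$sample"
    echo "udp forwarders: $(udp_target_count "$sample")"
    rm -f "$sample"
fi
```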