LogAnalyzer Setup

From The Linux Source
Revision as of 13:24, 19 May 2017 by Support (Talk | contribs)

Jump to: navigation, search

Note: this documents rsyslog >=5.8.x and loganalyzer >=4.1.5

Database Setup

Prerequisites

Rsyslog
MySQL/MariaDB: See MySQL/MariaDB Setup to make sure you have MySQL or MariaDB set up/running
Apache
PHP

1. Install rsyslog and PHP mySQL modules

# yum install rsyslog-mysql php-mysql

2. Create tables in mySql
Note: this relies on already completing step 2 of Web Interface setup (below)

# mysql -p </usr/share/doc/rsyslog-mysql-*/createDB.sql

3. Create new mySql user and grant proper privs;

# mysql -p mysql
mysql> grant insert on Syslog.* to 'syslog-insert'@'localhost' identified by 'somepwA';
mysql> flush privileges;

Server rsyslog Setup

1. Save original version of rsyslog.conf
Note: do not overwrite if rsyslog.conf-original already exists, it should already be there from the company image, so this step is normally skipped

# cp -p /etc/rsyslog.conf /etc/rsyslog.conf-original

2. Update /etc/rsyslog.conf
Make sure the following is enabled/uncommented;

# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# backward compatibility layer added the following directive
$ModLoad imudp
# backward compatibility layer added the following directive
$UDPServerRun 514

Add the following line to end of ModLoad/MODULES section;

# enable mySql plugin/module
$ModLoad ommysql

Add the following line to the beginning of the logging/RULES section (before #kern.* line);

# log all to mySql
*.*       :ommysql:127.0.0.1,Syslog,syslog-insert,somepwA

3. Restart rsyslog service

# service rsyslog restart

Web Interface setup

1. Get latest loganalyzer package (http://loganalyzer.adiscon.com/)

2. Uncompress and move to proper RedHat/CentOS compatible locations
NOTE: 3.0.2 is probably not the version you're installing, please use the version you're installing in place of 3.0.2

# mkdir /tmp/work-syslog ; cd /tmp/work-syslog/
# tar xzvf loganalyzer-3.0.2.tar.gz
# mkdir /usr/share/loganalyzer-3.0.2 /usr/share/doc/loganalyzer-3.0.2
# mv loganalyzer-3.0.2/* /usr/share/doc/loganalyzer-3.0.2/
# mv /usr/share/doc/loganalyzer-3.0.2/src/* /usr/share/loganalyzer-3.0.2/
# mv /usr/share/doc/loganalyzer-3.0.2/doc/* /usr/share/doc/loganalyzer-3.0.2/
# rm -rf /usr/share/doc/loganalyzer-3.0.2/doc /usr/share/doc/loganalyzer-3.0.2/src /usr/share/loganalyzer-3.0.2/doc
# touch /usr/share/loganalyzer-3.0.2/config.php
# chown apache.apache /usr/share/loganalyzer-3.0.2/config.php

3. apache setup (we are assuming this is on a company image, which creates most of the needed files/configs)
3a. setup doc root
NOTE: syslog1 is the short hostname (hostname -s) of the system you are installing on

# cd /home/httpd/syslog1/
# rm -rf public_html
# ln -s /usr/share/loganalyzer-3.0.2 public_html

3b. setup vhost file
add the following to /etc/httpd/conf/vhost-ssl.d/0-syslog1 (hostname -s) after ServerAdmin and before proxy section

<Directory /home/httpd/syslog1/public_html>
   Options FollowSymLinks
</Directory>

3c. enable php

# cp -p /etc/httpd/conf.d/php.conf /etc/httpd/conf.d-run/

3d. start up or restart apache and make sure it starts on boot

# service httpd restart
# chkconfig httpd on

Web Interface mySQL setup

1. setup user & permissions

# mysql -p
> grant select, update, insert, create, drop, alter on Syslog.* to 'syslog-read'@'localhost' identified by 'somepwB';
> flush privileges;

2. web interface configuration
2a. go to the new URL (configured in; Web Interface setup, step 3a) in a browser, you will get the following message;

Error, main configuration file is missing!

2b. click 'here' on the following message;

Click here to Install Adiscon LogAnalyzer!

2c. click 'next' on the following page;

Step 1 - Prerequisites

2d. click 'next' on the following page;

Step 2 - Verify File Permissions

2e. click 'next' on the following page;

Step 3 - Basic Configuration

2f. Fill in the following and click 'next';

Source Type: MYSQL Native
Database Name: Syslog
Database Tablename: SystemEvents
Database User: syslog-read
Database Password: somepwB

2g. Click 'here' on the following message;

Step 8 - Done
Click here to go to your installation.

Web Interface Fix

There was an issue (in older vers), that appeared more than once (possibly due to apache or php settings), where a config was populated but was not usable due to missing values. The following needed to be set in this situation to configure these for the default values
1. fix config.php
1a. edit config.php

# vi /usr/share/loganalyzer-3.0.2/config.php

1b. set ViewMessageCharacterLimit

$CFG['ViewMessageCharacterLimit'] = 80;

1c. set ViewStringCharacterLimit

$CFG['ViewStringCharacterLimit'] = 30;

1d. set ViewEntriesPerPage

$CFG['ViewEntriesPerPage'] = 50;

1e. set ViewEnableDetailPopups

$CFG['ViewEnableDetailPopups'] = 1;

1f. set EnableIPAddressResolve

$CFG['EnableIPAddressResolve'] = 1;

Purging mySQL database

This rsyslog configuration writes everything to a mySql database, as well as to the standard log files. The OS has the logrotate process to manage the log files, but if you wish to manage or periodically purge the mySql data, you can set up the following cron job (thanks to Michael Meckelein for posting this in a forum):
NOTE: you may want to setup another user which has delete permissions (like syslog-purge) to do the periodic cleanup for this cron process

mysql -u syslog-read -p somepwA -e “delete from SystemEvents where ReceivedAt < date_add(current_date, interval -28 day)” Syslog

Recreating mySQL database

If you have to recreate mySQL data from scratch
1. make sure mysql is down

# service mysqld stop

2. wipe out all the data (make sure this is what you want to do, otherwise google how to repair innodb data)

# rm -rf /var/lib/mysql/* /var/lib/mysql/.my*

3. rebuild mysql & loganalyzer tables
Rerun the following steps from above

Server mySQL Setup; steps 2-4
Web Interface mySQL setup; step 1

Client rsyslog Setup

1. /etc/rsyslog.conf, add @sys.log.server.ip lines to logging section, ex;

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# centralized logging
*.* @172.160.135.160:514

2. Restart rsyslog service

# service rsyslog restart