Set Up Rsyslog and LogAnalyzer on CentOS Linux 5.5 for Centralized Logging
LogAnalyzer is a web based program that allows you to view event messages from a syslog source within your web browser. Rsyslog is a drop in replacement for the syslog daemon that among other things allows syslog messages to be saved in a MySQL database. Combining these two great programs and directing other network devices to forward syslog messages to a central server allows for a very powerful solution for searching and archiving event messages that occur throughout your network environment. In this example I will install rsyslog on a CentOS Linux 5.5 server to aggregate and collect syslog messages and configure LogAnalyzer on the same server to allow for a user friendly interface for viewing and searching through these messages.
First we need to install some required RPM’s. Since I am running LogAnalyzer, Rsyslog, and MySQL all on the same server I will install these required packages:
# yum install httpd php mysql php-mysql mysql-server wget rsyslog rsyslog-mysql
Now we’ll make sure MySQL and Apache are configured to start automatically and start them up:
# chkconfig mysqld on
# chkconfig httpd on
# service mysqld start
# service httpd start
By default the MySQL root database user is blank so for security we should set it now:
# mysqladmin -u root password NewPassword
Now let’s import the database schema for the rsyslog database into MySQL. You may need to adjust the path to your “createDB.sql” file below if the rsyslog version has been updated.
# mysql -u root -p < /usr/share/doc/rsyslog-mysql-3.22.1/createDB.sql
It is best practice to limit database access for applications, so now we’ll set up a user specifically for LogAnalyzer and rsyslog that we’ll use to access the newly created rsyslog database. For even greater security you may want to set up separate accounts for both rsyslog and LogAnalyzer, since LogAnalyzer is only viewing the rsyslog database fewer privileges like select should be needed. For my environment using the same user is adequate. Notice with MySQL you can make access very granular and specify to only allow the rsyslog user database access from the localhost. Also we’ll execute the “flush privileges” MySQL command to activate our permissions changes immediately.
# mysql -u root -p mysql
mysql> GRANT ALL ON Syslog.* TO rsyslog@localhost IDENTIFIED BY 'Password';
mysql> flush privileges;
Now it is time to edit the”/etc/rsyslog.conf” file. We’ll include information that will allow us to log syslog messages from rsyslog into the MySQL database. The first line loads the MySQL driver. The second line allows us to specify to log messages from the “authpriv” facility with all severities, which includes most log in/out messages and switch user events. If I wanted to log all messages to MySQL I would specify *.*. I have identified the MySQL database server to log to as 127.0.0.1, Syslog is the name of the MySQL database, and finally I have specified my MySQL rsyslog username and password. To specify additional syslog facility/severity combinations add them to the front of the second line and separate each combination with a semicolon (mail.*;authpriv.* :ommysql…). Remember that when you specify a severity that is the minimum level which will be logged, anything with a higher severity will also be logged. Add the code to the top of the file:
Now it’s time to shut down and disable the existing syslog daemon and enable and start up rsyslog:
# chkconfig syslog off
# service syslog stop
# chkconfig rsyslog on
# service rsyslog start
It is now time to go out to the web and download LogAnalyzer. To find information on the latest release go to http://loganalyzer.adiscon.com/downloads.
Or to download directly to your Linux server the version I am using enter this (wget is required):
# cd ~
# wget http://download.adiscon.com/loganalyzer/loganalyzer-3.0.0.tar.gz
Unzip and untar the LogAnalyzer files:
# tar zxvf loganalyzer-3.0.0.tar.gz
Now it is time to move various files and subdirectories to your Apache web document root. In this example I am assuming that this is still the Apache default of “/var/www/html”.
# mv loganalyzer-3.0.0/src /var/www/html/loganalyzer
# mv loganalyzer-3.0.0/contrib/* /var/www/html/loganalyzer/
Change to new LogAnalyzer web subdirectory, modify the file permissions on two scripts, and run the configure.sh script. This will create a blank config.php file which will be have information added during the web portion of the configuration.
# cd /var/www/html/loganalyzer
# chmod u+x configure.sh secure.sh