Tuesday, August 14, 2012

Installing and configuring a LogAnalyzer on an Ubuntu Server

This is a re-write of an article on Linux Journal that I found when researching the project. I've re-written it in my own words and added some content that was missing in the original article. A link to it can be found at the bottom of the page. 

1) Install Ubuntu Server with the SSH server and LAMP server options selected.
2) Run the following commands:
~ $ sudo -s
~ # apt-get update
~ # apt-get upgrade
~ # apt-get install php5-gd
~ # apt-get install rsyslog-mysql rsyslog-relp
You will be asked for your MySQL root password and then asked to create a password for rsyslog to use. This is the password rsyslog puts in its own config file to write into the Syslog database; you will need it again in step 7.
3) To accept logs from remote hosts, uncomment the following lines in /etc/rsyslog.conf:
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Both listeners accept messages from any host that can reach port 514, and UDP syslog carries no sender authentication, so restrict access to that port to your known log sources with a host firewall. Now, let's apply our changes:
~ #service rsyslog restart
4) Use your favorite editor and create /etc/rsyslog.d/relp.conf and enter the following in it:
$ModLoad imrelp
$InputRELPServerRun 20514
5) Make a working directory where rsyslog can store queue (spool) files if the database is unavailable.
~ # mkdir -p /var/rsyslog/work
Now add the following to /etc/rsyslog.conf, above the $IncludeConfig /etc/rsyslog.d/*.conf line: the $ActionQueue* directives apply to the next action defined after them, which should be the ommysql action that rsyslog-mysql installed in /etc/rsyslog.d/mysql.conf.
# Buffering stuff:
$WorkDirectory /var/rsyslog/work # default location for work (spool) files
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName dbq # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
~ # service rsyslog restart
6) Install LogAnalyzer. As of this writing the newest version is v3.4.4; download the tarball into your home directory, then:
~ # tar -xzf loganalyzer-3.4.4.tar.gz
~ # cd loganalyzer-3.4.4
~ # mkdir /var/www/logs
~ # cp -R src/* /var/www/logs/
~ # cp contrib/* /var/www/logs/
~ # cd /var/www/logs/
~ # chmod +x configure.sh secure.sh
~ # ./configure.sh
configure.sh creates an empty, writable config.php for the web installer to fill in. Once the installer in step 7 has finished, run ./secure.sh from the same directory to make config.php read-only again.
To enable LogAnalyzer's user authentication we need an empty database to store users in, and a database user with privileges on it.
~ # mysql -p
mysql> create database LogAnalyzerUsers;
mysql> show databases;
mysql> grant all on LogAnalyzerUsers.* to LAUser@'localhost' identified by '(pick a password)';
mysql> quit
7) Now open a web browser and go to http://<server IP>/logs/. You will be redirected to the installation script, which guides you through setting up LogAnalyzer.
On step 3, enable the user database, enter the database name, username and password created above, and enable "Require user to be logged in". On step 7 use the following settings:
Name the source something logical, since it is going to be the combined logs from all your servers.
Source Type = MYSQL Native
Select View = Syslog Fields
Table type = MonitorWare
Database Host = localhost
Database Name = Syslog (case sensitive)
Database Tablename = SystemEvents (case sensitive)
Database User = rsyslog
Database Password = (whatever you entered in step 2)
Enable Row Counting = no

Forwarding logs to LogAnalyzer:

Linux Servers:
Setting up your other boxes is fairly straightforward. For this example, assume the server you have been setting up is named "myserv". If you don't want to edit your hosts file, use the FQDN or the IP in place of myserv. If you are willing to run rsyslog on them, all you have to do is install the RELP output module (the rsyslog-relp package, which pulls in librelp):
sudo apt-get install rsyslog-relp
Then add the following to the rsyslog configuration file /etc/rsyslog.conf:
$ModLoad omrelp
# forward all messages to the remote server myserv on port 20514;
# the hostname must not be quoted
*.* :omrelp:myserv:20514;RSYSLOG_ForwardFormat
Then restart rsyslog (service rsyslog restart) on the client.
Windows servers:
If you want your Windows 2000 through Server 2008 machines to send logs to your new central log server, check out eventlog-to-syslog. Just download it, unzip it, copy evtsys.exe to C:\Windows\system32\ and run:
C:\Windows\system32>evtsys.exe -i -h ip.address.of.myserv
I tested the x64 version of this in a Windows 7 Enterprise virtual machine and it worked great.
Network Devices:
If you want to point your network devices at this server, remember that it is listening on port 514 for both TCP and UDP.
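To check that the server built above actually receives what the clients send, and to see what the RSYSLOG_ForwardFormat lines used in the forwarding rule look like on the wire, here is an added example (not code from the original article, from rsyslog or from LogAnalyzer). It builds a message in that format, sends it to the port 514 listeners over UDP and plain LF-framed TCP (not RELP), and parses lines back into facility, severity, host, program and PID. The PRI value decodes to facility*8+severity; those two integers are what rsyslog-mysql's default template writes into the Facility and Priority columns of Syslog.SystemEvents, which is what LogAnalyzer displays. It goes slightly beyond the article in also accepting the BSD "Mmm dd hh:mm:ss" timestamp that most network devices send. The hostname "myserv" is the article's; the sample lines and the tag "smoketest" are constructed for this example.

```python
"""Build, send and parse syslog lines in RSYSLOG_ForwardFormat.

Added example for this article, not code from the original post, rsyslog or
LogAnalyzer. RSYSLOG_ForwardFormat produces lines shaped like
    <PRI>RFC3339-TIMESTAMP HOSTNAME TAG MSG
PRI = facility * 8 + severity. Every sample line used here is constructed.
"""
import re
import socket
import sys
from datetime import datetime

# RFC 3164/5424 facility and severity names, indexed by their numeric codes.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>, then either an RFC 3339 timestamp (RSYSLOG_ForwardFormat) or a BSD one
# (RSYSLOG_TraditionalForwardFormat, most network devices), then host, tag, message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})"
    r"|[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2})"
    r" (?P<host>\S+)"
    r" (?P<tag>\S+)"
    r"(?: (?P<msg>.*))?$"
)
# syslogtag is "program" or "program[pid]" (the trailing colon is stripped first).
TAG_RE = re.compile(r"^(?P<prog>[^\[]+)(?:\[(?P<pid>\d+)\])?$")


def decode_pri(pri):
    """Split PRI into (facility, severity); anything above 191 is not valid syslog."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_syslog(line):
    """Parse one forwarded line into the fields LogAnalyzer shows for a SystemEvents row."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    tag = m["tag"].rstrip(":")  # rsyslog keeps the colon in %syslogtag%
    t = TAG_RE.match(tag)
    return {
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "timestamp": m["ts"],
        "hostname": m["host"],
        "program": t["prog"] if t else tag,
        "pid": int(t["pid"]) if t and t["pid"] else None,
        "message": m["msg"] or "",
    }


def build_forward_message(facility, severity, hostname, tag, msg, when=None):
    """Format a line the way RSYSLOG_ForwardFormat does: RFC 3339 local time with offset."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    when = when or datetime.now().astimezone()  # aware local time -> "+HH:MM" suffix
    return f"<{facility * 8 + severity}>{when.isoformat()} {hostname} {tag}: {msg}"


def send_udp(message, server, port=514):
    """One datagram to the imudp listener: unauthenticated and fire-and-forget."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode(), (server, port))


def send_tcp(message, server, port=514):
    """One LF-framed message to the imtcp listener (plain TCP syslog, not RELP)."""
    with socket.create_connection((server, port), timeout=5) as s:
        s.sendall(message.encode() + b"\n")


if __name__ == "__main__":
    # Usage: python3 syslog_smoketest.py myserv
    # Afterwards, on the server, confirm the two rows arrived:
    #   mysql -u rsyslog -p -e "SELECT ReceivedAt, FromHost, Facility, Priority, SysLogTag, Message
    #     FROM Syslog.SystemEvents ORDER BY ID DESC LIMIT 5"
    target = sys.argv[1] if len(sys.argv) > 1 else "myserv"  # "myserv" as in the article
    line = build_forward_message(1, 5, socket.gethostname(), "smoketest", "central syslog test")
    print(line, "->", parse_syslog(line)["facility_name"], parse_syslog(line)["severity_name"])
    send_udp(line, target)
    send_tcp(line, target)
```

Run it from a client once, then query SystemEvents as shown in the script's comment; a row with Facility 1 and Priority 5 (user.notice) per transport means both listeners from step 3 are working and the ommysql action is writing. If the UDP row arrives but the TCP one does not, a firewall is usually dropping TCP/514.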

Article source:

7 comments:

  1. One of the few guides that works, makes sense, and is clearly written. Huge thanks, DVR

  2. Awesome help! Thanks a lot!

  3. It almost worked. I just couldn't send logs from another Ubuntu to my new rsyslog because I was typing *.* :omrelp:"myserv":20514;RSYSLOG_ForwardFormat when I needed to type it without quotes!

  4. Dear Steve, it worked perfectly fine, but after a restart the browser prompts for the file to be saved. Kindly help in resolving the issue.

  5. Please, I need help. On the LogAnalyzer web interface, after configuration I got this message:

    Could not find the configured database

    Extra Error Details:
    mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead

  6. Could you help me:
    I'm looking for the RsyslogDefault Format for the client, because my logs are not formatted.

  7. In my IE I have this error: (Error, main configuration file is missing!)
