Syslog server with Rsyslog and LogAnalyzer in Ubuntu 12
Rumi, August 17, 2018

Installing Rsyslog from the repository

First make sure you have the latest updates for Ubuntu 12.04 LTS:

sudo apt-get update && sudo apt-get upgrade

Add the PPA repository:

sudo add-apt-repository ppa:adiscon/v8-devel

If you get the error "add-apt-repository: command not found", install the python-software-properties package first:

apt-get install python-software-properties

Update your apt cache and install rsyslog:

sudo apt-get update && sudo apt-get upgrade
sudo apt-get install rsyslog

Install the remaining dependencies (the rsyslog MySQL output module, MySQL, Apache, PHP and the build tools):

apt-get install rsyslog rsyslog-mysql unzip zip binutils cpp fetchmail flex gcc libc6-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ mysql-server mysql-client libmysqlclient15-dev apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-json php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

Enter a password for MySQL when the installation asks you for it.
Check that Apache and MySQL are listening on their ports:

netstat -tapn

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 25240/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 25844/apache2

Next, configure rsyslog to write every message into MySQL and to accept messages on port 514. Open the configuration file:

sudo vim /etc/rsyslog.conf

Load the MySQL output module and add an action that sends all messages to the database:

$ModLoad ommysql
*.* :ommysql:127.0.0.1,<SyslogDatabase>,<rsyslogUserName>,<rsyslogUserPassword>

Default values:

<rsyslogUserName>: rsyslog
<SyslogDatabase>: Syslog, created by default while the dependencies were installed
<rsyslogUserPassword>: the password entered while the dependencies were installed

Then add these lines to rsyslog.conf so that it receives syslog messages over TCP and UDP:

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

Restart the rsyslog service:

/etc/init.d/rsyslog restart

Check that rsyslog is now listening on TCP port 514:

netstat -ntap

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 25240/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 25844/apache2
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 27177/rsyslogd

Installing LogAnalyzer

First download the most recent build from http://loganalyzer.adiscon.com/downloads:

cd /usr/local/src
wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.5.tar.gz

Extract the archive:

tar zxvf loganalyzer-3.6.5.tar.gz

Move the contents of the loganalyzer-x.x.x/src/ folder to your web server root folder:

mv loganalyzer-3.6.5/src/* /var/www/

Change the ownership to the Apache user:

chown www-data:www-data -Rf /var/www/*

Copy the helper scripts from contrib/ and run the configure script:

cp loganalyzer-3.6.5/contrib/* /var/www/
chmod +x /var/www/configure.sh /var/www/secure.sh
cd /var/www/
./configure.sh

This creates an empty config.php and makes it writable by everyone. Now open http://<LogAnalyzerIP>/install.php in your favorite browser.
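The following script is an added example and is not part of the original post or of the rsyslog or LogAnalyzer projects. It audits the server side of the setup described above: it parses netstat -ntap style output (a constructed sample modelled on the listing above is embedded) to confirm that rsyslogd owns 514/tcp and that mysqld is bound to loopback only, and it checks that the rsyslog.conf carrying the ommysql action is readable only by its owner, because that action line stores the database password in clear text. All function names and the sample rows are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit the server side of the setup.
# Function and sample names are this example's own.

# Constructed sample of `netstat -ntap` output, modelled on the listing above.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      25240/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      25844/apache2
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      27177/rsyslogd'

# listener_is "<netstat text>" <local-addr:port> <program>
# Returns 0 when a LISTEN row for exactly that socket is owned by that program.
listener_is() {
    printf '%s\n' "$1" | awk -v sock="$2" -v prog="$3" '
        $6 == "LISTEN" && $4 == sock && $7 ~ ("/" prog "$") { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# mysql_exposed "<netstat text>"
# Returns 0 (true) when mysqld listens on anything other than loopback.
# rsyslog writes to 127.0.0.1, so nothing in this setup needs 3306 exposed.
mysql_exposed() {
    printf '%s\n' "$1" | awk '
        $6 == "LISTEN" && $7 ~ /\/mysqld$/ && $4 !~ /^127\./ { exposed = 1 }
        END { exit(exposed ? 0 : 1) }'
}

# ommysql_configured <rsyslog.conf>
# Returns 0 when the module is loaded and an ommysql action is present.
ommysql_configured() {
    grep -q '^\$ModLoad ommysql' "$1" && grep -q ':ommysql:' "$1"
}

# owner_only_readable <path>
# The ommysql action line carries the database password in clear text, so the
# file must not be readable by group or others. Returns 0 when that holds.
owner_only_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    g=$(( (mode / 10) % 10 ))   # group digit of the octal mode
    o=$(( mode % 10 ))          # others digit of the octal mode
    [ $(( g & 4 )) -eq 0 ] && [ $(( o & 4 )) -eq 0 ]
}

# Live usage on the server (uncomment to run against the real system):
#   listener_is "$(netstat -ntap 2>/dev/null)" 0.0.0.0:514 rsyslogd && echo "rsyslogd on 514/tcp"
#   owner_only_readable /etc/rsyslog.conf || echo "rsyslog.conf is readable by other users"
```

Run the functions against the live netstat output and /etc/rsyslog.conf once the server side is finished; a failure from owner_only_readable means any local user can read the MySQL credential that the ommysql line contains.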
Go through the installer by clicking "Next" until the configuration steps are finished. Don't forget to remove the installation file when you are done:

rm -f /var/www/install.php

Troubleshooting: if you get the error message "Syslog file is not readable, read access may be denied", add the www-data user to the adm group:

sudo vim /etc/group
adm:x:4:www-data

Then reload Apache:

service apache2 reload

Rsyslog client configuration

Install rsyslog on the client:

apt-get install rsyslog

In /etc/rsyslog.conf add the following lines:

$ActionQueueType LinkedList # run asynchronously
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionResumeRetryCount -1 # infinite retries if host is down

In the RULES section of /etc/rsyslog.conf add the following lines:

# Dump all messages to the remote logging server through TCP
*.* @@<LogAnalyzerIP>:514

Restart the rsyslog service:

/etc/init.d/rsyslog restart

Troubleshooting: if you are using OpenVZ with Proxmox VE you may see this kind of message in your /var/log/syslog file:

kernel: Cannot read proc file system: 1 - Operation not permitted.

Here is the fix:

sed -i -e 's/^\$ModLoad imklog/#\$ModLoad imklog/g' /etc/rsyslog.conf
service rsyslog restart

This is what you should get if your setup is successful:
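The script below is an added example, not code from the original post or from the rsyslog project. It wraps the client configuration and the OpenVZ fix above in functions that take the config file as a parameter, so the changes can be rehearsed on a scratch copy before /etc/rsyslog.conf is edited: add_forwarding appends the queue directives and the "*.* @@server:514" rule only once, count_forwarders reports how many forwarding rules the file holds, and disable_imklog applies the sed fix idempotently. The function names and the test values are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: manage the client-side settings on
# a config file passed as a parameter. Function names are this example's own.

# add_forwarding <conf-file> <server> [port]
# Appends the disk-assisted queue directives and the "*.* @@server:port" rule
# from the post. Idempotent: calling it twice for the same target adds nothing.
add_forwarding() {
    conf=$1; server=$2; port=${3:-514}
    case $server in
        ""|*[!A-Za-z0-9.-]*)
            echo "add_forwarding: server must be an IPv4 address or hostname" >&2
            return 2 ;;
    esac
    case $port in
        ""|*[!0-9]*)
            echo "add_forwarding: port must be numeric" >&2
            return 2 ;;
    esac
    if grep -q "^\*\.\* @@$server:$port\$" "$conf" 2>/dev/null; then
        return 0
    fi
    cat >>"$conf" <<EOF
\$ActionQueueType LinkedList   # run asynchronously
\$ActionQueueFileName fwdRule1 # unique name prefix for spool files
\$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
\$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
\$ActionResumeRetryCount -1    # infinite retries if host is down
# Dump all messages to the remote logging server through TCP
*.* @@$server:$port
EOF
}

# count_forwarders <conf-file>
# Prints how many "*.* @@..." forwarding rules the file contains.
count_forwarders() {
    grep -c '^\*\.\* @@' "$1" 2>/dev/null || true
}

# disable_imklog <conf-file>
# The OpenVZ fix from the post: comment out the kernel-log input module.
# Safe to repeat; returns 0 once no active "$ModLoad imklog" line remains.
disable_imklog() {
    sed -i -e 's/^\$ModLoad imklog/#\$ModLoad imklog/g' "$1"
    ! grep -q '^\$ModLoad imklog' "$1"
}

# Live usage on a client (uncomment to run against the real file):
#   cp /etc/rsyslog.conf /tmp/rsyslog.conf.test
#   add_forwarding /tmp/rsyslog.conf.test 192.0.2.10 && count_forwarders /tmp/rsyslog.conf.test
```

Because add_forwarding refuses to duplicate an existing rule, it can be re-run from a provisioning script without producing two copies of every message on the server; note that the @@ rule is plain TCP with no transport encryption, exactly as in the post, so the path between client and server should be a trusted network.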
Only configuration steps that have been verified to work are published on this blog. This document is fairly old: some of the packages may no longer be available, or a newer version of the SQL server may be installed, so you should look for a more recent guide.