Syslog server with Rsyslog and LogAnalyzer in Ubuntu 12

Installing Rsyslog from repository

First make sure you have the latest update of Ubuntu 12.04 LTS

sudo apt-get update && sudo apt-get upgrade

Adding PPA repository

sudo add-apt-repository ppa:adiscon/v8-devel

If you get this error: “add-apt-repository: command not found”

Try installing this python-software-properties package

apt-get install python-software-properties

Update your apt cache and install rsyslog

sudo apt-get update && sudo apt-get upgrade
sudo apt-get install rsyslog

Installing some dependencies

apt-get install rsyslog rsyslog-mysql unzip zip binutils cpp fetchmail flex gcc libc6-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ mysql-server mysql-client libmysqlclient15-dev apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-json php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

Enter the password for MySQL when the installation ask you for it.
Check that Apache and MySQL are listening on ports

netstat -tapn

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 25240/mysqld
tcp 0 0 0.0.0.0::80 0.0.0.0:* LISTEN 25844/apache2

Next we configure the rsyslog server to listen on TCP port 514:

sudo vim /etc/rsyslog.conf
$ModLoad ommysql
*.* :ommysql:127.0.0.1,<SyslogDatabase>,<rsyslogUserName>,<rsyslogUserPassword>

Default values:
<rsyslogUserName>: rsyslog
<SyslogDatabase>: Syslog , created by default during the installation process of the dependencies
<rsyslogUserPassword>: Password inserted during the installation process of the dependencies

Add these lines in the rsyslog.conf

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
$Modload imudp
$UDPServerRun 514

Restarting the rsyslog service

/etc/init.d/rsyslog restart

Checking that rsyslog is listening on TCP port 514

netstat -ntap

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 25240/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 25844/apache2
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 27177/rsyslogd

Installing the Log Analyzer

First download the most recent build from here: http://loganalyzer.adiscon.com/downloads

cd /usr/local/src
wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.5.tar.gz

Extracting the file

tar zxvf loganalyzer-3.6.5.tar.gz

Move loganalyzer-x.x.x/src/ folder to you webserver root folder

mv loganalyzer-3.6.5/src/* /var/www/

Changing user rights to Apache

chown www-data:www-data -Rf /var/www/*
cp loganalyzer-3.6.5/contrib/* /var/www/
chmod +x /var/www/configure.sh /var/www/secure.sh
cd /var/www/
./configure.sh

This will create a blank config.php, and will also set write access to everyone to it. Now open in your favorite browser http://<LogAnalyzerIP>/install.php. Go through the simple steps configuration “Next” till the configuration steps is finished. Don’t forget to remove the installation file when finished

rm -f /var/www/install.php

Troubleshoot:
If you get this error message: Syslog file is not readable, read access may be denied. Add use www-data to adm group

sudo vim /etc/group
adm:x:4:www-data

Reload Apache

service apache2 reload

Rsyslog Client Configuration

Install rsyslog-relp

apt-get install rsyslog

In /etc/rsyslog.conf add the following lines:

$ActionQueueType LinkedList # run asynchronously
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionResumeRetryCount -1 # infinite retries if host is down

In /etc/rsyslog.conf add the following lines in the RULES section:

# Dump all messages to the remote logging server through
*.* @@LogAnalayzerIP:514

Restart the RSyslog service

/etc/init.d/rsyslog restart

Troubleshoot:
If you are using OpenVZ with Proxmox VE you may have this king of message in your /var/log/syslog file:
kernel: Cannot read proc file system: 1 – Operation not permitted.
here’s the fix:

sed -i -e 's/^\$ModLoad imklog/#\$ModLoad imklog/g' /etc/rsyslog.conf
service rsyslog restart

This is what you should get if your setup is successful

Share

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.