Rsyslog and LogAnalyzer installation how-to

In my growing lab I have Zabbix for monitoring and alerting and Spacewalk for installation and management. Now I want to collect the logs from all systems and network devices in one place, browse them, and get reports and statistics. That is why I have implemented Rsyslog: it is capable of this task and is probably the most common log-collection tool. It can also be configured to write every gathered log line to a MySQL database, from which LogAnalyzer reads them and presents them in a comfortable, nice interface. Maybe later we will try something prettier like Graylog, but for now it is time to move on to our Rsyslog and LogAnalyzer installation how-to.

Rsyslog and LogAnalyzer installation how-to Step 1: Install MySQL

Before installing Rsyslog itself, it is logical to set up its backend first. Backend installation consists of: installing MySQL, running the initial configuration and creating the root password, creating the database for Rsyslog, and creating a user that is granted privileges on that database.

MySQL install:

Start and enable the MySQL service and run the initial configuration, where you set the root password and answer "Y" to every question it asks:

Now create the database for Rsyslog with the schema script that ships with Rsyslog's MySQL package:

Now log in to the MySQL console and create a user for this database, granting it all privileges on our Syslog database. Rsyslog itself only needs to INSERT rows, so a narrower grant would do for it; the full grant is used here because LogAnalyzer shares this user later on and needs to create its own tables in the same database:

Let's check that everything is OK by logging in to MySQL as our new user:
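The whole of Step 1 as one script, added here as an example and not taken from the original post. It assumes a CentOS/RHEL 7 style host (yum, systemd, MariaDB as the MySQL implementation), that the rsyslog-mysql package provides createDB.sql, which creates the "Syslog" database, and placeholder user names and passwords passed as arguments. It departs from the post in one way: it creates two users, an INSERT-only writer for Rsyslog and a full-rights application user for LogAnalyzer, instead of one user with all privileges.

```shell
#!/bin/sh
# Added example for Step 1 (not from the original post): the MySQL backend as a script.
# Assumptions: CentOS/RHEL 7 style host, rsyslog-mysql ships createDB.sql (creates the
# "Syslog" database), user names and passwords are placeholders given as arguments.
set -eu

SYSLOG_DB="Syslog"   # name created by createDB.sql; case-sensitive on Linux

# SQL for two users instead of one user with ALL PRIVILEGES:
#  - the writer (used by rsyslog's ommysql) can only INSERT into the event tables,
#  - the application user (used by LogAnalyzer) gets full rights on the Syslog database,
#    because the web wizard creates its own tables there in Step 5.
db_users_sql() {
    writer="$1"; writer_pw="$2"; app="$3"; app_pw="$4"
    cat <<EOF
CREATE USER '${writer}'@'localhost' IDENTIFIED BY '${writer_pw}';
GRANT INSERT ON ${SYSLOG_DB}.SystemEvents TO '${writer}'@'localhost';
GRANT INSERT ON ${SYSLOG_DB}.SystemEventsProperties TO '${writer}'@'localhost';
CREATE USER '${app}'@'localhost' IDENTIFIED BY '${app_pw}';
GRANT ALL PRIVILEGES ON ${SYSLOG_DB}.* TO '${app}'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Interactive part: runs only when invoked as
#   sh backend.sh apply <writer> <writer_pw> <app_user> <app_pw>
install_backend() {
    yum -y install mariadb-server mariadb rsyslog-mysql
    systemctl enable --now mariadb
    mysql_secure_installation      # sets the root password; answer Y to the other questions
    # createDB.sql location differs between package versions, so search for it
    schema=$(find /usr/share/doc -path '*rsyslog*' -name 'createDB.sql' | head -n 1)
    mysql -u root -p < "$schema"   # creates the Syslog database and its tables
    db_users_sql "$@" | mysql -u root -p
    # sanity check, as in the post: log in as the new writer user (password prompted,
    # not passed on the command line where it would show up in the process list)
    mysql -u "$1" -p -e "SHOW TABLES" "$SYSLOG_DB"
}

if [ "${1:-}" = "apply" ]; then
    shift
    install_backend "$@"
fi
```

Without the `apply` argument the script only defines the functions, so `db_users_sql` can be sourced and piped into `mysql -u root -p` on its own.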

Rsyslog and LogAnalyzer installation how-to Step 2: Rsyslog install

Now let's install Rsyslog itself. Download the repository definition and install the package (together with the MySQL output module package, rsyslog-mysql, which provides the module we load below):

Now we need to configure Rsyslog to receive logs over both TCP and UDP and to use the backend we set up in Step 1. Edit the Rsyslog configuration file:

Uncomment the lines that load the UDP and TCP input modules and start their listeners on port 514:

Add MySQL support by loading the MySQL output module:

Add a forwarding rule so that every received message is written to the MySQL database through that module:

Save and exit with :wq. Note that the configuration file now contains the database password in clear text, so keep it readable by root only. With the configuration done, start and enable the service:
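The receiver side of Step 2 written as a script, added as an example and not taken from the original post. It puts the configuration into a drop-in file in RainerScript syntax, which is equivalent to uncommenting the legacy `$ModLoad imudp` / `$UDPServerRun 514` / `$ModLoad imtcp` / `$InputTCPServerRun 514` lines and adding `$ModLoad ommysql` with the `:ommysql:` forwarding rule. It assumes rsyslog 7 or newer with rsyslog-mysql installed, that `/etc/rsyslog.d/*.conf` is included by the main configuration (the CentOS/RHEL default), and the "Syslog" database and user from Step 1; file path, user and password are parameters. Two things it adds that the bare forwarding rule lacks: a disk-assisted queue so a slow or restarting MariaDB does not stall or drop incoming logs, and root-only permissions on the file that holds the database password.

```shell
#!/bin/sh
# Added example for Step 2 (not from the original post): receiver-side rsyslog drop-in.
# Assumptions: rsyslog >= 7 with ommysql (rsyslog-mysql), /etc/rsyslog.d/*.conf included
# by the main config, "Syslog" database and credentials from Step 1.
set -eu

write_server_conf() {
    conf="$1"; db_user="$2"; db_pass="$3"   # password must not contain '"' or '$'
    cat > "$conf" <<EOF
# --- listeners: receive syslog from clients on 514/udp and 514/tcp ---
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# --- backend: every received message goes to the Syslog database ---
module(load="ommysql")
# The queue keeps messages on disk if MariaDB is slow or restarting instead of
# dropping them; resumeRetryCount=-1 retries forever rather than suspending the action.
*.* action(type="ommysql" server="localhost" db="Syslog"
           uid="${db_user}" pwd="${db_pass}"
           queue.type="LinkedList" queue.filename="ommysql_q"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
    # The file carries the database password in clear text: root-only.
    chmod 0600 "$conf"
}

# Usage when invoked as "sh server-conf.sh apply <db_user> <db_pass>":
if [ "${1:-}" = "apply" ]; then
    write_server_conf /etc/rsyslog.d/10-mysql.conf "$2" "$3"
    rsyslogd -N1                  # parse-check the complete configuration first
    systemctl enable --now rsyslog
    systemctl restart rsyslog     # pick up the new file if rsyslog was already running
fi
```

Run `rsyslogd -N1` before every restart: a syntax error in the drop-in otherwise leaves you with a collector that silently does nothing.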

Rsyslog and LogAnalyzer installation how-to Step 3: LogAnalyzer

Rsyslog writing to MySQL is only half of the job; now we need a comfortable, user-friendly interface, LogAnalyzer. But before we set it up we need a platform, and that is LAMP. The M, MySQL, we already have, so we need to install Apache as the web server and PHP support:

Apache:

PHP:

Everything is ready for the installation! Let's proceed with LogAnalyzer. Download the package:

Untar it and copy it to the www directory of the web server:

Now make the bundled configure script (contrib/configure.sh) executable and run it; it creates an empty, writable config.php for the web-based setup to fill in:

And, although I hate doing this, we need to temporarily disable SELinux to get through Step 2 of the web-based configuration wizard. After finishing the installation you can enable it again and leave it enforcing. The wizard only needs to write config.php, so the cleaner alternative is to keep SELinux on and give that one file a context httpd is allowed to write, such as httpd_sys_rw_content_t:

Rsyslog and LogAnalyzer installation how-to Step 4: Firewall

Forgot? Yes, we need to open the ports on which Rsyslog receives logs from other rsyslog clients, and add httpd to the ruleset. As we saw in the configuration, Rsyslog uses 514/TCP and 514/UDP. Open 514 only to the networks your clients live in: anything that can reach the port can inject arbitrary lines into the log database.
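Steps 3 and 4 as one script, added as an example and not taken from the original post. It unpacks LogAnalyzer into the web root, prepares config.php the way the bundled contrib/configure.sh does (an empty file that has to be writable by httpd only while the wizard runs), gives that single file an SELinux label httpd may write to instead of disabling SELinux, locks the file down again afterwards, and opens the firewall. It assumes the tarball unpacks to loganalyzer-<version>/ with the web files under src/, a web root given as an argument, firewalld as the firewall, package names as on CentOS 7 (httpd, php, php-mysql), and the client network passed as a CIDR.

```shell
#!/bin/sh
# Added example for Steps 3 and 4 (not from the original post).
# Assumptions: tarball layout loganalyzer-<version>/src, firewalld, CentOS 7 package
# names, web root / tarball / client network given as arguments.
set -eu

stage_loganalyzer() {
    tarball="$1"; target="$2/loganalyzer"
    tmp=$(mktemp -d)
    tar -xf "$tarball" -C "$tmp"
    src=$(ls -d "$tmp"/loganalyzer-*/src)
    mkdir -p "$target"
    cp -r "$src"/. "$target"/
    : > "$target/config.php"            # the wizard writes its settings here
    chmod 666 "$target/config.php"      # what contrib/configure.sh does; wizard-time only
    if selinuxenabled 2>/dev/null; then
        # targeted alternative to "setenforce 0": only config.php becomes httpd-writable
        chcon -t httpd_sys_rw_content_t "$target/config.php" \
            || echo "chcon failed: check the SELinux label of $target/config.php" >&2
    fi
    rm -rf "$tmp"
    echo "$target"
}

# Run once the wizard has finished: config.php becomes read-only again (what
# contrib/secure.sh does) and httpd loses write access at the SELinux level too.
secure_loganalyzer() {
    chmod 644 "$1/config.php"
    if selinuxenabled 2>/dev/null; then
        chcon -t httpd_sys_content_t "$1/config.php" \
            || echo "chcon failed: check the SELinux label of $1/config.php" >&2
    fi
}

# 514/udp and 514/tcp only from the client network, plus http for LogAnalyzer.
open_firewall() {
    clients="$1"
    for proto in udp tcp; do
        firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$clients\" port port=\"514\" protocol=\"$proto\" accept"
    done
    firewall-cmd --permanent --add-service=http
    firewall-cmd --reload
}

# sh deploy.sh apply <tarball> <webroot> <client-cidr>
if [ "${1:-}" = "apply" ]; then
    yum -y install httpd php php-mysql
    systemctl enable --now httpd
    dir=$(stage_loganalyzer "$2" "$3")
    open_firewall "$4"
    echo "run the web wizard now, then: secure_loganalyzer $dir"
fi
```

The 666 mode and the rw label exist only to get through the wizard; `secure_loganalyzer` is the step that gets forgotten, and a world-writable config.php that PHP includes on every request is exactly the kind of file you do not want left behind.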

Rsyslog and LogAnalyzer installation how-to Step 5: Web-Based configuration

At this point we are one step away from the finishing line. Open your favourite browser (mine is Edge, for I fanatically love Microsoft) and go to http://<IP-or-Hostname-Of-Server>/Loganalyzer (use the directory name you chose in Step 3; the path is case-sensitive).

You will see a warning that the configuration is missing. That is what we are here for, so proceed:

[Screenshot: LogAnalyzer1]

And then again, just click Next:

[Screenshot: LogAnalyzer2]

Now the tricky step. If you temporarily disabled SELinux you will see no error; if it is in Enforcing mode (and config.php has not been relabelled) you will get a "file not writeable" error:

[Screenshot: LogAnalyzer3]

In Step 3 we set up MySQL connectivity. Enter the credentials created in Step 1 and Syslog as the database name, and remember that it is case-sensitive:

[Screenshot: LogAnalyzer4]

Step 4: click Next to create the new tables:

[Screenshot: LogAnalyzer5]

Step 5: check that everything is OK and just click Next:

[Screenshot: LogAnalyzer6]

Step 6: create the user account for the service. This is the LogAnalyzer admin login, reachable by anyone who can reach httpd, so pick a strong password:

[Screenshot: LogAnalyzer7]

Step 7: on this screen you can just click Next:

[Screenshot: LogAnalyzer8]

And Step 8 confirms that everything is OK:

[Screenshot: LogAnalyzer9]

So that's it! We have Rsyslog writing to MySQL and a nice web interface, LogAnalyzer. Now let me say a few words about clients.

Rsyslog and LogAnalyzer installation how-to: On the client side

Linux Clients:
Here everything is simple; review Step 2. For a client install, install Rsyslog on the client machine and edit its configuration file. There is no need to load the MySQL module here. Uncomment the same lines as in Step 2 (strictly speaking a client only sends, so it does not need these listeners; leaving them commented out keeps port 514 closed on the client):

And the forwarding rule is simpler:

Do not forget to start and enable the service:
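The Linux client side as a script, added as an example and not taken from the original post. It writes the forwarding rule as a drop-in in RainerScript syntax; the legacy equivalents are `*.* @@server:514` for TCP and `*.* @server:514` for UDP. It assumes rsyslog 7 or newer on the client, `/etc/rsyslog.d/*.conf` included by the main configuration, and the collector's address given as an argument. Beyond the bare rule it adds a disk-assisted queue, so messages are buffered while the collector is unreachable rather than lost, and a quick end-to-end check with logger.

```shell
#!/bin/sh
# Added example for the Linux client section (not from the original post).
# Assumptions: rsyslog >= 7, /etc/rsyslog.d/*.conf included by the main config,
# collector address given as an argument.
set -eu

write_client_conf() {
    conf="$1"; server="$2"; proto="${3:-tcp}"
    case "$proto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    cat > "$conf" <<EOF
# Forward everything to the central collector. The disk-assisted queue buffers
# messages while the server is unreachable (otherwise a TCP outage means lost logs)
# and resumeRetryCount=-1 keeps retrying instead of suspending the action for good.
*.* action(type="omfwd" target="${server}" port="514" protocol="${proto}"
           queue.type="LinkedList" queue.filename="fwd_${server}"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# sh client.sh apply <server> [tcp|udp]
if [ "${1:-}" = "apply" ]; then
    write_client_conf /etc/rsyslog.d/20-forward.conf "$2" "${3:-tcp}"
    rsyslogd -N1
    systemctl enable --now rsyslog
    systemctl restart rsyslog
    logger -t fwdtest "client forwarding test"   # should show up in SystemEvents on the server
fi
```

To confirm the test line arrived, query the database on the server: `mysql -u <user> -p -e "SELECT FromHost, SysLogTag, Message FROM SystemEvents ORDER BY ID DESC LIMIT 5" Syslog`. Keep in mind that everything on port 514 travels in clear text, so on an untrusted network the messages can be read or forged in transit.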

Windows Clients:

With this type of client things get tricky. First of all, an Rsyslog client for Windows exists, but it is a trial. And that is not all: Rsyslog for Windows is too complicated. But there is another way! There are plenty of free syslog clients for Windows; a web search turns them up. For my network I chose Datagram Syslog Agent. It is simple, reliable and easy to configure. And it is fully free (which cannot be said of the server)!

First, download the package, unzip it and run it. You will see its only window:

[Screenshot: LogAnalyzer13]

Enter your syslog server's IP address, click Install, and then Start Service. Here you can also choose which event logs to forward, so that only information relevant to you is sent.

So that is the full walkthrough of implementing centralized log gathering with Rsyslog and LogAnalyzer!

Resources:

Datagram Syslog Agent Download

Rsyslog

LogAnalyzer