Wednesday, February 5, 2014

Installing central syslog using rsyslog and LogAnalyzer on CentOS 6.x


## important: installing gd gd-devel php-gd allows you to see nice graphs in loganalyzer
## (-y answers the install prompts; the packages come from whatever repositories are already enabled on this host)
yum install httpd php mysql php-mysql mysql-server wget rsyslog rsyslog-mysql gd gd-devel php-gd -y

Add the services to the startup list for runlevels 2, 3, 4 and 5:

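# Enable httpd and mysqld at boot ("on" covers runlevels 2-5); "$x" is quoted per ShellCheck SC2086.
for x in httpd mysqld ; do chkconfig "$x" on; done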

## start httpd (Apache will serve the LogAnalyzer web UI installed below)
service  httpd start

## change mySQL root pass
## first start mySQL service
service mysqld start

## Passing the new password as an argument leaves it in the shell history and in the
## process list while the command runs; mysql_secure_installation (shipped with
## mysql-server) prompts for it instead and also offers to drop the anonymous accounts and the test DB.
/usr/bin/mysqladmin -u root password 'yourpass';

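## prepare mySQL db for rsyslog
## you can find out the correct location of the schema using the command below; the exact
## package version differs per host, so query by package name (`rpm -q rsyslog-mysql` prints the version):
rpm -ql rsyslog-mysql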
/lib64/rsyslog/ommysql.so
/usr/share/doc/rsyslog-mysql-5.8.10
/usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql

Therefore, in my case:
## NOTE(review): this edits a packaged file under /usr/share/doc in place; a later package
## update may overwrite it, so copying createDB.sql to a working directory first keeps the original intact.
vi /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
and edit the top 2 lines so they reflect the database name you are actually using, rsyslogdb (the default is syslog):

CREATE DATABASE rsyslogdb;
USE rsyslogdb;

## create actual DB (-p prompts for the MySQL root password set above; the script runs the edited CREATE/USE lines)
mysql -u root -p < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql

## create mySQL db user specifically for LogAnalyzer and rsyslog.
## 'Password' is a placeholder: pick a real one and reuse it in the :ommysql: action line of rsyslog.conf.
## ALL on rsyslogdb.* is broader than the writer needs — rsyslog's ommysql normally only inserts
## rows, so an INSERT-only grant would be tighter (TODO confirm against the tables createDB.sql creates).
## The GRANT, password included, is written to ~/.mysql_history by the mysql client; clear it
## afterwards or start the client with MYSQL_HISTFILE=/dev/null.
mysql -u root -p mysql
mysql> GRANT ALL ON rsyslogdb.* TO rsyslog@localhost IDENTIFIED BY 'Password';
mysql> flush privileges;
mysql> exit

## Now we have to edit the rsyslog configuration file. I wanted to log all messages to MySQL,
## so I specify *.*. I have instructed rsyslog to log to MySQL running on 127.0.0.1,
## rsyslogdb is the name of the MySQL database, and I have specified the MySQL rsyslog username and password.
## Also, I have added the AllowedSender directive; this makes sure that rsyslog accepts logs from the clients
## on UDP as well as TCP port 514. Make sure your rsyslog.conf has the following lines.

# vi /etc/rsyslog.conf

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

$ModLoad ommysql
# Network listeners: UDP and TCP 514 accept messages from any host that the
# $AllowedSender lists below (and the firewall) let through. Neither transport is
# encrypted or authenticated here, and UDP source addresses are trivially forged,
# so treat $AllowedSender as a convenience filter rather than a security boundary.
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$ModLoad ommail   # loaded but not used by any action in this file

# NOTE(review): ommysql is already loaded above; this second $ModLoad is redundant
# (rsyslog appears to report a duplicate module load as an error at startup — confirm on your version).
$ModLoad ommysql
# Writes every message to MySQL. The DB password sits in clear text on this line, so keep
# /etc/rsyslog.conf readable by root only (e.g. mode 0600) and replace the placeholder
# 'Password' with the one used in the GRANT statement.
*.* :ommysql:127.0.0.1,rsyslogdb,rsyslog,Password
# Source filters for the listeners above; adjust the subnet to your client network.
$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.1.0/24
##

### make sure to adjust AllowedSender in /etc/rsyslog.conf to match your network
### (xxx.xxx.xxx.0/24 stands for a second client subnet — drop it if you only have one).
### These lines replace the 192.168.1.0/24 example above; if both sets end up in the file,
### the allowed lists are additive, so check that only the networks you intend are listed.
$AllowedSender UDP, 127.0.0.1, 192.168.3.0/24, xxx.xxx.xxx.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.3.0/24, xxx.xxx.xxx.0/24

## Install LogAnalyzer from http://loganalyzer.adiscon.com/downloads
## The tarball is fetched over plain HTTP with no integrity check: prefer the vendor's
## HTTPS URL if one is offered, and compare the archive against the checksum the vendor
## publishes (if any) before unpacking it into the web root.
wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.5.tar.gz
tar -zxvf loganalyzer-3.6.5.tar.gz
## src/ becomes the web application; contrib/ provides configure.sh and secure.sh used below
cp -rp loganalyzer-3.6.5/src /var/www/html/loganalyzer
cp -rp loganalyzer-3.6.5/contrib/* /var/www/html/loganalyzer/
cd /var/www/html/loganalyzer

## Move to the loganalyzer directory, modify the file permissions of the following 2 files, and run
## the configure.sh script. This will create a blank config.php file.
## NOTE(review): secure.sh is made executable here but never run in this walkthrough. The web
## installer needs to write config.php, so once the browser setup is finished tighten that file's
## ownership/permissions again (secure.sh looks intended for that — confirm with the LogAnalyzer docs).

cd /var/www/html/loganalyzer
chmod u+x configure.sh secure.sh
./configure.sh
## create database and user for loganalyzer
## The GRANT that follows (run at the mysql> prompt) is scoped to loganalyzerdb.* only — keep it
## that narrow. Replace the placeholder 'Password' with a real one, different from the rsyslog
## account's. If LogAnalyzer's log source is later configured with this account rather than the
## rsyslog one, it will also need SELECT on rsyslogdb.* (TODO confirm in the web setup).
mysqladmin  create loganalyzerdb -p
GRANT ALL ON loganalyzerdb.* TO loganalyzer@localhost IDENTIFIED BY 'Password';
Query OK, 0 rows affected (0.00 sec)
flush privileges;
Query OK, 0 rows affected (0.00 sec)

## This creates a 0-byte config.php; this is intentional, as the configuration will be done via the browser.
##Open your web browser and point it to http://Ip-Address/loganalyzer

# Follow the steps as per the on-screen instructions.
# I have included the 2 main screenshots you need to pay attention to.







##Open iptables for UDP and TCP port 514. Open the iptables file and add the following rules to it.
# vi /etc/sysconfig/iptables and add the following:
# As written these accept syslog from any source; adding -s <client-subnet> (matching the
# $AllowedSender lists) to each rule limits who can reach the listeners. Place them above the
# catch-all REJECT rule the default CentOS file ends with, otherwise they are never reached.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
## restart iptables service (reloads the rules from /etc/sysconfig/iptables; `iptables -L -n` shows what is active)
service iptables restart


#Configure clients for Remote Logging
## on the client host ( assuming you have rsyslogd installed)
vi /etc/rsyslog.conf
# '@@' forwards over TCP (a single '@' would use UDP); 192.168.3.4 is the central server.
# Messages travel in clear text on the wire, which is only acceptable inside a trusted LAN;
# rsyslog's TLS support is the option if that does not hold.
*.* @@192.168.3.4
service rsyslog restart

## Now it's a good time to restart the rsyslog central server as well
## (the new modules, listeners and the MySQL action only take effect after a restart)
service rsyslog restart