How to install Rsyslog with loganalyzer in Ubuntu

RSYSLOG is the rocket-fast system for log processing. It offers high-performance, great security features and a modular design. While it started as a regular syslogd, rsyslog has evolved into a kind of swiss army knife of logging, being able to accept inputs from a wide variety of sources, transform them, and output to the results to diverse destinations.

Adiscon LogAnalyzer is a web inter-face to syslog and other network event data. It provides easy browsing, analysis of realtime network events and reporting services.

This article explains the detailed steps to configure rsyslog with log analyzer in ubuntu server.

 

Installing Rsyslog server

Step1: Add PPA repository

#add-apt-repository ppa:adiscon/v8-devel

If you get this error: “add-apt-repository: command not found”, Try installing this python-software-properties package.

#apt-get install python-software-properties

Step2: Update apt cache

#apt-get update && sudo apt-get upgrade

Step3: Install rsyslog

#apt-get install rsyslog

Step4: Install dependency packages and complete the configurations

#apt-get install rsyslog rsyslog-mysql unzip zip binutils cpp fetchmail flex gcc libc6-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ mysql-server mysql-client libmysqlclient15-dev apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-json php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
Step5: Open rsyslog config file and complete the configuration

#vi /etc/rsyslog.conf

$ModLoad ommysql
*.* :ommysql:127.0.0.1,<SyslogDatabase>,<rsyslogUserName>,<rsyslogUserPassword>
$ModLoad imtcp
$InputTCPServerRun 1514
$Modload imudp
$UDPServerRun 1514

 

Note:

Default values:
<rsyslogUserName>: rsyslog
<SyslogDatabase>: Syslog , created by default during the installation process of the dependencies
<rsyslogUserPassword>: Password inserted during the installation process of the dependencies

 

Step6: Restart the rsyslog service
#/etc/init.d/rsyslog restart

 

Installing the Log Analyzer

Step1: Change the location
#cd /usr/local/src

Step2: Download the loganalyser package
#wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.5.tar.gz

Step3: Extract the downloaded file
#tar -xvf loganalyzer-3.6.5.tar.gz
Step4: Move extracted files to webserver root folder

#mv loganalyzer-3.6.5/src/* /var/www/
Step5: Change the ownership to apache
#chown www-data:www-data -Rf /var/www/*

Step6: Copy the install script to webserver root folder
#cp loganalyzer-3.6.5/contrib/* /var/www/

Step7: Assign execute permission to the install script

#chmod +x /var/www/configure.sh /var/www/secure.sh

Step8: Change the location to webserver root folder

#cd /var/www/

Step9: Run the install script

#./configure.sh

Step10: Open the below link in browser and complete the installation
http://<LogAnalyzerIP>/install.php
Step11: Remove the installation file when finished

#rm -f /var/www/install.php

 

Note:

If you get this error message: "Syslog file is not readable, read access may be denied"
Add use www-data to adm group
#vi /etc/group
adm:x:4:www-data
Reload Apache

 

Rsyslog Client Configuration

Step1: Install rsyslog package

#apt-get install rsyslog

Step2: Open rsyslog config file and update the configurations

#vi /etc/rsyslog.conf
$ActionQueueType LinkedList # run asynchronously
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionResumeRetryCount -1 # infinite retries if host is down
In /etc/rsyslog.conf add the following lines in the RULES section:
# Dump all messages to the remote logging server through
*.* @@LogAnalayzerIP:1514

Step3: Restart the RSyslog service
#/etc/init.d/rsyslog restart

 

That's all......

Leave a Reply

Your email address will not be published. Required fields are marked *