Today, we are going to explain how to set up a centralized log server using Rsyslog and LogAnalyzer on Ubuntu 16.04 LTS or Ubuntu 18.04 LTS, so that the logs of your client systems are collected in one place and stored in a MySQL database. You no longer have to visit each client system when you want to check its log files. This is useful when you have a large number of systems on your network and want to do log management from a dedicated central log server.
Environment:
For the purpose of this guide, we will use 2 servers: one running Ubuntu 16.04 LTS or Ubuntu 18.04 LTS acts as the rsyslog server with LogAnalyzer, and the other, running CentOS 7 or RHEL 7, acts as the rsyslog client.
Rsyslog Server:
OS: Ubuntu 16.04 LTS or Ubuntu 18.04 LTS
IP address: 192.168.1.200
Hostname: loganalyzer.yallalabs.com
Client Server:
OS: CentOS 7
IP Address: 192.168.1.201
Hostname: server01.yallalabs.com
1./ Install Prerequisites
– In order for LogAnalyzer to function correctly, you need to install a LAMP stack on the rsyslog server. Take a look at our previous tutorial that describes How To Install LAMP Stack (Linux, Apache, MySQL, PHP 7) On Ubuntu 16.04 / Ubuntu 18.04
– We also need to install the rsyslog-mysql package; use the command below to install it:
[root@loganalyzer ~]# apt-get install rsyslog-mysql
– When the installer prompts to configure the database, just choose No, because we are going to create the Syslog database manually.
2./ Configure Rsyslog Database
– Create the Syslog database:
[root@loganalyzer ~]# mysql -u root -p
mysql> CREATE DATABASE Syslog;
– Create a user to access the Syslog database:
mysql> GRANT ALL ON Syslog.* TO 'rsyslog'@'localhost' IDENTIFIED BY 'Password';
mysql> FLUSH PRIVILEGES;
mysql> exit
– Import the default database schema offered by Rsyslog using the below command:
[root@loganalyzer ~]# mysql -u rsyslog -D Syslog -p < /usr/share/dbconfig-common/data/rsyslog-mysql/install/mysql
3./ Configure Loganalyzer Users Database
- Create the Loganalyzer Users database:
[root@loganalyzer ~]# mysql -u root -p
MariaDB [(none)]> CREATE DATABASE loganalyzer;
- Create a user to access the Loganalyzer Users database:
mysql> GRANT ALL ON loganalyzer.* TO 'loganalyzer'@'localhost' IDENTIFIED BY 'Password';
mysql> FLUSH PRIVILEGES;
mysql> exit
4./ Configure Rsyslog Server
- Take a backup of the rsyslog.conf before editing it
[root@loganalyzer ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.org
[root@loganalyzer ~]# vi /etc/rsyslog.conf
- Find and uncomment the following lines so that the server listens for syslog messages on UDP and TCP port 514:
[...]
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
[...]
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
[...]
- To configure Rsyslog to write logs to the database, edit the mysql.conf file as below:
[root@loganalyzer ~]# vi /etc/rsyslog.d/mysql.conf
[..]
# Load the MySQL Module
$ModLoad ommysql
#*.* :ommysql:Host,DB,DBUser,DBPassword
*.* :ommysql:127.0.0.1,Syslog,rsyslog,Password
- If the server runs Ubuntu 18.04 LTS, the file uses the newer configuration syntax; make the following changes instead:
### Configuration file for rsyslog-mysql
### Changes are preserved
module (load="ommysql")
*.* action(type="ommysql" server="localhost" db="Syslog" uid="rsyslog" pwd="Password")
- Save and restart the rsyslog service
[root@loganalyzer ~]# systemctl restart rsyslog
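Before moving on to LogAnalyzer it is worth confirming that the collector really receives on port 514 and inserts rows into Syslog.SystemEvents. The following Python sender is an added example, not part of the original tutorial: it assumes the server address and port from the environment section above, builds a syslog line the way a client would (so you can see how the PRI value becomes the Facility and Priority columns), and returns the SQL to look the row up afterwards; table and column names are those of the imported rsyslog schema.

```python
import re
import socket
import time

# Collector address/port from the tutorial's environment section (assumed reachable).
COLLECTOR_HOST = "192.168.1.200"
COLLECTOR_PORT = 514


def build_syslog_message(facility, severity, hostname, tag, text):
    """Build a BSD-syslog (RFC 3164) line: <PRI>TIMESTAMP HOST TAG: MSG.
    PRI = facility*8 + severity; rsyslog splits it back into the Facility and
    Priority columns of SystemEvents when ommysql inserts the row."""
    pri = facility * 8 + severity
    t = time.localtime()
    ts = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{pri}>{ts} {hostname} {tag}: {text}".encode()


def parse_pri(line):
    """Decode the PRI field the way the receiver does: returns (facility, severity)."""
    m = re.match(rb"<(\d{1,3})>", line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI field")
    pri = int(m.group(1))
    return pri // 8, pri % 8


def send_syslog(payload, host=COLLECTOR_HOST, port=COLLECTOR_PORT, use_tcp=False):
    """Send one message over UDP (imudp) or TCP (imtcp); TCP records are LF-terminated."""
    if use_tcp:
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(payload + b"\n")
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (host, port))
    return len(payload)


def verification_query(tag):
    """Parameterised SQL to run against the Syslog database after sending;
    rsyslog stores the tag with its trailing colon, hence the LIKE pattern."""
    sql = ("SELECT ReceivedAt, FromHost, Facility, Priority, SysLogTag, Message "
           "FROM SystemEvents WHERE SysLogTag LIKE %s ORDER BY ID DESC LIMIT 5")
    return sql, (tag + "%",)


if __name__ == "__main__":
    msg = build_syslog_message(1, 6, "server01", "logtest", "collector check")
    send_syslog(msg)                # user.info over UDP
    send_syslog(msg, use_tcp=True)  # same message over TCP
    print(msg.decode(), verification_query("logtest"))
```

Run the returned query in the mysql client as the rsyslog user; if the two rows are missing, check that nothing else is bound to port 514 and that the ommysql credentials match the GRANT from step 2.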
5./ Install LogAnalyzer
- Download LogAnalyzer package from the official website
[root@loganalyzer ~]# cd /tmp
[root@loganalyzer ~]# wget http://download.adiscon.com/loganalyzer/loganalyzer-4.1.6.tar.gz
[root@loganalyzer ~]# tar -xzvf loganalyzer-4.1.6.tar.gz
- Create the LogAnalyzer directory under the Apache web directory:
[root@loganalyzer ~]# mkdir /var/www/html/loganalyzer
- Copy the installation files into the loganalyzer directory using the following command:
[root@loganalyzer ~]# cp -r /tmp/loganalyzer-4.1.6/src/* /var/www/html/loganalyzer
- Create a blank configuration file named config.php in the loganalyzer directory and give the www-data user write permission on it using the following commands:
[root@loganalyzer ~]# cd /var/www/html/loganalyzer
[root@loganalyzer ~]# touch config.php
[root@loganalyzer ~]# chown www-data:www-data config.php
[root@loganalyzer ~]# chmod 666 config.php
- Finally, change the owner of all files to www-data:
[root@loganalyzer ~]# chown www-data:www-data -R /var/www/html/loganalyzer/
6./ Start LogAnalyzer web installer
After completing the above steps, open the following URL in your favorite web browser to start the LogAnalyzer web installer.
http://rsyslog_server_ip/loganalyzer
- Just click Next
- Make sure config.php is writable and click Next
- Fill in the database details for LogAnalyzer, with the loganalyzer database name, user and password created in the third step, and click Next.
- Just click Next
- Just click Next
- Create an Administrator account and click Next.
- Fill in the Rsyslog database details created in the second step and click Next
- Click Finish
- Log in to LogAnalyzer using the user created in step number 6
- To configure a client to send its logs to your server, follow our previous articles:
- How To Setup A Centralized Log Server Using Rsyslog On CentOS7 / RHEL 7
- How to Setup A Centralized Log Server Using Rsyslog on Ubuntu 16.04 LTS
We hope this tutorial was helpful. If you need more information, or have any questions, just comment below and we will be glad to assist you!
15 comments
Hey Lotfi
Just followed your guide and installed 4.1.7, works great.
Just noticed after the install i had issues reading the syslog file – permissions etc. I did the following:
Add user www-data to adm group
#vi /etc/group
adm:x:4:www-data
Reload Apache
Then it worked perfect.
Great guide, thanks heaps!
Hi Ryan,
Thanks for coming to our website, we are so glad that you find our guides very helpful. Please subscribe to our newsletter and our YouTube channel.
Hello,
I followed the instructions fine, but using 4.1.7, which is the newest version for now, on Ubuntu 18.04 I came across two issues:
a. On step 3, after putting in the database credentials, step 4 is showing black pages; to resolve it you should install the module for connecting PHP and MySQL by running
sudo apt-get install php7.2-mysql -y
b. After finalizing the installation and logging in, you will get the “Cannot find configurable table … error”; to resolve it I changed the configuration in /var/www/html/loganalyzer/config.php
from
$CFG['Sources']['Source1']['DBTableName'] = 'systemevents';
to
$CFG['Sources']['Source1']['DBTableName'] = 'SystemEvents';
Thanks …. Hope will help someone
Hi Lotfi,
I have followed the instructions but after it succeeded I even got a message “content encoding error”
Could you please explain where you got the error while accessing the web interface?
Hello,
I am getting below error after logged in:-
COULD NOT FIND THE CONFIGURED DATABASE
Hi,
Make sure to put a correct name and password for your database
Hi Lotfi,
Is it possible to to separate the remote logs from the OS logs, maybe creating 2 different source on loganalyzer pointing to different tables on MySQL? If so, could you give an hint on how to configure it on rsyslog and MySQL. Thank you.
Hi Simone, unfortunately it’s not possible to separate the logs by using different tables. Maybe to reach this purpose you can use graylog2
I just want to comment on a few things where I made mistakes, in case someone is facing similar problems.
Error was: COULD NOT FIND THE CONFIGURED DATABASE
I made mistakes in config.php file:
1. DBname: syslog not Syslog like it should be
2. DBTableName: systemevents not SystemEvents like it should be
Overall really great post, working fine!
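The two comments above describe the same mistake: config.php pointing at "syslog" / "systemevents" while the schema imported in step 2 creates the database "Syslog" and the table "SystemEvents". The following checker is an added example, not part of the tutorial or of LogAnalyzer: it parses the Source entries of a config.php and reports any value that differs from the names the schema creates. The sample config lines are constructed; the key names are those LogAnalyzer's config.php uses.

```python
import re
import sys

# Names created by the rsyslog schema the tutorial imports. On Linux, MySQL and
# MariaDB compare table names case-sensitively by default (lower_case_table_names=0),
# so "systemevents" does not match "SystemEvents".
EXPECTED = {"DBName": "Syslog", "DBTableName": "SystemEvents"}

# Constructed sample of the relevant config.php lines (not a complete file).
SAMPLE_CONFIG = """
$CFG['Sources']['Source1']['ID'] = 'Source1';
$CFG['Sources']['Source1']['DBName'] = 'syslog';
$CFG['Sources']['Source1']['DBTableName'] = 'systemevents';
$CFG['Sources']['Source1']['DBUser'] = 'rsyslog';
"""

_LINE = re.compile(r"\$CFG\['Sources'\]\['(\w+)'\]\['(\w+)'\]\s*=\s*'([^']*)';")


def parse_sources(text):
    """Map each Source id to its key/value settings from the PHP assignments."""
    sources = {}
    for src, key, val in _LINE.findall(text):
        sources.setdefault(src, {})[key] = val
    return sources


def check_sources(text, expected=EXPECTED):
    """Return (source, key, found, expected) for every setting that is missing or
    differs (including case-only differences) from what the schema created."""
    problems = []
    for src, keys in parse_sources(text).items():
        for key, want in expected.items():
            got = keys.get(key)
            if got != want:
                problems.append((src, key, got, want))
    return problems


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONFIG
    for src, key, got, want in check_sources(text):
        print(f"{src}: {key} is {got!r}, schema has {want!r}")
```

Run it as `python3 check_config.py /var/www/html/loganalyzer/config.php` on the server; no output means the Source names match the schema.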
Hello, I followed this guide to set up my central LogAnalyzer. All worked fine. I am looking for the option to configure clients to send logs to the server.
Thank a lot
Hi,
check the second part “Client configuration” of this guide https://yallalabs.com/linux/how-to-setup-a-centralized-log-server-using-rsyslog-on-ubuntu-16-04-lts/
Works great!
Thanks for the tutorial; following it I had to change only one thing, editing this file:
/etc/php/7.4/apache2/php.ini
and enabling the mysqli extension, otherwise I receive this error:
PHP Warning: mysqli_error() expects parameter 1 to be mysqli
Thanks
Ciao Alessandro,
Thanks for finding this; we appreciate your comment a lot.