Environment:
For the purpose of this guide we use two CentOS 7 servers: one acts as the rsyslog server and hosts LogAnalyzer, the other acts as a client that forwards its logs to it.
Rsyslog Server :
OS: CentOS 7
IP address: 192.168.1.200
Hostname: loganalyzer.yallalabs.com
Client Server:
OS: CentOS 7
IP Address: 192.168.1.201
Hostname: server01.yallalabs.com
1./ Install Prerequisites
– For LogAnalyzer to function correctly, a number of prerequisite packages need to be installed on the system.
– Install the httpd and PHP packages:
# sudo yum install httpd php php-mysql wget
– Enable httpd at boot and start it (note that both commands need sudo):
# sudo systemctl enable httpd && sudo systemctl start httpd
– If firewalld is installed, you have to allow the http service:
# sudo firewall-cmd --permanent --add-service=http
# sudo firewall-cmd --reload
– Install the MariaDB server and the rsyslog-mysql package (the latter provides the ommysql output module and the database schema used below):
# sudo yum install -y mariadb-server rsyslog-mysql
– Enable MariaDB at boot and start it:
# sudo systemctl enable mariadb && sudo systemctl start mariadb
2./ Configure RSYSLOG Database
– Import the default database schema shipped with rsyslog-mysql using the command below. If you have not yet set a MariaDB root password, do that first with mysql_secure_installation. The version in the path is that of the installed rsyslog, so adjust it to match your system (rpm -ql rsyslog-mysql | grep createDB prints the exact path):
# mysql -u root -p < /usr/share/doc/rsyslog-7.4.7/mysql-createDB.sql
- Create a user to access the Syslog database. Replace 'Password' with a strong password of your own; the account is limited to connections from localhost, which is all rsyslog and the web UI on this server need:
# mysql -u root -p
MariaDB [(none)]> GRANT ALL ON Syslog.* TO 'rsyslog'@'localhost' IDENTIFIED BY 'Password';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> exit
- Back up the rsyslog configuration and open it for editing:
# sudo cp /etc/rsyslog.conf /etc/rsyslog.conf.org
# sudo vi /etc/rsyslog.conf
- Find and uncomment the following lines so that the server listens for syslog messages on UDP and TCP port 514. Both transports are cleartext and UDP messages are trivially spoofable, so only expose the port to the network your clients sit on (the imtcp module also supports TLS if you need an authenticated, encrypted transport):
[...]
$ModLoad imudp
$UDPServerRun 514
[...]
$ModLoad imtcp
$InputTCPServerRun 514
[...]
- Add the following lines to load the MySQL output module and create a rule that writes every message into the database. The action has the form :ommysql:<db host>,<db name>,<db user>,<db password>, so the user and password must be exactly the ones from the GRANT above; if rsyslogd later logs "db error (1045): Access denied for user 'rsyslog'@'localhost'", they do not match. Because this puts the database password in cleartext into the configuration, consider placing the action in its own file under /etc/rsyslog.d/ with mode 0600 (rsyslog.conf includes that directory by default):
[...]
# Load the MySQL Module
module(load="ommysql")
[...]
#*.* :ommysql:127.0.0.1,Syslog_Database,syslog_user,password
*.* :ommysql:127.0.0.1,Syslog,rsyslog,Password
- Save the file and restart the rsyslog service:
# sudo systemctl restart rsyslog
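The queries below are an added example and are not part of the original guide. They check that rsyslog is really writing into MariaDB after the restart, split the single rsyslog account the guide creates into an INSERT-only writer for rsyslog and a separate account for the LogAnalyzer web installer, and show how to keep the events table from growing without bound. They assume the default schema from mysql-createDB.sql (database Syslog, table SystemEvents with the ReceivedAt, FromHost, SysLogTag and Message columns) and that a test message was generated on the server with `logger -t dbtest "hello from rsyslog"`. The account names rsyslog_writer and loganalyzer and the two placeholder passwords are assumptions made for this example.

```sql
-- Added example (not from the original guide). Run as the MariaDB root user:
--   mysql -u root -p
-- Assumes the default schema from mysql-createDB.sql (database Syslog,
-- table SystemEvents). Account names and passwords below are placeholders.

USE Syslog;

-- 1. Is anything being written at all? After running
--      logger -t dbtest "hello from rsyslog"
--    on the server, the test message must show up here. If it does not,
--    check "systemctl status rsyslog" and the journal for ommysql errors
--    (a "db error (1045)" means the credentials in rsyslog.conf are wrong).
SELECT ID, ReceivedAt, FromHost, SysLogTag, Message
FROM SystemEvents
WHERE SysLogTag LIKE 'dbtest%'
ORDER BY ID DESC
LIMIT 5;

-- 2. Which hosts are sending, and when was each last heard from?
--    A client whose last_seen is hours old is down, blocked by the
--    firewall, or no longer forwarding to this server.
SELECT FromHost, COUNT(*) AS events, MAX(ReceivedAt) AS last_seen
FROM SystemEvents
GROUP BY FromHost
ORDER BY last_seen DESC;

-- 3. Least privilege. The default ommysql template only INSERTs into
--    SystemEvents, so the account named in rsyslog.conf does not need ALL.
--    The web installer, on the other hand, creates its own logcon_* tables
--    in the same database and needs broader rights. Give each its own
--    account instead of sharing one.
GRANT INSERT ON Syslog.SystemEvents TO 'rsyslog_writer'@'localhost'
    IDENTIFIED BY 'WriterPassword';          -- placeholder, choose your own
GRANT ALL ON Syslog.* TO 'loganalyzer'@'localhost'
    IDENTIFIED BY 'UiPassword';              -- placeholder, choose your own
FLUSH PRIVILEGES;

-- 4. Retention. SystemEvents only has a primary key on ID, so a date-based
--    cleanup needs an index on ReceivedAt. Delete in bounded batches and
--    repeat until 0 rows are affected, rather than one huge DELETE that
--    holds locks while rsyslog keeps inserting.
ALTER TABLE SystemEvents ADD INDEX idx_receivedat (ReceivedAt);
DELETE FROM SystemEvents
WHERE ReceivedAt < NOW() - INTERVAL 90 DAY
LIMIT 10000;
```

If you adopt the split accounts, change the ommysql action in rsyslog.conf to `*.* :ommysql:127.0.0.1,Syslog,rsyslog_writer,WriterPassword`, restart rsyslog, and enter the loganalyzer account (not the rsyslog one) when the web installer asks for database details in step 4. The retention batch is something to put in a cron job; pick the 90-day window according to how long you are required to keep the logs.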
3./ Install LogAnalyzer
- Download and extract LogAnalyzer (this guide uses version 4.1.10; set VERSION to the release you want so the three commands stay consistent):
# VERSION=4.1.10
# sudo wget http://download.adiscon.com/loganalyzer/loganalyzer-${VERSION}.tar.gz -P /tmp
# sudo tar -xzvf /tmp/loganalyzer-${VERSION}.tar.gz -C /tmp
- Create the LogAnalyzer Directory under the apache web directory:
# sudo mkdir /var/www/html/loganalyzer
- Copy the installation files (the contents of src/, not the directory itself) and the configure.sh helper into the loganalyzer directory using the following commands:
# sudo cp -r /tmp/loganalyzer-${VERSION}/src/* /var/www/html/loganalyzer
# sudo cp /tmp/loganalyzer-${VERSION}/contrib/configure.sh /var/www/html/loganalyzer
- Create a blank configuration file named config.php in the loganalyzer directory and give the apache user write permission to it. The configure.sh script creates the empty file and sets mode 666 (the web installer stops with "file './config.php' File does NOT exist!" if it is missing), and the chcon command gives it the SELinux context that lets httpd write to it:
# cd /var/www/html/loganalyzer
# sudo bash configure.sh
# sudo chcon -h -t httpd_sys_script_rw_t config.php
- Allow syslog and web traffic to your server by executing the following commands:
# sudo firewall-cmd --add-port=514/{tcp,udp} --permanent
# sudo firewall-cmd --add-service=http --permanent
# sudo firewall-cmd --reload
4./ Start the LogAnalyzer web installer
After completing the above steps, open the following URL in your favorite web browser to start the LogAnalyzer web installer (from another machine use the server's address instead of localhost, i.e. http://192.168.1.200/loganalyzer; if the browser only shows a directory listing, the files from src/ were not copied into the loganalyzer directory):
http://localhost/loganalyzer
- Just click Next.
- Make sure config.php is reported as writable and click Next.
- Fill in the database details for LogAnalyzer's own tables with the rsyslog database name, user and password created in the previous steps and click Next.
- Just click Next.
- Create an Administrator account and click Next.
- Fill in the rsyslog database details for the first log source and click Next. The table name is SystemEvents and is case sensitive; the error "Could not find the configured table, maybe misspelled or the tablenames are case sensitive" means it was entered differently here.
- Click Finish. The installer has now written config.php, so remove the write permission again (the secure.sh script in the contrib folder of the archive does this) so that the web server can no longer modify its own configuration.
- Login to LogAnalyzer using Administrator credentials
We hope this tutorial was helpful. If you need more information or have any questions, just comment below and we will be glad to assist you!
44 comments
Whoah, this blog is great, I like studying your articles.
Keep up the great work!
when opening http://localhost/loganalyzer it just list the files in the directory
Hi Marin,
Make sure to copy all the content to the loganalyzer directory and to assign the correct permission.
I also got the same error it is displaying the directory in the browser
Hi,
Check the configuration of your apache and make sure that you copied all the loganalyzer directories and files.
Hi, I have followed the document as it is but getting below error
ERROR: At least one file or directory (or more) is not writeable, please check the file permissions (chmod 666)!
Step 2 – Verify File Permissions
The following file permissions have been checked. Verify the results below!
You may use the configure.sh script from the contrib folder to set the permissions for you.
file ‘./config.php’ File does NOT exist!
–> I have checked the path, cd /var/www/html/loganalyzer
–> There created one empty file config.php and gave ownership and group rights to apache
–>gave 666 permission to config.php
–> and then ran the command chcon -h -t httpd_sys_script_rw_t /var/www/html/loganalyzer/config.php
–>while browsing the server ip as http:///loganalyzer
–> getting below content
[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory –
[TXT] config.php 2018-07-02 10:44 0
[ ] configure.sh 2018-06-29 17:43 48
[ ] secure.sh 2018-06-29 16:53 31
[DIR] src/ 2018-06-29 16:53 –
–> when i clicked on src, got below error
Critical Error occured
Errordetails:
Error, main configuration file is missing!
Click here to Install Adiscon LogAnalyzer!
–> I clicked on "click here", then I got the loganalyzer home page, then it asked me to click on "Next", then I clicked the Next button
–>then it gives me the following error
ERROR: At least one file or directory (or more) is not writeable, please check the file permissions (chmod 666)!
Step 2 – Verify File Permissions
The following file permissions have been checked. Verify the results below!
You may use the configure.sh script from the contrib folder to set the permissions for you.
file ‘./config.php’ File does NOT exist!
–> Thanks in advance
First of all, excellent guide! It helped really a lot.
Second, there is a typo in your instructions that renders the whole installation faulty. On step 3 you are missing a "*" on the first part of the copy. It should be:
[root@loganalyzer ~]# cp -r /tmp/loganalyzer-4.1.5/src/* /var/www/html/loganalyzer
Hi Fernando,
Thank you for the note. We will correct the instructions.
How to config client?
Hi,
check out this link http://yallalabs.com/linux/how-to-setup-a-centralized-log-server-using-rsyslog-on-centos7-rhel-7/
In the host field of Log Analyzer appear the hostname and not the IP Address of the host, how to change this ?
Hi,
If you want to record the IP address instead of the hostname, you need to define a template on both your remote and central servers that uses fromhost-ip instead of fromhost or hostname. This way you transmit the message with the IP in it, and that is the information saved on your rsyslog/LogAnalyzer server.
Hello, I installed and configured all the components. I have my centralized rsyslog server working, but when I open the web page I receive the following message:
Could not find the configured table, maybe misspelled or the tablenames are case sensitive
I searched a lot of possibilities (changing the name of the tables in config.php and others) but I can't visualize the logs. Can anyone help me?
Thanks a lot for the post.
To resolve the problem "could not find the configured table, maybe misspelled or the table names are case sensitive", just edit the /var/www/html/loganalyzer/config.php file and make sure that the value of the DBTableName field is written with the correct capital letters: "SystemEvents".
Hi Lotfi,
I have done the changes in config.php file but still getting the same error. Please help
Hi,
I solved this by changing the Database Tablename also in Admin Center -> Sources
How can create an Operatoror /Viewer account ? (Step 6)
Hi Vladimir,
In the 6th step you can only create an administrator user to gain access to the web UI; after finishing the installation you can create as many users as you want.
Hi,
I have configured loganalyzer , its working fine, but entries are more than 1 crore, how can i manage it.
What do you mean by entries are more than 1 error? The logs are forwarded to your rsyslog server and loganalyzer will display them
I made this change but the error continues.
What do I do?
Could you please tell us what kind of error you are having?
thanks!! excellent guide!
I am having an issue with timestamps. I am collecting logs from 3 different devices, all of which have the same timezone, but on the web the timestamp is 1 year back for the logs of 2 devices, while for 1 device it's working fine.
Will you please guide me on this?
BTW it helped me a lot. Really great work.
Hi,
Try to change the timezone in the php.ini file to your country timezone and restart the httpd service
Hi, I’ve got a problem.
I cannot start the LogAnalyzer web installer: when I try with my log server IP 10.200.3.203/loganalyzer my browser shows "this site can't be reached".
How can i fix this. thanks
I am having the same issue. Did you ever find a solution?
Solution: my firewall settings on the server were blocking port 80, and I was not serving port 80 in my httpd config.
Hi, I have configured loganalyzer but when trying to fetch logs using the show events menu it gives this error:
No syslog records found
While reading the logstream, the php script timeout forced me to abort at this point
Hi,
If you don't see anything, it means that no client machines are sending logs to your syslog server. First check the configuration files of your rsyslog server and of the client servers too.
I was just looking for this information for a while. After 6 hours of continuous Googling, I finally found it on your site. I wonder what is lacking in Google's strategy that it doesn't rank this kind of informative web site at the top of the list. Usually the top web sites are full of garbage.
Very nice post. I just stumbled upon your weblog and wanted to say that I’ve truly enjoyed browsing your blog posts. In any case I’ll be subscribing to your rss feed and I hope you write again very soon!
Hi, nice job! But I have a question: my loganalyzer page displays my domain name as hostname for my network devices, so I can't identify the client device. How can I change that to the client IP, please?
Hi,
You would need to define a template on both your remote and central server which uses fromhost-ip instead of fromhost or hostname.
Hello dear,
after changing vi /var/www/html/loganalyzer/config.php
the problem is still present
Hi Abdal,
try to follow the steps indicated in this tutorial https://yallalabs.com/monitoring-tools/how-to-install-loganalyzer-adiscon-centos-8/
In case you still have problems we can assist you.
Hello,
What logs/ from which path are visible in this above process
Hi, the logs shown are coming from the same server, so if you want to stream logs from other servers you need to deploy a centralized log server using rsyslog. You can look at the article below:
How To Setup A Centralized Log Server Using Rsyslog On CentOS7 / RHEL 7
Please , how can I resolve this issue
” Could not find the configured table, maybe misspelled or the tablenames are case sensitive ”
yet I checked: /var/www/html/loganalyzer/config.php
log Analyser rsyslogd[31221]: db error (1045): Access denied for user ‘rsyslog’@’localhost’ (using password: YES) [v8.24.0-57.el7_9]
log Analyser rsyslogd[31221]: action ‘action 7’ suspended, next retry is Wed May 5 15:34:00 2021 [v8.24.0-57.el7_9 try http://www.rsyslog.com/e/2007 ]
This error is often due to wrong syntax in the DBTableName field. To fix it you need to edit the /var/www/html/loganalyzer/config.php file and check if the DBTableName value is written with the correct capital letters like below
SystemEvents
I point my clients at the server's IP, but I don't receive any messages.
Hi still I am seeing the ” Could not find the configured table, maybe misspelled or the tablenames are case sensitive ” error after made changes in /var/www/html/loganalyzer/config.php file.
You need to modify the DB like this:
mysql -u root -p
mysql> USE Syslog;
mysql> UPDATE logcon_sources SET DBTableName='SystemEvents' WHERE ID=1;
mysql> FLUSH PRIVILEGES;
Hello, I did the installation and everything is ok, but the homepage shows all the logs even without the user being logged in.
Is it possible to change this configuration, to show the logs only to those who are logged in?