Comments on Centralized RSYSLOG Server Monitoring
Centralized RSYSLOG Server Monitoring This tutorial provides step-by-step instructions on how to install RSYSLOG server on Debian 6 (Squeeze) and how to send syslog data to it from multiple client servers. We will also show how to install an Apache webserver and a MySQL database server to gather the syslog data and how to install LogAnalyzer to easily browse the collected data with a web-browser.
Comments
There is no mail database on this server. Only the rsyslog database.
groupadd logadmin
usermod -a -G logadmin www-data
create 640 root logadmin    # logrotate directive (e.g. in /etc/logrotate.d/rsyslog) so rotated files keep the group
Unfortunately, that did not help, still struggling with that pesky "Syslog file is not readable, read access may be denied" message and no logs at all in any way.
Might be good to include that also... but it should install automatically as a dependency.
I believe you have posted the wrong apt-get install row.
You miss the rsyslog-mysql package!
This tutorial is a "bare-bones" tutorial.
It does not deal with any security settings you probably want to implement on your own. For instance, I recommend using SSL encryption for the site. I recommend using an .htaccess file for login protection, etc.
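The login protection and SSL the author recommends above, as an added example (not code from the tutorial or its author): an Apache 2.2-style `<Directory>` block (Debian 6/7 syntax, an assumption) that refuses non-TLS requests, requires a basic-auth account kept outside the document root, and blocks `install.php` once the wizard has run. The paths `/var/www/loganalyzer`, `/etc/apache2/conf.d/loganalyzer.conf` and `/etc/apache2/loganalyzer.htpasswd` are assumptions; `ROOT` lets the config be generated into a scratch tree first.

```shell
#!/bin/sh
# Added example, not the tutorial author's code.  Assumptions (labelled):
# Apache 2.2 as shipped with Debian 6/7, LogAnalyzer unpacked under
# /var/www/loganalyzer as in the tutorial, config dropped into
# /etc/apache2/conf.d/.  ROOT, when set, prefixes every path written.
ROOT="${ROOT:-}"

# auth_conf DOCROOT HTPASSWD: print the Apache 2.2 block.
auth_conf() {
    cat <<EOF
<Directory "$1">
    # refuse the request unless it arrived over TLS (needs mod_ssl loaded)
    SSLRequireSSL
    AuthType Basic
    AuthName "LogAnalyzer"
    AuthUserFile "$2"
    Require valid-user
</Directory>
# install.php is a one-time wizard: deny it after setup so nobody can re-run it
<Files "install.php">
    Order allow,deny
    Deny from all
</Files>
EOF
}

# write_auth_conf DOCROOT HTPASSWD: write the block into conf.d and print its path.
write_auth_conf() {
    d="$ROOT/etc/apache2/conf.d"
    mkdir -p "$d"
    auth_conf "$1" "$2" > "$d/loganalyzer.conf" && echo "$d/loganalyzer.conf"
}

# add_web_user HTPASSWD USER: create or append a basic-auth account.  htpasswd
# prompts for the password; never pass it on the command line, where it would
# show up in `ps` and shell history.  -c only when creating the file.
add_web_user() {
    command -v htpasswd >/dev/null || { echo "apache2-utils not installed" >&2; return 1; }
    if [ -f "$1" ]; then htpasswd "$1" "$2"; else htpasswd -c "$1" "$2"; fi
    chown root:www-data "$1" && chmod 0640 "$1"   # Apache can read it, other users cannot
}

# Apply only when asked ("sh loganalyzer-auth.sh apply") and running as root.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    HTPASSWD=/etc/apache2/loganalyzer.htpasswd
    # enable mod_ssl and Debian's default-ssl site (self-signed "snakeoil" cert
    # from ssl-cert; replace it with a real one outside a lab) BEFORE the
    # config is written: SSLRequireSSL is an unknown directive without mod_ssl
    a2enmod ssl && a2ensite default-ssl
    write_auth_conf /var/www/loganalyzer "$HTPASSWD"
    add_web_user "$HTPASSWD" admin
    apache2ctl configtest && /etc/init.d/apache2 restart
fi
```

The ordering in the apply branch matters: with `SSLRequireSSL` present and `mod_ssl` not loaded, Apache refuses to start, which is the intended fail-closed behaviour rather than a silent fallback to plain HTTP.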
Fixed, thanks a lot for the note.
Hi.
What's the purpose of granting access to the mail database to the rsyslog user?
ERROR: Failed to open the syslog file '/var/log/syslog'! Check if the file exists and LogAnalyzer has sufficient rights to it
see my comment below
Nice tutorial. Works well! Thank you.
command cd contrib/ did not work. But I found my way out.
Peerx
Hello,
Thank you for the easy and great tutorial, but I have a problem with LogAnalyzer: after I click Next, Next, ... in the installation wizard, the analyzer shows me the message "Syslog file is not readable, read access may be denied". Can you write step by step what to do on the install.php page?
You need to edit syslog's permissions so "others" can read it. Commands:
cd /var/log/
chmod 644 syslog
Note: for the security freaks, yes, this can be a security leak. Another way is to add loganalyzer to the same user group as root. Don't know how to do this, though.
I know it's pretty easy but can be confusing for some!
thanks
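The two fixes offered in this thread, `chmod 644 syslog` above and the `logadmin` group plus `create 640 root logadmin` logrotate line earlier, differ in who gets to read the log. The following is an added example, not code from the tutorial or from either commenter: it keeps the file group-readable but not world-readable, and checks that this is actually the case. It assumes Debian's stock `/etc/rsyslog.conf` (`$FileOwner root`, `$FileGroup adm`, `$FileCreateMode 0640`) and `/etc/logrotate.d/rsyslog` (`create 640 root adm`), so the group granted is `adm` and the web user is `www-data`; GNU `stat` is assumed for the mode check.

```shell
#!/bin/sh
# Added example, not from the tutorial or the commenters.  Assumptions
# (labelled): Debian's default rsyslog.conf writes /var/log/syslog as
# root:adm 0640 and logrotate recreates it the same way, so granting the
# Apache user (www-data) membership of "adm" is enough and survives rotation.

# mode_ok MODE: accept an octal mode string ("640", "0640", ...) only if the
# group can read the file and "other" cannot.  Pure string logic.
mode_ok() {
    m=$(printf '%s' "$1" | sed -n 's/^.*\([0-7][0-7][0-7]\)$/\1/p')
    [ -n "$m" ] || return 1
    g=$(printf '%s' "$m" | cut -c2)
    o=$(printf '%s' "$m" | cut -c3)
    [ $(( g & 4 )) -ne 0 ] && [ $(( o & 4 )) -eq 0 ]
}

# check_syslog_perms FILE: 0 if FILE's mode passes mode_ok, 1 otherwise.
check_syslog_perms() {
    [ -f "$1" ] || return 1
    mode_ok "$(stat -c '%a' "$1")"
}

# fix_syslog_perms FILE GROUP: the layout rsyslog and logrotate already use,
# so the next rotation does not silently undo it (chmod 644 gets undone too,
# which is one reason "no logs at all" comes back after a day).
fix_syslog_perms() {
    chgrp "$2" "$1" && chmod 0640 "$1"
}

# grant_web_user USER GROUP: membership only applies to new processes, so
# Apache has to be restarted.  Needs root; otherwise just say what it would do.
grant_web_user() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: would run: usermod -a -G $2 $1" >&2
        return 0
    fi
    usermod -a -G "$2" "$1" && /etc/init.d/apache2 restart
}

# Apply only when explicitly asked ("sh fix-loganalyzer-perms.sh apply").
if [ "${1:-}" = "apply" ]; then
    LOGFILE=/var/log/syslog
    GROUP=adm            # assumption: Debian's $FileGroup
    WEBUSER=www-data     # assumption: Debian's Apache user
    fix_syslog_perms "$LOGFILE" "$GROUP"
    grant_web_user "$WEBUSER" "$GROUP"
    if check_syslog_perms "$LOGFILE"; then
        echo "$LOGFILE is readable by group $GROUP and not by the world"
    else
        echo "$LOGFILE still has an unexpected mode: $(stat -c '%U %G %a' "$LOGFILE")" >&2
        exit 1
    fi
fi
```

If a site prefers its own group (as the `logadmin` commenter did), the same three steps apply with that group name, provided `$FileGroup` in `/etc/rsyslog.conf` and the `create` line in `/etc/logrotate.d/rsyslog` are changed to match, otherwise the next rotation recreates the file with the old group.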
First we install some dependencies.
Love what you guys do here! Keep up the great work.
mysqladmin -u root -p create rsyslog
right?
I'm just before the LogAnalyzer installation, was curious and did a
mysql -u rsyslog -p
mysql> use rsyslog;
mysql> show tables;
and received a
Empty set (0.00 sec)
Was I too curious? Will this happen with the LogAnalyzer installation?
Regards
Ralph
How about a response to Ralph's comment? When do the tables get built in MySQL?
I have got that error:
"Could not find the configured table, maybe misspelled or the tablenames are case sensitive"
What did I do wrong?
I know this is a really old post but it was also the top post when I was looking for an answer to the same problem.
Thank you Sami, I set this up today on a Debian VM and it works great!
One note, it appears that when you install the rsyslog-mysql package in Debian now, it creates the database for you and prompts for a password. Unfortunately not sure that it works right as I don't think the user had the correct permissions to the database from the package script, so I used your instructions to grant them anyway!
Cheers!
phobia
Need help with Debian GNU/Linux? Try Efnet #debian
1. rsyslog
2. webmin,
3. PHPMyAdmin and
4. loganalyzer
This is on Debian 7
http://cdimage.debian.org/debian-cd/7.0.0/amd64/iso-cd/debian-7.0.0-amd64-netinst.iso
I have only tested this on "debian-7.0.0-amd64-netinst" and it is working as expected.
#!/bin/bash
### Note that the MySQL conf for rsyslog is /etc/rsyslog.d/mysql.conf
### and it is configured by default when you install rsyslog-mysql.
### So, no need of creating it manually.
######################################################
##### Syslog and log analyser on Debian 7
##### This will install an RSYSLOG server with a web UI
##### This assumes that installation is done on a fresh Debian net install, which installs and configures MySQL from scratch,
##### so there is no need to manually create any DB and/or users.
##### Just remember the MySQL root password for the installation.
## Note: put in the MySQL root password you are going to use when it prompts during installation, and remember to use the same one, otherwise the installation will fail.
## (Only used by the commented-out manual database setup further down; keep this file readable by root only.)
MYSQL_PASS="gfkjh867gdfk"
##### Function to prompt for user attention
function pause(){
read -p "$*"
}
##### 1. Installing RSYSLOG server, MySQL, Apache2, webmin and phpMyAdmin
## First we install some dependencies.
## Installing webmin
echo "I am assuming loganalyzer-3.6.3 as latest and stable"
echo "Please terminate this script if this is not the latest version, correct the version inside the script and run it again"
echo "Press [Ctrl+C] to terminate the installation or"
pause 'Press [Enter] key to continue...'
## The webmin repository gets its own file under sources.list.d, so re-running the script does not append duplicate entries
cat > /etc/apt/sources.list.d/webmin.list <<'EOF'
### Webmin Source########################
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
EOF
echo "Getting key for webmin signature"
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
apt-get update
apt-get upgrade
apt-get -y install webmin vim sudo
echo "webmin, vim, sudo have been installed"
echo "Now installing packages for syslog server"
### Remove PostgreSQL if it is installed
echo "Running postgresql remover"
apt-get -y autoremove postgresql
apt-get install rsyslog rsyslog-mysql unzip zip binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev perl libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl-modules zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ mysql-server mysql-client apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libdb-dev libapache2-mod-php5 php5 php5-common php5-curl php5-dev php5-gd php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-mysql php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl libmysqlclient-dev php5-intl
## (there is no "mysql-dev" package in Debian; the MySQL client headers are libmysqlclient-dev, installed above)
apt-get install linux-kernel-headers
## Install phpMyAdmin
echo "installing phpMyAdmin"
apt-get install phpmyadmin
echo "Make sure to restart rsyslog, mysql and apache2"
/etc/init.d/rsyslog restart
/etc/init.d/mysql restart
/etc/init.d/apache2 restart
### Check that the server is listening on the proper TCP ports (80 & 3306). RSYSLOG does not yet listen on any port at this time.
echo "Check that the server is listening on the proper TCP ports (80 & 3306). RSYSLOG does not yet listen on any port at this time."
netstat -tapn
pause 'Press [Enter] key to continue...'
### Note that the MySQL conf for rsyslog is /etc/rsyslog.d/mysql.conf
### and it is configured by default when you install rsyslog-mysql
### Don't change unless you know what you are doing
#echo 'CREATE USER rsyslog@localhost IDENTIFIED BY "rsyslog";
#CREATE DATABASE IF NOT EXISTS `rsyslog` DEFAULT CHARACTER SET `utf8` COLLATE `utf8_unicode_ci`;
#GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON `rsyslog`.* TO rsyslog@localhost;' | mysql -u root -p$MYSQL_PASS
### Configure rsyslog to listen on UDP and TCP 514
### Debian ships these four lines commented out in /etc/rsyslog.conf; uncomment them in place
### rather than inserting at fixed line numbers, which breaks if the file differs and duplicates the lines on a re-run
#read -p "Press [Enter] key to continue..."
sed -i -e 's/^#\$ModLoad imudp$/$ModLoad imudp/' \
       -e 's/^#\$UDPServerRun 514$/$UDPServerRun 514/' \
       -e 's/^#\$ModLoad imtcp$/$ModLoad imtcp/' \
       -e 's/^#\$InputTCPServerRun 514$/$InputTCPServerRun 514/' /etc/rsyslog.conf
cat /etc/rsyslog.conf
echo "rsyslog.conf file has been modified, please look around and press [Enter] if it is fine"
echo "If you find anything wrong, then please open another SSH session, correct it, then come back here and press [Enter]"
pause 'Press [Enter] key to continue...'
/etc/init.d/rsyslog restart
## -u is needed as well, otherwise the UDP listener does not show up
netstat -tuapn
echo "Make sure rsyslog is listening on TCP/UDP port 514"
pause 'Press [Enter] key to continue...'
#### 2. Installing LogAnalyzer
#### Then we download LogAnalyzer and configure the Apache web server to display the logs.
echo "Preparing to install loganalyzer....Assuming latest stable version is loganalyzer-3.6.3"
mkdir -p /var/repo/loganalyzer
cd /var/repo/loganalyzer
wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.3.tar.gz
tar xvzf loganalyzer-3.6.3.tar.gz
echo "Moving loganalyzer-3.6.3 to /var/www/loganalyzer"
mv loganalyzer-3.6.3/ /var/www/loganalyzer
echo "Adding the proper access rights for apache2 to /var/www/loganalyzer (only that tree, not all of /var/www)"
chown -R www-data:www-data /var/www/loganalyzer
cd /var/www/loganalyzer/contrib/
echo 'Copying configure.sh and secure.sh from contrib/ to src/'
cp * ../src/
echo "Navigating into src/"
cd ../src/
echo 'Running configure.sh script'
sh ./configure.sh
echo "All set, point your web browser to 'http://192.168.0.15/loganalyzer/src/install.php' and follow the on-screen installation instructions"
For all those who are wondering when the tables are made...
The answer is, they are automatically made during the web-installation.
Make sure you enter the correct user-name and password.
Sam
Dear team,
How do I add remote hosts to the rsyslog server?
Thanks,
SAVY
Dear team,
I am getting this alert message:
No syslog records found - Error Details:
No syslog records found
How can I fix it?
Nice to see so many people taking interest in this. For those who are experiencing problems with the "No syslog records found" error, try these steps.
Is the server receiving records from the clients?
tail -f /var/log/syslog
Are the records ending up in the database? Use server.domain.com/phpmyadmin to browse your SystemEvents table.
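For SAVY's two questions (adding remote hosts, and "No syslog records found"), the following is an added example, not code from the tutorial or from any commenter: a client-side forwarding fragment, a server-side per-host file rule, and a `diagnose` function that walks the checklist above in order (listener, network path, file, database). It assumes the server listens on TCP and UDP 514 as the tutorial enables, rsyslog 5/7 legacy directive syntax (Debian 6/7), and that the database is fed by the Debian `rsyslog-mysql` package's `/etc/rsyslog.d/mysql.conf`, which names the database `Syslog`; `logserver`, the file names `50-forward.conf` and `zz-remote.conf`, and the `rsyslogtest` tag are assumptions.

```shell
#!/bin/sh
# Added example, not from the tutorial or the commenters.  Assumptions
# (labelled): server listens on 514 TCP+UDP; rsyslog 5/7 legacy directives;
# rsyslog-mysql's /etc/rsyslog.d/mysql.conf writes to database "Syslog".
# ROOT, when set, prefixes every path so fragments can be generated into a
# scratch directory and inspected before touching /etc.
ROOT="${ROOT:-}"

# client_forward_conf SERVER [tcp|udp]: print the client-side fragment.
# "@@" is TCP, "@" is UDP.  TCP with a disk-assisted queue keeps messages
# through a server outage; UDP drops them silently and the source address is
# trivially spoofable, so use it only for devices that cannot do TCP.
client_forward_conf() {
    srv=$1
    case ${2:-tcp} in
        tcp) target="@@$srv:514" ;;
        udp) target="@$srv:514" ;;
        *)   echo "protocol must be tcp or udp" >&2; return 1 ;;
    esac
    cat <<EOF
# forward everything to the central rsyslog server (queue directives apply to the next action only)
\$WorkDirectory /var/spool/rsyslog
\$ActionQueueType LinkedList
\$ActionQueueFileName fwd_$srv
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
*.* $target
EOF
}

# server_remote_conf: print a server-side rule that also files each remote
# host's messages under /var/log/remote/<host>/<program>.log.  It does not
# discard ("& ~"), so the ommysql action from mysql.conf still sees them.
server_remote_conf() {
    cat <<'EOF'
$template RemoteHostFile,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
if $fromhost-ip != '127.0.0.1' then ?RemoteHostFile
EOF
}

# write_client_conf SERVER [PROTO] / write_server_conf: drop the fragments into
# rsyslog.d and print the path.  "zz-" makes the server rule sort after mysql.conf.
write_client_conf() {
    d="$ROOT/etc/rsyslog.d"; mkdir -p "$d"
    client_forward_conf "$1" "${2:-tcp}" > "$d/50-forward.conf" && echo "$d/50-forward.conf"
}
write_server_conf() {
    d="$ROOT/etc/rsyslog.d"; mkdir -p "$d"
    server_remote_conf > "$d/zz-remote.conf" && echo "$d/zz-remote.conf"
}

# check_conf FILE: syntax-check with rsyslogd when it is installed.
check_conf() {
    command -v rsyslogd >/dev/null || { echo "rsyslogd not installed, skipping syntax check" >&2; return 0; }
    rsyslogd -N1 -f "$1"
}

# diagnose SERVER: run on the server; the places a record goes missing before
# LogAnalyzer says "No syslog records found", checked in order.
diagnose() {
    echo "1. is rsyslog bound to 514?"
    netstat -lntu 2>/dev/null | grep ':514 ' || echo "   nothing on 514: imudp/imtcp lines still commented out, or rsyslog not restarted"
    echo "2. send a test record over the network (util-linux logger 2.20+ for -n/-P; UDP unless -T)"
    logger -n "$1" -P 514 -t rsyslogtest "test $(date +%s)" || echo "   logger failed: check iptables on both ends"
    sleep 1
    echo "3. did it land in the file and in the database?"
    grep -c rsyslogtest /var/log/syslog || echo "   0 in /var/log/syslog: it never reached rsyslog, look at the network path"
    mysql -u rsyslog -p Syslog -e "SELECT COUNT(*) FROM SystemEvents WHERE SysLogTag LIKE 'rsyslogtest%'" \
        || echo "   query failed: compare the credentials in /etc/rsyslog.d/mysql.conf with the database"
}

case ${1:-} in
    apply-client) f=$(write_client_conf "$2") && check_conf "$f" && /etc/init.d/rsyslog restart ;;
    apply-server) f=$(write_server_conf) && check_conf "$f" && /etc/init.d/rsyslog restart ;;
    diagnose)     diagnose "$2" ;;
esac
```

On each client: `sh rsyslog-remote.sh apply-client logserver`; on the server: `sh rsyslog-remote.sh apply-server`, then `sh rsyslog-remote.sh diagnose logserver` when LogAnalyzer shows no records. If step 3 shows the record in `/var/log/syslog` but the count in `SystemEvents` stays at zero, the problem is the database side (credentials or table name in `mysql.conf`), not the clients.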
Wrong listing: [email protected]:~# netstat -tapn
Dear SAVY, just connect to your MySQL database and try this:
use Syslog;
ALTER TABLE SystemEvents ADD processid varchar(60) NOT NULL DEFAULT '' AFTER Checksum;
... and reload your LogAnalyzer page ;-)
Hi. I want to ask if this log monitoring is totally free, with no license required?