Thursday, September 1, 2011

Centralized Log Management with RSyslog


Why Rsyslog?

For centralized logging. Keeping a central copy of every host's logs is a prerequisite if you want them intact: an attacker who gains root on a box can edit or delete its local log files, but cannot touch the copies that were already shipped to the log server. Plain log files, however, are awkward to query across many hosts. Because of this, we configure rsyslog to write events to a MySQL database and put a web interface with filters in front of it, so the logs can be viewed and searched without opening a console on the log server.

Rsyslog Installation

Installing rsyslog on Ubuntu is easy:
 #aptitude install rsyslog
 #aptitude install rsyslog-doc
All configuration is placed in the /etc/rsyslog.conf file or in files found under the /etc/rsyslog.d directory.
  • Configuration structure: configuration files are structured in the following order, and the order matters, because a module must be loaded before anything uses it and most $-directives apply to the rules that follow them:
    • Modules
    • Global directives
    • Filter rules
  • Rsyslog Server configuration:
 #vim /etc/rsyslog.conf
Local logging is provided by the imuxsock plug-in (messages from local processes via /dev/log) and by imklog (kernel messages); both are enabled by default:

$ModLoad imuxsock
$ModLoad imklog
On the server, assuming you are running rsyslog, you enable network reception by loading the appropriate input module and specifying the port to listen on. Pick the transport your clients will use:
UDP:

$ModLoad imudp
$UDPServerRun 514
TCP:

$ModLoad imtcp
$InputTCPServerRun 514

UDP is the traditional syslog transport but drops messages silently under load; TCP is reliable and is what the client-side disk queueing described below depends on. Neither transport authenticates or encrypts anything, so only expose port 514 to your own hosts (firewall it) and use rsyslog's TLS support (the gtls network stream driver) when logs have to cross an untrusted network.

Rsyslog provides a flexible, template-based system to specify output formats. A template with the traditional syslog format looks as follows:

$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

Now we have the right template, but how do we write it to a file? You probably have a line like this in your rsyslog.conf:

*.* -/var/log/messages.log;TraditionalFormat

The "-" in front of the file name tells rsyslog not to sync the file after every write, and ";TraditionalFormat" selects the template defined above. Note that %timegenerated% is the time the server received the message, not the time stamped by the client (%timereported%); the latter is the one to look at when correlating events across hosts whose clocks may differ.

 

-------------------------------------------------------------------------

Writing syslog messages to MySQL

--------------------------------------------------------------------------

#apt-get install rsyslog-mysql mysql-server php-mysql

While installing you will be prompted for the password of the MySQL user that rsyslog will use. Enter the details and remember them. If you let the package do this, it has already created the Syslog database, its tables and the rsyslog user, and dropped a matching /etc/rsyslog.d/mysql.conf; the manual steps below show the same setup done by hand. The server has to load the output module ommysql and be configured to connect to the database. Its configuration should be similar to the following:

# service mysql start
# mysql -uroot -p
mysql> GRANT SELECT, UPDATE, INSERT ON Syslog.* TO rsyslog@localhost IDENTIFIED BY 'password';
mysql> \q
#vim /etc/rsyslog.conf
$ModLoad ommysql
*.* :ommysql:127.0.0.1,Syslog,rsyslog,password
[*.*  :ommysql:database-server,database-name,database-userid,database-password]
# service rsyslog restart

Type the MySQL root password at the prompt rather than putting it after -p on the command line, where it is visible in ps output and shell history. The fourth field of the ommysql line is the password you set in the GRANT, so it ends up in clear text in rsyslog.conf: keep that file readable by root only (chmod 640 /etc/rsyslog.conf). ommysql itself only needs INSERT; SELECT is there because the LogAnalyzer front end below reads the same table, and if you want least privilege give the web interface its own read-only account instead of reusing this one. The GRANT takes effect immediately, so only rsyslog needs a restart.

Now check your database:

#mysql -uroot -p
mysql> show databases;
mysql> USE Syslog;
mysql> show tables;
mysql> DESCRIBE SystemEvents;
mysql> select * from SystemEvents ORDER BY ID DESC LIMIT 20;

If everything is configured properly you will see all your log messages here. Generate a few log messages with the logger command, then open three terminals and run one of the following in each:

#tail -f /var/log/messages
#logger system rebooted
#mysql -uroot -p Syslog

Check the timestamps of the new lines in /var/log/messages and confirm that the same messages appear in SystemEvents with matching timestamps.
  • Clients Setup:
#apt-get install rsyslog

First, you need to create a working directory for rsyslog. This is where it stores its queue files (should the need arise) while the server is unreachable. You may use any location on your local system, but it must exist and be writable by rsyslog:

#mkdir -p /rsyslog/work

With the following simple config file, you forward everything the client receives to the remote server and get disk buffering applied automatically when the server goes down. This is done on the client machine. The $ActionQueue* and $ActionResume* directives apply to the next action line only, so they must sit directly above the forwarding rule, and the buffering only makes sense with TCP (@@): with UDP rsyslog has no way to notice that the server is down.

#vim /etc/rsyslog.conf
$ModLoad imuxsock    # local message reception
$WorkDirectory /rsyslog/work       # default location for work (spool) files
$ActionQueueType LinkedList       # use asynchronous processing
$ActionQueueFileName srvrfwd    # set file name, also enables disk mode
$ActionResumeRetryCount -1       # infinite retries on insert failure
$ActionQueueSaveOnShutdown on  # save in-memory data if rsyslog shuts down

# forward all logs via TCP (@@host:port)
*.* @@172.168.155.75:514

Use a single @ instead (*.* @172.168.155.75:514) to forward via UDP, without the queue directives. Do not keep both lines: every message would then be sent to the server twice.
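The checks described under "Now check your database" and the client forwarding setup above, put into one script, as an added example that is not part of the original post. It assumes the schema that rsyslog-mysql creates (database Syslog, table SystemEvents, column Message), a server writing to /var/log/messages, and MySQL credentials in ~/.my.cnf; the script name, function names and marker format are mine. Run it on a client as "sh check_forwarding.sh run" (pointing the second argument at the server's log file, or running the file check on the server itself) to prove that a message logged locally reaches both the flat file and the database.

```shell
#!/bin/sh
# check_forwarding.sh: end-to-end check that a message logged on this host
# reaches the central server's flat file and the SystemEvents table.
# Added example, not part of the original post. Assumed names: the default
# log file path, the ~/.my.cnf credentials and the marker format are mine.

# Poll FILE until a line containing MARKER appears or TIMEOUT seconds pass.
# Returns 0 when found, 1 on timeout. Point it at /var/log/messages on the
# server (or run it there over ssh) to confirm that forwarding works.
wait_for_marker() {
    file=$1; marker=$2; timeout=${3:-10}; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -r "$file" ] && grep -q -F -- "$marker" "$file"; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Build a marker that is unique per host, second and process, restricted to
# [A-Za-z0-9_-] so it is safe to splice into the SQL LIKE pattern below.
make_marker() {
    host=$(uname -n | tr -c 'A-Za-z0-9\n' '_')
    echo "rsyslog-check-${host}-$(date +%s)-$$"
}

# Count SystemEvents rows whose Message contains MARKER, using the schema
# rsyslog-mysql creates. Credentials come from ~/.my.cnf ([client] section)
# rather than -p on the command line, so the password never shows up in ps.
db_marker_count() {
    mysql -N -B -e "SELECT COUNT(*) FROM SystemEvents WHERE Message LIKE '%$1%';" Syslog
}

main() {
    logfile=$1
    marker=$(make_marker)
    logger -t rsyslogcheck "$marker"
    if wait_for_marker "$logfile" "$marker" 10; then
        echo "OK: marker reached $logfile"
    else
        echo "FAIL: marker not in $logfile after 10s (check the @@server line and port 514)" >&2
        return 1
    fi
    if command -v mysql >/dev/null 2>&1; then
        n=$(db_marker_count "$marker")
        if [ "${n:-0}" -ge 1 ]; then
            echo "OK: $n row(s) in SystemEvents"
        else
            echo "FAIL: marker not in SystemEvents (check the ommysql line and the GRANT)" >&2
            return 1
        fi
    fi
}

# Only run the live check when invoked as "sh check_forwarding.sh run [logfile]",
# so the functions can be sourced and tested without writing to syslog.
if [ "${1:-}" = "run" ]; then
    main "${2:-/var/log/messages}"
fi
```

The marker is generated, not taken from the user, and is filtered to a safe character set before it is interpolated into the LIKE pattern; without that filter a hostname containing a quote would turn this check into an injection point.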

 

-----------------------------------------------------------

LogAnalyzer - WebUI

------------------------------------------------------------

The LogAnalyzer project provides an easy to use but powerful frontend for searching, reviewing and analyzing syslog, event log and many other event sources. 
  • HOWTO install LogAnalyzer
To install LogAnalyzer, you need:

* Apache
* PHP5

#apt-get install apache2
#apt-get install php5
#apt-get install libapache2-mod-php5
#/etc/init.d/apache2 restart 

Now install LogAnalyzer. It's pretty easy.
#wget http://download.adiscon.com/loganalyzer/loganalyzer-3.0.1.tar.gz
#tar -xvzf loganalyzer-3.0.1.tar.gz
#mkdir -p /var/www/loganalyzer

Copy all files from the loganalyzer/src/ folder to your web server. The other files are not needed on the web server.

#cp -R loganalyzer-3.0.1/src/* /var/www/loganalyzer

Copy the scripts configure.sh and secure.sh from the contrib folder to your web server, into the same folder where you put the other LogAnalyzer files. Then set the execute flag on them (chmod +x configure.sh secure.sh). Now run ./configure.sh from that folder: it creates a blank config.php and makes it writable by everyone, so that the web installer can fill it in. You can of course do this manually if you want.

#cp loganalyzer-3.0.1/contrib/configure.sh loganalyzer-3.0.1/contrib/secure.sh /var/www/loganalyzer
#cd /var/www/loganalyzer
#chmod +x configure.sh secure.sh
#./configure.sh

Now open your LogAnalyzer installation in your favourite web browser. You will see an error and be pointed to the installation script; it will guide you through the LogAnalyzer installation, just follow the instructions. When asked for the database, give it the Syslog database and the credentials created above. Once the installer has finished, run ./secure.sh in the same folder so that config.php (which now holds the database password) is no longer world-writable; otherwise any local user, or a compromised web application on the same host, can edit it.
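The unpack-and-copy steps above plus a permission check for config.php, as an added example that is not part of the original post or of the LogAnalyzer project. It assumes only the tarball layout described above (a single top-level directory containing src/ and contrib/); the script and function names and the web root argument are mine, and lock_config is my own chmod, used here instead of secure.sh so that the check runs without the project's scripts.

```shell
#!/bin/sh
# stage_loganalyzer.sh: unpack a LogAnalyzer tarball into a web root, stage the
# contrib helper scripts, and make sure config.php is locked down again after
# the web installer has written it. Added example; names are assumptions.

# Extract TARBALL and copy its src/ tree into WEBROOT, plus configure.sh and
# secure.sh from contrib/. Refuses to overwrite an existing install so that a
# re-run cannot clobber a config.php that already holds DB credentials.
stage_loganalyzer() {
    tarball=$1; webroot=$2
    if [ ! -f "$tarball" ]; then
        echo "no such tarball: $tarball" >&2; return 1
    fi
    if [ -e "$webroot/index.php" ]; then
        echo "$webroot already holds an install, not overwriting" >&2; return 1
    fi
    workdir=$(mktemp -d) || return 1
    if ! tar -xzf "$tarball" -C "$workdir"; then
        rm -rf "$workdir"; return 1
    fi
    # The tarball has a single top-level directory (loganalyzer-3.0.1/).
    top=$(find "$workdir" -mindepth 1 -maxdepth 1 -type d | head -n 1)
    if [ ! -d "$top/src" ]; then
        echo "tarball has no src/ directory" >&2; rm -rf "$workdir"; return 1
    fi
    mkdir -p "$webroot" && cp -R "$top/src/." "$webroot/" || { rm -rf "$workdir"; return 1; }
    for s in configure.sh secure.sh; do
        if [ -f "$top/contrib/$s" ]; then
            cp "$top/contrib/$s" "$webroot/$s" && chmod 755 "$webroot/$s"
        fi
    done
    rm -rf "$workdir"
}

# Return 0 if FILE exists and is not writable by "other", 1 otherwise.
# configure.sh deliberately makes config.php world-writable so the browser-based
# installer can fill it in; this catches the case where nobody locked it again.
config_is_locked() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -perm -002)" ]
}

# Remove world-write from WEBROOT/config.php, which is what you want once the
# installer is done and the file contains the database password.
lock_config() {
    chmod o-w "$1/config.php"
}
```

Run stage_loganalyzer before the browser step, and config_is_locked (or lock_config) after it; a world-writable config.php under the web root lets any local account rewrite the database credentials or the front end's settings.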


Some Related Links for more information

http://www.ubuntu.com/system/files/CentralLogging-v4-20090901-03.pdf