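# Run these as root. (The leading "#" in the original listing is the root
# prompt, not a comment marker; it has been dropped so the lines can be pasted.)
# Refresh the package index and apply pending updates first so the log server
# starts from a patched base.
apt-get update
apt-get upgrade
# Web server and database that LogAnalyzer and rsyslog write to / read from.
apt-get install apache2 mysql-server
# rsyslog-mysql supplies the MySQL output module that rsyslog.conf loads
# further down. rsyslog-relp is not used by any step on this page; leave it
# out unless you intend to configure RELP, to keep the installed surface small.
apt-get install php5-gd rsyslog-mysql rsyslog-relp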
You will then be asked for your MySQL root password, followed by a prompt to create a password for the rsyslog database user. Choose a strong, unique password: it is the one rsyslog stores in cleartext in its configuration file below, and it must match what you enter in the GRANT statement and in /etc/rsyslog.conf.
If any of those packages are missing, install the full set below. Note that this list also pulls in a compiler toolchain (gcc, g++, make, autoconf), nmap, lynx, fetchmail and other tools that no step on this page uses; on a log server, install only what you actually need.
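# Run as root (the original listing's leading "#" was the prompt).
# The package list is unchanged from the original, only wrapped for readability.
# Nothing on this page compiles anything, so the build toolchain (gcc, g++,
# make, autoconf, automake1.9, libtool, bison, the -dev headers) and network
# tools (nmap, lynx, fetchmail, ncftp) are not required to run rsyslog or
# LogAnalyzer; trim them unless you have another use for them, since every
# extra package on a log server is extra attack surface to keep patched.
apt-get install rsyslog rsyslog-mysql unzip zip binutils cpp fetchmail flex gcc \
  libarchive-zip-perl libc6-dev libcompress-zlib-perl libpcre3 libpopt-dev lynx \
  m4 make ncftp nmap openssl perl perl-modules zlib1g-dev autoconf automake1.9 \
  libtool bison autotools-dev g++ mysql-server mysql-client libmysqlclient15-dev \
  apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert \
  libdb4.6-dev libapache2-mod-php5 php5 php5-common php5-curl php5-dev php5-gd \
  php5-idn php-pear php5-imagick php5-imap php5-json php5-mcrypt php5-memcache \
  php5-mhash php5-ming php5-mysql php5-ps php5-pspell php5-recode php5-snmp \
  php5-sqlite php5-tidy php5-xmlrpc php5-xsl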
Check that the server is listening on the expected TCP ports (80 for Apache, 3306 for MySQL). MySQL should be bound to 127.0.0.1 only, as in the output below, so the database is not reachable from the network; rsyslog does not listen on any port yet at this stage.
# Expected result: mysqld bound to 127.0.0.1 only (not reachable from other
# hosts) and apache2 on all interfaces. netstat comes from net-tools; on newer
# systems "ss -tlpn" from iproute2 shows the same listening sockets.
# netstat -tapn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 415/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 581/apache2
Then we can create the rsyslog database:
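# Run as root. Create the database rsyslog writes to and a dedicated account
# for it. "-p" with no value makes mysqladmin/mysql prompt for the root
# password; do not put it on the command line, where it would be visible in
# "ps" output and shell history.
mysqladmin -u root -p create rsyslog
mysql -u root -p
# The following statements are typed inside the mysql shell.
# CREATE USER followed by a separate GRANT works on MySQL 5.x, 8.x and MariaDB;
# the one-statement "GRANT ... IDENTIFIED BY" form was removed in MySQL 8.0.
# Use a strong, unique password: it is stored in cleartext in /etc/rsyslog.conf.
# Privileges: rsyslog itself only inserts rows; SELECT is what the LogAnalyzer
# front end needs to read events; UPDATE/DELETE are only needed if the front
# end is allowed to modify or purge events. Drop what you do not use, and
# prefer a separate read-only account for the web front end where practical.
CREATE USER 'rsyslog'@'localhost' IDENTIFIED BY 'ENTER-YOUR-NEW-RSYSLOG-PASSWORD-HERE';
GRANT SELECT, INSERT, UPDATE, DELETE ON rsyslog.* TO 'rsyslog'@'localhost';
FLUSH PRIVILEGES;
quit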
If the database does not already contain the SystemEvents and SystemEventsProperties tables, create them with the SQL below; you can paste it into the interactive mysql shell. The USE statement must name the database created above (rsyslog), and that same name must appear in the MySQL output line of rsyslog.conf further down.
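-- Schema used by rsyslog's MySQL output module.
-- The database name must match the one created above with mysqladmin and the
-- one named in the ommysql line of rsyslog.conf; this guide uses "rsyslog".
-- (The original listing said "Syslog"; database names are case-sensitive on
-- Linux, so that would not have matched.)
USE rsyslog;
-- One row per received syslog message. Everything in Message, FromHost,
-- SysLogTag etc. is untrusted input from remote clients; anything that
-- renders these columns (LogAnalyzer) must escape them for output.
CREATE TABLE SystemEvents
(
ID int unsigned not null auto_increment primary key,
CustomerID bigint,
ReceivedAt datetime NULL,
DeviceReportedTime datetime NULL,
Facility smallint NULL,
Priority smallint NULL,
FromHost varchar(60) NULL,
Message text,
NTSeverity int NULL,
Importance int NULL,
EventSource varchar(60),
EventUser varchar(60) NULL,
EventCategory int NULL,
EventID int NULL,
EventBinaryData text NULL,
MaxAvailable int NULL,
CurrUsage int NULL,
MinUsage int NULL,
MaxUsage int NULL,
InfoUnitID int NULL ,
SysLogTag varchar(60),
EventLogType varchar(60),
GenericFileName VarChar(60),
SystemID int NULL
);
-- Optional name/value properties attached to a SystemEvents row via
-- SystemEventID.
CREATE TABLE SystemEventsProperties
(
ID int unsigned not null auto_increment primary key,
SystemEventID int NULL ,
ParamName varchar(255) NULL ,
ParamValue text NULL
);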
Next we configure the rsyslog server to write to the database and to listen on TCP port 514. This listener is plaintext and unauthenticated: anyone who can reach the port can inject entries into your logs, so restrict it to your clients with the host firewall and consider rsyslog's TLS transport for anything that crosses an untrusted network.
#vi /etc/rsyslog.conf
Add these lines (changing the password to the one you chose when you created the MySQL rsyslog user). Because the password is stored here in cleartext, make sure /etc/rsyslog.conf is owned by root and not world-readable (for example chmod 640).
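# Load the MySQL output module (its name is "ommysql"; the rsyslog-mysql
# package installs it) and send every message to the local database.
# Host, database, user and password must match what was created above:
# database "rsyslog", user "rsyslog". The ">" selector is the legacy ommysql
# form; ":ommysql:host,db,user,password" is equivalent.
# The password is stored in cleartext here, so keep this file root-owned and
# not world-readable. If the rsyslog-mysql package already wrote a similar
# line into /etc/rsyslog.d/ when it asked for a password, do not keep both,
# or every message is inserted twice.
$ModLoad ommysql
*.* >127.0.0.1,rsyslog,rsyslog,ENTER-YOUR-NEW-RSYSLOG-PASSWORD-HERE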
...and remove the comments in front of the lines that deal with the TCP syslog reception.
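# /etc/rsyslog.conf Configuration file for rsyslog v3.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Write every message to the local MySQL database. The module is named
# "ommysql"; database and user must match the account created above.
# The password sits here in cleartext, so keep this file root-owned and not
# world-readable.
$ModLoad ommysql
*.* >127.0.0.1,rsyslog,rsyslog,ENTER-YOUR-NEW-RSYSLOG-PASSWORD-HERE
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# provides UDP syslog reception -- left disabled: UDP source addresses are
# trivially spoofed, and the clients configured below use TCP anyway
#$ModLoad imudp
#$UDPServerRun 514
# provides TCP syslog reception
# This listener is plaintext, unauthenticated, and bound on all interfaces:
# anyone who can reach TCP/514 can inject entries into the database. Restrict
# it to known clients with the host firewall (and/or $AllowedSender, see the
# rsyslog docs for its placement), and use rsyslog's TLS transport for
# anything crossing an untrusted network. Clients must send to this same
# port.
#$AllowedSender TCP, 127.0.0.1, YOUR-CLIENT-NET/24
$ModLoad imtcp
$InputTCPServerRun 514
###########################
#### GLOBAL DIRECTIVES ####
###########################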
And restart rsyslog service.
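# Apply the new configuration (run as root). Uses the same "service" form as
# the troubleshooting step at the end of this page. Check the system log
# afterwards for errors from rsyslog: a wrong database password or a port
# already in use only shows up at runtime.
service rsyslog restart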
2. Install LogAnalyzer. As of this writing the newest release was 3.4.4, which is what the commands below fetch; check the Adiscon download page for the current release and substitute its version number.
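# Run as root. Fetch and unpack LogAnalyzer into the web root.
# The tarball is downloaded over plain HTTP with no integrity check, and
# everything in it becomes web-executable PHP once copied below. Compare the
# download against the checksum or signature the vendor publishes (and use
# https where offered) before unpacking it.
cd /tmp || exit 1
wget http://download.adiscon.com/loganalyzer/loganalyzer-3.4.4.tar.gz
tar -xzf loganalyzer-3.4.4.tar.gz
cd loganalyzer-3.4.4 || exit 1
mkdir /var/www/logs
cp -R src/* /var/www/logs/
# contrib/ holds the helper scripts; they end up inside the web root, so
# remove them once setup is complete.
cp contrib/* /var/www/logs/
cd /var/www/logs/ || exit 1
chmod +x configure.sh secure.sh
# configure.sh prepares the config file the browser-based installer writes to.
# secure.sh is the matching lock-down step (the original page copies it but
# never runs it): run ./secure.sh after the web installer has finished so the
# config file is no longer writable by the web server.
./configure.sh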
Now open a web browser and go to http://serverIP/logs. You will be redirected to the installation script, which guides you through setting up LogAnalyzer (give it the database name and credentials created above). The installer is reachable by anyone who can reach the web server, so complete it promptly; afterwards run ./secure.sh in /var/www/logs to lock the configuration file down again, remove configure.sh and secure.sh from the web root, and put the interface behind web-server authentication or an IP restriction, since it exposes every log line your clients send.
Rsyslog Client Configuration
On each client, add the following lines to the RULES section of /etc/rsyslog.conf. The port must be the one the server listens on (514 in the server configuration above); "@@" selects TCP, a single "@" would select UDP.
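# Edit /etc/rsyslog.conf on the client (e.g. vim /etc/rsyslog.conf).
# Forward every message to the central logging server over TCP ("@@"; a
# single "@" would be UDP). The port must match the server's
# $InputTCPServerRun, which is 514 above -- the original page sent to 1514,
# which the server as configured does not listen on. If you move the server
# to a different port, change both sides. This is plaintext, so keep it on a
# trusted network or use rsyslog's TLS transport.
*.* @@LogAnalyzerIP:514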
Restart the RSyslog service
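# Apply the client configuration (run as root); same "service" form as the
# troubleshooting step below. Then confirm on the server that the client's
# messages actually arrive, e.g. by watching the SystemEvents table.
service rsyslog restart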
Troubleshoot:
If you are using OpenVZ with Proxmox VE you may see this kind of message in /var/log/syslog:
kernel: Cannot read proc file system: 1 – Operation not permitted.
The fix is to disable the kernel log input (imklog), which cannot read the host kernel's /proc interface from inside a container:
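# Comment out the imklog module load. Inside an OpenVZ container rsyslog has
# no access to the host kernel's /proc interface, which is what the
# "Cannot read proc file system" message reports. The edit is made in place on
# a system config file, so keep a backup (rsyslog.conf.bak) to roll back from.
sed -i.bak -e 's/^\$ModLoad imklog/#\$ModLoad imklog/g' /etc/rsyslog.conf
service rsyslog restart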
==================================================
http://stevesbog.blogspot.com/2012/08/installing-and-configuring-loganalyzer.html
https://www.howtoforge.com/centralized-rsyslog-server-monitoring
http://terraltech.com/syslog-server-with-rsyslog-and-loganalyzer/