HowTo Setup a Syslog Server in a Cluster

Step 1. Syslog Manager installation and setup

Install the prerequisites for rsyslog first.
[root@srvcentos-clum]# yum -y install httpd php mysql php-mysql mysql-server wget
Now install rsyslog
[root@srvcentos-clum]# yum -y install rsyslog*
Start the mysqld, httpd and rsyslog services and set them to start automatically on every reboot.
[root@srvcentos-clum]# /etc/init.d/rsyslog start
Starting system logger:
[root@srvcentos-clum]# /etc/init.d/httpd start
Starting httpd:[ O.k. ]
[root@srvcentos-clum]# /etc/init.d/mysqld start
[root@srvcentos-clum]# chkconfig rsyslog on; chkconfig httpd on; chkconfig mysqld on
Set MySQL root database user password.
Note: in this case we have used centos as a password.
[root@srvcentos-clum]# mysqladmin -u root password 'centos'
Open the 'createDB.sql' file and change the database name as shown below. Here I am using 'rsyslogdb' as my database name.
[root@srvcentos-clum]# nano -w /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
CREATE DATABASE rsyslogdb;
USE rsyslogdb;
CREATE TABLE SystemEvents
(
ID int unsigned not null auto_increment primary key,
CustomerID bigint,
ReceivedAt datetime NULL,
DeviceReportedTime datetime NULL,
Facility smallint NULL,
Priority smallint NULL,
FromHost varchar(60) NULL,
Now import the database tables for rsyslog database into MySQL.
[root@srvcentos-clum]# mysql -u root -p < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
Enter password:
Now let us check that 'rsyslogdb' has been created in MySQL.
[root@srvcentos-clum]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.1.66 Source distribution

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| rsyslogdb          |
| test               |
+--------------------+
4 rows in set (0.01 sec)

mysql>
Grant the 'rsyslog' user privileges on the database.
[root@srvcentos-clum]# mysql -u root -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
mysql> GRANT ALL ON rsyslogdb.* TO rsyslog@localhost IDENTIFIED BY 'centos';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
Now edit the rsyslog config file and make the changes as shown below.
[root@srvcentos-clum]# nano -w /etc/rsyslog.conf
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception

## Uncomment below ##
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
## Uncomment below ##
$ModLoad imtcp
$InputTCPServerRun 514
## Add the following lines ##
# Load the MySQL output module and write every message into rsyslogdb
# (format: :ommysql:<db host>,<db name>,<db user>,<db password>)
$ModLoad ommysql
*.* :ommysql:127.0.0.1,rsyslogdb,rsyslog,centos
# Accept messages only from localhost and the cluster network
$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.1.0/24
Let me explain some lines in the above config file.
  • rsyslogdb – database name
  • rsyslog – database user
  • centos – rsyslog user password
  • $AllowedSender – rsyslog accepts logs only from 127.0.0.1 and the 192.168.1.0/24 cluster network, on both the UDP and the TCP port; messages from any other sender are dropped.
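Syslog on port 514 carries no authentication, so the two $AllowedSender lists are what decides which hosts may write into rsyslogdb. The following added example (not code from the original article or from rsyslog) parses those two directives and checks candidate sender addresses against them. It handles IP addresses and CIDR networks only, not the DNS names and wildcards rsyslog also accepts, and the candidate addresses are constructed for the demonstration.

```python
import ipaddress

# Constructed sample: the two $AllowedSender lines from the rsyslog.conf above.
ALLOWED_SENDER_LINES = [
    "$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24",
    "$AllowedSender TCP, 127.0.0.1, 192.168.1.0/24",
]


def parse_allowed_senders(lines):
    """Return {"UDP": [networks], "TCP": [networks]} from legacy $AllowedSender lines.

    Each line reads '$AllowedSender <PROTO>, <addr-or-cidr>, <addr-or-cidr>, ...'.
    A bare address becomes a /32 network; comments and other directives are skipped.
    """
    acl = {"UDP": [], "TCP": []}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("$AllowedSender"):
            continue
        fields = [f.strip() for f in line[len("$AllowedSender"):].split(",")]
        proto = fields[0].upper()
        if proto not in acl:
            raise ValueError("unknown protocol in directive: %r" % raw)
        for entry in fields[1:]:
            # strict=False tolerates host bits being set (e.g. 192.168.1.54/24)
            acl[proto].append(ipaddress.ip_network(entry, strict=False))
    return acl


def sender_allowed(acl, proto, address):
    """True if a message from `address` over `proto` would be accepted by the server."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in acl[proto.upper()])


def check_senders(lines, candidates):
    """Evaluate (proto, address) pairs against the directives; returns {pair: bool}."""
    acl = parse_allowed_senders(lines)
    return {(p, a): sender_allowed(acl, p, a) for p, a in candidates}


if __name__ == "__main__":
    results = check_senders(ALLOWED_SENDER_LINES, [
        ("UDP", "192.168.1.77"),   # a cluster node: accepted
        ("TCP", "127.0.0.1"),      # the server's own syslog: accepted
        ("UDP", "10.0.0.5"),       # outside the cluster network: dropped
    ])
    for (proto, addr), ok in results.items():
        print("%s %-14s %s" % (proto, addr, "accepted" if ok else "dropped"))
```

The check is made against the packet's source address, which UDP never verifies; the TCP form (the @@ target on the clients) at least requires a completed handshake before a message is accepted, so prefer it where the cluster network allows.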

Disable any existing syslog service if you have one (unlikely on a fresh install).
[root@srvcentos-clum]# /etc/init.d/syslog stop
[root@srvcentos-clum]# chkconfig syslog off

Install LogAnalyzer
LogAnalyzer is a web GUI for browsing rsyslog and network event data. Download and install the latest version.
[root@srvcentos-clum]# wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.3.tar.gz
[root@srvcentos-clum]# tar zxvf loganalyzer-3.6.3.tar.gz
Move the extracted package to your Apache document root folder.
[root@srvcentos-clum]# mv loganalyzer-3.6.3/src/ /var/www/html/loganalyser
[root@srvcentos-clum]# mv loganalyzer-3.6.3/contrib/* /var/www/html/loganalyser/
Make the two helper scripts executable and run configure.sh.
[root@srvcentos-clum]# cd /var/www/html/loganalyser/
[root@srvcentos-clum loganalyser]# chmod u+x configure.sh secure.sh
[root@srvcentos-clum loganalyser]# ./configure.sh
The configure.sh script creates an empty, writable config.php that the web installer fills in.
Note: secure.sh sets config.php back to read-only; run it once the web installer has finished.
Note: Don't forget to open syslog port 514 and Apache port 80 or 443 in your firewall (iptables).
Note: Our firewall (iptables) on the nodes is still disabled.
[root@srvcentos-clum]# nano -w /etc/sysconfig/iptables
Add these rules above the final REJECT rule of the INPUT chain (syslog listens on both UDP and TCP 514; HTTP is TCP only):
-A INPUT -p udp -m state --state NEW --dport 514 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 514 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT

Restart the iptables service.
[root@srvcentos-clum]# /etc/init.d/iptables restart

Disable SELinux.
[root@srvcentos-clum]# nano -w /etc/selinux/config
SELINUX=disabled
Note: this setting takes effect on the next reboot; 'setenforce 0' switches to permissive mode immediately.

Restart all services once again.
[root@srvcentos-clum loganalyser]# service mysqld restart
[root@srvcentos-clum loganalyser]# service httpd restart
[root@srvcentos-clum loganalyser]# service rsyslog restart
Point your web browser to http://<ip-address or domain-name>/loganalyser and complete the rest of the installation there.
Note: in our case: http://192.168.1.54/loganalyser/
(192.168.1.54 = SRVCENTOS-CLUM)

(Screenshot: LogAnalyzer "Critical Error occured" page)

Click Next.
(Screenshot: LogAnalyzer installer, step 1)

Click Next.
(Screenshot: LogAnalyzer installer, step 2)

Click "Yes" under "User Database Options", enter the database user name, password and database name, and click Next.
(Screenshot: LogAnalyzer installer, step 3)

Click Next.
(Screenshot: LogAnalyzer installer, step 4)

Click Next.
(Screenshot: LogAnalyzer installer, step 5)

Create the main (admin) user for the LogAnalyzer console.
(Screenshot: LogAnalyzer installer, step 6)

Select "MySQL Native" in the Source type drop-down box and enter the database name, database table name, database user name and password. Click Next.
Double-check the database name and table name: they are case sensitive. Refer to the screenshot.
(Screenshot: LogAnalyzer installer, step 7)

You're done. Click Finish.
(Screenshot: LogAnalyzer installer, step 8)

Enter the main user account details.
(Screenshot: LogAnalyzer login)

Now the main console screen opens with all log details. If it shows an error page, restart all services once again.
(Screenshot: LogAnalyzer console)

Step 2. Install rsyslog clients

Install rsyslog on the nodes of the cluster and start the rsyslog service.
[root@srvcentos-clu1 ~]# yum -y install rsyslog
[root@srvcentos-clu1 ~]# /etc/init.d/rsyslog start
Starting system logger:
[root@srvcentos-clu1 ~]# chkconfig rsyslog on
Open the rsyslog config file and add the rsyslog server details.
[root@srvcentos-clu1 ~]# nano -w /etc/rsyslog.conf

# forward authpriv messages to the syslog server over UDP (single @)
authpriv.* @192.168.1.20:514
or, over TCP (double @@):
authpriv.* @@192.168.1.20:514
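The selector line and its @/@@ target are the whole client-side configuration, so it helps to see what actually crosses the wire and how a message ends up in the SystemEvents table. The added example below (not code from the article, from rsyslog or from LogAnalyzer) builds the RFC 3164 line a node emits for an sshd login, applies the authpriv.* selector to it, and maps the received line onto the columns that rsyslog's default ommysql template (the one a bare ':ommysql:' action uses) fills: Facility, Priority (which holds the severity number), FromHost, DeviceReportedTime, SysLogTag and Message. The host name, process tag, timestamp and message text are constructed.

```python
import re
from datetime import datetime

# Facility and severity codes that make up the PRI field: PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# <PRI>Mmm dd hh:mm:ss host TAG: message   (RFC 3164 wire format)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^ ]*?:)"
    r" ?(?P<msg>.*)$"
)


def encode_pri(facility, severity):
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Split a PRI value back into (facility, severity) numbers."""
    return pri // 8, pri % 8


def matches_selector(facility, severity, selector):
    """Classic 'facility.level' selector semantics as used in 'authpriv.* @server:514':
    the level names a severity and everything more urgent; '*' matches any severity.
    (The '=' and '!' selector modifiers are not handled here.)"""
    sel_fac, sel_lvl = selector.split(".", 1)
    if sel_fac != "*" and sel_fac != facility:
        return False
    return sel_lvl == "*" or SEVERITIES[severity] <= SEVERITIES[sel_lvl]


def build_message(facility, severity, host, tag, text, when):
    """Build the line a client emits for one event (day padded with a space, as syslog does)."""
    ts = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s: %s" % (encode_pri(facility, severity), ts, host, tag, text)


def parse_message(line):
    """Map a received line to the SystemEvents columns that rsyslog's default
    ommysql template fills. Note that the Priority column holds the severity.
    The leading space rsyslog keeps in %msg% is dropped here for readability."""
    m = _RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    facility, severity = decode_pri(int(m.group("pri")))
    return {
        "Facility": facility,
        "Priority": severity,
        "FromHost": m.group("host"),
        "DeviceReportedTime": m.group("ts"),
        "SysLogTag": m.group("tag"),
        "Message": m.group("msg"),
    }


def demo():
    """Constructed sample: an sshd login on cluster node srvcentos-clu1.
    Returns (wire line, forwarded by authpriv.*?, SystemEvents row)."""
    line = build_message("authpriv", "info", "srvcentos-clu1", "sshd[1234]",
                         "Accepted publickey for root from 192.168.1.77 port 51234 ssh2",
                         datetime(2017, 12, 7, 10, 15, 32))
    forwarded = matches_selector("authpriv", "info", "authpriv.*")
    return line, forwarded, parse_message(line)


if __name__ == "__main__":
    line, forwarded, row = demo()
    print(line)
    print("forwarded by authpriv.*:", forwarded)
    for col, val in row.items():
        print("%-20s %r" % (col, val))
```

Because only authpriv.* is forwarded, a cron or kernel message on a node never reaches the server; widen the selector (for example to *.info) if the console should show more than authentication events.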
Restart the rsyslog daemon.
[root@srvcentos-clu1 ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ O.k. ]
Starting system logger: [ O.k. ]
Now go to the LogAnalyzer console on the server and check for the client logs.
