Centralised Syslog Daemon

6 02 2010

Logs are generated all over the network: some hosts record them individually as event logs, and important traffic logs can be viewed on the network devices themselves. Centralising these logs on one host makes administrators' tasks a lot easier.

I implemented this system on CentOS 5 with rsyslog and phplogcon. You can choose syslog-ng as an alternative.

Prerequisite

1. Make sure you install all of these:
yum install rsyslog rsyslog-mysql
yum install mysql-server
yum install httpd php php-mysql php-gd

2. Start mysql service
/etc/init.d/mysqld start
3. Create rsyslog database
mysql < /usr/share/doc/rsyslog-mysql-2.0.6/createDB.sql
4. Add a user for rsyslog. Execute these statements in mysql.
CREATE USER 'syslog'@'localhost' IDENTIFIED BY 'p$ss4w*rd';
GRANT ALL ON Syslog.* TO 'syslog'@'localhost';
FLUSH PRIVILEGES;

*** You should change the MySQL root password after installing MySQL. See this for more details.
5. Edit /etc/rsyslog.conf by adding the following two lines at the top of the file.
$ModLoad ommysql
*.*     :ommysql:127.0.0.1,Syslog,syslog,p$ss4w*rd

*** Please choose the loopback IP carefully, because I got the error message "Can't connect to [local] MySQL server" while using localhost rather than the loopback IP. The reason is that rsyslog uses TCP/IP to connect to MySQL, but my localhost utilises the Unix socket file. To see the difference, run these commands:
mysqladmin version
mysqladmin -h 127.0.0.1 version

More details…
6. Create a symbolic link to the module.
ln -s /usr/lib/rsyslog/ommysql.so /usr/lib/rsyslog/ommysql
7. Edit /etc/sysconfig/rsyslog by adding the "-r" option, which makes rsyslog accept messages from remote hosts over UDP.
SYSLOGD_OPTIONS="-m 0 -r"
8. Stop syslog and start rsyslog.
/etc/init.d/syslog stop
/etc/init.d/rsyslog start

9. If everything worked, /var/log/messages will contain no error messages from rsyslog.

Deploy phplogcon

1. Get phplogcon from its website, or download it directly:
wget http://www.virtualxp.org/downloads/phplogcon-2.6.4.tar.gz
2. Unpack it and copy the contents of the src directory to /var/www/html/rsyslog
mkdir /var/www/html/rsyslog
gunzip phplogcon-2.6.4.tar.gz
tar -xvf phplogcon-2.6.4.tar
cp -r phplogcon-2.6.4/src/* /var/www/html/rsyslog

3. Create an empty configuration file that the web server can write to
cd /var/www/html/rsyslog
touch config.php
chown apache config.php

4. Open a web browser and go to http://localhost/rsyslog. It will walk you through the configuration process. Make sure you set the source type to MySQL Native. A comprehensive guide is provided here.
