Rsyslog Config

This document provides instructions for setting up an RSYSLOG server to collect syslog data from client systems. It describes how to install RSYSLOG and dependencies on the server, configure MySQL to store logs, modify configuration files to enable remote TCP syslog reception and forwarding to MySQL, and set up a web interface for log viewing. It also explains how to configure client systems to send logs to the RSYSLOG server by modifying their rsyslog.conf files to forward logs over TCP.

This first part describes how to build an RSYSLOG server that will gather the syslog data from its clients. In this example our server is called rsyslog.domain.com and it has a fixed IP address of 192.168.0.15.
First we install some dependencies. (The list below is the author's full build box; the pieces this guide actually uses are rsyslog, rsyslog-mysql, mysql-server, mysql-client, apache2, libapache2-mod-php5 and php5-mysql.)
apt-get update
apt-get upgrade
apt-get install rsyslog rsyslog-mysql unzip zip binutils cpp fetchmail flex gcc libarchive-zip-perl \
  libc6-dev libcompress-zlib-perl libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl \
  perl perl-modules zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ \
  mysql-server mysql-client libmysqlclient15-dev apache2 apache2-doc apache2-mpm-prefork \
  apache2-utils libexpat1 ssl-cert libdb4.6-dev libapache2-mod-php5 php5 php5-common \
  php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-json php5-mcrypt \
  php5-memcache php5-mhash php5-ming php5-mysql php5-ps php5-pspell php5-recode php5-snmp \
  php5-sqlite php5-tidy php5-xmlrpc php5-xsl
Set the MySQL root password when the installation asks you for it!
My OpenVZ template already had this, so this command may not be necessary for you either...
apt-get install linux-kernel-headers
Make sure the services are up and running...
/etc/init.d/rsyslog restart
/etc/init.d/mysql restart
/etc/init.d/apache2 restart
Check that the server is listening on the proper TCP ports (80 and 3306). RSYSLOG does not yet listen on any port at this time. Note that mysqld is bound to 127.0.0.1 only; keep it that way, since only rsyslog and LogAnalyzer on this host need to reach it.
rsyslog:~# netstat -tapn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      415/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      581/apache2
Then we can create the rsyslog database:
mysqladmin -u root -p create rsyslog
Next we start the MySQL command shell and create the rsyslog user:

mysql -u root -p
GRANT SELECT, INSERT, UPDATE, DELETE ON rsyslog.* TO 'rsyslog'@'localhost'
IDENTIFIED BY 'ENTER-YOUR-NEW-RSYSLOG-PASSWORD-HERE';
FLUSH PRIVILEGES;
quit
Next we configure the rsyslog server to load the MySQL output module and to listen on TCP port 514:
vi /etc/rsyslog.conf
Add these lines... (remember to change the password to the one you entered when you created your MySQL server's rsyslog user. The password sits in this file in clear text, so keep /etc/rsyslog.conf readable by root only.)
$ModLoad MySQL
*.* >127.0.0.1,rsyslog,rsyslog,ENTER-YOUR-NEW-RSYSLOG-PASSWORD-HERE
($ModLoad MySQL is the old spelling of the module name; current rsyslog documentation calls the same module ommysql. The ">host,database,user,password" action is the short form of its output action and sends every message, "*.*", to the rsyslog database on the local MySQL server.)

...and remove the comments in front of the lines that deal with TCP syslog reception, so that the top of the file looks like this:
# /etc/rsyslog.conf Configuration file for rsyslog v3.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
$ModLoad MySQL
*.* >127.0.0.1,rsyslog,rsyslog,ENTER-YOUR-NEW-RSYSLOG-PASSWORD-HERE
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
###########################
#### GLOBAL DIRECTIVES ####
###########################

And restart the rsyslog service.
/etc/init.d/rsyslog restart
Check that the server is listening on the proper TCP ports (80, 514 and 3306).
rsyslog:~# netstat -tapn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      618/rsyslogd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      415/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      581/apache2
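Instead of reading netstat by eye each time, here is an added example (not from the tutorial, not part of rsyslog) in Python that parses netstat -tapn output and checks it against what the finished server should show: rsyslogd on 514 and apache2 on 80 reachable from the network, mysqld on 3306 bound to loopback only. The embedded netstat listing is constructed after the one above, with mysqld deliberately moved to 0.0.0.0 so the check has something to flag; the EXPECTED table is this guide's layout and is the only assumption the script makes.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of "netstat -tapn" output, modelled on the listing in the
# tutorial. mysqld is deliberately bound to 0.0.0.0 here (the tutorial shows it
# on 127.0.0.1) so the check has something to report.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      618/rsyslogd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      415/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      581/apache2
tcp        0      0 192.168.0.15:514        192.168.0.100:49188     ESTABLISHED 618/rsyslogd
"""

# What the finished server should look like: port -> (program, loopback only?).
# Only rsyslogd and LogAnalyzer on this host talk to MySQL, so 3306 must not be
# reachable from the network; 514 and 80 are meant to be. (Assumed layout.)
EXPECTED: Dict[int, Tuple[str, bool]] = {
    514: ("rsyslogd", False),
    3306: ("mysqld", True),
    80: ("apache2", False),
}

LOOPBACK = ("127.0.0.1", "::1")

# One LISTEN line: proto, queues, local addr:port, foreign addr, state, pid/program.
LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+\d+/(?P<prog>\S+)"
)


def parse_listeners(netstat_output: str) -> Dict[int, List[Tuple[str, str]]]:
    """Return {port: [(bind address, program), ...]} for every LISTEN socket."""
    listeners: Dict[int, List[Tuple[str, str]]] = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.setdefault(int(m["port"]), []).append((m["addr"], m["prog"]))
    return listeners


def check_listeners(netstat_output: str,
                    expected: Dict[int, Tuple[str, bool]] = EXPECTED) -> List[str]:
    """Compare the listening sockets with the expected layout; empty list means all good."""
    problems: List[str] = []
    listeners = parse_listeners(netstat_output)
    for port, (program, loopback_only) in expected.items():
        socks = listeners.get(port, [])
        if not socks:
            problems.append(f"port {port}: nothing listening (expected {program})")
            continue
        for addr, prog in socks:
            if prog != program:
                problems.append(f"port {port}: bound by {prog}, expected {program}")
            # 0.0.0.0 or :: means every interface, i.e. reachable from the LAN.
            if loopback_only and addr not in LOOPBACK:
                problems.append(f"port {port}: {prog} bound to {addr}, should be loopback only")
    return problems


if __name__ == "__main__":
    # Feed it live output with: netstat -tapn | python3 check_listeners.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for problem in check_listeners(data) or ["no problems found"]:
        print(problem)
```

Run as-is it reports the exposed mysqld; piped real netstat output from the server built above, it should print "no problems found".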

Then we download LogAnalyzer and configure the Apache web server to display the logs.
cd /tmp
wget http://download.adiscon.com/loganalyzer/loganalyzer-3.4.1.tar.gz
tar xvzf loganalyzer-3.4.1.tar.gz
mv loganalyzer-3.4.1/ /var/www/
cd /var/www
Then we give the Apache web server ownership of the www folders. (This makes the whole document root writable by www-data; limiting the chown to the loganalyzer folder is enough for the install script.)
chown www-data:www-data * . -Rf
And then we do some 'make nice' work on the LogAnalyzer folders. (The contrib and src folders live inside the renamed loganalyzer folder.)
mv loganalyzer-3.4.1/ loganalyzer
cd loganalyzer/contrib/
cp * ./../src/
cd ./../src/
sh ./configure.sh
And we are ready to enter the final setup of LogAnalyzer using our web browser. Point your web browser to the fixed IP address of our rsyslog server, which in this demo is
http://192.168.0.15/loganalyzer/src/install.php
Go through the simple setup script (it's pretty much... next -> next). When it has finished, remove install.php from the src folder so the setup cannot be re-run by anyone who can reach the web server.
Now you should have a working rsyslog server with LogAnalyzer up and running.
Next we configure the RSYSLOG clients to send their syslog data to the rsyslog server:

Configuring RSYSLOG Clients

Usually all we need to do is edit the rsyslog.conf file and restart the service. (Almost all Debian systems come with rsyslog preinstalled.)

vi /etc/rsyslog.conf
Add the work spool directory lines, which queue messages on disk while network connectivity to the server is lost, and replace YOUR-RSYSLOG-SERVER-ADDRESS-HERE with the rsyslog server's IP address, 192.168.0.15 in this example. (Create the /rsyslog/work spool directory with mkdir first, otherwise rsyslog has nowhere to write the queue file.) The @@ prefix forwards over TCP; a single @ would use UDP. Note that this is plain TCP: the logs cross the network unencrypted and the server accepts messages from any host that can reach port 514, so restrict that port to your clients with a firewall. The TCP reception lines stay commented out on the client.
# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
$WorkDirectory /rsyslog/work # default location for work (spool) files
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName srvrfwd # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
*.* @@YOUR-RSYSLOG-SERVER-ADDRESS-HERE
###########################
#### GLOBAL DIRECTIVES ####
###########################

And restart the rsyslog service.
/etc/init.d/rsyslog restart
Check that the client has an established connection to the server on TCP port 514.
root@ic1:~# netstat -tapn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.0.100:49188     192.168.0.15:514        ESTABLISHED 13289/rsyslogd
This is what a successful setup looks like.
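To see what the server's TCP reception and the client's "*.* @@server" forwarding above actually move over the wire, here is an added example in Python (not code from the tutorial or from rsyslog): a client side that frames messages the way the TCP forwarder does, BSD-syslog lines terminated by a newline, and a minimal stand-in for rsyslog's imtcp that reads the stream, splits it on newlines and decodes each line into the fields rsyslog's MySQL output stores. The host name "ic1", the tags, messages and timestamp are constructed; the receiver listens on an ephemeral loopback port rather than 514; and the field names are assumed to follow the SystemEvents table in rsyslog's createDB.sql.

```python
import re
import socket
import threading
from datetime import datetime
from typing import Dict, List

# Facility and severity codes from RFC 3164 (only the ones used below).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "authpriv": 10, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Parses "<PRI>Mmm dd hh:mm:ss host tag: message".
FRAME_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^ ]+:) ?(?P<msg>.*)$"
)


def encode_pri(facility: str, severity: str) -> int:
    """PRI is the number inside the leading angle brackets: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_frame(facility: str, severity: str, host: str, tag: str, msg: str,
                ts: datetime) -> bytes:
    """One BSD-syslog line as '*.* @@server' sends it over TCP: terminated by '\\n'."""
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"  # RFC 3164 pads the day with a space
    return f"<{encode_pri(facility, severity)}>{stamp} {host} {tag}: {msg}\n".encode()


def parse_frame(line: str) -> Dict[str, object]:
    """Decode one received line into the fields rsyslog's MySQL output stores.

    Key names follow the SystemEvents table from rsyslog's createDB.sql
    (assumed here; check them against the schema you loaded).
    """
    m = FRAME_RE.match(line)
    if not m or int(m["pri"]) > 191:  # 23 facilities * 8 + 7 is the largest valid PRI
        raise ValueError(f"not a syslog frame: {line!r}")
    pri = int(m["pri"])
    return {"Facility": pri // 8, "Priority": pri % 8,
            "DeviceReportedTime": m["ts"], "FromHost": m["host"],
            "SysLogTag": m["tag"], "Message": m["msg"]}


class Receiver(threading.Thread):
    """Stand-in for rsyslog's imtcp: one TCP connection, newline-framed messages."""

    def __init__(self) -> None:
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port; the real server uses 514
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.rows: List[Dict[str, object]] = []
        self.rejected: List[str] = []

    def run(self) -> None:
        conn, _ = self.sock.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)  # TCP is a stream: frames may split or coalesce
                if not chunk:
                    break
                buf += chunk
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    try:
                        self.rows.append(parse_frame(line.decode("utf-8", "replace")))
                    except ValueError as exc:
                        self.rejected.append(str(exc))
        self.sock.close()


def forward(port: int, frames: List[bytes]) -> None:
    """Client side of '*.* @@server', minus the disk queue: one connection, all frames."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        for frame in frames:
            s.sendall(frame)


def demo() -> Dict[str, list]:
    """Send three constructed frames from 'ic1' and return what the receiver decoded."""
    ts = datetime(2024, 3, 5, 14, 7, 9)
    frames = [
        build_frame("auth", "info", "ic1", "sshd[4242]",
                    "Accepted publickey for alice from 192.168.0.100 port 50211 ssh2", ts),
        build_frame("user", "notice", "ic1", "logger", "test message", ts),
        b"this is not a syslog frame\n",  # what a stray client on port 514 might send
    ]
    rx = Receiver()
    rx.start()
    forward(rx.port, frames)
    rx.join(timeout=5)
    return {"rows": rx.rows, "rejected": rx.rejected}


if __name__ == "__main__":
    result = demo()
    for row in result["rows"]:
        print(row)
    print("rejected:", result["rejected"])
```

The third frame shows why an open port 514 matters: anything that reaches it is fed to the parser and, on the real server, to MySQL, with nothing proving which host sent it, since FromHost is whatever the sender wrote into the line.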
