Centralized collection, storage and viewing of Syslog on Debian Linux
Rsyslog is the standard syslog service in Debian. The following describes how to send copies of the logs from client machines to a central server, store them in a SQL database, and view them through a convenient web interface.
Sending from client machines to the central server
Create the file /etc/rsyslog.d/send2server with the line:

*.* @<hostname, FQDN or IP address of the server>

For example:

*.* @netlog.lan

To avoid collecting debugging noise, replace "*.*" with "*.notice" or "*.warning".

Note that Debian's default rsyslog.conf includes only files matching /etc/rsyslog.d/*.conf, so check the $IncludeConfig line there (or name the file send2server.conf).

Re-read the settings: /etc/init.d/rsyslog restart
Delivery protocol
the default is UDP, port 514
if you specify "@@" instead of "@", TCP (a non-standard extension!) is used instead of the standard UDP
if you need 100% delivery reliability, use the omrelp module on the client and imrelp on the server instead of UDP/TCP
Reception on the server
The following lines should be uncommented in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

Neither listener authenticates the sender, so restrict access to port 514 to the client machines (for example with a firewall rule).

Re-read the settings: /etc/init.d/rsyslog restart
MySQL storage
apt-get install rsyslog-mysql

Carefully answer all the questions asked; except for the passwords, it is enough to confirm the proposed values.
From the LogAnalyzer source archive, copy the ./src folder into /var/www and rename it to “loganalyzer”.
Recommended fix for ./include/functions_common.php to remove warnings from Apache logs: --- loganalyzer/include/functions_common.php.orig 2011-11-14 14:32:32.000000000 +0200 +++ loganalyzer/include/functions_common.php 2011-11-16 02:05:58.982834986 +0200 @@ -1163 +1163,2 @@ - $content['EXTRA_METATAGS'] .= '/>'; + if (array_key_exists($content['HeaderDefaultEncoding'])) + $content['EXTRA_METATAGS'] .= '/>';
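Review bot: the added line `if (array_key_exists($content['HeaderDefaultEncoding']))` calls array_key_exists() with one argument, but it takes two (the key and the array); PHP 5 emits a warning and returns NULL, so the `/>` is never appended, and PHP 7 and later abort with an ArgumentCountError. Use `if (array_key_exists('HeaderDefaultEncoding', $content))` or `if (isset($content['HeaderDefaultEncoding']))`, and wrap the single-statement body in braces so a later edit cannot fall outside the condition.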
Create an empty configuration file, which the installer will fill in:

touch config.php
chmod 666 config.php
Preparing SQL databases for LogAnalyzer
The LogAnalyzer standard format Syslog.SystemEvents automatically adds its own columns to the SQL table, but that would require granting the web application more privileges than SELECT. To allow it SELECT only, create the columns manually:

ALTER TABLE `SystemEvents` ADD `processid` varchar(60) NOT NULL DEFAULT '';
ALTER TABLE `SystemEvents` ADD `checksum` int(11) UNSIGNED NOT NULL DEFAULT '0';
The syslog database name and the SystemEvents table are case sensitive.
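To go with the column additions above, here is the least-privilege database setup this section motivates, as an added example that is not part of the original guide. It assumes rsyslog-mysql created the database Syslog with the SystemEvents table (column names as in the package's createDB.sql); the account name loganalyzer and its password are placeholders.

```sql
-- Added example (not from the original guide): a read-only MySQL account
-- for the LogAnalyzer web front end, kept separate from the account that
-- rsyslog-mysql inserts with.
-- Assumptions: rsyslog-mysql created database `Syslog` with table
-- `SystemEvents`; 'loganalyzer' and the password are placeholders.

USE `Syslog`;

-- Columns that LogAnalyzer's Syslog.SystemEvents format expects. Adding
-- them here means the web account never needs ALTER on the table.
ALTER TABLE `SystemEvents` ADD `processid` varchar(60) NOT NULL DEFAULT '';
ALTER TABLE `SystemEvents` ADD `checksum`  int(11) UNSIGNED NOT NULL DEFAULT '0';

-- Dedicated account for the web interface: SELECT on this one table only.
CREATE USER 'loganalyzer'@'localhost' IDENTIFIED BY 'CHANGE-ME-placeholder';
GRANT SELECT ON `Syslog`.`SystemEvents` TO 'loganalyzer'@'localhost';
FLUSH PRIVILEGES;

-- Check 1: the grant list should show only USAGE plus SELECT on SystemEvents.
SHOW GRANTS FOR 'loganalyzer'@'localhost';

-- Check 2 (run as loganalyzer after a client has sent a test message):
-- the newest events are visible, confirming the whole pipeline works.
-- Column names follow rsyslog-mysql's createDB.sql (assumption).
SELECT ID, ReceivedAt, FromHost, Priority, SysLogTag, Message
  FROM `SystemEvents`
 ORDER BY ID DESC
 LIMIT 5;
```

Use this account's credentials in config.php; an INSERT or ALTER attempted through the web interface will then fail with a permission error instead of succeeding.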
After installation is complete:

chmod 644 config.php
rm install.php
The first user created has administrator rights. It is recommended to go to “Admin Center / Users” and register a guest account with the “ReadOnly User” flag.