Rsyslog is an open source log-processing daemon for Unix/Linux systems: it collects log messages from the local host and from other hosts on your network and can forward or store them centrally. Having every host's messages in one place matters to any Linux user or admin, whether for day-to-day troubleshooting or for reconstructing what happened after something went wrong.
Install rsyslog in CentOS 6.4
First install the prerequisites. Apache, PHP and MySQL are needed for the LogAnalyzer web front end set up later; wget is used to download it.
[root@server ~]# yum install httpd php mysql php-mysql mysql-server wget -y
Now install rsyslog. The wildcard also pulls in rsyslog-mysql, which provides the ommysql output module and the createDB.sql script used below.
[root@server ~]# yum install -y rsyslog*
Start the mysqld, httpd and rsyslog services and enable them so they start automatically on every reboot.
[root@server ~]# /etc/init.d/rsyslog start
Starting system logger:
[root@server ~]# /etc/init.d/httpd start
Starting httpd: [ OK ]
[root@server ~]# /etc/init.d/mysqld start
[root@server ~]# chkconfig rsyslog on
[root@server ~]# chkconfig httpd on
[root@server ~]# chkconfig mysqld on
Set the MySQL root user's password. 'centos' is used throughout this article for readability; pick a strong password of your own, and keep in mind that a password given on the command line ends up in the shell history.
[root@server ~]# mysqladmin -u root password 'centos'
Open the 'createDB.sql' file shipped with the rsyslog-mysql package and change the database name in the CREATE DATABASE and USE lines. The version number in the path is that of the installed package; if the path below does not exist, locate the file with rpm -ql rsyslog-mysql | grep createDB. Here 'rsysdb' is used as the database name. Only the beginning of the file is shown.
[root@server ~]# vi /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
CREATE DATABASE rsysdb;
USE rsysdb;
CREATE TABLE SystemEvents
(
    ID int unsigned not null auto_increment primary key,
    CustomerID bigint,
    ReceivedAt datetime NULL,
    DeviceReportedTime datetime NULL,
    Facility smallint NULL,
    Priority smallint NULL,
    FromHost varchar(60) NULL,
Now import the rsyslog database and its tables into MySQL.
[root@server ~]# mysql -u root -p < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
Enter password:
[root@server ~]#
Now check that the 'rsysdb' database exists.
[root@server ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.1.66 Source distribution
Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| rsysdb |
| test |
+--------------------+
4 rows in set (0.01 sec)
mysql>
Create the 'rsyslog' database user and grant it privileges on the database.
[root@server ~]# mysql -u root -p
Enter password:
mysql> GRANT ALL ON rsysdb.* TO rsyslog@localhost IDENTIFIED BY 'centos';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
GRANT ALL is more than the rsyslog writer needs: the ommysql module only ever INSERTs into SystemEvents. The broad grant is kept here because the same account is reused later by the LogAnalyzer installer, which creates its own tables in this database. On a production server, give rsyslog.conf a separate account that holds only INSERT ON rsysdb.SystemEvents, and keep the wider privileges for the web front end's account.
Now edit the rsyslog config file and make the changes shown below (the module is loaded once; loading ommysql twice, as some copies of this recipe do, only produces an error at startup).
[root@server ~]# vi /etc/rsyslog.conf
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
## uncomment ##
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
## uncomment ##
$ModLoad imtcp
$InputTCPServerRun 514

## Add the following lines ##
$ModLoad ommysql
*.* :ommysql:127.0.0.1,rsysdb,rsyslog,centos
$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.1.0/24
A few of the lines above deserve explanation.
rsysdb – the database name
rsyslog – the database user
centos – that user's password. It now sits in cleartext in /etc/rsyslog.conf, which is world-readable by default on CentOS 6; run chmod 640 /etc/rsyslog.conf, since the daemon runs as root and will still read it.
*.* :ommysql:... – every message of every facility and priority is written to the database. On a busy network the SystemEvents table grows quickly; narrow the selector or prune old rows if that becomes a problem.
$AllowedSender – rsyslog accepts messages only from the listed sources (here localhost and 192.168.1.0/24), on UDP and on TCP; anything else is dropped. This is a source-address filter, and a UDP sender can forge its source address, so back it up with the host firewall and prefer TCP from clients where you can.
If the old sysklogd 'syslog' service is installed, stop and disable it so it does not compete with rsyslog for /dev/log and port 514.
[root@server ~]# /etc/init.d/syslog stop
[root@server ~]# chkconfig syslog off
Install LogAnalyzer
LogAnalyzer is a web front end for browsing rsyslog and other network event data. Download and unpack it; version 3.6.3 is used here, so check the download site for the current release.
[root@server ~]# wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.3.tar.gz
[root@server ~]# tar zxvf loganalyzer-3.6.3.tar.gz
Move the extracted package into your Apache document root.
[root@server ~]# mv loganalyzer-3.6.3/src/ /var/www/html/loganalyser
[root@server ~]# mv loganalyzer-3.6.3/contrib/* /var/www/html/loganalyser/
Make the two helper scripts executable and run configure.sh.
[root@server ~]# cd /var/www/html/loganalyser/
[root@server loganalyser]# chmod u+x configure.sh secure.sh
[root@server loganalyser]# ./configure.sh
configure.sh creates an empty config.php and makes it writable so that the web installer can fill it in. Once the web installation below is finished, run ./secure.sh from the same directory: it removes the write permission again, so the web server can no longer rewrite its own configuration.
Note: open the syslog port 514 (UDP and TCP) and the Apache port (80, or 443 if you serve LogAnalyzer over HTTPS) in your firewall or router. HTTP is TCP only, so no UDP rule is needed for port 80. On CentOS 6 add the rules to /etc/sysconfig/iptables above the final REJECT line of the INPUT chain, and consider limiting the 514 rules to the client subnet with -s 192.168.1.0/24 so the $AllowedSender filter is not the only thing keeping strangers out.
[root@server ~]# vi /etc/sysconfig/iptables
-A INPUT -p udp -m state --state NEW --dport 514 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 514 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
Restart the iptables service.
[root@server ~]# /etc/init.d/iptables restart
Disable SELinux. This is what the original recipe does, and it removes a layer of protection from the whole host. On anything other than a lab box, first check /var/log/audit/audit.log for denials and fix them with the relevant boolean (for Apache talking to MySQL that is setsebool -P httpd_can_network_connect_db on) before falling back to disabling it. Note that SELINUX=disabled in /etc/selinux/config only takes effect after a reboot; setenforce 0 switches the running system to permissive mode immediately.
[root@server ~]# vi /etc/selinux/config
SELINUX=disabled
Restart all services once again.
[root@server loganalyser]# service mysqld restart
[root@server loganalyser]# service httpd restart
[root@server loganalyser]# service rsyslog restart
Point your web browser to http://<ip-address-or-domain>/loganalyser and complete the rest of the installation there.
Click on ‘here’ link.
Click Next.
Click Next.
Click "Yes" under "User Database Options", enter the database user name, password and database name, and click Next.
Click Next.
Click Next.
Create a main (administrator) user for the LogAnalyzer console.
Select "MySQL Native" in the Source type drop-down box and enter the database name, database table name (SystemEvents), database user name and password. Click Next.
Double-check the database and table names: they are case sensitive. Refer to the screenshots.
You’re done. Click finish.
Enter the Main user account details.
The main console screen now opens with all log details. If it shows an error page instead, restart all services once again and look at /var/log/httpd/error_log for the cause.
Configure clients
Install rsyslog on the client systems and start the rsyslog service.
[root@client ~]# yum install rsyslog -y
[root@client ~]# /etc/init.d/rsyslog start
Starting system logger:
[root@client ~]# chkconfig rsyslog on
Open the rsyslog config file and add the rsyslog server's address at the end of the rules section. Two @ signs mean TCP (a single @ would send over UDP); both work with the server configuration above, but TCP is the better choice because the server can then trust the source address and no messages are silently lost. Use the server's IP or a resolvable host name; port 514 is the default. Either way the messages travel in cleartext on the wire.
[root@client ~]# vi /etc/rsyslog.conf
*.* @@192.168.1.200
Restart the rsyslog daemon.
[root@client ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@client ~]#
Now go to the server's LogAnalyzer console and check for the client's logs.
For more on configuring rsyslog to receive log messages from clients, refer to the rsyslog documentation.
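To confirm that the server-side pipeline (rsyslog to ommysql to the SystemEvents table) and the client forwarding just configured both work end to end, here is an added check script. It is my own example, not part of the original article or of the rsyslog or LogAnalyzer projects. It assumes the database name, user and password used in this article (rsysdb, rsyslog, centos; override them through the environment), that the mysql client, logger and netstat are present on the server, and that the host name a client puts in its syslog header is what ommysql stores in the FromHost column. The two-second wait before querying is an assumption about how quickly ommysql commits.

```sh
#!/bin/sh
# e2e_check.sh: verify that a syslog message reaches the SystemEvents table.
# Added example, not part of the original article. The defaults below are the
# credentials the article uses; set DB_NAME/DB_USER/DB_PASS if yours differ.
DB_NAME="${DB_NAME:-rsysdb}"
DB_USER="${DB_USER:-rsyslog}"
DB_PASS="${DB_PASS:-centos}"

# The query below is built by string concatenation, so restrict the marker
# and host name to a tight alphabet rather than trust whatever is passed in.
safe_token() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# A marker no earlier row can contain: sanitised host name plus epoch seconds.
make_marker() {
    hn=$(uname -n)
    hn=$(printf '%s' "$hn" | tr -c 'A-Za-z0-9._-' '_')
    printf 'rsyslog-e2e-%s-%s' "$hn" "$(date +%s)"
}

# Build the COUNT query for a marker, optionally restricted to the FromHost
# column (the host name the sending client put in the syslog header).
count_sql() {
    marker="$1"; fromhost="${2:-}"
    safe_token "$marker" || { echo "unsafe marker: $marker" >&2; return 1; }
    if [ -n "$fromhost" ]; then
        safe_token "$fromhost" || { echo "unsafe host: $fromhost" >&2; return 1; }
        printf "SELECT COUNT(*) FROM SystemEvents WHERE Message LIKE '%%%s%%' AND FromHost = '%s';" "$marker" "$fromhost"
    else
        printf "SELECT COUNT(*) FROM SystemEvents WHERE Message LIKE '%%%s%%';" "$marker"
    fi
}

# Run SQL from stdin through the mysql client. Credentials go into a 0600
# option file instead of the command line, so they never appear in `ps` or
# in the shell history. -N -s: no column header, bare value only.
run_mysql() {
    optfile=$(mktemp) || return 1
    chmod 600 "$optfile"
    printf '[client]\nuser=%s\npassword=%s\n' "$DB_USER" "$DB_PASS" > "$optfile"
    mysql --defaults-extra-file="$optfile" -N -s "$DB_NAME"
    rc=$?
    rm -f "$optfile"
    return $rc
}

# Interpret what the query returned: 0 = row found, 1 = no row,
# 2 = the client printed something that is not a number (query failed).
evaluate() {
    case "$1" in
        '' | *[!0-9]*) return 2 ;;
        0)             return 1 ;;
        *)             return 0 ;;
    esac
}

# True when `netstat -lntup` output shows a TCP or UDP listener on port 514.
listener_on_514() {
    grep -qE '^(tcp|udp)6?[[:space:]].*:514[[:space:]]'
}

# Server-side self test: log locally, give ommysql a moment, count the row.
check_local() {
    marker=$(make_marker)
    logger -t rsyslog-check "$marker"
    sleep 2
    n=$(count_sql "$marker" | run_mysql)
    evaluate "$n"
}

# Client side: emit the marker and print it so it can be looked up on the server.
send_from_client() {
    marker=$(make_marker)
    logger -t rsyslog-check "$marker"
    echo "$marker"
}

# Server side: look for a marker that a given client host name sent.
check_remote() {
    n=$(count_sql "$1" "$2" | run_mysql)
    evaluate "$n"
}

case "${1:-}" in
    local)  check_local ;;
    send)   send_from_client ;;
    remote) check_remote "$2" "$3" ;;
    listen) netstat -lntup 2>/dev/null | listener_on_514 ;;
esac
```

Run sh e2e_check.sh listen and then sh e2e_check.sh local on the server; an exit status of 0 means the message was found, 1 means it was not, 2 means the query itself failed (bad credentials or table name). For a client, run sh e2e_check.sh send on the client, which prints the marker, and then sh e2e_check.sh remote <marker> <client-hostname> on the server. The safe_token check matters because the marker and host name end up inside quoted SQL literals; the script refuses anything with a quote or other odd character instead of handing it to MySQL.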
Install and Configure Rsyslog in CentOS 6.4 / RHEL 6.4