
Install Centralized Syslog Server with Web Interface

Introduction
This document applies to Ubuntu 7.10 Server. It may work on other versions, but I have not tested them.
The PHP-Syslog-NG version used is 2.9.3l; the steps may also work with future versions.
You will need a syslog-ng daemon (it will be installed from the Ubuntu repositories).
You will also need the latest version of PHP-Syslog-NG, a log monitor designed to let the user quickly and easily manage logs from many hosts.
 
Initial Configuration of Ubuntu Server
Make sure your Ubuntu package index is up to date and all installed packages are upgraded to their latest versions.
 
# sudo apt-get update
# sudo apt-get upgrade
 
Installing & configuring syslog-ng daemon
syslog-ng is a flexible and scalable audit trail processing tool for organizations of any size. It provides a centralized, securely stored log of all devices on your network, whatever platform they run on, and incorporates a host of powerful features, including filtering based on message content, as well as customizable data mining and analysis capabilities.
 
I have installed syslog-ng from Ubuntu repositories.
 
# sudo apt-get install syslog-ng
 
Installing syslog-ng replaces the current klogd (kernel log) and syslogd daemons.
 
Configuration:
Default configuration file located at /etc/syslog-ng/syslog-ng.conf.
 
Now you need to adapt this file to your own needs.
The example below configures a UDP source so that messages can be received from remote hosts; this requires changes in the "source" and "options" sections.
 
Open /etc/syslog-ng/syslog-ng.conf in your favorite editor (mine is “joe”)
 
# sudo jmacs /etc/syslog-ng/syslog-ng.conf
 
Find:
        #Disable statistic log messages.
        stats_freq(0);
 
Replace with:
        #Enable statistic log messages.
        stats_freq(43200);
 
Find:
        # (this is equivalent to the "-r" syslogd flag)
        # udp();
 
Replace with:
        # (this is equivalent to the "-r" syslogd flag)
        udp();
 
Note that udp() with no arguments listens on 514/udp on every interface. UDP syslog is unauthenticated and the source address of a datagram is trivially spoofed, so restrict who can reach the port with a firewall, and if the server has several interfaces, bind the source to one address with the ip() and port() options of udp().
 
Find:
        # enable or disable DNS usage
        # syslog-ng blocks on DNS queries, so enabling DNS may lead to 
        # a Denial of Service attack
        # (default is yes)
        use_dns(no);
 
Replace with:
        # enable or disable DNS usage
        # syslog-ng blocks on DNS queries, so enabling DNS may lead to 
        # a Denial of Service attack
        # (default is yes)
        use_dns(yes);
        dns_cache(yes);
 
As the comment warns, with use_dns(yes) syslog-ng waits for a reverse lookup on every new source address, and a flood of messages from addresses with slow or missing PTR records can stall the whole daemon. dns_cache(yes) limits the damage; if you can live with IP addresses in the host column, leaving use_dns(no) in place is the more robust choice.
 
If you want to know more about sources, options, logs, filters, destination, go to: http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/index.html
 
Installing & configuring PHP-Syslog-NG
PHP-Syslog-NG is a front-end for viewing syslog-ng messages logged to MySQL in real time.
It features customized searches based on device, time, priority, message, and date.
 
How it works:
syslog-ng, once configured with the MySQL destination described later in this document, collects the messages from its various sources and inserts them into the MySQL database.
PHP-Syslog-NG, the front-end interface, then reads from the MySQL database whenever a search is run from the web interface.
 
First install the packages PHP-Syslog-NG needs:
# sudo apt-get install mysql-server
# sudo apt-get install apache2
# sudo apt-get install php5
# sudo apt-get install php5-cli
# sudo apt-get install libapache2-mod-php5
# sudo apt-get install php5-mysql
# sudo apt-get install php5-gd
# sudo apt-get install libice6
# sudo apt-get install msttcorefonts
 
Set the MySQL root password:
# mysql -u root
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('yourpassword');
 
A successful mysql command will show:
Query OK, 0 rows affected (0.00 sec)
 
For older versions (prior to 2.9.8), create a folder for PHP-Syslog-NG:
# sudo mkdir /usr/share/php-syslog-ng
# cd /usr/share/php-syslog-ng
 
For newer versions (2.9.8 and up) there is no need to create a folder; the archive extracts into its own directory:
# cd /usr/share
 
Download and extract PHP-Syslog-NG, then remove the downloaded archive (or move it out of this directory). wget saves the file under the name in the URL (current.tgz) unless the server supplies another name, so use whatever name the file was actually saved under:
# sudo wget http://php-syslog-ng.gdd.net/current.tgz
#
## Replace <version> with the version you downloaded (mine is 2.9.3l)
# sudo tar xzvf php-syslog-ng-<version>.tgz
# sudo rm php-syslog-ng-<version>.tgz
 
Give Apache write permission on the directories the installer needs (run this from /usr/share/php-syslog-ng, since the paths are relative). The quick way is world-writable permissions:
# sudo chmod 777 html/config/ html/jpcache/
A tighter alternative is to make the Apache user (www-data on Ubuntu) the owner of those two directories and grant write access to that user only (chown them to www-data and use mode 750 instead of 777), so that no other local user can tamper with the configuration or cache the web interface reads.
 
Make sure the PHP memory limit is at least 128M and the maximum execution time is at least 300 seconds.
Open /etc/php5/apache2/php.ini in your favorite editor (mine is "joe")
 
Find:
max_execution_time
Set it to at least 300
 
Find:
memory_limit
Set it to at least 128M
 
Make log directory:
# sudo mkdir -p /var/log/php-syslog-ng
 
Create the virtual host file for Apache:
# cd /etc/apache2/sites-available
# sudo jmacs php-syslog-ng
 
Here is an example virtual host file. Adjust ServerName and ServerAdmin to your own values. The web interface exposes every log line from every host, so consider narrowing "allow from all" to your administration network, and setting ServerSignature Off so that error pages do not advertise the Apache version:
<VirtualHost *>
    ServerName syslog.planetit.ws
    ServerAdmin alex@planetit.ws
 
    DocumentRoot /usr/share/php-syslog-ng/html
    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
 
    <Directory /usr/share/php-syslog-ng/html>
        # pcw No directory listings
        # Options Indexes FollowSymLinks MultiViews
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
 
    ErrorLog /var/log/apache2/php-syslog-ng-error.log
 
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
 
    CustomLog /var/log/apache2/php-syslog-ng-access.log combined
    ServerSignature On
</VirtualHost>
 
Enable apache virtual host:
# sudo a2ensite php-syslog-ng
 
Reload apache:
# sudo invoke-rc.d apache2 reload
 
In a web browser, open the web installer (http://<your_php-syslog-ng_url>/install)
 
Screen 1:
Make sure everything on the pre-installation check screen is green, if not, fix it before continuing!
Click next at the top right to begin the installation.
 
Screen 2:
Accept the license agreement
 
Screen 3:
Enter the MySQL root user's password
Leave everything else at the defaults unless you really need to change something (you may want to uncheck the "install sample data" box)
Click Next
Click OK to accept the notice about the CEMDB
Wait (be patient, the CEMDB takes a minute or two to populate)
 
Screen 4:
Enter a site name, eg: “PlanetIT Syslog Server”
Click Next
 
Screen 5:
Leave the default fields as they are unless necessary.
Enter an email address into the email field
Enter a password for the admin or leave the random one there (but write it down so you can get into the site).
Click Next
 
Screen 6:
Click the "View Site" button
 
Main Site:
Login using admin and the password you selected on screen 5
 
If you installed the sample data there will be a couple of entries; if not, you'll get an error message like this:
There appear to be no hosts in the Database yet
You can generate fake ones using scripts/dbgen.pl
 
Now go back to the terminal and change directory to /usr/share/php-syslog-ng/scripts:
# cd /usr/share/php-syslog-ng/scripts
 
Update all files with the correct path for your install using perl (the scripts ship with /www/php-syslog-ng as the installation path):
# sudo perl -i -pe 's/\/www\/php-syslog-ng/\/usr\/share\/php-syslog-ng/g' *
 
Open root’s crontab for editing:
# sudo crontab -e -u root
 
Copy & paste these lines into the crontab:
@daily php /usr/share/php-syslog-ng/scripts/logrotate.php >> /var/log/php-syslog-ng/logrotate.log
@daily find /usr/share/php-syslog-ng/html/jpcache/ -atime 1 -exec rm -f '{}' ';'
0,5,10,15,20,25,30,35,40,45,50,55 * * * * php /usr/share/php-syslog-ng/scripts/reloadcache.php >> /var/log/php-syslog-ng/reloadcache.log
 
Copy logrotate.d file:
# sudo cp /usr/share/php-syslog-ng/scripts/logrotate.d /etc/logrotate.d/php-syslog-ng
 
Edit /etc/syslog-ng/syslog-ng.conf for PHP-Syslog-NG specific configuration:
# sudo jmacs /etc/syslog-ng/syslog-ng.conf
 
Copy & paste these lines at the end of the syslog-ng.conf file you just opened. The user name, password and database (syslogadmin / syslogadmin / syslog) are the installer's defaults; use whatever you chose in the web installer. Two things to keep in mind: the password is passed on the mysql command line, so it is visible to any local user in the process list (a credentials file readable only by the user syslog-ng runs as, referenced with the mysql client's --defaults-file option, avoids that); and template-escape(yes) must stay, because it puts a backslash in front of every quote and backslash in the macro values, which is what keeps a log message containing a quote from terminating the INSERT's string literal and turning the rest of the message into SQL.
destination d_mysql {
    program("/usr/bin/mysql -usyslogadmin -psyslogadmin syslog"
    template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg)
    VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
    template-escape(yes));
};
 
log {
    source(s_all);
    destination(d_mysql);
};
 
Reload the syslog-ng daemon:
# sudo invoke-rc.d syslog-ng reload
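Why template-escape(yes) matters, as an added example (this is not code from the original page, nor from syslog-ng or PHP-Syslog-NG): the Python below renders the INSERT template from the d_mysql destination above for two constructed log messages, once with the macro values raw and once escaped the way template-escape(yes) escapes them (a backslash in front of every single quote, double quote and backslash), and counts how many ';'-terminated statements the mysql client reading syslog-ng's pipe would see. The host, program and message texts are constructed for the demonstration.

```python
"""Render the page's INSERT template with and without template-escape(yes).

Added example, not code from the original page or from syslog-ng/PHP-Syslog-NG.
The escaping rule mirrors what template-escape(yes) does to every macro value
(backslash before ' " and \\); the sample messages below are constructed."""

# The INSERT template from the syslog-ng.conf fragment, with the syslog-ng
# macros written as Python format fields.
TEMPLATE = (
    "INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) "
    "VALUES ( '{HOST}', '{FACILITY}', '{PRIORITY}', '{LEVEL}', '{TAG}', "
    "'{DATETIME}', '{PROGRAM}', '{MSG}' );\n"
)

# Constructed sample messages.  The second carries the payload an attacker can
# place in any field that ends up in syslog (a login name, a URL, ...).
BENIGN = {
    "HOST": "client1", "FACILITY": "auth", "PRIORITY": "warning", "LEVEL": "warning",
    "TAG": "24", "DATETIME": "2008-01-10 21:20:00", "PROGRAM": "sshd",
    "MSG": "Failed password for invalid user o'brien from 10.0.0.5 port 4022 ssh2",
}
HOSTILE = dict(BENIGN, MSG="x'); DROP TABLE logs; -- ")


def template_escape(value: str) -> str:
    """What template-escape(yes) does to each macro value: prefix the three
    characters that can terminate or confuse a quoted SQL literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def render(values: dict, escape: bool) -> str:
    """Expand the template as syslog-ng's program() destination would."""
    if escape:
        values = {k: template_escape(v) for k, v in values.items()}
    return TEMPLATE.format(**values)


def count_statements(sql: str) -> int:
    """Count the ';'-terminated statements a MySQL-style reader sees.  A ';'
    inside a quoted literal does not end a statement, and inside a literal a
    backslash escapes the next character (MySQL's default quoting rules)."""
    statements, quote, i = 0, None, 0
    while i < len(sql):
        c = sql[i]
        if quote:
            if c == "\\":
                i += 1              # skip the escaped character
            elif c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
        elif c == ";":
            statements += 1
        i += 1
    return statements


def demo() -> dict:
    """Statement counts for all four combinations: 1 means the message stayed
    inside its literal, 2 means the mysql client would run a second command,
    0 means the literal was never closed and the client is left waiting."""
    return {
        "benign_raw": count_statements(render(BENIGN, escape=False)),
        "benign_escaped": count_statements(render(BENIGN, escape=True)),
        "hostile_raw": count_statements(render(HOSTILE, escape=False)),
        "hostile_escaped": count_statements(render(HOSTILE, escape=True)),
    }


if __name__ == "__main__":
    for name, n in demo().items():
        print(f"{name:16} -> {n} statement(s)")
```

Without escaping, an ordinary message with an apostrophe leaves the INSERT's literal unterminated (the mysql client then swallows following lines into it), and a crafted message runs a second statement; with escaping both arrive as a single INSERT. Escaping only protects the INSERT: whatever lands in the msg column is still attacker-controlled text and must be treated as such wherever it is displayed.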
 
Configuring Client Machines:
In this example I will explain how to configure Linux machines to send all syslog messages to the remote syslog server. It will also help you check the remote syslog installation we just did.
This example works on most Linux machines with the default syslogd daemon installed.
You must do it with root privileges (in Ubuntu you can use "sudo" for this).
 
Edit /etc/syslog.conf:
# jmacs /etc/syslog.conf
 
Put this at the top of the syslog.conf file you just opened (the @ form sends every message over UDP to port 514 of the server):
*.*    @<your_syslog-ng_server>
Replace <your_syslog-ng_server> with your remote syslog-ng server's IP address or hostname.
 
Reload syslogd so the changes take effect (on Ubuntu, which ships the sysklogd package, the init script is /etc/init.d/sysklogd):
# /etc/init.d/syslog reload
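To check the installation end to end without touching a client's syslog.conf, here is an added example (not code from the original page, nor from syslog-ng or sysklogd) in Python. It builds the RFC 3164 datagrams that a "*.* @server" line makes syslogd send to the udp() source configured above, decodes them back into the columns the INSERT above writes, and can fire one test message at the collector. Host names, program names and message text are constructed; the facility names used for PRI codes 12 to 15 follow syslog-ng's naming and are an assumption.

```python
"""Build and decode RFC 3164 (BSD) syslog datagrams, the format a client with
'*.* @<server>' in syslog.conf sends to the udp() source.

Added example, not code from the original page or from syslog-ng/sysklogd.
Host, program and message text are constructed; send_test_message() is the
only part that needs a network (it sends one datagram to port 514/udp)."""
import re
import socket
import time

# Facility and severity names in PRI order.  0-11 and 16-23 are the classic
# BSD names; 12-15 follow syslog-ng's naming (assumption, rarely seen).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
_LINE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^\s:\[]+)(?:\[(\d+)\])?: ?(.*)$",
    re.S)


def build(facility, severity, host, program, msg, pid=None, epoch=None, utc=False):
    """Encode one message.  epoch/utc exist so tests get a fixed timestamp;
    a real client uses the current local time (epoch=None, utc=False)."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    tm = (time.gmtime if utc else time.localtime)(epoch)
    stamp = (f"{MONTHS[tm.tm_mon - 1]} {tm.tm_mday:2d} "
             f"{tm.tm_hour:02d}:{tm.tm_min:02d}:{tm.tm_sec:02d}")
    tag = f"{program}[{pid}]" if pid is not None else program
    return f"<{pri}>{stamp} {host} {tag}: {msg}".encode("utf-8")


def parse(datagram):
    """Decode a datagram into the columns the page's INSERT writes.  In
    syslog-ng $PRIORITY and $LEVEL both carry the severity name, $TAG is the
    PRI value as two hex digits; host, program and pid come from the header."""
    m = _LINE.match(datagram.decode("utf-8", "replace"))
    if not m:
        raise ValueError("not an RFC 3164 message")
    pri = int(m.group(1))
    if pri > 191:                   # 23 facilities * 8 + 7 is the maximum
        raise ValueError(f"PRI {pri} out of range")
    return {
        "facility": FACILITIES[pri >> 3],
        "level": SEVERITIES[pri & 7],
        "tag": f"{pri:02x}",
        "datetime": m.group(2),
        "host": m.group(3),
        "program": m.group(4),
        "pid": int(m.group(5)) if m.group(5) else None,
        "msg": m.group(6),
    }


def send_test_message(server, msg="php-syslog-ng test", port=514):
    """Fire one local0.info test message at the collector, then look for it
    in the web interface.  Returns the datagram that was sent."""
    datagram = build("local0", "info", socket.gethostname(), "logtest", msg)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (server, port))
    return datagram


if __name__ == "__main__":
    sample = build("auth", "warning", "client1", "sshd",
                   "Failed password for root from 10.0.0.5 port 4022 ssh2", pid=1234)
    print(sample)
    print(parse(sample))
```

Run send_test_message("<your_syslog-ng_server>") from any machine that can reach the collector and the message should appear in the web interface within the cache reload interval; if it does not, check the firewall on 514/udp before suspecting the MySQL destination.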
Source: http://www.planetit.ws