Reference: http://www.systeen.com

1) Install RSYSLOG

[root@hospitalone home]# wget http://rpms.adiscon.com/v8-stable/rsyslog.repo
--2018-08-02 14:21:39--  http://rpms.adiscon.com/v8-stable/rsyslog.repo
Resolving rpms.adiscon.com (rpms.adiscon.com)… 45.55.202.239
Connecting to rpms.adiscon.com (rpms.adiscon.com)|45.55.202.239|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 227
Saving to: ‘rsyslog.repo’

100%[=======================================================>] 227 --.-K/s in 0s

2018-08-02 14:21:40 (50.1 MB/s) - ‘rsyslog.repo’ saved [227/227]

[root@hospitalone home]# mv rsyslog.repo /etc/yum.repos.d/rsyslog.repo

[root@hospitalone home]# yum install rsyslog* --skip-broken

[root@hospitalone home]# systemctl enable rsyslog.service

[root@hospitalone home]# systemctl enable rsyslog.service
[root@hospitalone home]# systemctl enable rsyslog
[root@hospitalone home]# systemctl start rsyslog
[root@hospitalone home]# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2018-08-02 14:24:59 +07; 2min 20s ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 4770 (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─4770 /usr/sbin/rsyslogd -n

Aug 02 14:24:59 hospitalone.cattelecom.net systemd[1]: Starting System Logging Service…
Aug 02 14:24:59 hospitalone.cattelecom.net rsyslogd[4770]: environment variable TZ is not set, auto correcting this to TZ=/etc/…442 ]
Aug 02 14:24:59 hospitalone.cattelecom.net rsyslogd[4770]: warning: ~ action is deprecated, consider using the ‘stop’ statement…307 ]
Aug 02 14:24:59 hospitalone.cattelecom.net systemd[1]: Started System Logging Service.
Aug 02 14:24:59 hospitalone.cattelecom.net rsyslogd[4770]: warning: ~ action is deprecated, consider using the ‘stop’ statement…307 ]
Aug 02 14:24:59 hospitalone.cattelecom.net rsyslogd[4770]: [origin software=”rsyslogd” swVersion=”8.36.0″ x-pid=”4770″ x-info=…start
Hint: Some lines were ellipsized, use -l to show in full.

[root@hospitalone home]# tail -10 /var/log/messages
Aug 2 14:26:51 hospitalone systemd[1]: smb.service failed.
Aug 2 14:26:53 hospitalone nmbd[6920]: [2018/08/02 14:26:53.495222, 0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
Aug 2 14:26:53 hospitalone nmbd[6920]: *****
Aug 2 14:26:53 hospitalone nmbd[6920]:
Aug 2 14:26:53 hospitalone nmbd[6920]: Samba name server MYSERVER is now a local master browser for workgroup CLEARSYSTEM on subnet 192.168.99.1
Aug 2 14:26:53 hospitalone nmbd[6920]:
Aug 2 14:26:53 hospitalone nmbd[6920]: *****
Aug 2 14:27:09 hospitalone systemd[1]: Reloading.
Aug 2 14:27:54 hospitalone dnsmasq-dhcp[1182]: DHCPINFORM(enp6s0) 192.168.99.251 6c:3b:e5:14:7a:4f
Aug 2 14:27:54 hospitalone dnsmasq-dhcp[1182]: DHCPACK(enp6s0) 192.168.99.251 6c:3b:e5:14:7a:4f Pariwat-PDS

[root@hospitalone home]# cd /usr/share/doc/rsyslog-8.36.0/
[root@hospitalone rsyslog-8.36.0]# ls -ll
total 764
-rw-r--r-- 1 root root 501 May 4 16:37 AUTHORS
-rw-r--r-- 1 root root 707775 Jun 25 22:20 ChangeLog
-rw-r--r-- 1 root root 35146 May 4 16:37 COPYING
-rw-r--r-- 1 root root 9137 May 4 16:37 COPYING.ASL20
-rw-r--r-- 1 root root 7639 May 4 16:37 COPYING.LESSER
drwxr-xr-x 20 root root 4096 Aug 2 14:24 html
-rw-r--r-- 1 root root 1046 May 4 16:37 mysql-createDB.sql
-rw-r--r-- 1 root root 1088 May 4 16:37 pgsql-createDB.sql

[root@hospitalone rsyslog-8.36.0]# mysql -u root -p < /usr/share/doc/rsyslog-8.36.0/mysql-createDB.sql
Enter password:

[root@hospitalone rsyslog-8.36.0]# mysql -u root -p Syslog
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 87
Server version: 5.5.56-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

MariaDB [Syslog]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Syslog             |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)

MariaDB [Syslog]> show tables;
+------------------------+
| Tables_in_Syslog       |
+------------------------+
| SystemEvents           |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)

MariaDB [Syslog]> GRANT ALL ON Syslog.* TO rsyslogdbadmin@localhost IDENTIFIED BY 'YourPassword';
(GRANT ALL is broader than this account needs: the account rsyslog writes with only needs INSERT on Syslog.*, and a LogAnalyzer read account only needs SELECT. Replace 'YourPassword' with a strong, unique password; it will later be stored in plain text in the rsyslog and LogAnalyzer configuration files.)
Query OK, 0 rows affected (0.00 sec)

MariaDB [Syslog]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

MariaDB [Syslog]> exit
Bye

[root@hospitalone rsyslog-8.36.0]# mysql -u rsyslogdbadmin -p Syslog
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 212
Server version: 5.5.56-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

MariaDB [Syslog]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Syslog             |
+--------------------+
2 rows in set (0.00 sec)

MariaDB [Syslog]> show tables;
+------------------------+
| Tables_in_Syslog       |
+------------------------+
| SystemEvents           |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)

vi /etc/rsyslog.conf

Find and uncomment the following lines. This makes rsyslog listen on 514/udp and 514/tcp on every interface, and syslog over these listeners is unauthenticated, so restrict both ports to the client subnet with the host firewall.

Provides UDP syslog reception

$ModLoad imudp
$UDPServerRun 514

Provides TCP syslog reception

$ModLoad imtcp
$InputTCPServerRun 514

Add the following lines to create a template that stores the logs forwarded by the clients. Note that %HOSTNAME% and %PROGRAMNAME% are taken from the received message, so whoever can send to port 514 controls these path components; use the property replacer's secpath-replace option (for example %HOSTNAME:::secpath-replace%) so slashes in them cannot produce a path outside /var/log/client_logs.

$template TmplAuth, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"

authpriv.* ?TmplAuth
*.info;mail.none;authpriv.none;cron.none ?TmplMsg

[root@hospitalone log]# mkdir /var/log/client_logs
[root@hospitalone client_logs]# pwd
/var/log/client_logs

[root@hospitalone client_logs]# systemctl restart rsyslog

2) Install LogAnalyzer

[root@hospitalone home]# wget http://download.adiscon.com/loganalyzer/loganalyzer-4.1.3.tar.gz
--2018-08-02 15:02:12--  http://download.adiscon.com/loganalyzer/loganalyzer-4.1.3.tar.gz
Resolving download.adiscon.com (download.adiscon.com)… 138.201.116.127, 2a01:4f8:c17:44a6::2
Connecting to download.adiscon.com (download.adiscon.com)|138.201.116.127|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 1337332 (1.3M) [application/x-gzip]
Saving to: ‘loganalyzer-4.1.3.tar.gz’

100%[==============================================>] 1,337,332 336KB/s in 3.9s

2018-08-02 15:02:17 (336 KB/s) - ‘loganalyzer-4.1.3.tar.gz’ saved [1337332/1337332]

[root@hospitalone home]# tar zxvf loganalyzer-4.1.3.tar.gz
loganalyzer-4.1.3 loganalyzer-4.1.3.tar.gz pariwat.k
[root@hospitalone home]# pwd
/home

[root@hospitalone home]# ls -ll
total 1308
drwxrwxr-x 5 root root 90 Mar 26 2015 loganalyzer-4.1.3
-rw-r--r-- 1 root root 1337332 Mar 26 2015 loganalyzer-4.1.3.tar.gz

[root@hospitalone home]# cp -r loganalyzer-4.1.3/src/ /var/www/html/loganalyzer
[root@hospitalone home]# cp -r loganalyzer-4.1.3/contrib/* /var/www/html/loganalyzer/
[root@hospitalone home]# cd /var/www/html/loganalyzer/

[root@hospitalone loganalyzer]# chmod +x configure.sh secure.sh
[root@hospitalone loganalyzer]# ls -ll
-rw-r--r-- 1 root root 49 Aug 2 15:05 configure.sh
[root@hospitalone loganalyzer]# ls -ll
-rwxr-xr-x 1 root root 49 Aug 2 15:05 configure.sh

Run ./configure.sh. This creates a blank config.php file with write access so the browser-based setup can fill it in. Once that setup has completed, run the bundled ./secure.sh (made executable above) so config.php is no longer left writable by the web server.

[root@hospitalone loganalyzer]# ./configure.sh

http://192.168.99.1/loganalyzer (the setup wizard, the database credentials entered into it and later logins travel over plain HTTP here; restrict who can reach this URL or serve it over HTTPS)

[root@hospitalone log]# mkdir syslog
[root@hospitalone syslog]# pwd
/var/log/syslog

 
