Setup Syslog with LogAnalyzer on Ubuntu Server

In this post I will cover:
1) Setting up a syslog server to log messages from local and remote sources.
2) Setting up a GUI front end showing syslog items.

I’ve done this on both Ubuntu Server 10.04 and 12.04.

First we need to install the prerequisites. All of them come straight from the Ubuntu repositories.

apt-get install build-essential apache2 php5 php5-gd libapache2-mod-php5 mysql-server php5-mysql rsyslog

Edit /etc/rsyslog.conf and uncomment or add the following. This will set the server to accept inbound syslog messages on UDP port 514. Keep in mind that UDP syslog is neither authenticated nor encrypted, so any host that can reach port 514 can inject log lines; restrict the port with a firewall to the devices that should be sending logs. Restart rsyslog after editing the file so the change takes effect.

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

Next, since LogAnalyzer is written in PHP, we need to tell Apache how to handle .php pages. Edit /etc/apache2/apache2.conf and add the following underneath “DefaultType None”:

DefaultType text/plain
AddType application/x-httpd-php .php

Note: If this step is not done properly, the browser will prompt you to save the file when you load the syslog web page, instead of Apache executing the PHP and returning the page. Restart Apache after changing the configuration.

Now on to LogAnalyzer.
Download the latest release from the Adiscon web site at http://loganalyzer.adiscon.com/downloads. The file and directory names in the commands below must match the version you actually downloaded.

cd /opt
wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.2.tar.gz

Unzip and extract the file.

gunzip loganalyzer-3.5.6.tar.gz 
tar -xvf loganalyzer-3.5.6.tar 

Copy the contents of the LogAnalyzer src/ folder into the Apache www root or a subfolder, copy the helper scripts from contrib/, make them executable, and run the configure script. It’s important to run configure.sh from the same directory that holds the LogAnalyzer PHP files, because it creates the writable config.php that the web installer fills in. Once the web installer has finished, run ./secure.sh from that same directory to make config.php read-only again.

mkdir /var/www/syslog
cp -r /opt/loganalyzer-3.5.6/src/* /var/www/syslog
cp -r /opt/loganalyzer-3.5.6/contrib/*.sh /var/www/syslog
chmod +x /var/www/syslog/*.sh
cd /var/www/syslog/
./configure.sh

Grant Apache read access to the log files. On Ubuntu /var/log/syslog is owned by root:adm, so adding www-data to the adm group is enough. The -a flag appends the group instead of replacing the user’s existing supplementary groups; restart Apache afterwards so the running worker processes pick up the new membership.

usermod -a -G adm www-data

Use a web browser to hit the new web service at http://SERVERNAME/syslog/index.php. The page will report that the service is not configured yet and point you to the installer. Follow the steps to set up your syslog front end.
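As an added example that is not part of the original post, here is a small POSIX shell script that checks the three settings this procedure depends on (UDP reception in rsyslog.conf, www-data in the adm group, and the PHP handler in apache2.conf) against files you point it at, so it can be dry-run on constructed copies before the real /etc files. The function names and the sample files are my own.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# LogAnalyzer/rsyslog setup. Each function takes a file path so it can be
# run against constructed copies as well as the live /etc files.

# 0 when FILE has both UDP directives active (a leading '#' means commented out).
check_rsyslog_udp() {
  grep -Eq '^[[:space:]]*\$ModLoad[[:space:]]+imudp' "$1" &&
  grep -Eq '^[[:space:]]*\$UDPServerRun[[:space:]]+514' "$1"
}

# 0 when USER is listed as a member of GROUP in an /etc/group-style file.
# Usage: in_group GROUPFILE GROUP USER
in_group() {
  awk -F: -v g="$2" -v u="$3" '
    $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
    END { exit (found ? 0 : 1) }' "$1"
}

# 0 when FILE maps .php to the PHP handler (Apache directives are case-insensitive),
# which is what stops Apache from serving the PHP source as a download.
check_php_handler() {
  grep -Eiq '^[[:space:]]*AddType[[:space:]]+application/x-httpd-php[[:space:]]+\.php' "$1"
}

# Dry run on constructed sample files that mirror the tutorial's settings.
demo() {
  tmp=$(mktemp -d)
  printf '# provides UDP syslog reception\n$ModLoad imudp\n$UDPServerRun 514\n' > "$tmp/rsyslog.conf"
  printf 'adm:x:4:syslog,www-data\nwww-data:x:33:\n' > "$tmp/group"
  printf 'DefaultType text/plain\nAddType application/x-httpd-php .php\n' > "$tmp/apache2.conf"
  check_rsyslog_udp "$tmp/rsyslog.conf" && echo "rsyslog: UDP 514 reception enabled"
  in_group "$tmp/group" adm www-data && echo "www-data is in adm, can read /var/log/syslog"
  check_php_handler "$tmp/apache2.conf" && echo "apache: .php handled by PHP"
  rm -rf "$tmp"
}

demo
```

To check the live server, call the functions with /etc/rsyslog.conf, /etc/group and /etc/apache2/apache2.conf instead of the sample files.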


16 Responses to Setup Syslog with LogAnalyzer on Ubuntu Server

  1. Shaun Mcgill says:

    I have run through your tutorial Setup Syslog with LogAnalyzer on Ubuntu Server. Once I got to the end I tried to go to http://localhost/syslog/index.php with both Chrome and Firefox, but instead of opening the page it downloads the file. Have you encountered this before, and how do you rectify it?

    Thanks,
    Shaun

    • Mike says:

      Sounds like you don’t have the application handler for php setup correctly. Make sure you added this section as explained above:

      DefaultType text/plain
      Addtype application/x-httpd-php .php

      You also want to be sure you have all the prereqs installed, including all the php items.

    • andy says:

      Hey, I have encountered the same problem, and what you need to do is
      just restart the web server after you make a configuration change.

      like “/etc/init.d/apache2 restart”.

  2. kaushik says:

    Your tutorial is so nice. And is there any chance to configure the client side on another system, using “log analyzer” as the main server?

  3. Sunil says:

    Hello Mike,

    I have installed the syslog and LogAnalyzer successfully. But now I am not able to find any option to add more devices in LogAnalyzer, so that I can analyze the logs of my other hosts like firewall, router, switch etc. Do you have any idea how to set up other devices?

    • Mike says:

      The syslog merely collects data. You need to configure each device (firewall, router, etc) to send syslog data to this server you just setup. Each device is different, but most will have the option to send syslog data to a remote server.

  4. Sunil says:

    Hello Mike,

    I know I have to configure my device to send syslog data to the syslog server. But I would like to know whether I have to configure device-related configuration on my syslog server or not. If yes, then what are the steps to do that?

    • Mike says:

      With this tutorial, there is no ‘device specific’ config on the server. The syslog daemon will accept any messages sent to it and add them to the log.

      • Tu Pham says:

        Hello Mike,

        So with this tutorial the syslog server can get its own log only.

        How can we get syslog from other equipment in the system?

        thanks!
        Tu

  5. Tu Pham says:

    The tutorial is very good! thanks Mike!

    I think there is a typo here. Just change index.php -> install.php

    sure it works

    http://SERVERNAME/syslog/index.php.

  6. AndreaP says:

    Thank you for this tutorial: 5 minutes and the server was up and running…

    Thank you Again!

  7. fayaz says:

    Dear Mike,

    In this method I am unable to create the user database in step 3 of the LogAnalyzer setup. Is there a simple way to add the user to the MySQL privilege list?

    • Mike says:

      You can add MySQL users in the MySQL shell. As an example:
      GRANT ALL PRIVILEGES ON my_database.* TO 'my_user'@'localhost' IDENTIFIED BY 'my_password' WITH GRANT OPTION;

  8. Vita says:

    Hi Mike!
    Great tutorial, I was up and running in 10 minutes, all my servers and ASAs are now logged on this server. I am now just trying to work out how to show more than 2 days of data in the logs. They always end at 06:44:00 the day before. If you could just point me to a configuration file or DB table or something.
    Thank you
    Vita

  9. GMF says:

    I am trying this out on Ubuntu 14.04 with all prereqs installed, and in my /etc/apache2/apache2.conf the “DefaultType None” does not exist.

    thx,
    GMF

  10. Marc says:

    @GMF

    Quick and dirty solution.
    Move the /var/www/syslog directory to the /var/www/html directory
    “cp -r /var/www/syslog /var/www/html”

    With a browser go to /syslog/install.php

    Greetz
    Marc
