Help me I'm a noob

General discussions here

Moderator: rgerhards

Postby CTPM » Wed Jul 30, 2008 4:04 pm

Hi,
I've successfully installed rsyslog and phpsyslogCon, but I still don't understand how to add sources (or destinations).
For example, I want to centralize all my logs (first coming from a Nagios server and a Fortinet firewall) onto my syslog server, so how do I have to configure it?
CTPM
Avarage
 
Posts: 16
Joined: Tue Jul 29, 2008 9:01 am


Re: Help me I'm a noob

Postby rgerhards » Wed Jul 30, 2008 4:26 pm

I have no specifics of the configuration, but when you installed phpLogCon, a wizard should have started and asked you a couple of questions, among them to create sources. Did it do that?
rgerhards
Site Admin
 
Posts: 2196
Joined: Thu Feb 13, 2003 11:57 am

Re: Help me I'm a noob

Postby alorbach » Wed Jul 30, 2008 4:38 pm

The installation routine will at least help you to add one source.
I recommend that you install the new UserDB System as well (Which requires at least phpLogCon 2.5.x from here: http://www.phplogcon.org/downloads).
There you can add/remove and configure sources within the Admin Center.

best regards,
Andre Lorbach
alorbach
Site Admin
 
Posts: 1029
Joined: Thu Feb 13, 2003 11:55 am

Re: Help me I'm a noob

Postby CTPM » Thu Jul 31, 2008 8:52 am

rgerhards wrote:I have no specifics of the configuration, but when you installed phpLogCon, a wizard should have started and asked you a couple of questions, among them to create sources. Did it do that?

Nothing like this, just a step where the wizard asks me for the path of the syslog file (/var/log/syslog), which I had to create.

alorbach wrote:The installation routine will at least help you to add one source.
I recommend that you install the new UserDB System as well (Which requires at least phpLogCon 2.5.x from here: http://www.phplogcon.org/downloads).
There you can add/remove and configure sources within the Admin Center.

best regards,
Andre Lorbach


I'll try, but my objective is to put syslog messages into a mysql db.
CTPM
Avarage
 
Posts: 16
Joined: Tue Jul 29, 2008 9:01 am

Re: Help me I'm a noob

Postby CTPM » Thu Jul 31, 2008 9:23 am

Okay, the install works, I've got version 2.5.1 with a MySQL db, so if I want to add an external source, what do I have to do?
CTPM
Avarage
 
Posts: 16
Joined: Tue Jul 29, 2008 9:01 am

Re: Help me I'm a noob

Postby CTPM » Thu Jul 31, 2008 9:38 am

Well, I've found the AdminCenter, so I can add sources, but I don't understand: if I want to add external sources, shouldn't I have to indicate an IP address?
CTPM
Avarage
 
Posts: 16
Joined: Tue Jul 29, 2008 9:01 am

Re: Help me I'm a noob

Postby alorbach » Thu Jul 31, 2008 9:46 am

First of all, you need to set up rsyslog to log into a MySQL database. This article should help to set this up:
http://www.rsyslog.com/doc-rsyslog_mysql.html

Then as a next step you can add a new source within the admin center, sourcetype "MYSQL Native". You have to configure the database access properties then. Once you have added this new source, you will be able to select and switch to this source in the "Show Events" view.

best regards,
Andre Lorbach
alorbach
Site Admin
 
Posts: 1029
Joined: Thu Feb 13, 2003 11:55 am

Re: Help me I'm a noob

Postby CTPM » Thu Jul 31, 2008 11:27 am

Code:
*.*       :ommysql:database-server,database-name,database-userid,database-password


Okay, do I have to create a new database or use the one created for phplogcon?

edit: and for database-server, the name of the server, localhost, or IP address?

edit: I'm a fucking noob,

Code:
In many cases, MySQL will run on the local machine. In this case, you can simply use "127.0.0.1" for database-server. This can be especially advisable, if you do not need to expose MySQL to any process outside of the local machine. In this case, you can simply bind it to 127.0.0.1, which provides a quite secure setup. Of course, also supports remote MySQL instances. In that case, use the remote server name (e.g. mysql.example.com) or IP-address. The database-name by default is "syslog". If you have modified the default, use your name here. Database-userid and -password are the credentials used to connect to the database. As they are stored in clear text in rsyslog.conf, that user should have only the least possible privileges. It is sufficient to grant it INSERT privileges to the systemevents table, only. As a side note, it is strongly advisable to make the rsyslog.conf file readable by root only - if you make it world-readable, everybody could obtain the password (and eventually other vital information from it). In our example, let's assume you have created a MySQL user named "syslogwriter" with a password of "topsecret" (just to say it bluntly: such a password is NOT a good idea...). If your MySQL database is on the local machine, your rsyslog.conf line might look like in this sample:

    *.*       :ommysql:127.0.0.1,Syslog,syslogwriter,topsecret
CTPM
Avarage
 
Posts: 16
Joined: Tue Jul 29, 2008 9:01 am
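
Added example, not part of the original posts and not rsyslog's own code: a small Python check for the two points made in the documentation text quoted in the post above (the database password sits in clear text in rsyslog.conf, and the database user should hold only INSERT on the systemevents table). It assumes the legacy `:ommysql:` action syntax shown in the thread; the function names and the sample file are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Legacy action line: <selector> :ommysql:server,database,userid,password
OMMYSQL_RE = re.compile(r"^\s*(?P<selector>\S+)\s+:ommysql:(?P<params>.+?)\s*$")


def parse_ommysql_actions(text):
    """Return one dict per ommysql action line; the password is never kept."""
    actions = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out action
        m = OMMYSQL_RE.match(line)
        if not m:
            continue
        fields = m.group("params").split(",", 3)  # password may contain commas
        if len(fields) != 4:
            continue  # skip lines that lack one of the four fields
        server, database, user, _password = (f.strip() for f in fields)
        actions.append({"line": lineno, "selector": m.group("selector"),
                        "server": server, "database": database, "user": user})
    return actions


def audit_conf(path):
    """List findings for a config file that carries ommysql credentials."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        actions = parse_ommysql_actions(fh.read())
    findings = []
    if not actions:
        return findings
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: mode {mode:o} lets non-owners read the database password")
    for a in actions:
        findings.append(f"line {a['line']}: confirm '{a['user']}' holds only INSERT "
                        f"on the systemevents table of '{a['database']}'")
    return findings


if __name__ == "__main__":
    # Constructed sample input, using the example line from the thread.
    sample = "# constructed sample\n*.*       :ommysql:127.0.0.1,Syslog,syslogwriter,topsecret\n"
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as tmp:
        tmp.write(sample)
    os.chmod(tmp.name, 0o644)  # world-readable: the setup the documentation advises against
    print("\n".join(audit_conf(tmp.name)))
    os.unlink(tmp.name)
```

The permission finding disappears once the file is restricted to its owner (for the real file, `chmod 600 /etc/rsyslog.conf` with root as owner); the privilege reminder stays, since the grants can only be verified on the database server.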

Re: Help me I'm a noob

Postby CTPM » Thu Jul 31, 2008 2:59 pm

Mokay, apparently the rsyslogd daemon doesn't want to start, I don't know why: I used the init script which was in the tarball (redhat directory, rsyslog.init), put into /etc/init.d/ as rsyslogd, all paths look fine, so it does not work more.
CTPM
Avarage
 
Posts: 16
Joined: Tue Jul 29, 2008 9:01 am

Re: Help me I'm a noob

Postby alorbach » Thu Jul 31, 2008 3:12 pm

Rainer is currently not available to help with this issue. I am not so deep within the rsyslog material.
However, I would say this page may help with debugging rsyslog startup problems:
http://www.rsyslog.com/doc-debug.html
alorbach
Site Admin
 
Posts: 1029
Joined: Thu Feb 13, 2003 11:55 am

Re: Help me I'm a noob

Postby CTPM » Thu Jul 31, 2008 4:09 pm

When I use "rsyslog -c3", it works.
CTPM
Avarage
 
Posts: 16
Joined: Tue Jul 29, 2008 9:01 am

Re: Help me I'm a noob

Postby rgerhards » Fri Aug 01, 2008 7:13 am

Sorry, I have no idea about startup scripts. Which distro are you using it on? Is there a package available for it? If not, I suggest you check a distro-specific forum for how to start up services. Also, the rsyslog mailing list has helped with such cases in the past - there are some people with distro-specific knowledge on it...

HTH
Rainer
rgerhards
Site Admin
 
Posts: 2196
Joined: Thu Feb 13, 2003 11:57 am
