Php-syslog-ng
From rsyslog wiki
Using php-syslog-ng with rsyslog
php-syslog-ng is a web-based application for displaying, searching and generating reports from log entries stored in a MySQL database. The rsyslog configuration only needs a small tweak to insert the log information into MySQL in the form php-syslog-ng expects.
Another useful feature of php-syslog-ng is that it passes its search parameters in the URL, so custom searches (say, certain levels of logs from certain machines) can be bookmarked in your browser.
Installing php-syslog-ng
The php-syslog-ng application could be installed on the same machine that runs rsyslog; for security reasons, however, it should be run on a separate machine that queries the MySQL database over the network. That way a compromise of the web application does not expose the log host itself, its log files or the rsyslog configuration holding the database password.
In order to install and use php-syslog-ng you'll need apache and php on the system.
- Step by step install instructions - ignore the parts about configuring syslog-ng
All you need to do is create an empty database; the php-syslog-ng installation process will populate it with several tables. The most important one is the 'logs' table. Its structure follows:
| Field name | Type | Allow nulls? | Key | Default value |
| host | varchar(128) | Yes | Indexed | |
| facility | varchar(10) | Yes | Indexed | |
| priority | varchar(10) | Yes | Indexed | |
| level | varchar(10) | Yes | None | |
| tag | varchar(10) | Yes | None | |
| datetime | datetime | Yes | Indexed | |
| program | varchar(15) | Yes | Indexed | |
| msg | text | Yes | None | |
| seq | bigint(20) unsigned | No | Primary | auto_increment |
Note the short columns: a tag longer than 10 characters or a program name longer than 15 is truncated (with a warning) by MySQL in its default mode and rejected outright, losing the whole row, when MySQL strict mode is on. Check the program column for hosts with long-named daemons rather than assuming every line arrived intact.
Sample rsyslog configuration
/etc/rsyslog.d/mysql.conf (set to readable only by root, since it contains the database password)
# on rsyslog 3 and later the MySQL output is a loadable module and must be loaded first
$ModLoad ommysql
# write out all log entries to the database, formatted for php-syslog-ng
$template syslog-ng,"insert into logs(host, facility, priority, level, tag, datetime, program, msg) values ('%hostname%', '%syslogfacility-text%', '%pri-text%', '%syslogseverity-text%', '%syslogtag%', '%timereported:::date-mysql%', '%programname%', '%msg%')", SQL
*.* >mysqlhostname,dbname,dbusername,dbpassword;syslog-ng
For example, if the MySQL server is on the same machine that runs rsyslog, the database is named rsyslog, the user created to write to it is rsyslog and the password is 'secretpass', then the last line would be
*.* >localhost,rsyslog,rsyslog,secretpass;syslog-ng
Apart from the comments, the file contains only the $ModLoad line (rsyslog 3 and later), the $template definition and the *.* action. The entire $template definition must be on one line, and %programname% must be quoted like the other values, because program is a varchar column. Separate $template from syslog-ng, and *.* from >mysqlhostname..., with whitespace (one or two tabs by convention; rsyslog also accepts spaces). The trailing SQL option makes rsyslog escape single quotes and backslashes in each property before substituting it into the statement; it is what keeps a log message containing a quote from closing its string literal and becoming SQL, so never leave it off (use STDSQL instead for a server that does not treat backslash as an escape character).
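What the trailing SQL option on the $template buys you, as an added example (not code from the rsyslog wiki, from rsyslog or from the php-syslog-ng project): the script below renders the page's INSERT with rsyslog's MySQL-style escaping (SQL), with standard doubling of quotes (STDSQL) and with no escaping at all, and executes the last two against an in-memory SQLite table so the effect of a message text containing a quote is visible. It assumes the page's property names (with %timereported:::date-mysql% already formatted as a string) and uses constructed sample values. SQLite stands in for MySQL, which is why only the STDSQL variant is executed: MySQL's backslash escaping is only safe on a server that honours backslashes, and SQLite does not.

```python
"""Render the php-syslog-ng INSERT the way rsyslog's $template does.

Added example, not code from the rsyslog wiki, rsyslog or php-syslog-ng.
Assumptions: the property names are those of the page's template, with
%timereported:::date-mysql% already formatted as a string; sqlite3 stands in
for MySQL, so only the standard quoting (rsyslog's STDSQL option) is executed
here, while the MySQL-style SQL option is only rendered.
"""
import sqlite3

# Column list and value order, as in the page's $template.
COLUMNS = ("host", "facility", "priority", "level", "tag", "datetime", "program", "msg")
PROPERTIES = ("hostname", "syslogfacility-text", "pri-text", "syslogseverity-text",
              "syslogtag", "timereported", "programname", "msg")

# Constructed sample properties for one sshd message (not real log data).
SAMPLE = {
    "hostname": "web1",
    "syslogfacility-text": "auth",
    "pri-text": "auth.info",
    "syslogseverity-text": "info",
    "syslogtag": "sshd[4242]:",
    "timereported": "2009-03-01 12:00:00",
    "programname": "sshd",
    "msg": "Accepted publickey for bob from 10.0.0.5",
}
# Same message, but the text (which any remote sender controls) tries to
# close the literal and append a second statement.
CRAFTED = dict(SAMPLE, msg="x'); drop table logs; -- ")


def escape_sql(value):
    """rsyslog's SQL template option: MySQL-style, backslash-escape \\ and '.

    Only safe on a server that treats backslash as an escape (MySQL's
    default); SQLite does not, so this variant is never executed below.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escape_stdsql(value):
    """rsyslog's STDSQL template option: standard SQL, double every '."""
    return value.replace("'", "''")


def render_insert(props, mode="stdsql"):
    """Build the INSERT for the logs table.

    mode is "sql", "stdsql" or "none" (the option forgotten: raw property
    text goes into the statement).  Every value, including programname, is
    quoted; program is a varchar column, so an unquoted %programname% would
    be a syntax error.
    """
    esc = {"sql": escape_sql, "stdsql": escape_stdsql, "none": lambda v: v}[mode]
    values = ", ".join("'" + esc(props[p]) + "'" for p in PROPERTIES)
    return "insert into logs(%s) values (%s)" % (", ".join(COLUMNS), values)


def store(props, mode):
    """Run the rendered statement against a throwaway logs table.

    executescript() is used deliberately: like a server handed the whole
    string, it runs a second statement if the message text manages to close
    the literal.  Returns the stored (program, msg) rows, or None if the
    logs table no longer exists afterwards.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "create table logs(host text, facility text, priority text, level text,"
        " tag text, datetime text, program text, msg text,"
        " seq integer primary key autoincrement)")
    db.executescript(render_insert(props, mode) + ";")
    table = db.execute(
        "select count(*) from sqlite_master where type='table' and name='logs'"
    ).fetchone()[0]
    if not table:
        return None
    return db.execute("select program, msg from logs").fetchall()


if __name__ == "__main__":
    print(render_insert(SAMPLE, "sql"))
    print("stdsql, normal message :", store(SAMPLE, "stdsql"))
    print("no escaping, crafted   :", store(CRAFTED, "none"))    # None: table dropped
    print("stdsql, crafted        :", store(CRAFTED, "stdsql"))  # stored verbatim
```

Run as a script, the unescaped crafted message drops the table while the STDSQL rendering stores the text verbatim as one row. The escaping must match the server: keep SQL for MySQL and STDSQL for a standards-compliant server, and pick one or the other, never neither.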
Configuring the server for remote log receipt
In order for the rsyslog server to receive log entries from remote hosts, it must be started with the -r514 and -t514 options (assuming you are using the default port 514 and want to receive messages on both UDP and TCP). On rsyslog 3 and later these command-line switches are deprecated in favour of the input modules configured in rsyslog.conf: $ModLoad imudp with $UDPServerRun 514, and $ModLoad imtcp with $InputTCPServerRun 514. Plain syslog carries no authentication, so anything that can reach the port can insert entries into the database; use $AllowedSender (for example $AllowedSender UDP, 10.0.0.0/8) to limit which hosts are accepted.
If you are running an iptables firewall on this host, also remember to open UDP and TCP port 514, ideally only from the addresses of your log clients.
Configuring clients
Linux clients: to have a Linux system send its logs to the rsyslog/php-syslog-ng server, add this line to the end of the /etc/syslog.conf file (or /etc/rsyslog.conf if the client runs rsyslog):
*.* @rsysloghostname
The single @ sends over UDP, which is all classic syslogd supports; rsyslog clients can use @@rsysloghostname to send over TCP instead, which is why the server above listens on both. You may want to adjust the selector so that only certain facilities or levels of messages are sent to the rsyslog server. Bear in mind that syslog over UDP is unencrypted, can be lost on the way and can be spoofed by anyone on the network path.
Windows clients: there are a number of applications that will let a Windows machine send its event log entries to a syslog/rsyslog server. Purdue University has produced an open source application called EvtSys that does this quite nicely. For a very solid and feature-rich option, have a look at Adiscon's MonitorWare for Windows, from the same people who write rsyslog (these tools also provide funding for the rsyslog project).
Links:
- Rsyslog documentation page for using php-syslog-ng - slightly out of date - template is slightly incorrect
- Discussion thread about display of priorities
References:
- Old php-syslog-ng site
- Current Google Code project page
- Freshmeat project page for php-syslog-ng
- rsyslog forums
Alternatives:
- phplogcon - from the same people who develop rsyslog
- Personal commentary: having tried both php-syslog-ng and phplogcon - I personally like the organization and display of php-syslog-ng better - though phplogcon is potentially more powerful