Gentoo Wiki

HOWTO_Setup_PHP-Syslog-NG

This article is part of the HOWTO series.


Introduction

System logs are very important for the continued health of your system. They provide a standard location to find errors, information, debug messages, and alerts. They can be used for diagnosis in order to prevent problems, and they are a valuable resource for troubleshooting.

PHP-syslog-NG is a front-end for viewing syslog-ng messages logged to MySQL in real-time. It features customized searches based on device, priority, message, and date.

For more information, visit the official PHP-Syslog-NG Web site.

Requirements

Installation

Currently, app-admin/phpsyslogng is masked with the ~ppc64 and ~x86 keywords. You'll need to add the package to /etc/portage/package.keywords in order to install it.

# echo "app-admin/phpsyslogng" >> /etc/portage/package.keywords
# emerge -av phpsyslogng

If you don't wish to add xml, zlib and mysql to the USE line of your /etc/make.conf, you'll need to at the very least set them for this emerge.

# USE="mysql xml zlib" emerge -av phpsyslogng

Configuration

There just had to be a configuration section, didn't there? There are several files that need to be edited to get this working. This article assumes that everything is installed in the default locations. You'll have to adjust the paths according to your individual setup. If you set the vhosts USE flag, you'll need to run webapp-config before continuing.

PHP-syslog-NG

You will need to set passwords for the database users DBUSERPW and DBADMINPW.

File: /var/www/localhost/htdocs/phpsyslogng/config/config.php
...
//========================================================================
// BEGIN: DATABASE CONNECTION INFO
//========================================================================
// DBUSER is the name of the basic user.
define('DBUSER', 'sysloguser');

// DBUSERPW is DBUSER's database password.
define('DBUSERPW', 'password');

// DBADMIN is the name of the admin user.
define('DBADMIN', 'syslogadmin');

// DBADMINPW is DBADMIN's database password.
define('DBADMINPW', 'password');

// DBNAME is the name of the database you are using.
define('DBNAME', 'syslog');

// DBHOST is the host where the MySQL server is running.
define('DBHOST', 'localhost');

// DBPORT is the port where the MySQL server is listening.
// The default port is 3306.
define('DBPORT', '3306');
//========================================================================
// END: DATABASE CONNECTION INFO
//========================================================================
...

Because this file contains passwords in plain text, you should change the permissions and ownership so that only one user can read it, in this case apache. Apache needs to be able to read this file, and the apache user shouldn't have shell access.

# chown apache:apache /var/www/localhost/htdocs/phpsyslogng/config/config.php
# chmod 400 /var/www/localhost/htdocs/phpsyslogng/config/config.php

Syslog-NG

Copy and paste the following sample configuration to /etc/syslog-ng/syslog-ng.conf. Be sure to set the password for syslogfeeder. This configuration file will also receive syslog events from other computers. If you don't need this then remove udp(); and tcp();.

File: /etc/syslog-ng/syslog-ng.conf
# syslog-ng conf file for use with phpsyslog-ng
source src {
  unix-stream("/dev/log" max-connections(256));
  internal();
  file("/proc/kmsg");
  tcp();
  udp();
};

log {
  source(src);
  destination(d_mysql);
};

destination d_mysql {
  program("/usr/bin/mysql --reconnect -f -T --user=syslogfeeder --password=PASSWORD syslog >> /var/log/db_log.log 2>&1" 
  template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC','$PROGRAM', '$MSG' );\n") template-escape(yes));
};

Since the password is stored in plain text, you should make it so that root is the only user who can read and write to this file.

# chmod 600 /etc/syslog-ng/syslog-ng.conf

Earlier configurations used a pipe to get the messages to the database; this is no longer needed. With the above configuration, messages go directly to the database. Errors go to /var/log/db_log.log for troubleshooting.
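The command string given to program() is run through sh, so the --password= argument shows up in the process list even when syslog-ng.conf itself is mode 600. The following is an added example, not part of the original article, that moves the password into a MySQL option file; the path /etc/syslog-ng/mysql-feeder.cnf and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumption: the option file lives at /etc/syslog-ng/mysql-feeder.cnf.

# write_feeder_cnf FILE PASSWORD
# Create a MySQL option file that only its owner can read. The password
# must not contain a double quote or backslash, since it is written quoted.
write_feeder_cnf() {
    cnf=$1
    pw=$2
    rm -f "$cnf"
    ( umask 077
      printf '[client]\nuser=syslogfeeder\npassword="%s"\n' "$pw" > "$cnf" )
}

# feeder_command FILE
# Print the command string for program(). mysql only honours
# --defaults-extra-file when it is the first option on the command line.
feeder_command() {
    printf '/usr/bin/mysql --defaults-extra-file=%s --reconnect -f -T syslog >> /var/log/db_log.log 2>&1\n' "$1"
}

# inline_password_lines CONF
# Print "line:text" for every non-comment line that still passes a
# password as an argument; exit status 0 when at least one is found.
inline_password_lines() {
    sed 's/#.*//' "$1" | grep -n -e '--password='
}

# Usage, as root:
#   write_feeder_cnf /etc/syslog-ng/mysql-feeder.cnf 'the-feeder-password'
#   feeder_command /etc/syslog-ng/mysql-feeder.cnf   # paste into program("...")
#   inline_password_lines /etc/syslog-ng/syslog-ng.conf
```

The template(...) and template-escape(yes) parts of the destination stay as they are; only the quoted command string changes.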

MySQL

Bet you're wondering when those passwords you've edited are actually going to be applied. They get set and applied in this step. In the # create users section, put a password in for all 3 users, syslogfeeder, sysloguser and syslogadmin. They must be the same as in the previous steps.

File: /var/www/localhost/htdocs/phpsyslogng/scripts/dbsetup.sql
...
# create users
INSERT INTO user (Host, User, Password) VALUES ('localhost','sysloguser', password('password'));
INSERT INTO db (Host, Db, User) VALUES ('localhost','syslog','sysloguser');

INSERT INTO user (Host, User, Password) VALUES ('localhost','syslogfeeder', password('password'));
INSERT INTO db (Host, Db, User) VALUES ('localhost','syslog','syslogfeeder');

INSERT INTO user (Host, User, Password) VALUES ('localhost','syslogadmin',password('password'));
INSERT INTO db (Host, Db, User) VALUES ('localhost','syslog','syslogadmin');
COMMIT;
FLUSH PRIVILEGES;
...

Create the tables and users with this command:

# mysql -u root -p < /var/www/localhost/htdocs/phpsyslogng/scripts/dbsetup.sql

Once you're done with this step, you should do one of three things because it contains the passwords in plain text: edit the passwords back to the original password, delete this file or change the permissions.

# chown root:root /var/www/localhost/htdocs/phpsyslogng/scripts/dbsetup.sql
# chmod 600 /var/www/localhost/htdocs/phpsyslogng/scripts/dbsetup.sql

Syslog-ng INIT Script

Since syslog-ng now needs MySQL when it starts, add mysql to the need line of the syslog-ng INIT script.

File: /etc/init.d/syslog-ng
...
depend() {
  # Make networking dependency conditional on configuration
  case $(sed 's/#.*//' /etc/syslog-ng/syslog-ng.conf) in
    *source*tcp*|*source*udp*|*destination*tcp*|*destination*udp*)
    need net mysql
    use stunnel ;;
  esac
...

Start the service and add it to the default run level, if it hasn't already been done.

# /etc/init.d/syslog-ng start
# rc-update add syslog-ng default

If you do a ps -ae you should see 3 processes, syslog-ng, sh and mysql. If there was a database connection problem, sh and mysql will be missing. See Troubleshooting.

Apache Configuration

Now to set up the host, so that you can actually access the program from your browser. The following configuration sample will allow all machines on the local area network to access PHP-syslog-NG. You can change the Allow from 192.168.1 to Allow from localhost or any other IP address or hostname you wish. If you aren't using virtual hosts, then you can just copy the setting within the VirtualHost tags to /etc/apache2/httpd.conf. Additionally, you'll need to edit your /etc/hosts or C:\WINDOWS\system32\drivers\etc\hosts files to point phpsyslogng to the computer running Apache.

File: /etc/apache2/vhosts.d/00-default_vhost.conf
<VirtualHost *:80>
  ServerName    phpsyslogng
  DocumentRoot  /var/www/localhost/htdocs/phpsyslogng/

  <Directory /var/www/localhost/htdocs/phpsyslogng/>
    Order deny,allow
    Allow from 192.168.1
    Deny from All
    Options ALL
  </Directory>
</VirtualHost>

At this point, check that it all works by pointing a browser at http://phpsyslogng/ and logging in. The default username and password are admin/admin. You should change this password now to check that user management is working.

Cron Script

Log rotation is easily done. PHP-syslog-NG has included a handy little script. You just need to copy it and change the permissions:

# cp /var/www/localhost/htdocs/phpsyslogng/scripts/logrotate.php /etc/cron.monthly/
# chmod 700 /etc/cron.monthly/logrotate.php

And edit the file so that $APP_ROOT matches the location of where you install PHP-syslog-NG:

File: /etc/cron.monthly/logrotate.php
...
$APP_ROOT = '/var/www/localhost/htdocs/phpsyslogng';
...

Although it will prematurely rotate your logs, you should test the script to ensure that it's working properly.

# php /etc/cron.monthly/logrotate.php

Congratulations! You now have a central location and easy way to parse through all of your log entries.

Optional Steps

PHP Sessions

This setting will apply to all sites using PHP. Only use it if you understand the implications, or in fact want sessions at all. It seems to work OK without this anyway.

Find and change this value; in PHP 5.2.1-r3 this was on line 966:

File: /etc/php/apache2-php5/php.ini
session.save_path = "/var/www/localhost/"

Other Backends

If you want to connect to different databases http://www.vermeer.org/display_doc.php?doc_id=1 may be of help to you.

Windows Hosts

If you want to log messages from Windows hosts, then you'll need the Eventlog to Syslog Utility from Purdue University, and you'll need udp(); in your syslog-ng.conf source to receive these events.

Polish Characters

If you are using Polish characters on Windows machines, you need to add a conversion like the one below to results.php:

File: results.php
// 5th column: Spit out the MSG field
// Map the escaped character codes to plain letters before display.
$row['msg'] = strtr($row['msg'], array("37777777645" => "A", "37777777671" => "a", "37777777752" => "e",
"37777777677" => "z", "37777777663" => "l", "37777777761" => "n", "37777777634" => "s"));
echo    "<td>".htmlspecialchars($row['msg'])."</td>";

Troubleshooting

Try all the steps separately.

Connection to database

First of all try your connection to the database:

# /usr/bin/mysql --user=syslogfeeder --password=PASSWORD

SQL-Statement Check

To capture the generated SQL statements so that you can try them directly in the database, alter the config like this:

File: syslog-ng.conf
## Log syslog-ng to mysql database (DEBUG MODE)
##
destination d_mysql {
  file("/var/log/syslog2mysql.log"
    template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
    template-escape(yes));
};

log {
  # src is the source defined in the sample syslog-ng.conf above
  source(src);
  destination(d_mysql);
};

You get something like this in the log file (/var/log/syslog2mysql.log):

INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) VALUES ( 'linux', 'syslog', 'notice', 'notice', '2d', '2008-06-23', '08:17:52', 'syslog-ng', 'syslog-ng[6337]: syslog-ng starting up; version=\'2.0.5\'' );

Just try these SQL-Statements in the database to debug your installation:

# /usr/bin/mysql --user=syslogfeeder --password=PASSWORD 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 911
Server version: 5.0.44 Gentoo Linux mysql-5.0.44

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>  INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) VALUES ( 'linux', 'syslog', 'notice', 'notice', '2d', '2008-06-23', '08:17:52', 'syslog-ng', 'syslog-ng[6337]: syslog-ng starting up; version=\'2.0.5\'' );
Query OK, 1 row affected (0.00 sec)

In this example everything worked fine.

In most cases the database layout and the template in syslog-ng.conf don't fit together.
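One way to check for this mismatch, as an added example that is not part of the original article: extract the column list from the template's INSERT statement and report any column the logs table does not have. The function names are this example's own, and the table layout in demo is constructed to match the datetime template from the Syslog-NG section, so the debug template's date and time columns are reported.

```shell
#!/bin/sh
# Added example, not from the original article.

# template_columns CONF
# Print the columns named in the template's "INSERT INTO logs (...)"
# clause, one per line, with comments ignored.
template_columns() {
    sed 's/#.*//' "$1" |
        sed -n 's/.*INSERT INTO logs (\([^)]*\)).*/\1/p' |
        tr ',' '\n' | tr -d ' \t' | sort -u
}

# unknown_columns CONF COLUMNS_FILE
# Print template columns that are missing from the table; exit status 0
# when at least one is missing. On a live system COLUMNS_FILE can be made with:
#   mysql -N -e 'SHOW COLUMNS FROM logs' syslog | cut -f1
unknown_columns() {
    template_columns "$1" | grep -v -x -F -f "$2"
}

# Demo on constructed input: an assumed table layout with a datetime
# column, checked against the debug template, which uses date and time.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' host facility priority level tag datetime program msg \
        > "$tmp/columns"
    cat > "$tmp/debug.conf" <<'EOF'
## Log syslog-ng to mysql database (DEBUG MODE)
destination d_mysql {
  file("/var/log/syslog2mysql.log"
    template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) VALUES ( '$HOST' );\n")
    template-escape(yes));
};
EOF
    unknown_columns "$tmp/debug.conf" "$tmp/columns"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```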

More Information

Retrieved from "http://www.gentoo-wiki.info/PHP-Syslog-NG"

Last modified: Sun, 22 Jun 2008 20:28:00 +0000 Hits: 63,339