Centralized Log Management with Rsyslog, Recording in MySQL DB, Viewing and Querying in Web UI - By Raja Antony

Why Rsyslog?

For centralized logging. Collecting logs centrally is a prerequisite if you want your logs to stay intact: an attacker who gains root on a host can edit or delete the local log files, but cannot touch the copies that were already shipped to another machine. Plain log files, however, are hard to query once you have more than a handful of hosts. Because of this, we configure rsyslog to write events to a MySQL database and put a web interface with filters in front of it, so the logs can be reviewed and searched without logging in to each console.

Rsyslog Installation

Installing rsyslog on Ubuntu is easy:

 #aptitude install rsyslog
 #aptitude install rsyslog-doc
All configuration is placed in the /etc/rsyslog.conf file or in files found under the /etc/rsyslog.d directory.
  • Configuration structure: configuration files are structured in the following manner:

    • Modules
    • Global directives
    • Filter rules
  • Rsyslog Server configuration:
 #vim /etc/rsyslog.conf
Local logging functionality is provided by the imuxsock plug-in (enabled by default); imklog adds the kernel's messages.

$ModLoad imuxsock
$ModLoad imklog
On the server, assuming you are running rsyslog, you accept messages from the network by enabling the appropriate input module and specifying the port to be used:
$ModLoad imudp
$UDPServerRun 514

$ModLoad imtcp
$InputTCPServerRun 514

Both listeners accept anything from anyone: classic syslog has no authentication, and with UDP the source address can be forged outright, so any host that can reach port 514 can inject fake events or flood the server. Prefer TCP (messages are not dropped silently), restrict the port with a firewall to the hosts that are supposed to send, and where possible use rsyslog's TLS support (the gtls network stream driver, package rsyslog-gnutls) so that clients are authenticated by certificate and the traffic is encrypted in transit.

Rsyslog provides a flexible system to specify the output formats. It is template-based. A template with the traditional syslog format looks as follows:

$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

Note that %HOSTNAME% is the host name carried inside the message, i.e. whatever the sender claimed. The %fromhost% and %fromhost-ip% properties hold the peer rsyslog actually received the message from, which is the value to rely on when a sender could lie about its name.

Now we have the right template, but how to write it to a file? You probably have a line like this in your rsyslog.conf (the leading "-" tells rsyslog not to sync the file after every write):

*.* -/var/log/messages.log;TraditionalFormat


Writing syslog messages to MySQL

Install the MySQL output module for rsyslog, the MySQL server and the PHP MySQL binding (the last one is needed later by LogAnalyzer):

#apt-get install rsyslog-mysql mysql-server php5-mysql

While installing you will be prompted for a password for the MySQL user rsyslog will write as; the package creates the Syslog database and its tables for you. Enter the details and remember them. Next, the server should load the output module ommysql and be configured to connect to the database. If you create the database by hand instead (the schema is createDB.sql, shipped with the ommysql plugin), grant the rsyslog account only what ommysql actually uses, which is INSERT; it never reads or updates rows. Its configuration should be similar to the following:

#service mysql start
#mysql -u root -p
mysql> GRANT INSERT ON Syslog.* TO rsyslog@localhost IDENTIFIED BY 'password';
mysql> \q
#vim /etc/rsyslog.conf
$ModLoad ommysql
*.* :ommysql:localhost,Syslog,rsyslog,password
[*.* :ommysql:database-server,database-name,database-userid,database-password]
#restart rsyslog

Two notes. The database password sits in clear text in this file, so keep it readable by root only (on Ubuntu the package writes this action into /etc/rsyslog.d/mysql.conf, which needs the same protection). And do not pass the MySQL root password on the command line as -p<password>: it ends up in the shell history and is visible in the process list to every user on the box; let mysql prompt for it instead.

Now check your database:

#mysql -u root -p
mysql> show databases;
mysql> USE Syslog;
mysql> show tables;
mysql> DESCRIBE SystemEvents;
mysql> select * from SystemEvents;

If everything is configured properly you can see all your log messages here. Generate a few log messages with the logger command: in one terminal follow the local log file, in a second one send a test message, then look for it in the database.

#tail -f /var/log/messages
#logger system rebooted

Check the timestamps of the entries and whether they are being logged into the database or not.
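The checks above can also be done, and taken further, directly in SQL. The following is an added example, not code from the original page: it assumes the stock createDB.sql schema that rsyslog-mysql installs (table SystemEvents with the columns FromHost, ReceivedAt, DeviceReportedTime, Priority, SysLogTag and Message, plus SystemEventsProperties), and the account names and passwords are placeholders. It starts with the least-privilege grants that the single GRANT above can be replaced with, one write-only account for rsyslog and one read-only account for the web UI, and then shows the kind of queries a central log database is for.

```sql
-- Least-privilege accounts. ommysql only ever INSERTs, so the collector
-- account needs nothing else; LogAnalyzer only reads, so it gets SELECT.
-- 'rsyslog_pw' and 'viewer_pw' are placeholders, as is the viewer name.
CREATE USER 'rsyslog'@'localhost' IDENTIFIED BY 'rsyslog_pw';
GRANT INSERT ON Syslog.SystemEvents           TO 'rsyslog'@'localhost';
GRANT INSERT ON Syslog.SystemEventsProperties TO 'rsyslog'@'localhost';
CREATE USER 'loganalyzer'@'localhost' IDENTIFIED BY 'viewer_pw';
GRANT SELECT ON Syslog.* TO 'loganalyzer'@'localhost';
FLUSH PRIVILEGES;

USE Syslog;

-- The default schema has no index on the columns every query below filters
-- on; without these, each query scans the whole table.
CREATE INDEX idx_receivedat ON SystemEvents (ReceivedAt);
CREATE INDEX idx_fromhost   ON SystemEvents (FromHost);

-- 1. Did the "logger system rebooted" test message arrive, and with what
--    timestamps? DeviceReportedTime is what the sending host claimed,
--    ReceivedAt is when the collector stored it; a large gap means clock
--    skew on the client or messages held in the client's disk queue.
SELECT ID, FromHost, DeviceReportedTime, ReceivedAt,
       TIMESTAMPDIFF(SECOND, DeviceReportedTime, ReceivedAt) AS delay_s,
       SysLogTag, Message
  FROM SystemEvents
 WHERE Message LIKE '%system rebooted%'
 ORDER BY ID DESC
 LIMIT 5;

-- 2. Failed SSH password attempts per reporting host in the last hour,
--    showing only hosts above a threshold.
SELECT FromHost, COUNT(*) AS failures
  FROM SystemEvents
 WHERE SysLogTag LIKE 'sshd%'
   AND Message LIKE '%Failed password%'
   AND ReceivedAt >= NOW() - INTERVAL 1 HOUR
 GROUP BY FromHost
HAVING failures >= 10
 ORDER BY failures DESC;

-- 3. Hosts that have gone quiet. This is the signal only a central server
--    can give you: an intruder's first move is often to stop the local
--    syslog daemon, and a host that stops reporting is worth a look.
SELECT FromHost, MAX(ReceivedAt) AS last_seen
  FROM SystemEvents
 GROUP BY FromHost
HAVING last_seen < NOW() - INTERVAL 15 MINUTE;

-- 4. Everything at severity err (3) or worse in the last day, newest first.
--    Priority holds the syslog severity: 0 = emerg ... 7 = debug.
SELECT ReceivedAt, FromHost, Priority, SysLogTag, Message
  FROM SystemEvents
 WHERE Priority <= 3
   AND ReceivedAt >= NOW() - INTERVAL 1 DAY
 ORDER BY ReceivedAt DESC;
```

Query 3 is the one worth running from cron: a host that normally logs every few minutes and suddenly produces nothing is either down or has had its logging tampered with, and the database is the only place that question can be answered once the host itself is no longer trustworthy.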
  • Clients Setup:
#apt-get install rsyslog

First, you need to create a working directory for rsyslog. This is where it stores its queue (spool) files should the need arise, i.e. while the server is unreachable. You may use any location on your local system (on Ubuntu the default is /var/spool/rsyslog), but it must be writable by rsyslog and, because queued messages are written there in the clear, it should not be world-readable. There is nothing else to do. With the following simple config file, you forward anything you receive to a remote server and have disk buffering applied automatically when it goes down. The $ActionQueue directives apply to the next action only, so they must come directly before the forwarding rule. This must be done on the client machine; note that the file is /etc/rsyslog.conf, not /etc/syslog.conf:

#vim /etc/rsyslog.conf
$ModLoad imuxsock    # local message reception
$WorkDirectory /rsyslog/work       # location for work (spool) files
$ActionQueueType LinkedList       # use asynchronous processing
$ActionQueueFileName srvrfwd    # set file name, also enables disk mode
$ActionResumeRetryCount -1       # infinite retries on insert failure
$ActionQueueSaveOnShutdown on  # save in-memory data if rsyslog shuts down

*.* @@server:port

A single @ before the host (@host:port) forwards via UDP, a double @@ (@@host:port) forwards via TCP. Use TCP: a disk queue is pointless if the transport itself drops messages silently, and UDP also lets anyone spoof your client's address.
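The server listener section above and the client forwarding config just shown describe the transport. The following is an added example, not configuration from the original page, of the two ends configured together in the same legacy directive syntax the page uses, with the plaintext UDP listener left in (commented out) beside its TLS replacement. Everything under /etc/rsyslog-tls/, the example.com names and port 6514 (the registered port for syslog over TLS) are assumptions; the gtls driver needs the rsyslog-gnutls package, and the certificates have to be issued by a CA you control, which is not covered here.

```conf
# ===== Server: /etc/rsyslog.d/remote.conf =====
$ModLoad imuxsock
$ModLoad imklog

# Weak setting from the page: plaintext UDP, no sender authentication.
# Any host that can reach the port can inject or spoof messages.
#$ModLoad imudp
#$UDPServerRun 514

# Corrected: TCP wrapped in TLS, clients authenticated by certificate name.
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog-tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog-tls/server-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-tls/server-key.pem

$ModLoad imtcp
# mode 1 = TLS only, no plaintext fallback on this listener
$InputTCPServerStreamDriverMode 1
# verify the client certificate and check its name against the peer list
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.com
$InputTCPServerRun 6514

# One file per sending host and program, so a noisy host cannot bury
# another host's entries. %HOSTNAME% is the name the client sent.
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
$template RemoteFile,"/var/log/remote/%HOSTNAME%/%programname%.log"
*.* ?RemoteFile;TraditionalFormat

# ===== Client: /etc/rsyslog.d/forward.conf =====
$ModLoad imuxsock
$WorkDirectory /var/spool/rsyslog

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog-tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog-tls/client-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-tls/client-key.pem

# the client verifies the server certificate too, so a rogue collector
# cannot silently swallow the logs
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer logserver.example.com

# disk-assisted queue: survives server outages and client reboots,
# capped so a long outage cannot fill the client's disk
$ActionQueueType LinkedList
$ActionQueueFileName srvrfwd
$ActionQueueMaxDiskSpace 1g
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
*.* @@logserver.example.com:6514
```

With x509/name on both sides a stolen client certificate still lets an attacker send messages, but only from a name in the permitted-peer list and only as that identity, which is a much smaller problem than the open UDP port; revoking that certificate at the CA closes it.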



LogAnalyzer - WebUI


The LogAnalyzer project provides an easy to use but powerful frontend for searching, reviewing and analyzing syslog, event log and many other event sources.
  • HOWTO install LogAnalyzer
To install LogAnalyzer, you need:

* Apache
* PHP5

#apt-get install apache2
#apt-get install php5
#apt-get install libapache2-mod-php5
#/etc/init.d/apache2 restart 

Now install LogAnalyzer. It's pretty easy.
#wget http://download.adiscon.com/loganalyzer/loganalyzer-3.0.1.tar.gz
#tar -xvzf loganalyzer-3.0.1.tar.gz
#mkdir -p /var/www/loganalyzer

Copy all files from the loganalyzer-3.0.1/src/ folder to your web server directory. The other files are not needed on the web server.

#cp -R loganalyzer-3.0.1/src/* /var/www/loganalyzer

Copy the scripts configure.sh and secure.sh from the contrib folder into the same folder on the web server, set the execution flag on them and run ./configure.sh. This creates a blank config.php and makes it writable by everyone, which the web-based installer needs in order to write the configuration. You can of course do this manually if you want.

#cp loganalyzer-3.0.1/contrib/configure.sh loganalyzer-3.0.1/contrib/secure.sh /var/www/loganalyzer/
#cd /var/www/loganalyzer
#chmod +x configure.sh secure.sh
#./configure.sh

Now open your LogAnalyzer installation in your favourite web browser. You will see an error and be pointed to the installation script, which guides you through the LogAnalyzer installation; just follow the instructions. When it asks for the database source, give it a MySQL account that has only SELECT on the Syslog database, not root and not the account rsyslog writes with. Once the installer has finished, run ./secure.sh in the same folder: it takes back the world-writable permission configure.sh put on config.php, which now contains the database credentials. Finally, remember that this page exposes every host's logs: put it behind authentication (LogAnalyzer's own user management or Apache auth) and serve it over HTTPS.

Some Related Links for more information


Check Tomcat log files (catalina.out)

tail -f /usr/share/tomcat5/logs/catalina.out

Colorful output in the Linux console

pink (magenta):

echo -e "\033[35m hello world\033[0m"

light blue (cyan) is 36m; the foreground colors are 30 - 37, so increase the number and test the different colors. The trailing \033[0m resets the attributes, otherwise the color sticks for everything printed afterwards.

Set background color

Use the same format with the numbers 40 - 47.

How to Configure a Local Apt-Cacher Server for an Intranet -- Raja Arulappagari

Server Installation:

1. Install apt-cacher and the apache2 web server

#apt-get install apt-cacher apache2

2. Enable apt-cacher

Edit /etc/default/apt-cacher and change AUTOSTART to 1 (this starts the cache server automatically at boot).

#vi /etc/default/apt-cacher


3. Restart the apache server

#/etc/init.d/apache2 restart

4. Restart the apt-cacher server

#/etc/init.d/apt-cacher restart

Now test your apt-cacher server. Go to a remote machine on your network, open your browser and enter the hostname or IP address of the apt-cacher server:

#firefox http://<hostname-or-ip>/apt-cacher

Sometimes that does not work; then try apt-cacher's own daemon, which listens on port 3142:

#firefox http://<hostname-or-ip>:3142/apt-cacher



On each client, create a small script that enables the proxy only while the cache server answers, so apt falls back to a direct connection when the cache is down.

#vi /root/check-apt-cacher.sh

#!/bin/bash
. /lib/lsb/init-functions
log_daemon_msg "Configuring APT cache proxy" "(based on SERVER_NAME_HERE's reachability)"
if ping -c 1 SERVER_NAME_HERE &> /dev/null; then
    # cache server is reachable: point apt at it
    echo "Acquire::http::Proxy \"http://SERVER_NAME_HERE:3142\";" > /etc/apt/apt.conf.d/01SERVER_NAME_HEREproxy
else
    # cache server is down: drop the proxy setting so apt goes direct
    rm -f /etc/apt/apt.conf.d/01SERVER_NAME_HEREproxy
fi
log_end_msg 0


(Note: Replace SERVER_NAME_HERE with the IP address or hostname of the apt-cacher server.)
save and quit
#chmod +x /root/check-apt-cacher.sh
#crontab -e
*/1 * * * * /bin/bash /root/check-apt-cacher.sh
save and quit
This script will run every minute (*/1); you can change that as you see fit.
You're done.
How It Works

On every client machine in our network we point apt at the apt-cacher server as an HTTP proxy through a file in the /etc/apt/apt.conf.d/ directory. When anyone on the network downloads packages with apt-get, the request goes to the cache server first, which looks in its cache folder, /var/cache/apt-cacher/packages. If the package is not there, it is downloaded from the internet, kept in the cache folder and passed on to the client (regardless of which version of Ubuntu the client is running; packages are cached by their repository URL, so different releases do not collide). The next person who installs the same package gets it straight from the cache instead of hitting the internet every time, which saves bandwidth. Note that apt still verifies the signatures on the Release files it fetches through the proxy, so the cache cannot substitute modified packages unnoticed; what a proxy can do is serve stale package lists, so keep the cache server itself updated and monitored.
(Note: I installed the apt-cacher server on Ubuntu 9.04 and accessed it from clients running Ubuntu 9.04 and Ubuntu 10.04. I installed a few packages on the client side which neither the client nor the server had. The new package was fetched from the internet and kept in the apt-cacher cache directory.)

KVM vs VMware: what to choose?

I choose KVM

1) Cost is high in VMware and KVM is free

2) Ease of Deployment: ease of installation is the same in
both KVM and VMware, both are very easy, but in VMware
you need to add licensing etc.

3) Speed: a lot of online research showed KVM-based machines are more responsive than VMware.

4) VMware machines can be managed via the Infrastructure Client or SSH; KVM can be managed from a CLI client, the command line, SSH or through the Enomaly web interface.

Working with the OpenNebula CLI (the OpenNebula CLI is available only on the front-end)

1) Adding a new host to the compute cluster

onehost create <hostname> im_kvm vmm_kvm tm_nfs

Note that im_mad, vmm_mad and tm_mad should in our case be im_kvm, vmm_kvm and tm_nfs respectively, as we configured them in /etc/one/oned.conf.

Also note that the Information Manager needs to collect resource availability (CPU and memory) information from the host we have added. This requires:

• the oneadmin user on the front-end to be able to ssh to the host without entering a password (test this on the front-end with: sudo -u oneadmin ssh oneadmin@<hostname>)
• for this to work, copy the contents of /var/lib/one/.ssh/id_rsa.pub on the front-end into /var/lib/one/.ssh/authorized_keys on the host

Type onehost list to check the status.

Notice the value of the STAT column (the last one). If it is 'on', the host has been successfully added to the compute cluster:

0 0 200 198 198 1800340 1341620 on

Look into /var/log/one/oned.log on the front-end for debugging.
Once a host has been successfully added, use onehost disable/enable to toggle its status.

2) Submitting a new virtual machine job

In order to provision a virtual machine in the compute cluster we need to construct a template and submit it using

onevm create