May 14, 2010
 

The installation process is a little simpler with Ubuntu 10.04 LTS, as rsyslog is already integrated.
You'll notice that the installation process is almost the same as the old one.

You will need the Centreon-Syslog installation files. Please go to http://forge.centreon.com/ and register. You'll be able to download the sources after that:

http://forge.centreon.com/projects/list_files/centreon-syslog

Download the stable release (at the time of writing, it was version 1.2.1). After getting the frontend and server files, transfer them to your server with WinSCP or any other tool you like.

WinSCP is available as a setup or a portable version: http://winscp.net/eng/download.php

Personally, I prefer the portable one.

Once the transfer is done, we will start with the installation process:

Centreon-Syslog

tar xvzf centreon-syslog-server-1.1.tar.gz
cd centreon-syslog-server-1.1
sudo bash install.sh -i

Use the default settings and paths. When you are asked for account credentials, use these:

MySQL password: mysqlcentaccess03
database name: syslog
user: syslogadmin
password: syslogpasswd03

RSyslog

sudo aptitude install rsyslog-mysql -y

Do not create any database.

Edit the rsyslog configuration file:

sudo nano /etc/rsyslog.conf

Insert these parameters at the beginning of the file to enable UDP and TCP input:

$ModLoad ommysql
$AllowedSender UDP, 127.0.0.1, 192.168.0.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24

Of course, replace 192.168.0.0 with your own network address.

Uncomment these lines so that they read:

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

At the end of the file, add the template and the selector that redirect log events into your database:

$template sysMysql,"INSERT INTO logs (host,facility, priority,level,tag,datetime,program,msg) VALUES ('%HOSTNAME%','%syslogfacility%','%syslogpriority-text%','%syslogseverity-text%','%syslogtag%', '%timereported:::date-mysql%','%programname%', '%msg%')", SQL

*.=notice;mail.*;\
       *.=crit;*.=err;\
       *.=warning >127.0.0.1,syslog,syslogadmin,syslogpasswd;sysMysql
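To make the template and selector above concrete, here is a small Python model, added for this page and not code from the post, from rsyslog or from Centreon, of what rsyslog does with one received message: the selector decides whether the message reaches the ommysql action, and the template with its `SQL` option renders the INSERT with MySQL-style escaping of quotes and backslashes in every property. The host name, tag, message and timestamp in RECORD are constructed sample data; the facility table and the property handling (programname cut from the tag at `[` or `:`) are simplifications of rsyslog's property replacer.

```python
"""Added example (not from the post, rsyslog or Centreon): a simplified model of how
rsyslog turns one message into the INSERT of the sysMysql template and of the selector."""
import re
from datetime import datetime

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_CODES = {n: i for i, n in enumerate(["kern", "user", "mail", "daemon", "auth",
                  "syslog", "lpr", "news", "uucp", "cron", "authpriv", "ftp"])}
FACILITY_CODES.update({"local%d" % i: 16 + i for i in range(8)})

def parse_template(line):
    """Split a legacy `$template NAME,"TEXT",OPTIONS` directive into its three parts."""
    name, text, opts = re.match(r'\$template\s+(\w+)\s*,\s*"([^"]*)"\s*(?:,\s*(\S+))?', line).groups()
    return name, text, (opts or "").lower().split(",")

def selector_matches(selector, facility, severity):
    """sysklogd-style selector: `=x` is exactly x, bare `x` is x and anything more severe, `*` all."""
    enabled = set()
    for term in re.sub(r"\\\n\s*", "", selector).split(";"):  # join the '\' continuation lines
        facs, prio = term.strip().split(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "*":
            enabled |= set(SEVERITIES)
        elif prio.startswith("="):
            enabled.add(prio[1:])
        else:
            enabled |= set(SEVERITIES[:SEVERITIES.index(prio) + 1])
    return severity in enabled

def render(template_line, rec):
    """Fill the %property% placeholders; with the `SQL` option each value is escaped first."""
    _, text, opts = parse_template(template_line)
    escape = (lambda v: v.replace("\\", "\\\\").replace("'", "\\'")) if "sql" in opts \
        else (lambda v: v)  # no option: raw values, so a quote in a message breaks the statement
    props = {"HOSTNAME": rec["host"], "syslogfacility": str(FACILITY_CODES[rec["facility"]]),
             "syslogpriority-text": rec["severity"], "syslogseverity-text": rec["severity"],
             "syslogtag": rec["tag"], "programname": re.split(r"[\[:]", rec["tag"])[0],
             "timereported:::date-mysql": rec["time"].strftime("%Y%m%d%H%M%S"),
             "msg": rec["msg"]}
    # single pass, so a '%msg%' sitting inside a value is never expanded a second time
    return re.sub(r"%([^%]+)%", lambda m: escape(props[m.group(1)]), text)

TEMPLATE_LINE = ('$template sysMysql,"INSERT INTO logs (host,facility, priority,level,tag,'
                 "datetime,program,msg) VALUES ('%HOSTNAME%','%syslogfacility%',"
                 "'%syslogpriority-text%','%syslogseverity-text%','%syslogtag%', "
                 "'%timereported:::date-mysql%','%programname%', '%msg%')\", SQL")
SELECTOR = "*.=notice;mail.*;\\\n       *.=crit;*.=err;\\\n       *.=warning"
RECORD = {"host": "fw01", "facility": "auth", "severity": "err", "tag": "sshd[1234]:",
          "time": datetime(2010, 5, 14, 10, 30, 0),  # constructed sample, not a real log
          "msg": "Failed password for user o'brien from 10.0.0.5"}
```

Running `render(TEMPLATE_LINE, RECORD)` shows `o'brien` arriving as `o\'brien`; drop the `, SQL` option and the raw quote reaches the statement. Note too that this selector never writes emerg or alert messages to the database, nor info or debug for any facility but mail.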

Edit the default settings:

sudo nano /etc/default/rsyslog

and replace the options line like this:

#RSYSLOGD_OPTIONS="-c4"
RSYSLOGD_OPTIONS="-r514 -t514 -m 0"

Edit mysql.conf

sudo nano /etc/rsyslog.d/mysql.conf

and replace ',,,' with this:

,syslog,syslogadmin,syslogpasswd

Edit 50-default.conf to correct the path

sudo nano /etc/rsyslog.d/50-default.conf

At the end of the file, comment out the xconsole section:

#daemon.*;mail.*;\
#       news.err;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       |/dev/xconsole

Complete the syslog database with the two tables that rsyslog-mysql writes to:

mysql -u root --password=mysqlcentaccess
USE syslog;
CREATE TABLE SystemEvents
(
ID int unsigned not null auto_increment primary key,
CustomerID bigint,
ReceivedAt datetime NULL,
DeviceReportedTime datetime NULL,
Facility smallint NULL,
Priority smallint NULL,
FromHost varchar(60) NULL,
Message text,
NTSeverity int NULL,
Importance int NULL,
EventSource varchar(60),
EventUser varchar(60) NULL,
EventCategory int NULL,
EventID int NULL,
EventBinaryData text NULL,
MaxAvailable int NULL,
CurrUsage int NULL,
MinUsage int NULL,
MaxUsage int NULL,
InfoUnitID int NULL,
SysLogTag varchar(60),
EventLogType varchar(60),
GenericFileName VarChar(60),
SystemID int NULL
);

CREATE TABLE SystemEventsProperties
(
ID int unsigned not null auto_increment primary key,
SystemEventID int NULL,
ParamName varchar(255) NULL,
ParamValue text NULL
);

exit;

It's time to restart rsyslog:

sudo service rsyslog restart

Installing the frontend

First, install the requirements:

sudo aptitude install libssl-dev php5-dev libssh2-1 libssh2-1-dev -y
cd /usr/local/src
sudo wget http://pecl.php.net/get/ssh2-0.11.0.tgz
sudo tar xvfz ssh2-0.11.0.tgz
cd ssh2-0.11.0

Create the following file, ssh2-patch.patch, with nano:

--- ssh2.c.php53	2008-12-14 10:04:22.000000000 +0100
+++ ssh2.c	2008-12-14 10:04:24.000000000 +0100
@@ -48,7 +48,6 @@
 #endif
 
 #ifdef ZEND_ENGINE_2
-static
     ZEND_BEGIN_ARG_INFO(php_ssh2_first_arg_force_ref, 0)
         ZEND_ARG_PASS_INFO(1)
     ZEND_END_ARG_INFO()
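Review bot: the hunk drops the bare `static` in front of `ZEND_BEGIN_ARG_INFO(php_ssh2_first_arg_force_ref, 0)` without saying why; only the `ssh2.c.php53` name in the `---` header hints that it is a PHP 5.3 build fix. Add a sentence above the patch naming the compile error it addresses, so readers on another PHP version know whether to apply it. When typing the patch into nano, keep the single leading space on each context line (including the empty-looking one between `#endif` and `#ifdef ZEND_ENGINE_2`), since `patch` uses those context lines to locate the hunk.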
sudo patch -p0 < ssh2-patch.patch
sudo phpize
sudo ./configure --with-ssh2
sudo make
sudo cp modules/ssh2.so /usr/lib/php5/20090626/

Enable ssh2 in php5:

sudo nano /etc/php5/cli/conf.d/ssh2.ini

Add this entry:

extension=ssh2.so

Normally, this should produce the same entry in this file as well:

cat /etc/php5/apache2/conf.d/ssh2.ini

Restart apache2:

sudo service apache2 restart

Frontend

tar xvfz centreon-syslog-frontend-1.2.1.tar.gz
cd centreon-syslog-frontend-1.2.1
sudo bash install.sh -i

Accept the licence and, when asked, provide the Centreon configuration directory:

/etc/centreon

Finish the installation

Connect to your Centreon web interface and proceed to the plugin configuration:

If you get this error, do not worry: you will have to wait for the first log rotation:

After that, the search function will be effective:

  9 Responses to “Installing Centreon Syslog plugin on Ubuntu 10.04 LTS”

  1. Mysql Error : DB Error: no such table

    What should I do when I have this kind of error the whole morning already?

    Have you got some clue to clarify my mind?

    Thanks in advance!

    By the way, nice job done!

  2. Hi neeemoo,

    As written:

    “If you have this error do not worry, you’ll have to wait for the first rotation log”

    I don’t know what the default log rotation delay is, but usually after 24 hours you should be able to use the search function.

  3. You should have indicated that before I uninstalled it. :s I thought the time to wait was about 30 min or something. So let me try to redo it over again and I’ll let you know if there is still the same “troubleshooting” or not.

  4. Hello admin,

    You’re right that the time to wait for the first log rotation can take too long: 24h! Now I can see the same thing as in your tutorial’s last screenshot.
    Nevertheless, how would we know that the log may take that much time to update? And how should we get information via syslog? (I don’t think I understood the use of syslog well enough.)

    Thanks for your precision.

  5. Hi neeemoo,

    The system default log rotation is defined on a daily basis.
    You could find explanations for Ubuntu on this page:
    https://help.ubuntu.com/community/LinuxLogFiles#Log%20Rotation

    The Syslog module could be used, for example, to centralise the syslog information from all your Nagios satellites in one single view.
    You could also use the Centreon-E2S plugin to get your Windows computer events centralized in Centreon Syslog.
    More information is available here:
    http://forge.centreon.com/projects/show/centreon-e2s

    Regards

  6. Hello…
    I have a quick question.
    I currently have some events/logs being written to the logs table inside the syslog database.
    I also have events being sent into the SystemEvents table.
    I would like for the SystemEvents table to show up on the Centreon Syslog interface.
    At the moment…only the logs table gets updated into all_logs and displayed inside Centreon.
    What do I need to do to have the SystemEvents table synchronize into all_logs?
    Thanks

  7. Hi Tim,

    I guess you are talking about the ‘/etc/default/rsyslog’ configuration file. Edit it and add the logs you are planning to monitor (from /var/log). For example, if you want to add the kernel log, modify it like this:

    *.=notice;mail.*;\

    replaced by

    *.=notice;mail.*;kern.*;\

    Regards

  8. Hi,

    Got a question; maybe someone will answer me:

    I followed this post step by step and everything is working great; syslog correctly inserts Cisco’s syslog.
    The only problem I got is with NETASQ messages.

    I did not find any leads to solve my problem; as you can see in the screenshot below, the NETASQ syslogs aren’t correctly interpreted.

    http://img716.imageshack.us/img716/9650/rsyslog.png

    I understand that the problem is about the lines at the end of the rsyslog.conf

    $template sysMysql,"INSERT INTO logs (host,facility, priority,level,tag,datetime,program,msg) VALUES ('%HOSTNAME%','%syslogfacility%','%syslogpriority-text%','%syslogseverity-text%','%syslogtag%', '%timereported:::date-mysql%','%programname%', '%msg%')", SQL

    *.=notice;mail.*;\
    *.=crit;*.=err;\
    *.=warning >127.0.0.1,syslog,syslogadmin,syslogpasswd;sysMysql

    This template is all right for Cisco devices, but as you can see, NETASQ messages aren’t correctly shown.
    Does somebody have a lead, a URL or anything that could help me find a way to solve that issue and properly show NETASQ syslog?

    Thanks in advance, sorry for my English.

    Regards.

  9. For information,

    this is a sample NETASQ message:

    id=firewall time="2008-07-31 15:09:26" fw="F50-EE592000800808" tz=+0000 startime="2008-07-31 15:09:26" pri=1 srcif="Ethernet0" srcifname="In" ipproto=udp proto=netbios-dgm src=192.168.2.150 srcport=138 srcportname=netbios-dgm dst=192.168.2.255 dstport=138 dstportname=netbios-dgm action=block msg="IP address spoofing (type=1)" class=protocol classification=0 alarmid=1 logtype="alarm