Tutorials creation:
Blaise Carrera
PHPSYSLOG-NG - The Easy Tutorial - Tutorial

PHP-Syslog-NG Tutorial
Last Change : Feb 02 2008







By default, syslog is installed on Debian and Ubuntu machines.
The first thing we will do is install syslog-ng in place of syslog, and then install the PHP script php-syslog-ng.



1 - INSTALL SYSLOG-NG

Two big advantages of syslog-ng compared to syslog are the improved security of the tool and the possibility to choose the sources to log.
Let's install syslog-ng; this will remove syslog.

#apt-get install syslog-ng



2 - INSTALL PHP-SYSLOG-NG

Download php-syslog-ng here:

http://code.google.com/p/php-syslog-ng/downloads/list

Uncompress the tar.gz file:

#tar -xvf phpsyslogng-2.8.tar.gz

Move the folder inside your apache2 folder, for example:

#mv /home/po/Desktop/phpsyslogng-2.8 /var/www/



3 - CONFIGURE SYSLOG-NG

The first thing to do is to create the MySQL syslog database.

#mysql -u root -p syslog < /var/www/phpsyslogng-2.8/scripts/scripts/dbsetup.sql

At the same time, we will create three new MySQL users:

- syslogadmin, needed for the backups
- sysloguser
- syslogfeeder, needed to send the data to the database.

Set a password for syslogadmin and syslogfeeder:

mysql -u root -p
SET PASSWORD FOR syslogfeeder@localhost = PASSWORD('syslogfeederpassword');
SET PASSWORD FOR syslogadmin@localhost = PASSWORD('syslogadminpassword');

Now we have to edit the /etc/syslog-ng/syslog-ng.conf config file to configure the tool.
Uncomment the following line; it is required to receive logs from a remote host:

udp();

We need to forward the logs to the MySQL database.

Add the following lines to tell syslog-ng where to send the data:

# pipe messages to /var/log/mysql.pipe to be processed by mysql

destination d_mysql { pipe("/var/log/mysql.pipe" template("INSERT INTO logs
(host, facility, priority, level, tag, datetime, program, msg)
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
'$PROGRAM', '$MSG' );\n") template-escape(yes)); };

# Below, all the log sources are forwarded to the MySQL database.

log { source(s_all); destination(d_mysql); };
You can find the config lines above in /phpsyslog-ng_directory/scripts/syslog.conf
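
The d_mysql destination writes ready-made SQL text, so the quoting of every macro value depends on template-escape(yes). The sketch below is an added example, not part of php-syslog-ng or syslog-ng: it approximates that escaping with sed on a shortened column list and a constructed message, and the function names are hypothetical.

```bash
#!/bin/bash
# Added example: approximates template-escape(yes) for the INSERT template above.

# Prefix backslash, single quote and double quote with a backslash.
escape_value() {
    printf '%s' "$1" | sed "s/[\\\\'\"]/\\\\&/g"
}

# Render a shortened version of the INSERT template.
# $1=host $2=program $3=msg $4=yes|no (stands in for template-escape)
render_insert() {
    r_host=$1; r_prog=$2; r_msg=$3
    if [ "$4" = yes ]; then
        r_host=$(escape_value "$r_host")
        r_prog=$(escape_value "$r_prog")
        r_msg=$(escape_value "$r_msg")
    fi
    printf "INSERT INTO logs (host, program, msg) VALUES ( '%s', '%s', '%s' );\n" \
        "$r_host" "$r_prog" "$r_msg"
}

# Count single quotes that are not preceded by a backslash.
# A well-formed statement with three values has exactly six.
unescaped_quotes() {
    n=$(printf '%s' "$1" | sed 's/\\.//g' | tr -cd "'" | wc -c)
    echo $((n))
}

MSG="login failed for user 'bob'"    # constructed sample log message
for mode in no yes; do
    stmt=$(render_insert web01 sshd "$MSG" "$mode")
    echo "template-escape($mode): $stmt"
    echo "  unescaped quotes: $(unescaped_quotes "$stmt")"
done
```

Backslash escaping only protects the statement while the MySQL server is not running with the NO_BACKSLASH_ESCAPES SQL mode, so check sql_mode before relying on this destination.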


4 - SCRIPTS AND CRON JOBS

Now, we have to create the temporary MySQL insertion file (pipe file):

#mkfifo /var/log/mysql.pipe

We have to push the logs into the database with a bash script.

Create a new file and insert the lines below; be careful to save the file with the .sh extension.
If you don't want to create the file, you can find it under the phpsyslog directory, in /scripts/syslog2mysql.sh (don't forget to change the MySQL username and password).

#!/bin/bash

# Create the named pipe if it does not exist yet.
if [ ! -e /var/log/mysql.pipe ]
then
    mkfifo /var/log/mysql.pipe
fi

# As long as the pipe exists, feed the statements written to it into MySQL.
while [ -e /var/log/mysql.pipe ]
do
    mysql -u syslogfeeder --password=syslogfeederpassword syslog < /var/log/mysql.pipe >/dev/null
done

The script means that if the mysql.pipe file does not exist, it is created automatically.
Then, while mysql.pipe exists, it opens a MySQL connection and sends the "buffered" data to the database.

Run the script. For us:

/var/www/phpsyslogng-2.8/scripts/syslog2mysql.sh

It is wise to add a line to the root crontab to start the script when the server boots.

# crontab -e -u root
@reboot /var/www/phpsyslogng-2.8/scripts/syslog2mysql.sh >> /var/log/mysql.log 2>&1

The crontab command will update the /var/spool/cron/crontabs/root file.
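
The feeder script above puts the syslogfeeder password on the mysql command line, where it shows up in the process list, and the script itself sits under /var/www. The variant below is an added example, not the script shipped with php-syslog-ng: it reads the credentials from a root-only option file and refuses to run unless the pipe is a real FIFO. The option file path and function names are assumptions.

```bash
#!/bin/bash
# Added example: feeder variant that keeps the password off the command line.
PIPE=${PIPE:-/var/log/mysql.pipe}
OPTFILE=${OPTFILE:-/etc/syslog2mysql.cnf}   # hypothetical path, outside /var/www

# Write a [client] option file that only its owner can read.
write_optfile() {   # $1=file $2=user $3=password
    ( umask 077
      printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1" && chmod 600 "$1" )
}

# Succeed only if the option file exists with mode 600 (stat -c is GNU coreutils).
optfile_is_private() {
    [ -f "$1" ] && [ "$(stat -c '%a' "$1")" = 600 ]
}

# Create the pipe if missing, then succeed only if the path is a real FIFO.
# The original tests -e, which also accepts a regular file at that path.
# Mode 600 assumes syslog-ng and this script both run as root.
ensure_fifo() {
    [ -e "$1" ] || mkfifo -m 600 "$1"
    [ -p "$1" ]
}

feed() {
    optfile_is_private "$OPTFILE" || { echo "refusing: $OPTFILE must be mode 600" >&2; return 1; }
    ensure_fifo "$PIPE" || { echo "refusing: $PIPE is not a FIFO" >&2; return 1; }
    while [ -p "$PIPE" ]; do
        # --defaults-extra-file must be the first option on the mysql command line
        mysql --defaults-extra-file="$OPTFILE" syslog < "$PIPE" > /dev/null
    done
}

# Start the loop only when called with "run", so the functions can be sourced.
if [ "${1:-}" = run ]; then feed; fi
```

Create the option file once as root with write_optfile, then point the @reboot crontab entry at this script with the run argument.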

As with every log collector, a policy to manage the amount of logs has to be created.
For this, a nice logrotate.php script is provided in the .../phpsyslogng-2.8/scripts directory.

With this script,
- we can frequently purge the log table and back it up
- we can remove old records.

Open the .../phpsyslogng-2.8/scripts/logrotate.php file and check, at line 6, that the $APP_ROOT variable matches your installation. In our config file, we changed it to:

$APP_ROOT = '/var/www/phpsyslogng-2.8';
In the "MISC FUNCTIONALITY" part of the /var/www/phpsyslogng-2.8/config/config.php file, you can configure settings related to the logrotate.php file. We chose to keep the default settings.

In the "DATABASE CONNECTION INFO" part of the file, we must set the password for the MySQL syslogadmin user. We configured it at the top of this page. This MySQL user will have enough rights to back up the MySQL tables.

define('DBADMINPW', 'syslogadminpassword');

We then need to enable extension=mysql.so in the /etc/php5/cli/php.ini file.
Look for the extension=mysql.so line and remove the semicolon at the beginning of the line.

extension=mysql.so
Try to run the logrotate.php script:

#php5 /var/www/phpsyslogng-2.8/scripts/logrotate.php
If you have something like:

Starting logrotate
No DB link


It means that extension=mysql.so is still commented out in the php.ini file.

If everything is okay, you should see something like this:

Starting logrotate
2006-07-29 22:42:50
Log rotate ended successfully


The last thing to do is to add this script to a cron job, monthly for example.
Make sure that only root can access the file:

# chmod 700 /var/www/phpsyslogng-2.8/scripts/logrotate.php
# chown root:root /var/www/phpsyslogng-2.8/scripts/logrotate.php

#crontab -e -u root
30 0 1 * * /var/www/phpsyslogng-2.8/scripts/logrotate.php

The script will run on the first day of every month at 00:30 at night.