Install Guide for LogZilla v3.2
From Network Management Wiki
About
This guide will walk you through a standard installation of LogZilla v3.2.
The majority of the commands on this page require running with root privileges. This can be accomplished by:
sudo su -
LogZilla v3.2 on non-Ubuntu OS's
Obtaining LogZilla
You can get the latest software, licensing (including free licenses) and video tutorials for LogZilla at LogZilla.pro
Subversion (SVN) Server
Our public subversion server provides up-to-date bug fixes and enhancements.
This is the recommended method for installation so that users can easily receive upgrades.
To install using the SVN method, follow the instructions below and use the SVN option rather than downloading the tar.gz package from http://www.logzilla.pro
Update Notification
You can subscribe to the RSS feed for notification of new updates at https://www.assembla.com/spaces/logzilla/stream.rss or simply follow @lzupdates on Twitter.
Obtaining a license
To get a license for LogZilla please visit LogZilla.pro
NOTE: When ordering a license from www.logzilla.pro, you MUST provide a valid name, address, IP and MAC address when asked. Every order is checked, any false information will be denied.
Prerequisites
The path used as an example in this guide is "/var/www/logzilla", please change paths accordingly below if your environment is different.
Operating System
LogZilla requires a basic LAMP server. You can configure your Ubuntu server for LAMP during initial installation or by running:
sudo tasksel
Additionally, the following packages must be installed:
aptitude install build-essential apache2 mysql-server php5 libmysqlclient-dev syslog-ng php5-cli libapache2-mod-php5 php5-mysql
Configure Syslog-ng
By default udp() is commented out after installing syslog-ng for the first time. To change that:
sudo vi /etc/syslog-ng/syslog-ng.conf ## In mine, it was around line 93. Just need to remove the # from in front of udp();
syslog-ng: UDP and TCP Enable Example
The example below shows both UDP and TCP reception enabled.
- Note: you may already have some of the entries below, but the whole source definition is shown so the new lines appear in context.
source s_all {
# message generated by Syslog-NG
internal();
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" log_prefix("kernel: "));
# use the following line if you want to receive remote UDP logging messages
# (this is equivalent to the "-r" syslogd flag)
udp();
# TCP enabled below for all hosts on port 5000:
tcp(ip(0.0.0.0) port(5000));
};
Perl
cpan Date::Calc File::Tail DBD::mysql Text::LevenshteinXS MIME::Lite String::CRC32 Digest::Perl::MD5 LWP::Simple
Installing LogZilla
Once we have all the prerequisite packages installed, we can move on to the actual installation of LogZilla.
cd /var/www
Normal Install
Visit http://www.logzilla.pro/downloads and choose your version.
Once you have the link, use wget:
wget http://x.x.x.x
tar xzvf logzilla_v<version>.tgz
Subversion Install
Make sure you have SVN installed:
aptitude install subversion
Checkout the LogZilla SVN:
svn co https://svn2.assembla.com/svn/logzilla/ logzilla
Continue the install:
cd /var/www/logzilla/scripts
sudo ./install.pl
That's it. :) Below is a walkthrough of all the questions that are asked during the install phase:
========================================
LogZilla End User License
========================================
...LICENSE TEXT...
Do you accept? (yes/no) [n]: y
========================================
Installation
========================================
Enter the MySQL root username [root]:
Enter the password for root [mysql]:
Database to install to [syslog]:
Enter the name of the MySQL server [localhost]:
Enter the port of the MySQL server [3306]:
Enter the name to create as the owner of the syslog database [syslogadmin]:
Enter the password for the syslogadmin user [syslogadmin]:
Enter the name to create as the WEBSITE owner [admin]:
Enter the password for admin [admin]:
Enter your email address [info@logzilla.pro]:
Enter a name for your website [The home of LogZilla]:
Enter the base url for your site (include trailing slash) [/logs/]: /
Where should log files be stored? [/var/log/logzilla]:
How long before I archive old logs? (in days) [7]:
Do you plan to log Windows events from SNARE to this server? [n]: y
Updating file paths
Updating log paths
Generating /var/www/logzilla/html/config/config.php
All data will be installed into the syslog database
Ok to continue? [y]:
Adding LogZilla logrotate.d file to /etc/logrotate.d
Ok to continue? [y]:
Adding LogZilla to syslog-ng
Ok to continue? [y]:
Where is your syslog-ng.conf file located? [/etc/syslog-ng/syslog-ng.conf]:
Adding syslog-ng configuration to /etc/syslog-ng/syslog-ng.conf
Found 1 sources
Which source definition would you like to use? [s_all]:
========================================
Cron Setup
========================================
Cron is used to run backend indexing and data exports.
Install will attempt to do this automatically for you by adding it to /etc/cron.d
In the event that something fails or you skip this step,
You MUST create it manually or create the entries in your root's crontab file.
Ok to continue? [y]:
Will this copy of LogZilla be used to process more than 1 Million messages per day?
Note: Your answer here only determines how often to run indexing. [n]:
Cronfile added to /etc/cron.d
========================================
SUDO Setup
========================================
In order for the Apache user to be able to apply changes to syslog-ng, sudo access needs to be provided in /etc/sudoers
Note that you do not HAVE to do this, but it will make things much easier on your for both licensing and Email Alert editing.
If you choose not to install the sudo commands, then you must manually SIGHUP syslog-ng each time an Email Alert is added, changed or removed.
Ok to continue? [y]:
Please provide the username that Apache runs as [www-data]:
Appended sudoer access for www-data to /etc/sudoers
========================================
AppArmor Setup
========================================
In order for MySQL to import and export data, you must take measures to allow it access from AppArmor.
Install will attempt do do this for you, but please be sure to check /etc/apparmor.d/usr.sbin.mysqld and also to restart the AppArmor daemon once install completes.
Ok to continue? [y]:
Adding the following to lines to /etc/apparmor.d/usr.sbin.mysqld:
/tmp/logzilla_import.txt r,
/var/www/logzilla/exports/** rw,
========================================
Feedback and Support
========================================
If it's ok with you, install will include a small 'Feedback and Support'
icon which will appear at the bottom right side of the web page
This non-intrusive button will allow you to instantly open support
requests with us as well as make suggestions on how we can make LogZilla better.
You can always disable it by selecting 'Admin>Settings>FEEDBACK' from the main menu
Ok to add support and feedback? [y]:
Syslog-ng MUST be restarted, would you like to send a HUP signal to the process?
Ok to HUP syslog-ng? [y]:
HUPing syslog-ng PID 8459
LogZilla installation complete!
Apache
This assumes you are on a new server with no other website running. To add a non-root web or for virtual hosts, please consult the Apache documentation.
Add LogZilla to Apache
vi /etc/apache2/sites-enabled/000-default
Change:
DocumentRoot /var/www
to
DocumentRoot /var/www/logzilla/html
Change:
<Directory /var/www/>
to:
<Directory /var/www/logzilla/html/>
Subversion users may want to restrict access to both the .svn directories and the ioncube* directories.
To do so, add the following to your apache config, before the last line (</VirtualHost>)
DO NOT Block the IonCube directories until after you finish the IONCube portion of this install guide. Otherwise, you won't be able to access it :-)
<DirectoryMatch .*\.svn/.*>
Deny From All
</DirectoryMatch>
<DirectoryMatch .*ioncube.*>
Deny From All
</DirectoryMatch>
Save and quit file:
ESC (press the escape key) :wq
Sample Full Apache Config
The following config shows a complete sample of the 000-default apache virtualhost config on an Ubuntu Server:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
UseCanonicalName On
DocumentRoot /var/www/logzilla/html
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/logzilla/html/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<DirectoryMatch .*\.svn/.*>
Deny From All
</DirectoryMatch>
<DirectoryMatch .*ioncube.*>
Deny From All
</DirectoryMatch>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
</VirtualHost>
Restart Apache:
/etc/init.d/apache2 restart
Apparmor
By default, Apparmor blocks MySQL from reading and writing to disk.
v3.2 will attempt to add the necessary support to the AppArmor profile for you, but in case it does not, you can follow the steps below to add it:
vi /etc/apparmor.d/usr.sbin.mysqld
Add:
/tmp/logzilla_import.txt r,
/<YOUR_PATH>/logzilla/exports/** rw,
Note: replace /var/www/logzilla with your installed path (Make sure you do not use symbolic links in the paths)
To the end, so that it looks like this:
# vim:syntax=apparmor
# Last Modified: Tue Jun 19 17:37:30 2007
#include <tunables/global>
/usr/sbin/mysqld {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
#include <abstractions/mysql>
#include <abstractions/winbind>
capability dac_override,
capability sys_resource,
capability setgid,
capability setuid,
network tcp,
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/mysql/*.pem r,
/etc/mysql/conf.d/ r,
/etc/mysql/conf.d/* r,
/etc/mysql/my.cnf r,
/usr/sbin/mysqld mr,
/usr/share/mysql/** r,
/var/log/mysql.log rw,
/var/log/mysql.err rw,
/var/lib/mysql/ r,
/var/lib/mysql/** rwk,
/var/log/mysql/ r,
/var/log/mysql/* rw,
/var/run/mysqld/mysqld.pid w,
/var/run/mysqld/mysqld.sock w,
/sys/devices/system/cpu/ r,
/tmp/logzilla_import.txt r,
/var/www/logzilla/exports/** rw,
}
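The following check is added here and is not part of LogZilla's install.pl: it confirms that the two rules above are present in the mysqld profile and that no component of the LogZilla path is a symlink (AppArmor matches the real path, which is why the note above warns against symlinks). The profile and install paths it takes as arguments are whatever your system uses; nothing is hard-coded beyond the two rule lines from this guide.

```shell
#!/bin/sh
# Added check (not part of LogZilla's install.pl): confirm the two rules this
# guide adds are present in the mysqld AppArmor profile, and that no component
# of the LogZilla path is a symlink, since AppArmor matches the real path and
# the note above warns against symlinks.

# Exit 0 if PROFILE holds a rule line "<path> <perms>," (leading whitespace
# is tolerated; the trailing comma is required, as in the real profile).
profile_has_rule() {            # $1 = profile file, $2 = path, $3 = perms (r, rw, ...)
    awk -v p="$2" -v m="$3" '
        $1 == p && $2 == (m ",") { found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# Print each LogZilla rule missing from the profile, one per line
# (prints nothing when both are present).
missing_logzilla_rules() {      # $1 = profile file, $2 = install dir, e.g. /var/www/logzilla
    profile_has_rule "$1" "/tmp/logzilla_import.txt" r || echo "/tmp/logzilla_import.txt r,"
    profile_has_rule "$1" "$2/exports/**" rw        || echo "$2/exports/** rw,"
}

# Walk the path one component at a time and print the first component that is
# a symlink, or "ok" if there is none. Relative paths are walked from ".".
first_symlink_component() {     # $1 = directory path
    case "$1" in /*) cur="" ;; *) cur="." ;; esac
    for part in $(printf '%s' "$1" | tr '/' ' '); do
        cur="$cur/$part"
        if [ -L "$cur" ]; then echo "$cur"; return 0; fi
    done
    echo "ok"
}

# Typical use on a live system (paths are examples):
#   missing_logzilla_rules /etc/apparmor.d/usr.sbin.mysqld /var/www/logzilla
#   first_symlink_component /var/www/logzilla
```

Run it after editing the profile and again after restarting AppArmor; an empty result from missing_logzilla_rules and "ok" from first_symlink_component means the exports and import paths are covered as written.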
Installing Sphinx
Sphinx is used to provide the full text search capabilities for LogZilla. It is an order of magnitude faster than using MySQL alone (much, much faster).
The sphinx installation is now part of the LogZilla install - there is no need to compile it separately.
1. Create your first index and start the search daemon:
cd /var/www/logzilla/sphinx
./indexer.sh full
/var/www/logzilla/sphinx/bin/searchd -c /var/www/logzilla/sphinx/sphinx.conf
Errors Compiling Sphinx
If you see this error:
ERROR: cannot find MySQL include files.
Then you didn't install all the prerequisites listed at the beginning of this guide.
If you see this error:
source='sphinx.cpp' object='sphinx.o' libtool=no \
DEPDIR=.deps depmode=none /bin/bash ../config/depcomp \
g++ -DHAVE_CONFIG_H -I. -I../config -DSYSCONFDIR="\"/var/www/logzilla/sphinx/src/sphinx-0.9.9/../../etc\"" -I/usr/local/include -I/usr/include/mysql -DBIG_JOINS=1 -fno-strict-aliasing -DUNIV_LINUX -DUNIV_LINUX -Wall -g -D_FILE_OFFSET_BITS=64 -O3 -DNDEBUG -c -o sphinx.o sphinx.cpp
../config/depcomp: line 512: exec: g++: not found
make[2]: *** [sphinx.o] Error 127
make[2]: Leaving directory `/var/www/logzilla/sphinx/src/sphinx-0.9.9/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/var/www/logzilla/sphinx/src/sphinx-0.9.9/src'
make: *** [all-recursive] Error 1
Then you didn't install all the prerequisites listed at the beginning of this guide.
If you see an error when creating the full index that looks similar to this:
ERROR: index 'idx_logs': sql_query_pre[0]: Column 'max_id' cannot be null (DSN=mysql://syslogadmin:***@127.0.0.1:3306/syslog).
Then it means you have no logs in the database yet, wait until you get a few entries, then try again.
Configure MySQL
LogZilla uses partitioning (at midnight by default) to segment the logs. This utilizes the event scheduler in MySQL 5.1, which may be disabled by default in your OS.
To check the current status of the event scheduler (note that giving the password as -p<password> on the command line leaves it in your shell history and visible in the process list; a bare -p makes mysql prompt for it instead):
logzilla# mysql -u<username> -p<password>
mysql> SELECT @@event_scheduler;
+-------------------+
| @@event_scheduler |
+-------------------+
| OFF               |
+-------------------+
1 row in set (0.00 sec)
To enable it, log into mysql and then:
mysql> SET GLOBAL event_scheduler = 1;
Query OK, 0 rows affected (0.00 sec)
mysql> SELECT @@event_scheduler;
+-------------------+
| @@event_scheduler |
+-------------------+
| ON                |
+-------------------+
1 row in set (0.00 sec)
mysql> quit;
NOTE: You will also need to enable the event scheduler in your my.cnf file so that it persists across restarts.
my.cnf settings
Here are the my.cnf settings I used when testing system scalability.
The tests were inserting around 15-20k MPS and had, at the time, around 40m messages.
Queries took < 1 second. Be careful with the memlock option. You need enough memory on the server.
# BEGIN logzilla settings
event-scheduler=1
skip-name-resolve
query_cache_size = 16M
table_cache = 512
tmp_table_size = 128M
max_heap_table_size = 128M
myisam_sort_buffer_size = 512M
sort_buffer_size = 8M
join_buffer_size = 256K
key_buffer = 512M
bulk_insert_buffer_size = 512M
memlock
myisam_use_mmap
myisam-block-size = 16384
# END logzilla settings
You also may want to disable binary logging as noted HERE
IONCube Licensing
LogZilla 3.2 uses a licensing encoder provided by IONCube
IONCube in LogZilla v3.2.323 and up
As of LogZilla v3.2.323, IONCube licensing is automatically installed during the install process providing you are using Ubuntu.
Note that this is dependent on your OS - if you are not using Ubuntu, you may need to manually add the zend line as noted below to your php.ini.
IONcube - pre LogZilla v3.2.323 versions
Installation is simple, but requires access to the php.ini. To install, you must use one of the loaders provided in the html/ioncube directory. For example:
cd logzilla/html/ioncube
ls -al
-rw-r--r-- 1 root root 1.3K 2009-07-14 17:37 ioncube-encoded-file.php
-rw-r--r-- 1 root root 26K 2009-07-14 17:37 ioncube-loader-helper.php
-rw-r--r-- 1 root root 294K 2009-07-14 17:37 ioncube_loader_lin_4.1.so
-rw-r--r-- 1 root root 287K 2009-07-14 17:37 ioncube_loader_lin_4.2.so
-rw-r--r-- 1 root root 296K 2009-07-14 17:37 ioncube_loader_lin_4.2_ts.so
-rw-r--r-- 1 root root 287K 2009-07-14 17:37 ioncube_loader_lin_4.3.so
-rw-r--r-- 1 root root 297K 2009-07-14 17:37 ioncube_loader_lin_4.3_ts.so
-rw-r--r-- 1 root root 292K 2009-07-14 17:37 ioncube_loader_lin_4.4.so
-rw-r--r-- 1 root root 302K 2009-07-14 17:37 ioncube_loader_lin_4.4_ts.so
-rw-r--r-- 1 root root 277K 2009-07-14 17:37 ioncube_loader_lin_5.0.so
-rw-r--r-- 1 root root 286K 2009-07-14 17:37 ioncube_loader_lin_5.0_ts.so
-rw-r--r-- 1 root root 988K 2009-07-14 17:37 ioncube_loader_lin_5.1.so
-rw-r--r-- 1 root root 1.1M 2009-07-14 17:37 ioncube_loader_lin_5.1_ts.so
-rw-r--r-- 1 root root 960K 2009-07-14 17:37 ioncube_loader_lin_5.2.so
-rw-r--r-- 1 root root 1011K 2009-07-14 17:37 ioncube_loader_lin_5.2_ts.so
For instructions on loading, browse to your server url /ioncube/
For example:
http://localhost/ioncube/
Or, for 64 bit systems,
http://localhost/ioncube_64/
According to the output, I need to add zend_extension = /usr/local/ioncube/ioncube_loader_lin_5.3.so to my php.ini.
First, copy the ioncube_64/ (or just ioncube/ if you are 32bit) to the /usr/local directory
cp -rp html/ioncube_64 /usr/local/ioncube
Now, edit your php.ini and add the zend line:
vi /etc/php5/apache2/php.ini
zend_extension = /usr/local/ioncube/ioncube_loader_lin_5.2.so
Next, restart Apache:
/etc/init.d/apache2 restart
* Restarting web server apache2 ... waiting [ OK ]
That's it!
Once you have the licensing working, you should remove the html/ioncube directories - or at least move them out of the html/ directory for security purposes.
Appendix/FAQ
Password Reset
To reset your password OR clear the database and reset LogZilla to the defaults:
cd /var/www/logzilla/scripts
./cleardatabase.pl
Don't worry, you will be asked which options you want.
Further Reading
These links may help you get more familiar with some of the technologies being used in this version of LogZilla.
UDP Buffers
Note - be sure to read the update to this section below first!
For large scale systems, you must increase your udp receive buffers.
Here's an excellent site that explains how to do this: Topics in High-Performance Messaging
In my tests, I had to increase my default buffers to 1m in order to receive messages at a rate of 10k mps.
You can test this by doing the following:
1. Stop syslog-ng
2. Start a netcat session to log all data to a file:
netcat -u -p 514 -l > /tmp/logs
3. In another ssh session, use loggen to generate messages:
./loggen -r 10000 -D -I 10 127.0.0.1 514
4. Once loggen completes, you will see stats like this:
average rate = 10877.62 msg/sec, count=108783, time=10.006, msg size=256, bandwidth=2719.40 kB/sec
5. Use wc to check the line count of your /tmp/logs file:
wc -l /tmp/logs
This number should match, or come very close to, the number from loggen.
In the case of the test above, you should see:
# wc -l /tmp/logs
108783 /tmp/logs
You can also check your udp receive buffer errors in linux by typing:
netstat -su
6. If you don't receive all of the messages, then increase your default buffers using:
sysctl -w net.core.rmem_default=1048576
This will set the buffer to 1M (the default in Linux is 122k: net.core.rmem_default = 124928).
Continue with testing until you are comfortable with the buffer size assigned.
Once you have a good buffer size, you can set it permanently by adding the sysctl variable setting given above to /etc/sysctl.conf (leaving off the sysctl -w part).
UPDATE
After doing more research, the awesome folks at Balabit (syslog-ng's creators) pointed out the following:
> quoting socket(7) on Linux
>
> rmem_default
> contains the default setting in bytes of the socket receive buffer.
>
> rmem_max
> contains the maximum socket receive buffer size in bytes which a user may set by using the SO_RCVBUF socket option.
>
> syslog-ng allows you to change the socket buffer given rmem_max allows
> that using the so_rcvbuf() option for the given source.
>
> Changing rmem_default at the system scope might be a bit of an overkill,
> as _all_ udp sockets would get this large socket buffers.
>
> And socket buffers are in non-pageable memory, don't forget that.
So, this is a much simpler thing than modifying the rmem_default. To make the necessary changes for syslog-ng to not drop udp messages, take these steps:
1. Change the rmem_max value to 1m in your system as described above:
sysctl -w net.core.rmem_max=1048576
Remember - this only changes it temporarily. See above for making it permanent.
2. Change your syslog-ng.conf from
udp();
to:
udp( so_rcvbuf(1048576));
So, here's my final syslog-ng.conf:
source s_all {
# message generated by Syslog-NG
internal();
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" log_prefix("kernel: "));
# use the following line if you want to receive remote UDP logging messages
# (this is equivalent to the "-r" syslogd flag)
# cdukes: Added so_rcvbuf because I was dropping udp messages when they exceeded around 50-100mps.
udp( so_rcvbuf(1048576));
#udp();
};
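The helpers below are added here (they are not from LogZilla or syslog-ng) to put numbers behind the test procedure and the UPDATE above: sizing a receive buffer from loggen-style figures, capping a request the way rmem_max does, and reading the kernel's UDP RcvbufErrors counter (the figure "netstat -su" reports) from /proc/net/snmp text. The two counter snapshots in the block are constructed; on a real host, feed it `cat /proc/net/snmp` before and after a loggen run.

```shell
#!/bin/sh
# Added helpers (not from LogZilla or syslog-ng): size a UDP receive buffer
# from loggen-style figures, cap it the way rmem_max does, and pull the
# kernel's UDP RcvbufErrors counter (what "netstat -su" reports) from
# /proc/net/snmp text. The two counter snapshots below are constructed.

# Bytes to absorb a burst of RATE msg/s of SIZE bytes lasting SECS seconds
# before syslog-ng drains the socket. Doubled as headroom: the kernel charges
# each datagram's whole socket buffer allocation, not just its payload.
burst_buffer_bytes() {          # $1 = msg/s, $2 = bytes/msg, $3 = burst seconds
    echo $(( $1 * $2 * $3 * 2 ))
}

# The so_rcvbuf() value the kernel will actually honour: the request, capped
# at net.core.rmem_max (which is why the UPDATE above raises rmem_max first).
effective_rcvbuf() {            # $1 = requested bytes, $2 = net.core.rmem_max
    if [ "$1" -gt "$2" ]; then echo "$2"; else echo "$1"; fi
}

# Read /proc/net/snmp-format text on stdin and print the UDP RcvbufErrors
# column; the first "Udp:" line names the columns, the second holds values.
udp_rcvbuf_errors() {
    awk '$1 == "Udp:" {
            n++
            for (i = 2; i <= NF; i++) {
                if (n == 1) name[i] = $i
                else if (name[i] == "RcvbufErrors") print $i
            }
        }'
}

# Datagrams the kernel dropped for lack of buffer space between two snapshots
# (take one before and one after the loggen run).
dropped_between() {             # $1 = snmp text before, $2 = snmp text after
    before=$(printf '%s\n' "$1" | udp_rcvbuf_errors)
    after=$(printf '%s\n' "$2" | udp_rcvbuf_errors)
    echo $(( after - before ))
}

# Compare loggen's count with "wc -l /tmp/logs": prints "ok" or "missing N".
receive_check() {               # $1 = loggen count, $2 = lines received
    if [ "$2" -ge "$1" ]; then echo "ok"; else echo "missing $(( $1 - $2 ))"; fi
}

# Constructed snapshots in /proc/net/snmp layout (real files have more columns).
SNMP_BEFORE='Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 100 0 3 50 3 0'
SNMP_AFTER='Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 108866 0 20 50 20 0'

# On the loggen figures above (10878 msg/s, 256-byte messages), a one-second
# burst needs burst_buffer_bytes 10878 256 1 -> 5569536, so a 1 MB buffer
# covers well under a second of backlog before RcvbufErrors starts climbing.
```

A non-zero result from dropped_between is the kernel-side confirmation of what a short wc -l count suggests; if effective_rcvbuf returns less than you asked for, raise net.core.rmem_max before touching so_rcvbuf().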
VMWare Installations
If you plan to install LogZilla to a VMWare ESX Server and you will be receiving a large amount of logs, then you'll want to set the resource allocation on the disk to high.
To do this, right-click on your VM and select 'edit'.
Next, click the 'Resources' tab and click 'disk' and change the drop-down menu from 'normal' to 'high' (see screenshot).
Security
Specific code has been implemented to avoid any XSS/SQL injections to LogZilla. However, as you may know, no software is truly secure.
If you are concerned about security with LogZilla, it is highly recommended that you also employ the use of the Apache ModSecurity tool.
For Ubuntu users, here's an easy to follow install guide
Here are the basic steps from that guide:
1. Install
sudo apt-get -y install libapache-mod-security
2. Configure
Using any editor, make a file “/etc/apache2/conf.d/modsecurity2.conf” and put the following contents in the file.
<ifmodule mod_security2.c>
Include conf.d/modsecurity/*.conf
</ifmodule>
3. Set up logging
By default, mod_security logs to /etc/apache2/logs. The following commands put the log in /var/log/apache2/mod_security and create a symbolic link back to /etc/apache2/logs:
sudo mkdir /var/log/apache2/mod_security
sudo ln -s /var/log/apache2/mod_security/ /etc/apache2/logs
4. Download and install the rules
sudo mkdir /etc/apache2/conf.d/modsecurity
cd /etc/apache2/conf.d/modsecurity
sudo wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo tar xzvf modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo rm CHANGELOG LICENSE README modsecurity-core-rules_2.5-1.6.1.tar.gz
5. Enable
sudo a2enmod mod-security
6. Restart Apache
sudo /etc/init.d/apache2 restart
Note the comments in that guide (specifically comments #17 and 18) - I had an error when I restarted Apache like this:
... waiting apache2: Syntax error on line 232 of /etc/apache2/apache2.conf: Syntax error on line 132 of /etc/apache2/conf.d/modsecurity/base_rules/modsecurity_40_generic_attacks.data: /etc/apache2/conf.d/modsecurity/base_rules /modsecurity_40_generic_attacks.data:170: <input> was not closed.\n/etc/apache2/conf.d/modsecurity/base_rules/modsecurity_40_generic_attacks.data:132: <
