Centralized syslog facility with web interface for easy search

In a medium or large corporate network there are always questions like “how do we log all the activity from our server hosts” or “how do we implement audit trails”...

Overview

Using syslog-ng you can easily set up a centralized logging system which collects logs from all the servers (Linux/Unix machines or Windows servers) in your network. The logs can be stored in a MySQL database, and with the php-syslog-ng web utility the stored data can easily be parsed and searched by given criteria.

Server Configuration

But let's start from the beginning. First we need to set up the syslog server. After a default installation the syslog-ng server requires almost no configuration. First of all you need to specify the source from which you will collect the data.
Uncomment the following line in the sources section (s_all) of syslog-ng.conf:

    #udp();
to
    udp();

With this line uncommented the syslog-ng service will listen on its default UDP port 514 for incoming events from other syslog/eventlog daemons. If you want to store the log data in a MySQL database for further use, add the following to the destinations section:

destination d_mysql {
    pipe("/var/log/mysql.pipe"
        template("INSERT INTO logs (host, facility, priority, level, tag,
            datetime, program, msg) VALUES ( '$HOST', '$FACILITY',
            '$PRIORITY', '$LEVEL', '$TAG',
            '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
        template-escape(yes));
};

Finally, you need to specify the rule that says what to do with the collected data. In this case we send it to the destination we have just defined. So at the bottom of the file, comment out the existing log statement for the s_all source (the one we modified at the beginning) and add a new one with the following in it:

log {
    source(s_all);
    destination(d_mysql);
};

I prefer that events are logged separately under the host they came from, but the default syslog-ng configuration does not do this. So if you want to keep the originating hostname on each event, enable the following in the "options" section; otherwise every event will appear to originate from 127.0.0.1:

keep_hostname(yes);
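The following is an added example, not code from the post, from syslog-ng or from php-syslog-ng. It shows the two sides of what the configuration above sets up: a client encodes an event as a BSD syslog datagram, the server parses it into the same columns as the INSERT template (host, facility, priority, level, tag, datetime, program, msg) and stores it with a parameterized query, which plays the role template-escape(yes) plays for the text syslog-ng writes to the pipe. The keep_hostname parameter reproduces the difference the option above makes: with it off, the host column becomes the address the packet came from. sqlite3 stands in for MySQL so it runs offline; the sample datagrams are constructed (the first is the example message from RFC 3164), and all function names are this example's own.

```python
import re
import sqlite3
from datetime import datetime

# Facility and severity names indexed by their RFC 3164 numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST PROGRAM[PID]: MSG  -- the BSD syslog line format
# that the udp() source receives from other syslog daemons.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# Same columns as the INSERT template in the syslog-ng destination above.
CREATE_LOGS = """CREATE TABLE IF NOT EXISTS logs (
    host TEXT, facility TEXT, priority TEXT, level TEXT, tag TEXT,
    datetime TEXT, program TEXT, msg TEXT)"""


def build_syslog(facility, level, host, program, msg, ts):
    """Client side: encode one event as the datagram a client daemon sends to
    the server (what a '*.* @loghost' rule produces)."""
    pri = FACILITIES.index(facility) * 8 + LEVELS.index(level)  # PRI = facility*8 + severity
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"  # day is space-padded
    return f"<{pri}>{stamp} {host} {program}: {msg}".encode()


def parse_syslog(datagram, sender_ip, keep_hostname=True, year=2009):
    """Server side: turn one datagram into a row dict for the logs table.
    keep_hostname=False mimics the syslog-ng default described in the post:
    the host column is the peer address, not the name inside the message."""
    m = SYSLOG_RE.match(datagram.decode("utf-8", errors="replace"))
    if not m:
        raise ValueError("not an RFC 3164 syslog message")
    pri = int(m.group("pri"))
    facility, level = divmod(pri, 8)
    # BSD timestamps carry no year; the receiver has to supply it (a parameter here).
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "host": m.group("host") if keep_hostname else sender_ip,
        "facility": FACILITIES[facility] if facility < len(FACILITIES) else str(facility),
        "priority": LEVELS[level],
        "level": LEVELS[level],      # syslog-ng's $LEVEL is an alias of $PRIORITY
        "tag": f"{pri:02x}",         # syslog-ng's $TAG: the PRI value as two hex digits
        "datetime": ts.strftime("%Y-%m-%d %H:%M:%S"),
        "program": m.group("program"),
        "msg": m.group("msg"),
    }


def store_event(conn, row):
    """Parameterized INSERT: the driver quotes the values, so a message that
    contains quotes or backslashes cannot change the statement."""
    conn.execute(
        "INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) "
        "VALUES (:host, :facility, :priority, :level, :tag, :datetime, :program, :msg)", row)


def search(conn, host=None, program=None, text=None):
    """The kind of filtered query the web interface runs, again parameterized."""
    clauses, params = [], []
    for column, value in (("host", host), ("program", program)):
        if value is not None:
            clauses.append(f"{column} = ?")
            params.append(value)
    if text is not None:
        clauses.append("msg LIKE ?")
        params.append(f"%{text}%")
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    return conn.execute("SELECT host, program, msg FROM logs" + where + " ORDER BY datetime",
                        params).fetchall()


def demo(keep_hostname=True):
    """Constructed traffic from two clients; the first message contains quotes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_LOGS)
    samples = [
        ("10.0.0.5", b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"),
        ("10.0.0.6", build_syslog("auth", "notice", "web01", "sshd",
                                  "Accepted password for admin from 192.0.2.7 port 51522 ssh2",
                                  datetime(2009, 10, 11, 22, 15, 0))),
    ]
    for sender_ip, datagram in samples:
        store_event(conn, parse_syslog(datagram, sender_ip, keep_hostname))
    return conn
```

Running demo() and then search(conn, text="su root") returns the su failure with its single quotes intact; running demo(keep_hostname=False) returns 10.0.0.6 instead of web01 as the host of the sshd event, which is exactly the loss of information the keep_hostname(yes) option prevents.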

With this the setup of the syslog-ng daemon is ready, but we are not finished yet. You must create the MySQL database and give the MySQL feeder the rights to save data into it. Do not restart the syslog-ng daemon yet.

Install the MySQL server and download the php-syslog-ng web tool from here. The easiest way to set up the database is to execute the SQL script dbsetup.sql from the scripts directory of the php-syslog-ng package. Edit the file first and set the passwords for the three users that are going to be created. If you make other changes to the file, for example the name of the database, don't forget to edit config.php accordingly afterwards. Once the file is prepared, run it as follows:

#> mysql -u root -p < dbsetup.sql

With this the database is prepared, and now you just need to start the script that feeds it. Run syslog2mysql.sh in the background. If you are going to use this in production you'll probably want to create an init script that runs it on system startup.

Once the syslog2mysql.sh script is running it is time to restart the syslog-ng daemon and start sending your logs to the database.

#> /etc/init.d/syslog-ng restart

Place the files from the html directory of the php-syslog-ng package in a web-accessible directory on your web server, and open it in a browser.

php-syslog-ng log rotation

Log rotation should be part of most installations where you use php-syslog-ng. It is better to use log rotation than to delete rows from the main table, because deleting rows can lead to performance problems. Rotating old logs out of the main table also usually results in better performance, because the tables with old logs are static and can be optimized. The logrotate.php script in the scripts directory only needs to be modified with the path where php-syslog-ng is installed, and is then ready for use. The only thing left is to add it to the crontab and have it run as frequently as you want. In my case I decided on once a month, on the 1st of every month at 00:00. This is my entry in crontab:

0 0     1 * *     root   /path-to-script/logrotate.php
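As an added example (not the post's logrotate.php and not php-syslog-ng code), this shows what a monthly rotation of the logs table amounts to: every row older than the start of the current month is moved into a static per-month archive table (logs_YYYYMM here; the naming is this example's assumption) inside one transaction, and the main table is only touched with a DELETE that matches exactly the rows just copied. Because table names cannot be bound as query parameters, the archive name is validated against a fixed pattern before it is interpolated into SQL. sqlite3 stands in for MySQL and the seven sample rows are constructed.

```python
import re
import sqlite3
from datetime import datetime

COLUMNS = "host, facility, priority, level, tag, datetime, program, msg"
CREATE = ("CREATE TABLE IF NOT EXISTS {name} (host TEXT, facility TEXT, priority TEXT, "
          "level TEXT, tag TEXT, datetime TEXT, program TEXT, msg TEXT)")
ARCHIVE_NAME = re.compile(r"logs_\d{6}")   # logs_YYYYMM: the only names ever interpolated into SQL


def month_start(now):
    """Cut-off for a 'first of the month at 00:00' cron run: everything
    before the current month is rotated out of the main table."""
    return datetime(now.year, now.month, 1)


def rotate(conn, cutoff):
    """Move rows with datetime < cutoff from logs into one archive table per
    month. Returns {archive_table: rows_moved}. Runs as a single transaction,
    so a failure half-way leaves both the main and the archive tables consistent."""
    cutoff_s = cutoff.strftime("%Y-%m-%d %H:%M:%S")
    moved = {}
    with conn:  # commit on success, roll back on any exception
        months = conn.execute(
            "SELECT DISTINCT strftime('%Y%m', datetime) FROM logs WHERE datetime < ?",
            (cutoff_s,)).fetchall()
        for (ym,) in months:
            table = f"logs_{ym}"
            # Identifiers cannot be parameters; refuse anything outside the fixed pattern.
            if not ARCHIVE_NAME.fullmatch(table):
                raise ValueError(f"refusing to create table {table!r}")
            conn.execute(CREATE.format(name=table))
            selector = "strftime('%Y%m', datetime) = ? AND datetime < ?"
            n = conn.execute(f"SELECT COUNT(*) FROM logs WHERE {selector}",
                             (ym, cutoff_s)).fetchone()[0]
            conn.execute(f"INSERT INTO {table} ({COLUMNS}) SELECT {COLUMNS} FROM logs WHERE {selector}",
                         (ym, cutoff_s))
            conn.execute(f"DELETE FROM logs WHERE {selector}", (ym, cutoff_s))
            moved[table] = n
    return moved


def archive_tables(conn):
    """Names of the archive tables created so far, in month order."""
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    return sorted(n for n in names if ARCHIVE_NAME.fullmatch(n))


def count_rows(conn, table):
    """Row count of the main table or of one archive table (validated name only)."""
    if table != "logs" and not ARCHIVE_NAME.fullmatch(table):
        raise ValueError(f"unknown table {table!r}")
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def demo():
    """Constructed rows spread over August, September and October 2009, rotated
    as the cron job would do it on 2009-10-01 at 00:00."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE.format(name="logs"))
    stamps = ["2009-08-30 10:00:00", "2009-08-31 23:59:59",
              "2009-09-01 00:00:00", "2009-09-15 12:00:00", "2009-09-30 23:59:59",
              "2009-10-01 00:00:00", "2009-10-01 00:00:05"]
    conn.executemany(
        f"INSERT INTO logs ({COLUMNS}) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        [("web01", "auth", "info", "info", "26", s, "sshd", f"event at {s}") for s in stamps])
    moved = rotate(conn, month_start(datetime(2009, 10, 1, 0, 0, 0)))
    return conn, moved
```

After demo() the main table holds only the two October rows, while logs_200908 and logs_200909 hold two and three rows respectively and never change again, which is what makes them cheap to index or optimize.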

Syslog client configuration (Linux/Windows)

Syslog-ng daemon configuration

Normally the client configuration is easier than the server one, and syslog is no exception. First we need to specify a new destination and then create a rule that sends all log events to that destination. This is what you have to change in syslog-ng.conf when using syslog-ng as the logging daemon:

destination loghost { udp("LOGHOST_IP_ADDRESS"); };

and the rule at the end:

log {
    source(s_all);
    destination(loghost);
};

Syslog daemon configuration

If you are using the old syslog daemon things are even easier: just put the following line somewhere in the syslog.conf file (the selector and the action must be separated by whitespace, traditionally a tab):

*.*	@syslog_server_ipaddress

Windows setup

And if you have Windows servers you can also log the events from their event log. A freeware tool called evtsys does all the work for you. For the installation you need to download the latest package, which contains just one .dll and one .exe file, from here.
Extract both files into the %SystemRoot%\system32 directory.
There are two ways to run this program: as a service or as a process.
You are probably going to use it on a production machine, and the best practice is to install it as a service. To do that, type the following at a command prompt as administrator, and then start the service manually from Services:

evtsys -i -h hostname