September 3, 2008

Keep an eye on your system logs with phpLogCon

Author: Ben Martin

phpLogCon provides a user-friendly Web interface to your system logs. It can handle logs from both Linux and Windows systems, so an administrator can log in to a single phpLogCon site to see what is happening on all the machines on a network.

phpLogCon is not available in the Ubuntu, openSUSE 11, or Fedora 9 repositories. It will be in Fedora 10 and is packaged in the Fedora development repository. I'll download and build phpLogCon version 2.3.9 from source using an i386 Fedora 9 machine.

An install.php script included with phpLogCon helps you establish your configuration settings. It guides you through a multiple-step process, asking for configuration settings and updating your config.php file. The commands below install install.php along with the rest of the phpLogCon PHP files. Once things are working you can remove this file. You will also need to allow the user that the Web server runs as to read your syslog files if you are planning to show the Web server's syslog information.

cd /usr/local
tar xzf /tmp/phplogcon-2.3.9.tar.gz
cd ./phplogcon*
cp -av src /var/www/html/phplogcon
cd /var/www/html/phplogcon

touch config.php
chown root:apache config.php
chmod g+w,o-rwx config.php
ls -l config.php
-rw-rw---- 1 root apache 0 2008-08-12 12:28 config.php

cd /var/log
chgrp apache messages
chmod g+r messages

When you visit http://localhost/phplogcon after these steps you will get a page telling you that a critical error has occurred and that the main configuration file is missing. A link (to install.php on your server) on the error page allows you to configure your phpLogCon installation. Because you created a blank config.php file above and made it writable (temporarily) by the user that the Web server is running as, you can click the link to configure your phpLogCon. When you click the link, install.php first verifies that it can write to your config.php file. As mentioned above, install.php has multiple steps (eight, to be exact), and this takes care of steps 1 and 2 of the installation process.

Step 3 lets you set some general options such as how many messages to show per page and the number of characters from each message to show in the main view. You can also choose to disable the message details popup as well as automatic IP address resolution.

Leaving these general preferences at their defaults moves you right to step 7. phpLogCon supports reading system log information not only from local files but also from relational databases. It supports MySQL, as well as other database servers through PHP Data Objects. In this article I'll focus on using local syslog files directly. If you have rsyslog set up to put your system logs into a relational database, you will need to supply the database name, the schema that the log information uses (monitorware or syslogng), and the username and password to use to connect to the database. For this article I'll simply allow the apache user read access to the system log information. You might consider using suphp to run phpLogCon as a special user that has read access to the system log information, in order to avoid exposing these files to read access by any PHP script.

Step 8 informs you that you have completed installation and are ready to use phpLogCon. There is a link to the location of phpLogCon on the server on the step 8 page so you can jump right into viewing your logs. Following this link brings you to a page that should look similar to the screenshot shown below.

If you can see some log entries with phpLogCon at this point, it is a good idea to make your config.php file read-only and remove install.php from your Web server. There is no gain in having the configuration file writable any more, and you should not have to use the install.php file again now that you are set up. Since you copied all the PHP files from /usr/local above, you can always restore the installation PHP file later if the need arises -- for example, if you want to reconfigure your phpLogCon installation.

Back on the phpLogCon Web page, the Show Events button in the top toolbar shows you the page listing your most recent syslog events. Clicking on a cell in the Host or Syslogtag column lets you filter your message to show only those with the cell's value or to search for more information online using that cell's value to start the search. Clicking on a cell in the Message column shows that syslog message in full detail. The Message Details page has a Pager section that lets you move one message forward and backward in time as well as to the first and last page in the log.

I found that when viewing the most recent message and clicking to view a "newer" message, phpLogCon would show a page with an error report mentioning that there were no syslog records found (code 6). This makes sense if you were already viewing the most recent message -- there should be nothing newer to show you. Unfortunately, the forward and back navigation buttons in the pager are not shown on this error page, so you have to use your browser's back button to regain the message navigation buttons.

This problem does not exist when you try to view a message older than the oldest message because phpLogCon will gray out the "view older" button from the message navigation. The developers didn't gray out the button to try to view a newer message than currently exists because new messages could come in at any time.

If you want to see new events as they come in, you can tell phpLogCon to automatically reload the page every 5, 10, 15, 30, or 60 seconds, or 5, 10, 15, or 30 minutes. This is a great feature if you want to keep an eye on things -- you can leave a Web browser open on the phpLogCon page and see new events as they come in every 5 to 10 seconds. One downside of the automatic page reloading is that when it reloads you are returned to the top of the page each time. If phpLogCon used AJAX to add new events instead, it would be less intrusive when you are viewing an event in the list and have scrolled the Web page down slightly.

The Search button in the main toolbar at the top of the screen lets you find log messages by time, log facility and severity, the source of the log message, and Syslogtag. This last option is convenient when you want to show the history of a certain event type, such as the DHCP client. The easiest way to search by Syslogtag is to start with the normal Show Events view and click on a cell in the Syslogtag column. Select Filter message for 'x', where x is the value in the cell you clicked. If you are using the Search page and typing in the Syslogtag to find, make sure there is no leading white space in your input or you will get fewer results than you should. This sort of mistake is easy to make if you copy and paste the Syslogtag from a message detail display when you want to find messages of a certain type that occurred at some point in the past.

More to love

In the top left of the phpLogCon Web page you'll find options to change which system logs you are viewing, which language the interface is displayed in, and which theme is used. phpLogCon comes with two themes: the one shown above and one using darker colors. You can configure its interface to display in German, English, and Portuguese.

To add a new system log source, you have to edit the config.php file -- you can't use the Web interface. At the end of the config.php file you will find something like the code shown below. The Source2 section in the example here lets you view the secure system log as well as the default message log, provided that the /var/log/secure file is readable by the Web server.

$CFG['Sources']['Source1']['ID'] = 'Source1';
$CFG['Sources']['Source1']['Name'] = 'Web server system log';
$CFG['Sources']['Source1']['ViewID'] = 'SYSLOG';
$CFG['Sources']['Source1']['SourceType'] = SOURCE_DISK;
$CFG['Sources']['Source1']['LogLineType'] = 'syslog';
$CFG['Sources']['Source1']['DiskFile'] = '/var/log/messages';

$CFG['Sources']['Source2']['ID'] = 'Source2';
$CFG['Sources']['Source2']['Name'] = 'secure';
$CFG['Sources']['Source2']['ViewID'] = 'SYSLOG';
$CFG['Sources']['Source2']['SourceType'] = SOURCE_DISK;
$CFG['Sources']['Source2']['LogLineType'] = 'syslog';
$CFG['Sources']['Source2']['DiskFile'] = '/var/log/secure';
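
An added example (not part of the original article or of phpLogCon): a shell check for the lock-down step recommended after installation and for the DiskFile sources listed in config.php. The function names are hypothetical, log paths are assumed to contain no spaces, and treating world-readable logs as a finding is this example's own policy.

```sh
#!/bin/sh
# Added example: audit a phpLogCon web directory after install.php has been run.
# Usage: sh audit.sh /var/www/html/phplogcon

# True if FILE has every bit of MODE set (POSIX "find -perm -MODE").
has_bit() { [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]; }

flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_phplogcon() {
    dir=$1 cfg=$1/config.php findings=0

    # install.php can rewrite config.php, so it should not stay on the server.
    if [ -e "$dir/install.php" ]; then flag "install.php still present"; fi

    if [ ! -f "$cfg" ]; then
        flag "config.php not found in $dir"
    else
        # Setup needed g+w; afterwards nobody but the owner should write it.
        if has_bit "$cfg" 020 || has_bit "$cfg" 002; then
            flag "config.php is writable by group or others"
        fi
        # Check every DiskFile source named in config.php.
        for log in $(grep -F "['DiskFile']" "$cfg" | sed "s/.*= *'\([^']*\)'.*/\1/"); do
            if [ ! -e "$log" ]; then
                flag "log source $log does not exist"
            elif has_bit "$log" 004 || has_bit "$log" 002; then
                # Policy assumed here: logs go to the web server's group only.
                flag "log source $log is accessible to all users"
            fi
        done
    fi
    [ "$findings" -eq 0 ]
}

if [ $# -gt 0 ]; then audit_phplogcon "$1"; fi
```

Run it again whenever a new source is added to config.php, since each new DiskFile needs the same group-only read permission.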

phpLogCon allows you to search your system logs from a Web browser and keep an eye on those logs as new messages come in. A little sprinkling of AJAX would make monitoring new events more convenient, but if you are looking for a Web-based interface to view system logs from files or relational databases, then phpLogCon is well worth a look.

