loganalyzer--Syslog-based log management and audit platform

Source: Internet
Author: User
Tags: syslog, rsyslog

Loganalyzer is a web front end for syslog logs and other network event data. It provides simple browsing, searching, basic analysis and some chart reporting for logs.
Data can be read from a database or from a plain syslog text file, so Loganalyzer does not require any change to the existing logging scheme.
Based on the current log data it can handle syslog messages and Windows event logs, supports troubleshooting, and lets users quickly find the cause of problems seen in the log data.
Loganalyzer can obtain client logs in two ways: either the logs under the client's /var/log directory are read directly and stored in a directory on the server, or the received logs are written to a database on the log server.
The latter is used here for testing.


First, the server side

1. Initializing the database

Initialize the database with the createdb.sql script shipped under plugins/ommysql in the rsyslog source bundle:
# mysql -uroot -p123.com < /usr/local/src/rsyslog-5.6.2/plugins/ommysql/createdb.sql
# mysql -uroot -p
mysql> grant all privileges on syslog.* to 'rsyslog'@'localhost' identified by '123456' with grant option;
mysql> grant all privileges on syslog.* to 'rsyslog'@'%' identified by '123456' with grant option;
mysql> flush privileges;
The second grant ('%') lets the rsyslog user connect from other hosts, which is needed because the rsyslog server writes to the database host 172.18.2.124 over the network. Note that rsyslog itself only needs INSERT on these tables and Loganalyzer only needs SELECT; ALL PRIVILEGES WITH GRANT OPTION is far more than either requires.

The initialization script can also be generated by hand (the varchar widths are 60, as in rsyslog's bundled createdb.sql):

cat > createdb.sql << EOF
CREATE DATABASE syslog DEFAULT CHARACTER SET utf8;
USE syslog;
CREATE TABLE SystemEvents
(
        ID int unsigned not null auto_increment primary key,
        CustomerID bigint,
        ReceivedAt datetime NULL,
        DeviceReportedTime datetime NULL,
        Facility smallint NULL,
        Priority smallint NULL,
        FromHost varchar(60) NULL,
        Message text,
        NTSeverity int NULL,
        Importance int NULL,
        EventSource varchar(60),
        EventUser varchar(60) NULL,
        EventCategory int NULL,
        EventID int NULL,
        EventBinaryData text NULL,
        MaxAvailable int NULL,
        CurrUsage int NULL,
        MinUsage int NULL,
        MaxUsage int NULL,
        InfoUnitID int NULL,
        SysLogTag varchar(60),
        EventLogType varchar(60),
        GenericFileName varchar(60),
        SystemID int NULL
) DEFAULT CHARSET=utf8;
CREATE TABLE SystemEventsProperties
(
        ID int unsigned not null auto_increment primary key,
        SystemEventID int NULL,
        ParamName varchar(255) NULL,
        ParamValue text NULL
) DEFAULT CHARSET=utf8;
EOF



2. rsyslog installation and configuration

The server side needs the rsyslog log service. There are two cases: on 6.x and later systems the default log service that ships with the system is already rsyslog; on 5.x it has to be installed.

2.1 6.x system

# yum install -y rsyslog-mysql
rsyslog-mysql is the rsyslog module that writes logs to the MySQL database; it must be installed.


2.2 5.x system
1) Install rsyslog from source
# tar -zxvf rsyslog-5.6.2.tar.gz

# ./configure --enable-mysql --prefix=/usr/local/rsyslog

# make && make install

Modify the rsyslog configuration

# vim /usr/local/src/rsyslog-5.6.2/rsyslog.conf

# Configure the server to load the rsyslog-mysql output module
$ModLoad ommysql
*.* :ommysql:172.18.2.124,syslog,rsyslog,123456
Description: the fields after :ommysql: are the database host (172.18.2.124 here; localhost would mean the local host), the database name (syslog), the database user (rsyslog) and that user's password (123456). Because the password is stored in clear text, keep rsyslog.conf readable by root only.

Turn on the UDP listener to receive logs from other Linux systems on the network
$ModLoad imudp.so    # provides UDP syslog reception
$UDPServerRun 514    # start a UDP syslog server on the standard port 514

# Copy the configuration file
# cp /usr/local/src/rsyslog-5.6.2/rsyslog.conf /etc/rsyslog.conf
# Stop the existing log service
# service syslog stop
# chkconfig syslog off

# cp /etc/init.d/{syslog,rsyslog}    # rsyslog ships no init script, so copy the syslog one
# sed -i s/syslog/rsyslog/g /etc/init.d/rsyslog    # rename syslog to rsyslog inside the script
# chmod 700 /etc/init.d/rsyslog
# chkconfig --add rsyslog    # register the rsyslog service
# chkconfig rsyslog on

# Create the rsyslogd symlink
# ln -sv /usr/local/rsyslog/sbin/rsyslogd /sbin/rsyslogd    # the init script starts /sbin/rsyslogd, so link the compiled binary there

Edit /etc/bashrc so that every command executed in a shell is written to the system log /var/log/messages.
# vi /etc/bashrc
Add the following line at the end of the file:
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger "[euid=$(whoami)]":$(who am i):[`pwd`]"$msg"; }'
Make it take effect:
# source /etc/bashrc
Restart the log service
# /etc/init.d/rsyslog restart

2) Install rsyslog via yum
# yum install -y rsyslog rsyslog-mysql

Modify the rsyslog configuration

# vim /etc/rsyslog.conf
Configure the server to load the rsyslog-mysql output module
$ModLoad ommysql
*.* :ommysql:172.18.2.124,syslog,rsyslog,123456
Description: the fields after :ommysql: are the database host (172.18.2.124 here; localhost would mean the local host), the database name (syslog), the database user (rsyslog) and that user's password (123456).

Turn on the UDP listener to receive logs from other Linux systems on the network
$ModLoad imudp.so    # provides UDP syslog reception
$UDPServerRun 514    # start a UDP syslog server on the standard port 514

Edit /etc/bashrc so that every command executed in a shell is written to the system log /var/log/messages.
# vi /etc/bashrc
Add the following line at the end of the file:
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger "[euid=$(whoami)]":$(who am i):[`pwd`]"$msg"; }'
Make it take effect:
# source /etc/bashrc

Stop the existing log service
# /etc/init.d/syslog stop
Start the rsyslog log service
# /etc/init.d/rsyslog start


3) Verifying the result

Looking at /var/log/messages, you will find the commands typed at the command line recorded there.


Validating the database result



Second, the client

Configure the rsyslog client to send its local logs to the server
# vi /etc/rsyslog.conf
*.* @172.18.2.125
Add the above line at the end of the file; the client then forwards all of its local logs to the server (a single @ forwards over UDP, which matches the imudp listener configured on the server).


Edit /etc/bashrc so that every command executed on the client is written to the system log /var/log/messages.
# vi /etc/bashrc
Add the following line at the end of the file:
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger "[euid=$(whoami)]":$(who am i):[`pwd`]"$msg"; }'
Make it take effect:
# source /etc/bashrc
Restart the log service
# /etc/init.d/rsyslog restart

Type any command on the client, then look at the messages log on the server side:
2015-12-24T16:38:54+08:00 test135 root: [euid=root]:root pts/0 2015-12-24 14:59 (172.18.2.238): [/root]/etc/init.d/rsyslog restart
2015-12-24T16:39:04+08:00 test135 root: [euid=root]:root pts/0 2015-12-24 14:59 (172.18.2.238): [/root]less /var/log/messages
2015-12-24T16:39:06+08:00 test135 root: [euid=root]:root pts/0 2015-12-24 14:59 (172.18.2.238): [/root]ll
2015-12-24T16:41:04+08:00 test135 root: [euid=root]:root pts/0 2015-12-24 14:59 (172.18.2.238): [/root]pwd


Looking at the server's messages log, the entry received from the client is there:
Dec 11:40:30 t123 root: [euid=root]:root pts/4 2015-12-24 16:50 (172.18.2.238): [/root]ls

The corresponding record also appears in the MySQL database (SystemEvents row, shown with the columns from createdb.sql):

                ID: 18
        CustomerID: NULL
        ReceivedAt: 2015-12-25 11:40:57
DeviceReportedTime: 2015-12-25 11:40:30
          Facility: 1
          Priority: 5
          FromHost: t123
           Message:  [euid=root]:root pts/4 2015-12-24 16:50 (172.18.2.238): [/root]ls
        NTSeverity: NULL
        Importance: NULL
       EventSource: NULL
         EventUser: NULL
     EventCategory: NULL
           EventID: NULL
   EventBinaryData: NULL
      MaxAvailable: NULL
         CurrUsage: NULL
          MinUsage: NULL
          MaxUsage: NULL
        InfoUnitID: 1
         SysLogTag: root:
      EventLogType: NULL
   GenericFileName: NULL
          SystemID: NULL
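The message text written by the PROMPT_COMMAND hook (the same string that lands in /var/log/messages and in the Message column above) has a fixed layout, so it can be parsed back into fields for auditing. The following Python parser is an added example, not part of the original post or of Loganalyzer; its sample lines are constructed in the page's format, and it flags entries whose effective user differs from the login user, which is what an auditor looks for first.

```python
import re

# Layout written by the PROMPT_COMMAND hook on the page (rsyslog high-precision timestamps):
#   <timestamp> <host> <tag>: [euid=<euid>]:<login user> <tty> <login time> (<source ip>): [<cwd>]<command>
# "who am i" prints no "(ip)" part for console logins, so that group is optional.
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<tag>[^:\s]+):\s*"
    r"\[euid=(?P<euid>[^\]]+)\]:(?P<login>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<login_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?:\s+\((?P<src>[^)]*)\))?:\s*\[(?P<cwd>[^\]]*)\](?P<cmd>.*)$"
)


def parse_audit_line(line):
    """Return a dict of fields for a hook-generated entry, or None for any other syslog line."""
    m = AUDIT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    ev["cmd"] = ev["cmd"].strip()
    # Effective user differs from the login user: the session switched identity
    # (su / sudo -s) after logging in, which is the first thing an auditor wants to see.
    ev["elevated"] = ev["euid"] != ev["login"]
    return ev


# Constructed sample lines in the page's format (not real captures); the middle one
# shows a non-root login that became root, the last is an unrelated kernel message.
SAMPLE = """\
2015-12-24T16:39:04+08:00 test135 root: [euid=root]:root pts/0 2015-12-24 14:59 (172.18.2.238): [/root]less /var/log/messages
2015-12-24T16:45:10+08:00 test135 root: [euid=root]:alice pts/1 2015-12-24 16:44 (172.18.2.50): [/etc]vim rsyslog.conf
2015-12-24T16:46:02+08:00 test135 kernel: usb 1-1: new USB device found
"""


def summarize(text):
    """Parse every line; count hook entries and list (login, euid, command) for elevated ones."""
    events = [e for e in map(parse_audit_line, text.splitlines()) if e]
    return {
        "parsed": len(events),
        "elevated": [(e["login"], e["euid"], e["cmd"]) for e in events if e["elevated"]],
    }
```

PROMPT_COMMAND lives in the user's own shell environment and is not enforced by the kernel, so treat this log as a convenience audit trail rather than a tamper-proof record; forwarding to the server at least keeps a copy that does not depend on the client's local file.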


Third, installation and use of Loganalyzer

1. Installation
# tar xvf loganalyzer-3.0.4.tar.gz

# cd loganalyzer-3.0.4

# cp -R src/ /var/www/html/loganalyzer

# cp -R contrib/* /var/www/html/loganalyzer

# Run the helper scripts
# cd /var/www/html/loganalyzer/
# /bin/sh /var/www/html/loganalyzer/configure.sh
# /bin/sh /var/www/html/loganalyzer/secure.sh

# Set the ownership
# chown -R apache:apache /var/www/html/loganalyzer
# Start httpd
# service httpd restart
# Open the page
http://172.18.2.125/loganalyzer


2. Initialization


Because the helper scripts were already run above, config.php is already writable at this point:

# /bin/sh /var/www/html/loganalyzer/configure.sh
# /bin/sh /var/www/html/loganalyzer/secure.sh


Step 3: configure the data source


Step 6: create an administrative user


Step 7: configure the log source



Log in at http://172.18.2.125/loganalyzer


This article is from the "No Technology Madness" blog; please keep this source link when reproducing it: http://s8576.blog.51cto.com/9510968/1746320
