Use Rsyslog to centrally collect system logs, user operation records, and related processing methods

Source: Internet
Author: User
Tags: rsyslog

I believe that those who work in Linux server O&M are like me: every day they deal with all kinds of system logs and service logs. These logs record what happens to the system or service each day, and by watching them we can resolve many system and service faults in time.

Today we use rsyslog to centrally collect system logs and user operation records, and then process the collected logs, for example for server exception monitoring and user behaviour auditing.


Deployment architecture:

Roles: Application Server, log summary server, database, log monitoring, and log query


Here we will explain the following:

1. Summarize the logs on the application server to the log summary server.

2. Write the logs on the summary server to the database.

3. Process summary logs, such as log monitoring and Historical queries.


Lab environment:

Operating System: CentOS 5.8 x86_64


1. Configure log collection

On the log summary server, perform the following operations:

Because CentOS 5.8 x86_64 runs the syslog service by default, rsyslog must be installed manually on the log summary server.

service syslog stop
chkconfig --del syslog
yum -y install rsyslog

vim /etc/sysconfig/rsyslog
    #SYSLOGD_OPTIONS="-m 0"
    SYSLOGD_OPTIONS="-c 2 -r 514 -x -m 240"

Meaning of the parameters:

-c sets the compatibility mode rsyslog runs in (here 2).

-r specifies the port on which remote messages are received (here UDP 514).

-x disables DNS lookups for received client messages; it must be used together with -r.

-m sets the interval, in minutes, between timestamp ("mark") messages; 0 disables them.


chkconfig rsyslog on
service rsyslog start
ps -ef | grep rsyslog



Operate on the Application Server:

echo "*.* @192.168.154.128" >> /etc/syslog.conf
service syslog restart

vim /etc/bashrc
    export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; });logger "[euid=$(whoami)]":$(who am i):[`pwd`]"$msg"; }'


source /etc/bashrc

To check whether the logs are received on the summary server, enter a few commands on the application server.


Log summary Server:

tail -f /var/log/messages

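As an added example (not code from the original post), the following Python script shows the plaintext UDP datagram that a `*.* @192.168.154.128` rule forwards and how a collector started with `-r 514 -x` decodes it; it binds a throwaway localhost port instead of 514, and the hostnames, tag and message text are constructed.

```python
import re
import socket
from datetime import datetime

# Numeric facilities/severities used in the <PRI> header (subset; PRI = facility*8 + severity).
FACILITY = {"kern": 0, "user": 1, "auth": 4, "syslog": 5, "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}

# BSD-syslog line: <PRI>Mmm dd hh:mm:ss host tag[pid]: message  (the form `*.* @host` sends over UDP)
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[(\d+)\])?: ?(.*)$", re.S)


def build_datagram(facility, severity, host, tag, message, when=None):
    """Encode one log line the way a syslog client forwards it: plaintext, no authentication."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    when = when or datetime(2013, 12, 28, 1, 25, 11)          # constructed fixed timestamp
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"       # day is space-padded in BSD syslog
    return f"<{pri}>{stamp} {host} {tag}: {message}".encode()


def parse_datagram(data, peer_ip):
    """Decode a received datagram. `peer_ip` is what the collector records as FromHost (with -x,
    no reverse DNS); the hostname inside the datagram is sender-supplied and must not be trusted."""
    m = LINE_RE.match(data.decode("utf-8", errors="replace"))
    if not m:                                                # unparsable input is kept, not dropped
        return {"malformed": True, "fromhost": peer_ip, "raw": data}
    pri = int(m.group(1))
    return {"malformed": False, "facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group(2), "host": m.group(3), "tag": m.group(4),
            "pid": m.group(5), "message": m.group(6), "fromhost": peer_ip}


def roundtrip_localhost(datagram):
    """Deliver `datagram` to a UDP listener on 127.0.0.1 (ephemeral port standing in for -r 514)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        tx.sendto(datagram, rx.getsockname())
        data, peer = rx.recvfrom(8192)
    return parse_datagram(data, peer[0])


if __name__ == "__main__":
    audit = "[euid=root]:cuiyr pts/1 2013-12-28 01:20 (192.168.154.1):[/root]ls -l"   # constructed
    rec = roundtrip_localhost(build_datagram("user", "notice", "app1", "cuiyr", audit))
    print(rec)
```

Only the peer address the collector records as FromHost is collector-side evidence; the hostname and tag inside the datagram, and a UDP source address itself, are under the sender's control, so plain UDP forwarding suits a trusted network segment rather than an untrusted one.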


2. Configure log storage in the database

Create a database and table structure:

cat /usr/share/doc/rsyslog-mysql-3.22.1/createDB.sql


mysql < /usr/share/doc/rsyslog-mysql-3.22.1/createDB.sql
grant all on Syslog.* to rsyslog_user@'%' identified by 'rsyslog_pass';
flush privileges;


Operations on the log summary Server:

yum -y install rsyslog-mysql

vim /etc/rsyslog.conf
    $ModLoad ommysql
    *.* :ommysql:192.168.154.128,Syslog,rsyslog_user,rsyslog_pass

Format: *.* :ommysql:host,database,user,password


service rsyslog restart

Check that the logs are being stored in the database correctly.


After completing the preceding steps, you can start log processing.


3. Log processing

Common log processing methods include:

1. Use Nagios to monitor the log status: for example, when an error is found, a message is sent to the administrator, who can then handle the related server fault promptly.

2. Analyze the logs with a log analysis tool such as LogAnalyzer.

3. Query the log information in the database to find the operations a given user performed on a given machine.
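As an added example (not code from the original post), the following Python script parses the audit records that the PROMPT_COMMAND hook above produces and answers the third question, which operations a user performed on a machine, over a SystemEvents table; sqlite stands in for MySQL, the column subset is assumed from createDB.sql, and the rows are constructed.

```python
import re
import sqlite3

# Message layout written by the PROMPT_COMMAND hook: [euid=<effective user>]:<`who am i` output>:[<cwd>]<command>
# `who am i` prints "<login> <tty> <date> <time> (<origin>)"; origin is absent on console logins and the
# whole field is empty when the shell has no controlling tty, so both parts are optional below.
AUDIT_RE = re.compile(
    r"^\[euid=(?P<euid>[^\]]*)\]:"
    r"(?:(?P<login>\S+) (?P<tty>\S+) (?P<date>\S+) (?P<time>\S+)(?: \((?P<origin>[^)]*)\))?)?"
    r":\[(?P<cwd>[^\]]*)\](?P<cmd>.*)$", re.S)

# Subset of the SystemEvents columns createDB.sql creates (assumed); sqlite stands in for MySQL here.
SCHEMA = ("CREATE TABLE SystemEvents (ID INTEGER PRIMARY KEY, ReceivedAt TEXT, "
          "FromHost TEXT, SysLogTag TEXT, Message TEXT)")
SAMPLE_ROWS = [  # constructed rows as ommysql would have stored them (ReceivedAt, FromHost, SysLogTag, Message)
    ("2013-12-28 01:25:11", "192.168.154.129", "cuiyr", "[euid=cuiyr]:cuiyr pts/1 2013-12-28 01:20 (192.168.154.1):[/home/cuiyr]cd /etc"),
    ("2013-12-28 01:25:40", "192.168.154.129", "root", "[euid=root]:cuiyr pts/1 2013-12-28 01:20 (192.168.154.1):[/etc]vim sysconfig/rsyslog"),
    ("2013-12-28 01:26:02", "192.168.154.129", "root", "[euid=root]::[/root]service rsyslog restart"),
    ("2013-12-28 01:26:30", "192.168.154.130", "root", "[euid=root]:root tty1 2013-12-28 01:00:[/root]ls"),
    ("2013-12-28 01:27:00", "192.168.154.129", "kernel", "eth0: link up"),
]

def parse_audit_message(msg):
    """Return the audit fields of one Message, or None if it is not a PROMPT_COMMAND record."""
    m = AUDIT_RE.match(msg)
    return m.groupdict() if m else None

def load_sample():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO SystemEvents (ReceivedAt, FromHost, SysLogTag, Message) VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db

def user_operations(db, fromhost, login):
    """Commands run on `fromhost` by sessions that logged in as `login`, whatever euid they switched to."""
    cur = db.execute("SELECT ReceivedAt, Message FROM SystemEvents WHERE FromHost = ? "
                     "AND Message LIKE '[euid=%' ORDER BY ReceivedAt, ID", (fromhost,))
    recs = ((t, parse_audit_message(msg)) for t, msg in cur)
    return [(t, r["euid"], r["cwd"], r["cmd"]) for t, r in recs if r and r["login"] == login]

def escalated_sessions(db):
    """Records whose effective user differs from the login user (commands run after su/sudo)."""
    cur = db.execute("SELECT FromHost, Message FROM SystemEvents WHERE Message LIKE '[euid=%'")
    recs = ((h, parse_audit_message(msg)) for h, msg in cur)
    return [(h, r["login"], r["euid"], r["cmd"]) for h, r in recs if r and r["login"] and r["login"] != r["euid"]]

if __name__ == "__main__":
    db = load_sample()
    print(user_operations(db, "192.168.154.129", "cuiyr"))
    print(escalated_sessions(db))
```

The hook records only interactive bash commands and lives in the user's own shell environment, so treat these records as an audit aid rather than a tamper-proof trail.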


That is all for today. If you have any questions, please contact me.

This article is from the "small Cui's growth path" blog; please keep this source: http://cyr520.blog.51cto.com/714067/1214850
