With the growth of server and network equipment in the machine room, log management and querying become a headache for system administrators.
The problems system administrators commonly encounter are:
1. During daily maintenance it is not practical to log on to every server and device to view its logs;
2. Network devices have limited storage and cannot keep logs for long, yet a system problem may have been caused by an operation performed a long time ago;
3. In an intrusion, the intruder will generally clear the local logs to erase the traces of the break-in;
4. Monitoring systems such as Zabbix cannot replace log management: they do not monitor items such as system logins or the execution of scheduled tasks.
For these reasons it is necessary to build an Rsyslog log server for centralized log management in the current network environment. A copy of each host's logs on a separate server is exactly what survives when the intruder in point 3 clears the local files, which also makes the log server itself a target worth hardening.
The advantages of the Rsyslog service are:
1. Rsyslog is supported by most network devices: the system options of most devices include a remote logging configuration, and it is enough to fill in the IP address and port (most devices default to 514) and confirm;
2. A Linux server only needs one additional line in its local Rsyslog configuration to send its logs to the log server, so deployment and configuration are very simple;
3. With additional software (such as Evtsys) Windows servers can be supported as well; deployment and configuration are not very difficult, but some of that software is commercial;
4. Combined with a front end such as Loganalyzer, logs can be managed and queried graphically.
II. System environment and software versions:
rsyslog_server: CentOS 7.2
rsyslog_server IP: 192.168.253.160
rsyslog_client: CentOS 7.2 + Windows 7
Software used:
Rsyslog version: rsyslog-7.4.7-12.el7.x86_64
Loganalyzer version: loganalyzer-3.6.5.tar.gz
MySQL version: MySQL 5.7
HTTPD version: httpd-2.4.6-40.el7.centos.x86_64
PHP version: php-5.4.16-36.el7_1.x86_64
III. Environment preparation:
The procedure below stops the firewall and disables SELinux so that nothing gets in the way of the installation. On a production log server it is better to leave both on: open only what this setup needs in firewalld (514/udp for rsyslog and the http service for Loganalyzer, added with --permanent so they survive a reboot, followed by a reload) and, with SELinux enforcing, allow httpd to reach the database through the httpd_can_network_connect_db boolean. If you do follow the steps as written, remember that a plain systemctl stop does not survive a reboot either.
3.1 Turn off the firewall:
# systemctl stop firewalld
3.2 Set SELinux to disabled:
# setenforce 0
# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
(The key in /etc/selinux/config is upper-case SELINUX; the lower-case pattern in the original would match nothing, and enforcing mode would return at the next reboot.)
IV. Configure the LAMP environment:
4.1 Install MySQL. Because CentOS 7 installs MariaDB by default, use the quick installation method provided by the official MySQL Yum repository: http://dev.mysql.com/doc/mysql-yum-repo-quick-guide/en/
# mkdir -p /home/rsyslog_server/tools   # create a directory for downloaded files
# cd /home/rsyslog_server/tools
# yum install wget -y
# wget http://dev.mysql.com/get/mysql57-community-release-el7-8.noarch.rpm
# rpm -Uvh mysql57-community-release-el7-8.noarch.rpm   # install the official MySQL Yum repository
# yum install mysql-community-server -y   # install MySQL
# systemctl start mysqld.service
# systemctl status mysqld.service
# grep 'temporary password' /var/log/mysqld.log   # show the initial root password
# mysql -u root -p
mysql> ALTER USER 'root'@'localhost' IDENTIFIED BY 'mynewpass4!';   # change the password
The repository RPM is fetched over plain HTTP, so check its GPG signature (rpm -K) before installing it. MySQL 5.7's validate_password plugin requires the new password to contain at least one upper-case letter, one lower-case letter, one digit and one special character, and to be at least 8 characters long. 'mynewpass4!' is only the tutorial's placeholder: choose your own, and do not reuse it for the rsyslog database user created later.
4.2 Install Apache and PHP:
# yum install httpd -y
# yum install php php-gd php-xml php-mysql -y
4.3 Start the services and enable them at boot:
# systemctl start httpd.service
# systemctl enable httpd.service
# systemctl start mysqld.service
# systemctl enable mysqld.service
4.4 Test the PHP environment. Create index.php in the Apache document root (/var/www/html):
# vi index.php
<?php phpinfo(); ?>
Enter http://192.168.253.160/index.php in the browser; if the phpinfo() page is displayed, the configuration is successful. Delete this file once the test is done: phpinfo() discloses the PHP version, loaded modules, file paths and environment variables to anyone who can reach the server.
V. Check and install the server software
5.1 Check whether the Rsyslog package is installed:
# rpm -qa rsyslog   # CentOS 7 installs rsyslog by default
5.2 Install the Rsyslog module that connects to the MySQL database:
# yum install rsyslog-mysql -y   # rsyslog uses this module (ommysql) to write log records into MySQL; it must be installed
VI. Configure the server side
6.1 Import the rsyslog-mysql database file:
# cd /usr/share/doc/rsyslog-7.4.7/
# mysql -uroot -p < mysql-createdb.sql
Enter password:
6.2 Log in to the database and check:
mysql> show databases;
mysql> show tables;
(show tables only lists the new tables after the database has been selected with use.) Importing the script created the Syslog database and, inside it, two empty tables, SystemEvents and SystemEventsProperties. Note the exact spelling shown by show databases: on Linux, MySQL database and table names are case-sensitive, and the same spelling must be used in the GRANT statement and in rsyslog.conf below.
6.3 Create an rsyslog user in MySQL and grant it privileges:
mysql> GRANT ALL ON syslog.* TO 'rsyslog'@'localhost' IDENTIFIED BY 'mynewpass4!';
mysql> FLUSH PRIVILEGES;
mysql> exit
(ommysql only ever inserts into SystemEvents, so INSERT on that table is all this account needs; give it its own password rather than root's.)
6.4 Configure the server to use the rsyslog-mysql module and open the UDP port to receive logs from the other Linux systems on the network:
# vi /etc/rsyslog.conf   # change as follows
#### MODULES ####
$ModLoad ommysql
*.* :ommysql:localhost,syslog,rsyslog,mynewpass4!
# localhost is the database host, syslog the database name, rsyslog the database user and mynewpass4! that user's password
$ModLoad immark   # immark supports log marking
$ModLoad imudp    # imudp supports UDP input
$UDPServerRun 514 # accept logs forwarded to port 514 over UDP
$UDPServerRun opens UDP only; clients that forward with @@ (TCP) additionally need $ModLoad imtcp and $InputTCPServerRun 514 here. The file now contains a database password, so make sure it is readable by root only (mode 600). Keep in mind that UDP syslog is neither authenticated nor encrypted: anything on the network can send messages to port 514 claiming any hostname, and datagrams that are dropped are simply lost.
6.5 Restart Rsyslog Service
# systemctl Restart Rsyslog.service
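Once ommysql is writing, the SystemEvents table is what you will actually query, whether through Loganalyzer or directly. The following is an added example (not code from the tutorial or from the rsyslog project) of two checks worth running against it: a burst of failed SSH logins reported by one host, and known clients that have gone silent, which is what it looks like on the server when a client's forwarding has been stopped. It uses an in-memory SQLite table with the column names ommysql's default template fills (ReceivedAt, DeviceReportedTime, Facility, Priority, FromHost, Message, SysLogTag) as a stand-in for the MySQL table, loaded with constructed rows; the hostnames, timestamps and thresholds are assumptions. The SQL itself runs unchanged on MySQL.

```python
import sqlite3
from datetime import datetime, timedelta

# Subset of rsyslog's SystemEvents table (mysql-createdb.sql), restricted to the
# columns ommysql's default template populates; types simplified for SQLite.
SCHEMA = """
CREATE TABLE SystemEvents (
    ID INTEGER PRIMARY KEY AUTOINCREMENT,
    ReceivedAt TEXT,
    DeviceReportedTime TEXT,
    Facility INTEGER,
    Priority INTEGER,
    FromHost TEXT,
    Message TEXT,
    SysLogTag TEXT
);
"""

def _row(ts, facility, priority, host, tag, msg):
    # rsyslog's %msg% keeps the leading space of an RFC 3164 message, so stored
    # messages start with " " and must be matched with LIKE '%...%', not 'Failed%'.
    return (ts, ts, facility, priority, host, " " + msg, tag)

# Constructed rows: six failed root logins in six minutes on rsyslog_client,
# one success, and a second client whose last message is old.
SAMPLE_ROWS = [
    _row("2016-10-05 10:2%d:00" % i, 10, 6, "rsyslog_client", "sshd[2031]:",
         "Failed password for root from 192.168.253.1 port 5%04d ssh2" % i)
    for i in range(1, 7)
] + [
    _row("2016-10-05 10:27:00", 10, 6, "rsyslog_client", "sshd[2031]:",
         "Accepted password for root from 192.168.253.1 port 50007 ssh2"),
    _row("2016-10-05 09:40:00", 1, 5, "fileserver01", "root:",
         "[euid=root]:root pts/0 2016-10-05 09:30 (10.0.0.9):[/root] ls -la"),
    _row("2016-10-05 09:50:00", 10, 6, "fileserver01", "sshd[880]:",
         "Failed password for admin from 10.0.0.9 port 41000 ssh2"),
]
NOW = datetime(2016, 10, 5, 10, 30, 0)   # assumed query time

def load(rows):
    """Build the in-memory stand-in for the Syslog.SystemEvents table."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO SystemEvents (ReceivedAt, DeviceReportedTime, Facility, Priority,"
        " FromHost, Message, SysLogTag) VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return db

def failed_login_bursts(db, now, window_minutes=10, threshold=5):
    """Reporting hosts with at least `threshold` sshd 'Failed password' messages
    (facility 10 = authpriv) received in the last `window_minutes`."""
    since = (now - timedelta(minutes=window_minutes)).strftime("%Y-%m-%d %H:%M:%S")
    return db.execute(
        "SELECT FromHost, COUNT(*) AS n FROM SystemEvents"
        " WHERE Facility = 10 AND SysLogTag LIKE 'sshd%'"
        "   AND Message LIKE '%Failed password for%' AND ReceivedAt >= ?"
        " GROUP BY FromHost HAVING n >= ? ORDER BY n DESC",
        (since, threshold)).fetchall()

def silent_hosts(db, known_hosts, now, max_gap_minutes=30):
    """Known clients with no message in the last `max_gap_minutes` (or none at
    all): the host is down, or its forwarding was stopped, for example by an
    intruder editing /etc/rsyslog.conf. Returns (host, last ReceivedAt or None)."""
    last = dict(db.execute("SELECT FromHost, MAX(ReceivedAt) FROM SystemEvents GROUP BY FromHost"))
    cutoff = now - timedelta(minutes=max_gap_minutes)
    silent = []
    for host in sorted(known_hosts):
        seen = last.get(host)
        if seen is None or datetime.strptime(seen, "%Y-%m-%d %H:%M:%S") < cutoff:
            silent.append((host, seen))
    return silent

DB = load(SAMPLE_ROWS)

if __name__ == "__main__":
    print("bursts:", failed_login_bursts(DB, NOW))
    print("silent:", silent_hosts(DB, {"rsyslog_client", "fileserver01", "win7client"}, NOW))
```

The silence check is the one most often forgotten: a client that stops reporting looks like nothing happened, so the list of known hosts has to be maintained outside the table and compared against it.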
VII. Configure the client
7.1 Check whether the client has Rsyslog installed:
# rpm -qa rsyslog
7.2 Configure the Rsyslog client to send its local logs to the server:
# vi /etc/rsyslog.conf
*.* @192.168.253.160:514   # add this line at the end of the file
The selector is *.* (all facilities, all priorities); the "* *" in the original is a typo and not a valid selector. A single @ forwards over UDP, matching $UDPServerRun on the server; @@ would forward over TCP.
7.3 Restart the Rsyslog service:
# systemctl restart rsyslog.service
7.4 Edit /etc/bashrc so that every command executed on the client is written to the system log (/var/log/messages) and therefore forwarded to the server:
# vi /etc/bashrc
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger "[euid=$(whoami)]:$(who am i):[$(pwd)] $msg"; }'   # add this line at the end
Each time a prompt is drawn, the hook takes the last history entry and sends it through logger(1) together with the effective user, the login session (who am i) and the working directory. It is a convenience, not a security control: a user can unset PROMPT_COMMAND, disable history or start a different shell, so for tamper-resistant command auditing use auditd and forward its records the same way. Its value here is the copy that reaches the server before the local files can be cleared.
Make the setting take effect:
# source /etc/bashrc
VIII. Test that rsyslog_server receives logs from rsyslog_client normally
Run a few commands on rsyslog_client:
Then check on rsyslog_server:
If the client's entries appear on the server, it is receiving the client's logs normally.
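What crosses the wire in this test is a plain UDP datagram in the BSD syslog format, and the audit lines from 7.4 arrive inside it. The following is an added example, not code from the tutorial or from rsyslog, written in Python so that it runs anywhere: it assembles such a datagram the way the client's @ action and logger(1) would, parses it back into the fields rsyslog stores, and runs a simple check over constructed audit lines, flagging commands that clear or disable the local trail (item 3 of the introduction) and messages claiming a hostname that is not one of the known clients, which plain UDP lets anyone send. The server address is the tutorial's 192.168.253.160; the hostnames, commands and the pattern list are assumptions.

```python
import re
import socket
from datetime import datetime

# rsyslog_server from the tutorial; only used by send_udp(), which needs network access.
SERVER = ("192.168.253.160", 514)

FACILITY = {"kern": 0, "user": 1, "auth": 4, "syslog": 5, "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

def build_rfc3164(facility, severity, hostname, tag, msg, when):
    """Assemble one BSD-syslog datagram: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG.
    PRI = facility*8 + severity and the day is space-padded. The sender fills in
    hostname and tag itself, which the server cannot verify over plain UDP."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return ("<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, msg)).encode()

def send_udp(datagram, server=SERVER):
    """Deliver a datagram exactly as the client's '*.* @host:514' action does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, server)

SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): ?(.*)$", re.S)

def parse_rfc3164(datagram):
    """Split a datagram into the fields ommysql stores (Facility, Priority, FromHost, SysLogTag, Message)."""
    m = SYSLOG_RE.match(datagram.decode("utf-8", "replace"))
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % datagram)
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}

# Body written by the /etc/bashrc hook:  [euid=<user>]:<who am i>:[<cwd>] <command>
AUDIT_RE = re.compile(r"^\[euid=([^\]]+)\]:(.*?):\[([^\]]*)\] (.*)$")

# Assumed patterns for commands that erase or switch off the local trail.
ANTI_FORENSIC = [
    (re.compile(r"\bhistory\s+-c\b"), "history cleared"),
    (re.compile(r"\b(unset|export)\s+(HISTFILE|PROMPT_COMMAND)\b|\bHISTSIZE=0\b"),
     "shell auditing disabled"),
    (re.compile(r"\b(rm|truncate|shred)\b.*\s/var/log/|>\s*/var/log/"),
     "log file removed or truncated"),
    (re.compile(r"\b(vi|vim|nano|sed)\b.*\s/etc/(bashrc|rsyslog\.conf)\b"),
     "audit or forwarding config edited"),
]

def audit_findings(datagrams, known_hosts):
    """Return (host, euid, command, reason) for every PROMPT_COMMAND line that is
    anti-forensic or that claims a FromHost outside the known client list."""
    findings = []
    for dg in datagrams:
        rec = parse_rfc3164(dg)
        m = AUDIT_RE.match(rec["msg"])
        if not m:
            continue                                  # not a shell audit line
        euid, _who, _cwd, cmd = m.groups()
        if rec["host"] not in known_hosts:
            findings.append((rec["host"], euid, cmd, "unknown source host"))
            continue
        for pattern, reason in ANTI_FORENSIC:
            if pattern.search(cmd):
                findings.append((rec["host"], euid, cmd, reason))
                break
    return findings

T = datetime(2016, 10, 5, 10, 20, 30)
WHO = "root pts/0 2016-10-05 10:20 (192.168.253.1)"   # constructed 'who am i' output
# Constructed datagrams, as logger(1) on the client emits them (user.notice, tag = login name).
SAMPLE = [
    build_rfc3164("user", "notice", "rsyslog_client", "root", "[euid=root]:%s:[/root] cat /etc/shadow" % WHO, T),
    build_rfc3164("user", "notice", "rsyslog_client", "root", "[euid=root]:%s:[/root] history -c" % WHO, T),
    build_rfc3164("user", "notice", "rsyslog_client", "root", "[euid=root]:%s:[/var/log] rm -f /var/log/secure" % WHO, T),
    build_rfc3164("user", "notice", "fileserver01", "root", "[euid=root]:%s:[/root] ls" % WHO, T),
    build_rfc3164("auth", "info", "rsyslog_client", "sshd",
                  "Accepted password for root from 192.168.253.1 port 50000 ssh2", T),
]

if __name__ == "__main__":
    for finding in audit_findings(SAMPLE, {"rsyslog_client"}):
        print(finding)
    # send_udp(SAMPLE[0])   # on a host that can reach rsyslog_server, then check SystemEvents
```

The "unknown source host" case is the point of the spoofing caveat: because the hostname is just a field the sender writes, a check like this can only compare it against what you expect, and the datagram's real source address (which rsyslog does see, and which imudp can record) is the value to trust.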
IX. Install Loganalyzer
# cd /home/rsyslog_server/tools/
# wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.5.tar.gz
# tar zxf loganalyzer-3.6.5.tar.gz
# cd loganalyzer-3.6.5
# mkdir -p /var/www/html/loganalyzer
# cp -a src/* /var/www/html/loganalyzer/
X. Install Loganalyzer in the browser
10.1 Open the browser and go to http://192.168.253.160/loganalyzer
It reports that there is no configuration file; click the "here" link to generate one;
10.2 Click Next to test the system environment:
There is no config.php file yet; the configure.sh script in contrib can be used to create it:
# cd contrib/
# cp configure.sh /var/www/html/loganalyzer/
# cd /var/www/html/loganalyzer/
# sh configure.sh
This creates an empty config.php under /var/www/html/loganalyzer/ with permissions 666 so that the web installer can write to it; the same can be done with touch and chmod. Once the installation in 10.6 is finished, set it back to 644: it will contain the database credentials, and the web server should not be able to rewrite it.
10.3 Continue to the next step and fill in the database information;
Click Next to create the tables in the database;
10.4 Set up the administrator
10.5 Create the first syslog source
10.6 Finish
The Rsyslog + Loganalyzer log server is now deployed and can be configured further as needed. The interface and the database behind it hold the logs of every host, so restrict who can reach it: the firewall rules discussed above, HTTPS on the httpd side, and a strong Loganalyzer administrator password.
For more information, please contact Ding Feng Hu Jiashong
CentOS 7: configuring a log server with Rsyslog + Loganalyzer, with Linux and Windows client configuration