As a system operations and maintenance engineer, I consider viewing and analyzing Linux system logs a daily task. Over time, however, I found that every time I wanted to view site logs I had to log in to the back end of each server one by one. That is workable for a few servers, but if you manage hundreds of thousands of online servers, this method is too slow.
Later I wondered whether I could set up a log server to manage logs centrally and present them on a web front end for easy viewing. That is how the idea of writing this article came about.
I have a habit of keeping notes on Linux software that is well regarded in my chat groups or on the Internet, so that I can study it at leisure. Some friends mentioned a while ago that they used rsyslog + loganalyzer to manage logs centrally, so today I took the time to study it. Despite the twists and turns (I fell into various pitfalls in online documents), in the end it took a day to work through, and I am sharing my understanding and the build process here for your reference only.
This document uses rsyslog + loganalyzer + mysql to centralize the system logs of all Linux servers in the network on a log server for management. All logs are saved in mysql database tables.
Note: loganalyzer has two storage modes for obtaining client logs. One reads the logs directly from the client's /var/log/ directory and saves them to a directory on the server; the other reads them and saves them to the log server's database. This document recommends the latter.
Related reading:
Rsyslog deployment log server for CentOS6.0: http://www.centoscn.com/CentosServer/log/2013/0721/382.html
Solution:
I. Environment deployment
Operating System: CentOS 6.3 x64
Rsyslog: installed from the default yum source.
Loganalyzer: loganalyzer-3.6.3
LAMP: httpd-2.4.4, mysql-5.6.10, php-5.4.13
Rsyslog server: 192.168.7.201 lamp.example.com
Rsyslog client: 192.168.7.74 www2.example.com
1. Install the LAMP environment
See this blog's guide: http://showerlee.blog.51cto.com/2047005/1174141
2. Disable iptables and SELinux.
# service iptables stop
Note: if you keep the iptables service enabled to increase system security, the server needs rules that allow rsyslog's UDP port 514 and loganalyzer's TCP port 80.
# iptables -A INPUT -p udp --dport 514 -j ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Clients only need the OUTPUT rule:
# iptables -P OUTPUT ACCEPT
The rules show that the rsyslog server receives data passively and the client sends data actively.
If you have disabled iptables, you can ignore these rules.
# setenforce 0
# vi /etc/sysconfig/selinux
-----
SELINUX=disabled
-----
3. Synchronize the time
# ntpdate asia.pool.ntp.org
II. Install and configure rsyslog
(Rsyslog server)
# yum install rsyslog-mysql -y
Note: rsyslog-mysql is the rsyslog module that writes logs to a mysql database. It must be installed here.
# cd /usr/share/doc/rsyslog-mysql-5.8.10/
# mysql -uroot -p123456 < createDB.sql
Note: after studying it, the blogger found that this import creates the Syslog database and two empty tables in it.
Create the rsyslog user and its privileges in mysql:
# mysql -uroot -p123456
> grant all privileges on Syslog.* to rsyslog@localhost identified by "123456";
> flush privileges;
> exit
Configure the server to use the rsyslog-mysql module, and enable the UDP service port so that it receives logs from the other Linux systems in the network.
# vi /etc/rsyslog.conf
Add the following two lines under #### MODULES ####
------
$ModLoad ommysql.so
*.* :ommysql:localhost,Syslog,rsyslog,123456
------
Note: localhost is the database host, Syslog is the database name, rsyslog is the database user, and 123456 is that user's password.
Uncomment the following three lines
------
$ModLoad immark
$ModLoad imudp
$UDPServerRun 514
------
Restart the service:
# service rsyslog restart
(Rsyslog client)
# yum install rsyslog -y
Configure the rsyslog client to send its local logs to the server
# vi /etc/rsyslog.conf
Add the following content as the last line:
-------
*.* @192.168.7.201
-------
Note: 192.168.7.201 is the IP address of the log server.
Restart the service:
# service rsyslog restart
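One way to confirm that both rsyslog.conf files really contain the directives from the steps above, including the case where a line was left commented out. This is an added example, not part of the original post; the function names and the two sample configs are constructed for illustration.

```python
import re
# Directives the guide adds or uncomments in the server's /etc/rsyslog.conf.
SERVER_DIRECTIVES = {
    "ommysql_loaded": r"\$ModLoad\s+ommysql(\.so)?$",
    "imudp_loaded": r"\$ModLoad\s+imudp(\.so)?$",
    "udp_514_listening": r"\$UDPServerRun\s+514$",
}
# Legacy action syntax: selector :ommysql:host,database,user,password
MYSQL_ACTION = re.compile(r"(\S+)\s+:ommysql:([^,]+),([^,]+),([^,]+),(.+)$")
# Legacy forwarding syntax: selector @host (UDP) or @@host (TCP), optional :port
FORWARD = re.compile(r"(\S+)\s+(@@?)([^\s:]+)(?::(\d+))?$")

def active_lines(text):
    """Drop blank lines and '#' comments, so commented-out directives do not count."""
    stripped = (line.strip() for line in text.splitlines())
    return [line for line in stripped if line and not line.startswith("#")]

def check_server(text):
    lines = active_lines(text)
    report = {k: any(re.match(p, l) for l in lines) for k, p in SERVER_DIRECTIVES.items()}
    report["mysql_action"] = None
    for line in lines:
        m = MYSQL_ACTION.match(line)
        if m:  # the password field is matched but deliberately not reported
            report["mysql_action"] = dict(zip(("selector", "host", "db", "user"), m.groups()))
    return report

def check_client(text):
    targets = []
    for line in active_lines(text):
        m = FORWARD.match(line)
        if m:
            selector, at, host, port = m.groups()
            targets.append({"selector": selector, "host": host, "port": int(port or 514),
                            "transport": "udp" if at == "@" else "tcp"})
    return targets

# Constructed samples mirroring this guide; imudp is left commented to show a miss.
SERVER_CONF = """#### MODULES ####
$ModLoad ommysql.so
*.* :ommysql:localhost,Syslog,rsyslog,123456
$ModLoad immark
#$ModLoad imudp
$UDPServerRun 514
"""
CLIENT_CONF = "*.* @192.168.7.201\n"
if __name__ == "__main__":
    print(check_server(SERVER_CONF), check_client(CLIENT_CONF))
```

To check real hosts, pass the contents of /etc/rsyslog.conf to check_server() on the log server and to check_client() on each client.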