1. Brief Description
Logs record every operation on a server system, so managing server logs is a daily task for every operations engineer and an effective means of evaluating the security of servers. But how do you manage the logs of many servers? Checking them one machine at a time quickly becomes exhausting.
So we build a log server and store the logs of all servers on this remote log server. That way we can centrally manage and evaluate the security status of each server, and also reduce disk usage on each server.
Even with the logs of every server stored in MySQL on one server (which can also be kept on a local disk), how to manage and analyze these logs is still a problem. Fortunately loganalyzer, a log analysis tool, makes log analysis easy.
Server description: 192.168.200.106 is the rsyslog log server; all other servers are rsyslog clients.
2. Deploy rsyslog + loganalyzer Log Server
Our first task is to configure the rsyslog server; the second is to deploy the log analysis tool loganalyzer. loganalyzer is a LAMP application: the stack installs directly from yum and only its parameters need configuring. During the deployment at the company, however, several problems came up that stopped the log server from receiving the log data of the other servers, so take care during the deployment process. Now to the topic.
1. Configure the rsyslog Log Server
(1) install the software package
Because rsyslog stores the logs in MySQL, a MySQL server is required, and the rsyslog configuration file must load the module that connects to MySQL (ommysql).
[root@<server> ~]# yum -y install rsyslog mysql-server rsyslog-mysql
(2) configure the database
[root@<server> ~]# rpm -ql rsyslog-mysql            # first check the files shipped by rsyslog-mysql
/lib64/rsyslog/ommysql.so
/usr/share/doc/rsyslog-mysql-5.8.10
/usr/share/doc/rsyslog-mysql-5.8.10/createdb.sql     # this SQL file is the schema to import into the database
[root@<server> ~]# service mysqld start              # start the mysqld service
[root@<server> ~]# mysql                             # connect to MySQL
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| test               |
+--------------------+
3 rows in set (0.00 sec)
# at this point only the three default databases exist
mysql> source /usr/share/doc/rsyslog-mysql-5.8.10/createdb.sql;    # import the rsyslog schema
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Syslog             |
| mysql              |
| test               |
+--------------------+
4 rows in set (0.01 sec)
mysql> use Syslog;                                   # Syslog is the database rsyslog writes to
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------------+
| Tables_in_Syslog       |
+------------------------+
| SystemEvents           |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)
# Next, grant access to the rsyslog server. The host part must be the IP address of the
# rsyslog server itself; writing the IP address of each client server here is wrong.
mysql> grant all on Syslog.* to 'syslogroot'@'127.0.0.1' identified by 'syslogpass';
Query OK, 0 rows affected (0.00 sec)
mysql> grant all on Syslog.* to 'syslogroot'@'192.168.200.106' identified by 'syslogpass';
Query OK, 0 rows affected (0.04 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> \q
Bye
(3) modify the rsyslog log server configuration file
[root@<server> ~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp                 # load the UDP input module
$UDPServerRun 514              # accept logs on UDP port 514
$ModLoad imtcp                 # load the TCP input module
$InputTCPServerRun 514         # accept logs on TCP port 514
$ModLoad ommysql               # load the MySQL output module
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.* :ommysql:192.168.200.106,Syslog,syslogroot,syslogpass    # add this line: logs of all facilities at all levels are written to the Syslog database on the database server, accessed as user syslogroot with password syslogpass
local7.* /var/log/boot.log
$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
:programname, startswith, "spice-vdagent" /var/log/spice-vdagent.log;SpiceTmpl
(4) restart the rsyslog service after the modification is completed.
[root@<server> ~]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
2. Configure the rsyslog Client
(1) modify the configuration file
[root@<client> ~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.* @192.168.200.106
*.* :ommysql:192.168.200.106,Syslog,syslogroot,syslogpass
$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
:programname, startswith, "spice-vdagent" /var/log/spice-vdagent.log;SpiceTmpl
(2) restart the rsyslog service after the modification is completed.
[root@<client> ~]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
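Before trusting the log server, it is worth reading the two configuration listings above the way a reviewer would. The checker below is an added example, not code from the original post: it embeds the server listing from step 1 (3) and the client listing from step 2 (1) as constructed strings (the spice template lines are left out), parses the legacy `$Directive` and `selector action` syntax, and reports which ports the server opens, how each host forwards, and which hosts hold the database password. Two things it flags on the page's own client config: `@host` forwards over plain UDP, which is unacknowledged and lossy, while `@@host` selects TCP, which this server already accepts on port 514; and the client's own `:ommysql:` line places the syslogroot password on every client, even though the grant from step 1 (2) only allows connections from 127.0.0.1 and 192.168.200.106, so those client inserts fail while the server already stores everything forwarded to it. Function and constant names are mine.

```python
"""Review the rsyslog legacy-format configs from this page.

Added example (not code from the original post): the two listings are
embedded as constructed strings and checked for the things a reviewer
looks at before trusting the log server: open inputs, forwarding
transport, and which hosts hold the database password.
"""
import re

# Constructed input: the server rsyslog.conf from step 1 (3), spice template lines omitted.
SERVER_CONF = """
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$ModLoad ommysql
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.* :ommysql:192.168.200.106,Syslog,syslogroot,syslogpass
local7.* /var/log/boot.log
"""

# Constructed input: the client rsyslog.conf from step 2 (1), spice template lines omitted.
CLIENT_CONF = """
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.* @192.168.200.106
*.* :ommysql:192.168.200.106,Syslog,syslogroot,syslogpass
"""

RULE_RE = re.compile(r"^(?P<selector>\S+)\s+(?P<action>\S.*)$")


def parse_legacy(text):
    """Split a legacy rsyslog.conf into ($Directive, value) and (selector, action) pairs.

    Trailing '# ...' comments are dropped, as on the $ModLoad lines of the stock file.
    """
    directives, rules = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$"):
            name, _, value = line[1:].partition(" ")
            directives.append((name, value.strip()))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("selector"), m.group("action")))
    return directives, rules


def classify_action(action):
    """Map the action forms used on this page to (kind, target)."""
    if action.startswith("@@"):
        return "forward_tcp", action[2:]
    if action.startswith("@"):
        return "forward_udp", action[1:]
    if action.startswith(":ommysql:"):
        host, db, user, _password = action[len(":ommysql:"):].split(",")
        return "mysql", f"{user}@{host}/{db}"
    return "file", action


def review_server(text):
    """Ports the server opens and whether it stores received messages in MySQL."""
    directives, rules = parse_legacy(text)
    ports = {}
    for name, value in directives:
        if name.lower() == "udpserverrun":
            ports["udp"] = int(value)
        elif name.lower() == "inputtcpserverrun":
            ports["tcp"] = int(value)
    stores = any(classify_action(a)[0] == "mysql" for _, a in rules)
    return {"listens": ports, "stores_in_mysql": stores}


def review_client(text):
    """Findings on a client config: forwarding transport and credential exposure."""
    _, rules = parse_legacy(text)
    kinds = {classify_action(a)[0] for _, a in rules}
    findings = []
    if "forward_udp" in kinds and "forward_tcp" not in kinds:
        findings.append("forwards over UDP only (@host): unacknowledged and lossy; "
                        "@@host uses TCP, which the server also accepts on 514")
    if "mysql" in kinds:
        findings.append("writes to MySQL directly: this client holds the DB password, "
                        "and the server already inserts everything forwarded to it")
    if not (kinds & {"forward_udp", "forward_tcp"}):
        findings.append("does not forward to the log server at all")
    return findings


if __name__ == "__main__":
    print("server:", review_server(SERVER_CONF))
    for finding in review_client(CLIENT_CONF):
        print("client:", finding)
```

Run it as a script to print the server summary and the client findings; to check a real host, read `/etc/rsyslog.conf` into `review_client` instead of the embedded string. The parser only understands the directive and rule forms that appear on this page, which is enough for a CentOS 6 stock file plus the lines added here.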
Verify that client logs are stored on the server
(1) Use logger to generate a log
[root@<client> ~]# logger -p info "I'm mariadb"
(2) verification on the rsyslog Server
[root@<server> ~]# mysql
mysql> use Syslog;
mysql> select * from SystemEvents \G
...
*************************** 279. row ***************************
                ID: 279
        CustomerID: NULL
        ReceivedAt: 20:07:39
DeviceReportedTime: 20:07:40
          Facility: 1
          Priority: 6
          FromHost: mariadb
           Message: I'm mariadb
        NTSeverity: NULL
        Importance: NULL
       EventSource: NULL
         EventUser: NULL
     EventCategory: NULL
           EventID: NULL
   EventBinaryData: NULL
      MaxAvailable: NULL
         CurrUsage: NULL
          MinUsage: NULL
          MaxUsage: NULL
        InfoUnitID: 1
         SysLogTag: root:
      EventLogType: NULL
   GenericFileName: NULL
          SystemID: NULL
         processid:
          checksum: 0
279 rows in set (0.00 sec)
# When I first did this, the grant in step 1 (2) had been written with the client's IP address,
# and no data showed up here. So when authorizing the database, the host part must be the
# IP address of the rsyslog server.
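The `select * from SystemEvents` above only confirms that one test message arrived. Since the point of the central log server is to evaluate server security, the queries a practitioner runs next are the interesting part. The script below is an added example, not code from the original post: it loads an in-memory SQLite table with the SystemEvents columns used here (createdb.sql creates more, mostly NULL-able Windows-event columns) and a handful of constructed rows, including the "I'm mariadb" test message, then runs four checks: events per host, repeated sshd password failures grouped by target host and source address, expected hosts that have gone silent, and everything at priority err or worse. The SQL is plain enough to run unchanged against the real Syslog database with the mysql client; the host names, sample messages, thresholds and function names are mine.

```python
"""Detection-style queries over rsyslog's SystemEvents table.

Added example, not code from the original post. A throwaway SQLite
database carries the SystemEvents columns used here (createdb.sql creates
more, mostly NULL-able Windows-event columns) and a few constructed rows,
so everything runs offline; the same SQL runs against the real Syslog
database with the mysql client.
"""
import re
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE SystemEvents (
    ID          INTEGER PRIMARY KEY AUTOINCREMENT,
    ReceivedAt  DATETIME,
    Facility    SMALLINT,
    Priority    SMALLINT,
    FromHost    VARCHAR(60),
    SysLogTag   VARCHAR(60),
    Message     TEXT
);
"""

# Constructed sample rows: (ReceivedAt, Facility, Priority, FromHost, SysLogTag, Message).
# Facility 0 = kern, 1 = user, 10 = authpriv; Priority 2 = crit, 5 = notice, 6 = info.
T0 = datetime(2014, 8, 14, 20, 0, 0)
SAMPLE_ROWS = [
    (T0 + timedelta(minutes=7, seconds=39), 1, 6, "mariadb", "root:", "I'm mariadb"),
    (T0 + timedelta(minutes=8), 10, 6, "mariadb", "sshd[2210]:",
     "Accepted publickey for ops from 192.168.200.12 port 50211 ssh2"),
    (T0 + timedelta(minutes=9), 10, 5, "web01", "sshd[4101]:",
     "Failed password for invalid user admin from 192.168.200.77 port 41122 ssh2"),
    (T0 + timedelta(minutes=9, seconds=2), 10, 5, "web01", "sshd[4103]:",
     "Failed password for invalid user admin from 192.168.200.77 port 41130 ssh2"),
    (T0 + timedelta(minutes=9, seconds=4), 10, 5, "web01", "sshd[4105]:",
     "Failed password for root from 192.168.200.77 port 41138 ssh2"),
    (T0 + timedelta(minutes=12), 0, 2, "web01", "kernel:", "Out of memory: Kill process 5120 (httpd)"),
    (T0 + timedelta(minutes=1), 1, 6, "db02", "root:", "nightly backup finished"),
]
EXPECTED_HOSTS = ("mariadb", "web01", "db02", "app03")   # hosts that should be reporting (constructed)
NOW = T0 + timedelta(minutes=15)                         # moment the checks are run
MAX_SILENCE = timedelta(minutes=10)

FMT = "%Y-%m-%d %H:%M:%S"   # MySQL DATETIME text form; sorts correctly as a string
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def load_sample():
    """Create the in-memory table and insert the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO SystemEvents (ReceivedAt, Facility, Priority, FromHost, SysLogTag, Message)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        [(row[0].strftime(FMT),) + row[1:] for row in SAMPLE_ROWS])
    return conn


def events_per_host(conn):
    """How much each host is sending: a sudden drop or spike is itself a signal."""
    return dict(conn.execute("SELECT FromHost, COUNT(*) FROM SystemEvents GROUP BY FromHost"))


def failed_logins_by_source(conn, min_count=3):
    """(target host, source address) pairs with at least min_count sshd password failures."""
    counts = {}
    for host, msg in conn.execute(
            "SELECT FromHost, Message FROM SystemEvents"
            " WHERE Facility IN (4, 10) AND Message LIKE 'Failed password%'"):
        m = FAILED_RE.match(msg)
        if m:
            key = (host, m.group(2))
            counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= min_count}


def silent_hosts(conn, expected_hosts, now, max_silence):
    """Expected hosts with no event since now - max_silence: a host that stops logging needs a look."""
    last_seen = dict(conn.execute("SELECT FromHost, MAX(ReceivedAt) FROM SystemEvents GROUP BY FromHost"))
    cutoff = (now - max_silence).strftime(FMT)
    return sorted(h for h in expected_hosts if last_seen.get(h) is None or last_seen[h] < cutoff)


def high_priority_events(conn, max_priority=3):
    """Everything at err (3) or worse, oldest first."""
    return conn.execute(
        "SELECT FromHost, Priority, Message FROM SystemEvents WHERE Priority <= ? ORDER BY ReceivedAt",
        (max_priority,)).fetchall()


if __name__ == "__main__":
    db = load_sample()
    print("events per host:", events_per_host(db))
    print("repeated ssh failures:", failed_logins_by_source(db))
    print("silent hosts:", silent_hosts(db, EXPECTED_HOSTS, NOW, MAX_SILENCE))
    print("err or worse:", high_priority_events(db))
```

The silent-host check is the one most specific to a central log server: with every host writing to one table, a host that stops appearing in it (rsyslog stopped, network filtered, or the grant broken as in the troubleshooting note above) is visible from the server without logging in anywhere else.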
The rsyslog log server is now deployed, but the logs sit in the MySQL database on the log server, which is not convenient to view and manage. So we deploy the loganalyzer log analyzer to reduce the complexity of log management.
3. Deploy loganalyzer
1. Install the lamp Environment
[root@<server> ~]# yum -y install httpd php php-mysql php-gd
[root@<server> ~]# mkdir /var/www/html/loganalyzer/
mkdir: created directory `/var/www/html/loganalyzer/'
2. decompress the loganalyzer source package
[root@<server> ~]# tar xf loganalyzer-3.6.5.tar.gz
[root@<server> ~]# cd loganalyzer-3.6.5
[root@<server> loganalyzer-3.6.5]# ls
ChangeLog  contrib  COPYING  doc  INSTALL  src
[root@<server> loganalyzer-3.6.5]# mv src/* /var/www/html/loganalyzer/        # src holds the PHP web files
[root@<server> loganalyzer-3.6.5]# ls contrib/
configure.sh  secure.sh
[root@<server> loganalyzer-3.6.5]# mv contrib/* /var/www/html/loganalyzer/    # the two scripts under contrib; open them and have a look
[root@<server> loganalyzer-3.6.5]# cd /var/www/html/loganalyzer/
[root@<server> loganalyzer]# sh configure.sh                                  # run the script
3. Configure httpd
Change DocumentRoot, the root directory of the web pages
[root@<server> ~]# vim /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html/loganalyzer"
[root@<server> ~]# service httpd start
4. Configure httpd and MySQL to start at boot
[root@<server> ~]# chkconfig mysqld on
[root@<server> ~]# chkconfig httpd on
5. Create a loganalyzer database and authorize
[root@<server> ~]# mysql
Enter password:
mysql> create database loganalyzer;
Query OK, 1 row affected (0.04 sec)
mysql> grant all on loganalyzer.* to '<loganalyzer_user>'@'192.168.200.106' identified by 'dianyi123';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
6. Install loganalyzer
(1) Installation interface
[screenshot: 1.png]
(2) Step 1
[screenshot: 2.png]
(3) Step 2
[screenshot: 3.png]
(4) Step 3
[screenshot: 4.png]
(5) Step 4
[screenshot: 5.png]
(6) Step 5
[screenshot: 6-1.png]
(7) Step 6
[screenshot: 7.png]
(8) Step 7
[screenshot: 8.png]
(9) Step 8
[screenshot: 9.png]
(10) Starting loganalyzer reports an error
[screenshot: 10-error.png]
Troubleshooting stage
1. Reinstall
[screenshot: 11.png]
2. Change the table name in the installer to the correct one, the table created by createdb.sql (SystemEvents).
[screenshot: 12.png]
3. The installation is complete. Enjoy it.
[screenshot: 13.png]
This article is from the "nmshuishui blog"; please keep this source: http://nmshuishui.blog.51cto.com/1850554/1539784