Outline:
First, Introduction
Second, store logs to the remote database
Third, Loganalyzer log analysis tool
First, Introduction
1. Overview
Rsyslog is a fast log processing system: high-performance, security-minded and modular in design, it accepts a wide variety of inputs, writes to many different destinations and processes messages at very high speed.
2. New Features
Multithreading
TCP, SSL, TLS, RELP: supported transport protocols
MySQL, PostgreSQL, Oracle and more: supported database back ends
Filtering on any part of the syslog message: a powerful filter that can act on any part of a message
Fully configurable output format: the output format can be customised
Suitable for enterprise-class relay chains: meets enterprise-level logging requirements
3. Advantages
(1) Logs are unified and managed centrally; (2) logs are transmitted in real time to a more secure remote server, which gives a trustworthy record of user behaviour: the chance that a log is altered after the fact is greatly reduced, so the log can be replayed faithfully and problems can be traced.
4. Core composition
A rsyslog rule is made up of three parts: facility, priority (level) and target (where the message goes).
Facility: classifies log messages by the function or program that produced them; each facility's messages are recorded according to their own rule.
auth: authentication related
authpriv: authentication and authorization related (privileged messages)
cron: scheduled-task related
daemon: daemon related
kern: kernel related
lpr: printing related
mail: mail related
mark: periodic timestamp marks written by syslogd itself
news: Usenet news related
security: security related (an old synonym for auth)
syslog: messages generated internally by syslogd
user: user-level messages
uucp: UNIX-to-UNIX copy, an early file-sharing service
local0-local7: reserved for user-defined facilities
Priority: level
debug: debugging information
info: informational messages (everything except debug)
notice: normal but significant condition
warn, warning: warning
err, error: error
crit: critical condition
alert: action must be taken immediately
emerg, panic: system is unusable
Ways to specify the level in a selector:
*: all levels
none: no level at all (excludes the facility)
priority: this level and every level more severe than it
=priority: only the specified level
Target: path
File path: write to the given file; a "-" in front of the path means the file is not synced after every write (buffered, faster)
User: write the message to the named user's terminal
*: all logged-in users
Log server: @SERVER (UDP) or @@SERVER (TCP)
Pipe: | COMMAND
5. Reference documents
Rsyslog doc: http://www.rsyslog.com/doc/v8-stable/
Red Hat doc: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/s1-basic_configuration_of_rsyslog.html
Other: http://xmodulo.com/configure-syslog-server-linux.html
Second, store logs to the remote database
1. Host address Assignment
Rsyslog server: 192.168.1.106
Client: 192.168.1.109
The rsyslog central log server receives log messages from the clients and stores them in its local MySQL database.
2. Operations on the Rsyslog server
rsyslog-mysql: the module (driver package) that connects rsyslog to MySQL.
# yum -y install mysql mysql-server rsyslog-mysql
See which files rsyslog-mysql installed:
# rpm -ql rsyslog-mysql
/lib64/rsyslog/ommysql.so                          # "om" = output module, "im" = input module
/usr/share/doc/rsyslog-mysql-5.8.10
/usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql   # database initialization script (table structure)
# service mysqld start
# mysql < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
# mysql -e 'use Syslog; show tables;'
+------------------------+
| Tables_in_Syslog       |
+------------------------+
| SystemEvents           |
| SystemEventsProperties |
+------------------------+
# mysql -e 'use Syslog; select * from SystemEvents;'
# mysql -e 'use Syslog; select * from SystemEventsProperties;'
Both commands return nothing, which shows the tables are still empty.
# mysql -e "GRANT ALL PRIVILEGES ON Syslog.* TO 'rsysloguser'@'192.168.1.%' IDENTIFIED BY 'rsyslogpass'; FLUSH PRIVILEGES;"
Modify the rsyslog.conf file:
# vim /etc/rsyslog.conf
$ModLoad imudp            # receive log messages on UDP port 514; this makes the host a log server
$UDPServerRun 514
$ModLoad imtcp            # receive log messages on TCP port 514
$InputTCPServerRun 514
$ModLoad ommysql          # load the MySQL output module
*.info;mail.none;authpriv.none;cron.none    :ommysql:192.168.1.106,Syslog,rsysloguser,rsyslogpass
# service rsyslog restart
The database password sits in cleartext in /etc/rsyslog.conf, so keep that file readable by root only, and prefer a grant narrower than ALL PRIVILEGES (the ommysql action only ever inserts rows), so that a leaked credential cannot be used to rewrite or delete the stored history.
3. Client operation
# vim /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none    @192.168.1.106:514    # address of the rsyslog log server
# service rsyslog restart
4. Testing
On the client, write a test message with the logger command (it lands in the client's own /var/log/messages and is forwarded at the same time):
# logger -t DHCP "zhengyansheng's log"
The same record then shows up in /var/log/messages on the rsyslog server, and as a row in the SystemEvents table of the database.
# tail -f /var/log/messages
Oct 05:52:35 localhost DHCP: zhengyansheng's log
Third, Loganalyzer log analysis tool
1. Introduction
Loganalyzer is a web front-end for syslog data and other network event data; it provides simple browsing, searching, basic analysis and some chart reports for the logs.
2. Install the LAMP environment
# yum -y install httpd php php-mysql php-gd
# service httpd start
3. Install Loganalyzer
# wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.5.tar.gz
# tar zxf loganalyzer-3.6.5.tar.gz
# mv loganalyzer-3.6.5/src /var/www/html/loganalyzer
# cd /var/www/html/loganalyzer/
# touch config.php
# chmod 666 config.php
config.php is made world-writable only so that the web installer can write the database settings into it; once the installer has finished, set it back to 644, because a world-writable config lets any local user change the credentials Loganalyzer uses to reach the Syslog database.
4. Access Loganalyzer in the browser
http://192.168.1.102/loganalyzer/install.php
The Loganalyzer installation can also be followed in this article: http://tecadmin.net/setup-loganalyzer-with-rsyslog-and-mysql/
Rsyslog supports both TCP and UDP as transports:
*.* @@192.168.1.106:514    # forward over TCP (two @ signs)
*.* @192.168.1.106:514     # forward over UDP (one @ sign)
In the experiment above the client forwarded its messages to the rsyslog server (over UDP, since the client action used a single @); the server wrote them to its own log file and then into the database. If that intermediate hop is not wanted, the client can write straight into the remote database instead. Change the client configuration as follows (the client then needs the rsyslog-mysql package installed and the ommysql module loaded, exactly as on the server):
# vim /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none    :ommysql:192.168.1.102,Syslog,rsysloguser,rsyslogpass
So what does *.info;mail.none;authpriv.none;cron.none mean? Messages from every facility except mail, authpriv and cron, at level info or more severe, are sent to the database on 192.168.1.102; the remaining fields are the database name, user name and password. Two things to keep in mind with the direct setup: every client now holds the database credentials, and because the grant above was ALL PRIVILEGES a compromised client could alter or delete other hosts' rows, whereas the relay keeps the credentials on the log server alone; and neither plain UDP nor plain TCP syslog authenticates or encrypts what is sent, which is what the TLS and RELP support listed among the features is for.
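As an added worked example (not code from the article or from rsyslog itself), the Python script below shows what the selector discussion in this section and in the Core composition section actually computes: it decodes the PRI value of the line that `logger` puts on the wire in the test above into facility and severity (PRI = facility * 8 + severity, the RFC 3164 numbering rsyslog uses), evaluates `*.info;mail.none;authpriv.none;cron.none` the way the rule engine does (terms applied left to right, a later `mail.none` overriding the earlier `*.info` for that facility, `=level` meaning exactly that level), and builds the columns rsyslog's stock ommysql template inserts into SystemEvents. The sample lines, the ReceivedAt value and the "Oct  5" dates are constructed for the example and were not captured from the article's hosts.

```python
import re

# Facility and severity codes from RFC 3164 (the numbers rsyslog uses).
# PRI = facility * 8 + severity; a LOWER severity number is MORE severe.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "security": 4,
    "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10,
    "ftp": 11, "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}

# BSD-syslog line as `logger` sends it: <PRI>Mmm dd hh:mm:ss host tag[pid]: msg
BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+(?:\[\d+\])?):\s?(?P<msg>.*)$"
)

def parse_pri(pri):
    """Split a PRI value into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8

def parse_syslog_line(line):
    """Parse one BSD-syslog line into the fields rsyslog's properties expose."""
    m = BSD_LINE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    facility, severity = parse_pri(int(m.group("pri")))
    return {"facility": facility, "severity": severity,
            "timestamp": m.group("ts"), "host": m.group("host"),
            "tag": m.group("tag") + ":",   # %syslogtag% keeps the colon
            "msg": m.group("msg")}

def compile_selector(selector):
    """Turn 'fac[,fac].prio;fac.prio;...' into {facility: accepted severities}.

    Terms apply left to right, so a later 'mail.none' overrides the earlier
    '*.info' for the mail facility, as sysklogd and rsyslog do.
    """
    accepted = {code: frozenset() for code in set(FACILITIES.values())}
    for term in selector.split(";"):
        facs, _, prio = term.strip().rpartition(".")
        if not facs or not prio:
            raise ValueError("bad selector term: %r" % term)
        codes = (set(FACILITIES.values()) if facs == "*"
                 else {FACILITIES[f] for f in facs.split(",")})
        if prio == "*":                     # every level
            allowed = frozenset(range(8))
        elif prio == "none":                # no level at all
            allowed = frozenset()
        elif prio.startswith("="):          # exactly this level
            allowed = frozenset({SEVERITIES[prio[1:]]})
        else:                               # this level and anything more severe
            allowed = frozenset(range(SEVERITIES[prio] + 1))
        for code in codes:
            accepted[code] = allowed
    return accepted

def selector_matches(compiled, facility, severity):
    return severity in compiled.get(facility, frozenset())

def to_systemevents_row(event, received_at):
    """Columns rsyslog's stock ommysql template inserts into SystemEvents."""
    return {"Message": event["msg"], "Facility": event["facility"],
            "Priority": event["severity"], "FromHost": event["host"],
            "DeviceReportedTime": event["timestamp"], "ReceivedAt": received_at,
            "InfoUnitID": 1, "SysLogTag": event["tag"]}

def forward_to_db(lines, selector, received_at="2015-10-05 05:52:40"):
    """Rows the log server would insert for the lines that pass the selector."""
    compiled = compile_selector(selector)
    rows = []
    for line in lines:
        ev = parse_syslog_line(line)
        if selector_matches(compiled, ev["facility"], ev["severity"]):
            rows.append(to_systemevents_row(ev, received_at))
    return rows

# Constructed sample traffic (not captured from the article's hosts).
SAMPLE_LINES = [
    "<13>Oct  5 05:52:35 localhost DHCP: zhengyansheng's log",               # user.notice
    "<22>Oct  5 05:52:36 localhost postfix/smtpd[1234]: connect from peer",   # mail.info
    "<86>Oct  5 05:52:37 localhost sshd[2201]: Accepted password for root",   # authpriv.info
    "<15>Oct  5 05:52:38 localhost DHCP: lease details",                     # user.debug
    "<2>Oct  5 05:52:39 localhost kernel: Out of memory",                    # kern.crit
]
ARTICLE_SELECTOR = "*.info;mail.none;authpriv.none;cron.none"

if __name__ == "__main__":
    for row in forward_to_db(SAMPLE_LINES, ARTICLE_SELECTOR):
        print(row)
```

Run as is, the script keeps only the DHCP notice (user.notice, PRI 13) and the kernel crit message: the mail and authpriv lines are dropped by their `none` terms, and the user.debug line falls below `info`. Changing the selector to `kern.=crit` keeps the kernel line alone, which is the difference between `priority` and `=priority` described in the Core composition section.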
This article is from the "Zheng" blog; please keep this source when reposting: http://467754239.blog.51cto.com/4878013/1701420
Easy deployment of Rsyslog and Loganalyzer