LogAnalyzer is a web front end for syslog logs and other network event data. It provides simple browsing, searching, basic analysis, and some chart reporting functions for logs.
Data can be read from a database or from a plain syslog text file, so LogAnalyzer does not require changing an existing record schema.
Depending on the log data available, it can handle syslog messages and Windows event logs, support troubleshooting, and help users quickly find the cause of problems seen in the log data.
LogAnalyzer can obtain client logs in two ways: either the logs in the client's /var/log/ directory are read and stored as files in a directory on the server, or the received logs are stored in the log server's database.
The latter is used for the test described here.
First, the server side
1. Initializing the database
Initialize the database with the createdb.sql script found under plugins/ommysql in the rsyslog source bundle:
# mysql -uroot -p123.com < /usr/local/src/rsyslog-5.6.2/plugins/ommysql/createdb.sql
# mysql -uroot -p
mysql> grant all privileges on syslog.* to 'rsyslog'@'localhost' identified by '123456' with grant option;
mysql> grant all privileges on syslog.* to 'rsyslog'@'%' identified by '123456' with grant option;
mysql> flush privileges;
You can also generate the initialization script yourself (the varchar lengths were lost from the original listing; the values below, 60 for the text columns and 255 for ParamName, are those of rsyslog's stock createdb.sql):
# cat > createdb.sql << EOF
create database syslog default character set utf8;
use syslog;
create table SystemEvents (
    ID int unsigned not null auto_increment primary key,
    CustomerID bigint,
    ReceivedAt datetime null,
    DeviceReportedTime datetime null,
    Facility smallint null,
    Priority smallint null,
    FromHost varchar(60) null,
    Message text,
    NTSeverity int null,
    Importance int null,
    EventSource varchar(60),
    EventUser varchar(60) null,
    EventCategory int null,
    EventID int null,
    EventBinaryData text null,
    MaxAvailable int null,
    CurrUsage int null,
    MinUsage int null,
    MaxUsage int null,
    InfoUnitID int null,
    SysLogTag varchar(60),
    EventLogType varchar(60),
    GenericFileName varchar(60),
    SystemID int null
) default charset=utf8;
create table SystemEventsProperties (
    ID int unsigned not null auto_increment primary key,
    SystemEventID int null,
    ParamName varchar(255) null,
    ParamValue text null
) default charset=utf8;
EOF
2. rsyslog installation and configuration
The server needs the rsyslog log service. There are two cases: on 6.x and later systems rsyslog is already the default log service, while on 5.x it has to be installed.
2.1 6.x system
# yum install -y rsyslog-mysql
rsyslog-mysql is the rsyslog module that writes logs to the MySQL database; it must be installed.
2.2 5.x system
1) Install rsyslog by compiling
# tar -zxvf rsyslog-5.6.2.tar.gz
# ./configure --enable-mysql --prefix=/usr/local/rsyslog
# make && make install
Modify the rsyslog configuration:
# vim /usr/local/src/rsyslog-5.6.2/rsyslog.conf
Configure the server to load the rsyslog-mysql (ommysql) module:
$ModLoad ommysql
*.* :ommysql:172.18.2.124,syslog,rsyslog,123456
Description: the first field is the database host (172.18.2.124 here; localhost for a local database), syslog is the database name, rsyslog is the database user, and 123456 is that user's password.
Open the UDP port so that logs from other Linux systems on the network are received:
$ModLoad imudp.so # provides UDP syslog reception
$UDPServerRun 514 # start a UDP syslog server on the standard port 514
# copy the configuration file
# cp /usr/local/src/rsyslog-5.6.2/rsyslog.conf /etc/rsyslog.conf
# stop the existing log service
# service syslog stop
# chkconfig syslog off
# cp /etc/init.d/{syslog,rsyslog}  # rsyslog has no init script of its own, so copy the syslog script
# sed -i s/syslog/rsyslog/g /etc/init.d/rsyslog  # change "syslog" to "rsyslog" inside the script
# chmod 700 /etc/init.d/rsyslog
# chkconfig --add rsyslog  # register the rsyslog service
# chkconfig rsyslog on
# create a symlink for the rsyslog binary
# ln -sv /usr/local/rsyslog/sbin/rsyslogd /sbin/rsyslogd  # the init script starts rsyslogd from /sbin
Edit /etc/bashrc so that every command executed in a shell is written to the system log /var/log/messages.
# vi /etc/bashrc
Add the following line at the end of the file:
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger "[euid=$(whoami)]":$(who am i):[`pwd`]"$msg"; }'
Make it take effect:
# source /etc/bashrc
Restart the log service:
# /etc/init.d/rsyslog restart
2) Install rsyslog via yum
# yum install -y rsyslog rsyslog-mysql
Modify the rsyslog configuration:
# vim /etc/rsyslog.conf
Configure the server to load the rsyslog-mysql (ommysql) module:
$ModLoad ommysql
*.* :ommysql:172.18.2.124,syslog,rsyslog,123456
Description: the first field is the database host (172.18.2.124 here; localhost for a local database), syslog is the database name, rsyslog is the database user, and 123456 is that user's password.
Open the UDP port so that logs from other Linux systems on the network are received:
$ModLoad imudp.so # provides UDP syslog reception
$UDPServerRun 514 # start a UDP syslog server on the standard port 514
Edit /etc/bashrc so that every command executed in a shell is written to the system log /var/log/messages.
# vi /etc/bashrc
Add the following line at the end of the file:
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger "[euid=$(whoami)]":$(who am i):[`pwd`]"$msg"; }'
Make it take effect:
# source /etc/bashrc
Stop the existing log service:
# /etc/init.d/syslog stop
Start the rsyslog log service:
# /etc/init.d/rsyslog start
3) Verifying the result
Look at /var/log/messages: the commands typed at the shell are now recorded there.
[screenshot: 1.png]
Verify the database contents:
[screenshot: 2.png]
Second, the client
Configure the rsyslog client to send its local logs to the server:
# vi /etc/rsyslog.conf
*.* @172.18.2.125
Add the line above at the end of the file; it forwards all local logs to the server (a single @ sends over UDP, matching the UDP listener opened on the server).
Edit /etc/bashrc so that every command executed in a shell is written to the system log /var/log/messages.
# vi /etc/bashrc
Add the following line at the end of the file:
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger "[euid=$(whoami)]":$(who am i):[`pwd`]"$msg"; }'
Make it take effect:
# source /etc/bashrc
Restart the log service:
# /etc/init.d/rsyslog restart
Enter any command on the client, then view the message log on the server side:
2015-12-24T16:38:54+08:00 test135 root: [euid=root]:root pts/0 2015-12-24 14:59 (172.18.2.238):[/root]/etc/init.d/rsyslog restart
2015-12-24T16:39:04+08:00 test135 root: [euid=root]:root pts/0 2015-12-24 14:59 (172.18.2.238):[/root]less /var/log/messages
2015-12-24T16:39:06+08:00 test135 root: [euid=root]:root pts/0 2015-12-24 14:59 (172.18.2.238):[/root]ll
2015-12-24T16:41:04+08:00 test135 root: [euid=root]:root pts/0 2015-12-24 14:59 (172.18.2.238):[/root]pwd
The message log on the server now contains the entry received from the client:
Dec 25 11:40:30 t123 root: [euid=root]:root pts/4 2015-12-24 16:50 (172.18.2.238):[/root]ls
The MySQL database holds a corresponding record (one row of SystemEvents):
| 18 | NULL | 2015-12-25 11:40:57 | 2015-12-25 11:40:30 | 1 | 5 | t123 | [euid=root]:root pts/4 2015-12-24 16:50 (172.18.2.238):[/root]ls | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | root: | NULL | NULL | NULL |
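The audit lines produced by the PROMPT_COMMAND hook have a fixed shape, so they can be parsed back into fields and checked. The following parser is an added example, not code from the original post or from LogAnalyzer; it assumes the message format shown above ([euid=...]:login tty time (source):[cwd]command) and uses constructed sample lines. It also flags the case the euid tag exists for: a login user whose commands ran under a different effective user (after su or sudo -s).

```python
import re

# Message part written by the PROMPT_COMMAND hook from /etc/bashrc:
#   [euid=<effective user>]:<login user> <tty> <login time> (<source>):[<cwd>]<command>
# "who am i" prints the (source) only for remote sessions, so it is optional here.
MSG_RE = re.compile(
    r"\[euid=(?P<euid>[^\]]+)\]:"
    r"(?P<login>\S+)\s+(?P<tty>\S+)\s+(?P<login_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?:\s+\((?P<source>[^)]*)\))?:"
    r"\[(?P<cwd>[^\]]*)\](?P<command>.*)$"
)

# Whole syslog line: "<timestamp> <host> <tag>: <message>"; both the RFC 3339 timestamps
# seen on the client and the "Dec 25 11:40:30" form seen on the server are accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+|[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<tag>[^:\s]+):\s+(?P<msg>.*)$"
)

def parse_audit_line(line):
    """Return the fields of one shell-audit line as a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mm = MSG_RE.match(m.group("msg"))
    if not mm:
        return None  # an ordinary syslog line, not produced by the hook
    rec = {**m.groupdict(), **mm.groupdict()}
    del rec["msg"]
    rec["command"] = rec["command"].strip()
    return rec

def privilege_switch(rec):
    """True when the effective user differs from the login user (command run after su/sudo -s)."""
    return rec["euid"] != rec["login"]

# Constructed sample lines in the page's format (not real captures); the third one is a
# non-root login that switched to root, the fourth is unrelated kernel noise.
SAMPLE = """\
2015-12-24T16:39:06+08:00 test135 root: [euid=root]:root pts/0 2015-12-24 14:59 (172.18.2.238):[/root]ll
Dec 25 11:40:30 t123 root: [euid=root]:root pts/4 2015-12-24 16:50 (172.18.2.238):[/root]ls
Dec 25 11:42:10 t123 root: [euid=root]:alice pts/2 2015-12-25 11:41 (172.18.2.77):[/tmp]useradd bob
Dec 25 11:43:00 t123 kernel: eth0: link is up
"""

def audit_report(text):
    """Parse every line and return the records where a login user ran commands under another euid."""
    records = [r for r in map(parse_audit_line, text.splitlines()) if r]
    return [r for r in records if privilege_switch(r)]
```

Running audit_report(SAMPLE) returns only the alice record; the same functions can be pointed at the Message column of SystemEvents, which stores exactly the same text.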
Third, installation and use of LogAnalyzer
1. Installation
# tar xvf loganalyzer-3.0.4.tar.gz
# cd loganalyzer-3.0.4
# cp -r src/ /var/www/html/loganalyzer
# cp -r contrib/* /var/www/html/loganalyzer
# run the setup scripts
# cd /var/www/html/loganalyzer/
# /bin/sh /var/www/html/loganalyzer/configure.sh
# /bin/sh /var/www/html/loganalyzer/secure.sh
# set ownership
# chown -R apache:apache /var/www/html/loganalyzer
# start httpd
# service httpd restart
# open the page
http://172.18.2.125/loganalyzer
2. Initialization
[screenshot: 1.png]
[screenshot: 2.png]
Because configure.sh and secure.sh were already run above, config.php is already writable at this step:
# /bin/sh /var/www/html/loganalyzer/configure.sh
# /bin/sh /var/www/html/loganalyzer/secure.sh
[screenshot: 3.png]
Step 3: configure the data source
[screenshot: 4.png]
[screenshot: 5.png]
[screenshot: 6.png]
Step 6: create an administrative user
[screenshot: 7.png]
Step 7: configure the log source
[screenshot: 8.png]
Log in at http://172.18.2.125/loganalyzer
[screenshot: 11.png]
This article is from the "No Technology Madness" blog; please keep this source: http://s8576.blog.51cto.com/9510968/1746320
LogAnalyzer: a syslog-based log management and audit platform