Rsyslog is a modular logging daemon used to record log files. It supports multiple transport protocols, such as TCP, SSL/TLS, and RELP, and can write logs to MySQL, PostgreSQL, Oracle, and other relational databases. Rsyslog is an enhanced version of syslog. We can use it to record local log files, or to collect the logs of other clients on a server host.
Loganalyzer: a web-based log management system (a simple system log analysis tool) that lets you manage logs through a browser, which is convenient, quick, and clear at a glance.
Main rsyslog configuration file: /etc/rsyslog.conf
Format of the log entries recorded by rsyslog:
time host process[PID]: event
Purpose:
1. Use rsyslog to record the log files of other clients.
2. Use rsyslog to store logs on a MySQL server.
3. Use loganalyzer to display the log information through a web GUI.
1. Use rsyslog to record the log files of other clients:
Server: 192.168.1.156
Client: 192.168.1.157
First, install the rsyslog package on both the log server (192.168.1.156) and the client (192.168.1.157):
# yum install rsyslog
Edit the main rsyslog configuration file on the server (192.168.1.156): /etc/rsyslog.conf
# vim /etc/rsyslog.conf
Enable UDP port 514 and TCP port 514 by uncommenting these lines:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
In the #### RULES #### section, make sure the rule *.info;mail.none;authpriv.none;cron.none /var/log/messages is enabled. Save and exit.
Start rsyslog:
# service rsyslog start
Verify that rsyslog is listening:
# ss -tunlp
Check that TCP port 514 and UDP port 514 are both in the LISTEN/UNCONN state.
Edit the main rsyslog configuration file on the client (192.168.1.157): /etc/rsyslog.conf
# vim /etc/rsyslog.conf
Enable the rule *.info;mail.none;authpriv.none;cron.none @192.168.1.156 (a single @ forwards over UDP; @@ would forward over TCP). Save and exit.
Start rsyslog:
# service rsyslog start
Perform any operation on the client (192.168.1.157) that produces a log entry. Here we use yum to install an arbitrary package, then view the log file.
Check whether the entries appear in the client's (192.168.1.157) own /var/log/messages (as expected, the client does not have them).
Check whether the entries appear in /var/log/messages on the server (192.168.1.156).
Verify the result.
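Reading the server's /var/log/messages by eye only proves the forwarding once. The following added example (not part of the original article) checks it repeatably: it counts entries per source host in the traditional rsyslog line format shown above and reports any expected client that has gone silent, which is how a broken forwarding rule, a stopped rsyslog, or a blocked port 514 shows up on the collector. The host names and events in the sample log are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: verify that each client's
# entries really reach the central server by counting per-host lines in the
# server's /var/log/messages. Traditional rsyslog line format:
#   "Mon DD HH:MM:SS host process[PID]: event"   (field 4 is the host)
# Host names and events below are constructed sample data.

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Aug 20 10:15:01 logsrv rsyslogd: [origin software="rsyslogd" swVersion="5.8.10"] start
Aug 20 10:15:07 client157 yum[2345]: Installed: tree-1.5.3-2.el6.x86_64
Aug 20 10:15:09 client157 sshd[2401]: Accepted publickey for admin from 192.168.1.20 port 50122 ssh2
Aug 20 10:16:30 client157 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; COMMAND=/bin/ls
Aug 20 10:17:00 logsrv crond[1200]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# events_for_host LOG HOST -> number of lines whose host field equals HOST
events_for_host() {
    awk -v h="$2" '$4 == h { n++ } END { print n + 0 }' "$1"
}

# silent_hosts LOG HOST... -> prints every expected HOST that has no entries;
# returns 1 if any client is silent (forwarding rule missing, rsyslog stopped,
# or port 514 blocked), 0 if all expected clients are present
silent_hosts() {
    log="$1"; shift
    rc=0
    for h in "$@"; do
        if [ "$(events_for_host "$log" "$h")" -eq 0 ]; then
            echo "$h"
            rc=1
        fi
    done
    return $rc
}

# top_processes LOG HOST -> "process count" lines for HOST, most frequent
# first; the "[PID]:" or ":" suffix is stripped from the process field
top_processes() {
    awk -v h="$2" '$4 == h { p = $5; sub(/\[[0-9]+\]:$/, "", p); sub(/:$/, "", p); c[p]++ }
        END { for (p in c) print p, c[p] }' "$1" | sort -k2,2nr -k1,1
}

events_for_host "$SAMPLE_LOG" client157
silent_hosts "$SAMPLE_LOG" client157 client158 || echo "some expected clients are silent"
top_processes "$SAMPLE_LOG" client157
```

Run it against the real file with the server's own client list (for this tutorial, the host name of 192.168.1.157) from cron to get an alert whenever a client stops reporting.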
2. Use rsyslog to store logs on the MySQL server:
Log Server: 192.168.1.156 (also a database server)
Client: 192.168.1.157
To store logs in a relational database, rsyslog itself must be able to connect to the database as a client, which requires a driver module that supports that connection. The rsyslog driver for MySQL is implemented as a separate module, rsyslog-mysql, which must be installed manually.
Install the rsyslog-mysql driver package.
On the server (192.168.1.156), add the database output to the main rsyslog configuration file /etc/rsyslog.conf:
$ModLoad ommysql
*.info;mail.none;authpriv.none;cron.none    :ommysql:192.168.1.156,syslog,testuser,testpass
Create the database and its tables by feeding the bundled schema to MySQL with input redirection:
# mysql < /usr/share/doc/rsyslog-mysql-5.8.10/createdb.sql
Then, in the MySQL client, check that the database and its tables exist and grant the rsyslog account access:
# mysql
mysql> show databases;    (check that the syslog database now exists)
mysql> use syslog;
mysql> show tables;    (check that the tables were created)
mysql> grant all on syslog.* to testuser@192.168.1.156 identified by 'testpass';
mysql> flush privileges;
Restart rsyslog:
# service rsyslog restart
On the client (192.168.1.157), install an RPM package so that a log entry is generated.
Check that no new log records are written to /var/log/messages on the server (192.168.1.156).
View them in MySQL:
# mysql
mysql> use Syslog;
mysql> SELECT * FROM SystemEvents;
Verification result.
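The :ommysql: action above puts the database password in clear text inside /etc/rsyslog.conf, and the module has to be loaded before the action that uses it. The following added example (not part of the original article) audits a configuration for both points; the configuration it reads is a constructed copy of the tutorial's directives, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original article: audit an rsyslog.conf that uses
# the legacy ":ommysql:" action shown above. The action line carries the database
# password in clear text, so the file must not be group/world readable, and
# "$ModLoad ommysql" must precede the action. Constructed copy of the tutorial's
# directives (GNU stat assumed):
CONF=$(mktemp)
cat >"$CONF" <<'EOF'
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
$ModLoad ommysql
*.info;mail.none;authpriv.none;cron.none    :ommysql:192.168.1.156,syslog,testuser,testpass
EOF
chmod 644 "$CONF"    # default mode of a packaged /etc/rsyslog.conf

# ommysql_target CONF -> "host db user" of the first :ommysql: action; the
# password field is deliberately dropped so it never reaches audit output
ommysql_target() {
    sed -n 's/^[^#]*:ommysql:\([^,]*\),\([^,]*\),\([^,]*\),.*/\1 \2 \3/p' "$1" | head -1
}

# module_loaded_before_use CONF -> 0 if "$ModLoad ommysql" is on an earlier
# line than the first :ommysql: action, 1 otherwise
module_loaded_before_use() {
    load=$(grep -n '^\$ModLoad[[:space:]]*ommysql' "$1" | head -1 | cut -d: -f1)
    use=$(grep -n '^[^#]*:ommysql:' "$1" | head -1 | cut -d: -f1)
    [ -n "$load" ] && [ -n "$use" ] && [ "$load" -lt "$use" ]
}

# conf_exposes_password CONF -> 0 (true) when the file holds an :ommysql:
# action and the group or other read bit (octal 044) is set
conf_exposes_password() {
    grep -q '^[^#]*:ommysql:' "$1" || return 1
    [ $((0$(stat -c %a "$1") & 044)) -ne 0 ]
}

# audit_conf CONF -> prints findings; return value is the number of findings
audit_conf() {
    n=0
    echo "ommysql action -> $(ommysql_target "$1") (password withheld)"
    if ! module_loaded_before_use "$1"; then
        echo "FINDING: :ommysql: action without a preceding \$ModLoad ommysql"; n=$((n + 1))
    fi
    if conf_exposes_password "$1"; then
        echo "FINDING: $1 is mode $(stat -c %a "$1") but embeds the DB password; chmod 600 it"; n=$((n + 1))
    fi
    return $n
}

audit_conf "$CONF" || echo "findings: $?"
```

Point it at the real /etc/rsyslog.conf after the edit above; a clean run returns 0.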
3. Use loganalyzer to display log information through webgui
# yum -y install httpd php php-mysql php-gd
# tar xf loganalyzer-3.6.5.tar.gz
# mkdir /var/www/html/loganalyzer
# cp loganalyzer-3.6.5/src/* /var/www/html/loganalyzer/
# cp loganalyzer-3.6.5/contrib/* /var/www/html/loganalyzer/
# cd /var/www/html/loganalyzer/
# chmod +x configure.sh secure.sh
# ./configure.sh
# ./secure.sh
# chmod 666 config.php
# chown -R apache.apache ./*
# service httpd restart
Verify it in the browser.
Successful.