Log Introduction:
LOG: a record of historical events, stored as a time series. Each entry records the time of occurrence, the content of the event and its criticality; operations personnel can check these records to find the cause of an error, or to look for an attack and the traces the attacker left behind.
syslog is the default logging system before CentOS 6:
syslogd: logs for system processes
klogd: logs for kernel events
rsyslog is the default logging system from CentOS 6 on:
Supports multithreading
Supports protocols such as TCP, SSL, TLS and RELP
Supports MySQL, PostgreSQL, Oracle and many other relational databases
Powerful filters that can filter on any part of a log message
Supports custom output formats
Suitable for enterprise-level logging requirements
Facility: a category that groups logs by the feature or program that produced them, so that each kind of log is recorded separately:
auth: authentication-related information
authpriv: authorization-related information
cron: information about recurring scheduled tasks
daemon: information related to daemons
kern: kernel-related information
lpr: printing-related information
mail: information related to sending and receiving mail
mark: firewall tag
news: news-related information
security: security-related information
syslog: rsyslog's own records
user: user-related information
uucp: the early Unix-to-Unix copy file-sharing service
local0-local7: 8 custom facilities
Wildcards can be used when specifying a facility:
*: all facilities
!: negation
f1,f2,f3,...: a list of facilities
Priority: the level (severity) of a message:
debug: debugging information
info: basic descriptive information
notice: information worth being aware of
warn, warning: warning message
err, error: error message
crit: blue alert
alert: orange alert
emerg, panic: red alert
Wildcards can be used for levels as well:
*: all levels
none: no level
Target: specifies where the log is stored:
file path: for example /var/log/messages
user: a user name, or * for all logged-in users
log server: @SERVER_IP
pipe: | COMMAND
rsyslog configuration file: /etc/rsyslog.conf. Rules are defined in the format:
facility.priority Target
mail.info /var/log/maillog
All levels higher than the specified level, including the specified level itself;
mail.=info /var/log/maillog
Exactly the specified level;
mail.!info *
All levels except the specified one;
*.info | COMMAND
The info level for all facilities;
mail.*:
All levels of mail;
mail,news.info:
The info level for both mail and news;
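The selector rules above have a few non-obvious semantics (a bare priority means "this level and above", several selectors separated by ";" are applied left to right so that "mail.none" can switch a facility off again). The following is an added example, not code from the original post or from the rsyslog project; it models those semantics as defined in syslog.conf(5) and answers, for a constructed rule set in the shape of the post's examples, which targets a message with a given facility and priority would reach. Note that "!" removes the named level and everything above it, so it is normally used after a positive selector, as in "mail.*;mail.!info".

```python
"""Evaluate classic rsyslog selectors of the form "facility.priority target".

Added example (not from the original post or the rsyslog project).  Semantics
follow syslog.conf(5): a bare priority selects that level and every higher
level, "=" selects exactly one level, "!" removes the named level and
everything above it, "!=" removes exactly one level, "none" clears the
facility, "*" selects everything, and selectors separated by ";" are
applied left to right.
"""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "security", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]


def _norm(name):
    """Map the spellings the post lists (warn/warning, err/error, ...) to one form."""
    name = name.strip().lower()
    name = ALIASES.get(name, name)
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority: {name!r}")
    return name


def _apply(allowed, spec):
    """Update one facility's set of allowed priorities with one priority spec."""
    spec = spec.strip()
    if spec.lower() == "none":
        allowed.clear()                                   # mail.none
    elif spec == "*":
        allowed.update(PRIORITIES)                        # mail.*
    elif spec.startswith("!="):
        allowed.discard(_norm(spec[2:]))                  # mail.!=info: drop exactly info
    elif spec.startswith("!"):
        p = _norm(spec[1:])                               # mail.!info: drop info and above
        allowed.difference_update(PRIORITIES[PRIORITIES.index(p):])
    elif spec.startswith("="):
        allowed.add(_norm(spec[1:]))                      # mail.=info: exactly info
    else:
        p = _norm(spec)                                   # mail.info: info and above
        allowed.update(PRIORITIES[PRIORITIES.index(p):])


def build_table(selector):
    """Turn 'f1,f2.prio;f3.prio' into {facility: set of allowed priorities}."""
    table = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        facs, prio = part.rsplit(".", 1)
        if facs.strip() == "*":
            targets = FACILITIES
        else:
            targets = [f.strip().lower() for f in facs.split(",")]
        for f in targets:
            if f not in table:
                raise ValueError(f"unknown facility: {f!r}")
            _apply(table[f], prio)
    return table


def matches(table, facility, priority):
    """Does a message with this facility and priority pass the selector?"""
    return _norm(priority) in table[facility.lower()]


def parse_rule(line):
    """Split one rsyslog.conf rule line into (selector table, target)."""
    selector, target = line.split(None, 1)
    return build_table(selector), target.strip()


def route(rules, facility, priority):
    """Return the targets (file, @host, user, |command) that would receive a message."""
    return [target for table, target in map(parse_rule, rules)
            if matches(table, facility, priority)]


# Constructed rule set in the shape of the post's examples (not a real config file).
RULES = [
    "*.info;mail.none;authpriv.none;cron.none /var/log/messages",
    "mail.* /var/log/maillog",
    "authpriv.* /var/log/secure",
    "*.emerg *",
    "*.info;mail.none;authpriv.none;cron.none @192.168.1.12",
]

if __name__ == "__main__":
    for fac, pri in [("kern", "warning"), ("mail", "err"), ("authpriv", "info"), ("user", "debug")]:
        print(f"{fac}.{pri:<8} -> {route(RULES, fac, pri)}")
```

Running the block prints, for each sample message, the list of targets it would be written to; a message that matches no rule (such as user.debug against the rule set above) is simply dropped, which is worth checking before relying on a remote log server to receive a particular class of events.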
Log Information Format:
Time Host Process[PID]: Event
Enabling the log server function (loading the input modules):
Receive log messages on 514/udp:
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
Receive log messages on 514/tcp:
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
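What a log server actually receives on 514/udp or 514/tcp is the message format described above, prefixed with a numeric PRI field that encodes the facility and level (PRI = facility * 8 + severity). The following is an added example, not code from the original post or from the rsyslog project: it parses such lines into their fields, decodes PRI back into the facility and level names from the tables above, and runs one small check over constructed sample lines, counting repeated failed SSH logins per source address, which is the kind of attacker trace the introduction says logs are kept for. The host name, PIDs and IP addresses in the sample are constructed.

```python
"""Parse syslog messages as rsyslog receives them on 514/udp or 514/tcp.

Added example (not from the original post or the rsyslog project).  On the
wire a message looks like "<PRI>Time Host Process[PID]: Event" (the BSD
syslog format, RFC 3164); PRI = facility * 8 + severity.  Sample lines are
constructed.
"""
import re
from collections import Counter

FACILITY_CODES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_CODES.update({16 + i: f"local{i}" for i in range(8)})
# Numeric severities run the other way round from the post's list: 0 is the most urgent.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                           # optional <PRI>
    r"(?P<time>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "    # e.g. "Sep  1 10:23:45"
    r"(?P<host>\S+) "                                     # host
    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "         # process[PID]:
    r"(?P<msg>.*)$"                                       # event text
)


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility = FACILITY_CODES.get(pri // 8, f"facility{pri // 8}")
    return facility, SEVERITIES[pri % 8]


def parse_line(line):
    """Return a dict of the message's fields, or None if the line is not syslog-shaped."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    if rec["pri"] is not None:
        rec["facility"], rec["severity"] = decode_pri(int(rec["pri"]))
    else:
        rec["facility"] = rec["severity"] = None   # a local file copy carries no <PRI>
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def failed_logins_by_source(lines, threshold=3):
    """Count sshd 'Failed password' events per source address; keep those at or over threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] != "sshd":
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def severity_summary(lines):
    """How many parsed messages arrived at each severity (None = no PRI on the line)."""
    return Counter(rec["severity"] for rec in map(parse_line, lines) if rec is not None)


# Constructed sample, shaped like what a log server receives from a client.
SAMPLE = [
    "<38>Sep  1 10:23:45 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "<38>Sep  1 10:23:47 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "<38>Sep  1 10:23:49 web01 sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
    "<38>Sep  1 10:24:01 web01 sshd[2240]: Accepted password for pony from 192.168.1.20 port 40122 ssh2",
    "<86>Sep  1 10:24:03 web01 sshd[2240]: pam_unix(sshd:session): session opened for user pony by (uid=0)",
    "<78>Sep  1 10:25:01 web01 CROND[2250]: (root) CMD (run-parts /etc/cron.hourly)",
    "Sep  1 10:25:05 web01 kernel: usb 1-1: new high-speed USB device number 3 using ehci_hcd",
    '<46>Sep  1 10:25:10 web01 rsyslogd: [origin software="rsyslogd"] start',
    "<38>Sep  1 10:26:00 web01 sshd[2260]: Failed password for root from 198.51.100.9 port 3322 ssh2",
    "this line is not a syslog message",
]

if __name__ == "__main__":
    for rec in filter(None, map(parse_line, SAMPLE)):
        print(f"{rec['facility']}.{rec['severity']}  {rec['host']}  {rec['proc']}  {rec['msg'][:40]}")
    print("repeated failed logins:", failed_logins_by_source(SAMPLE))
```

The PRI decoding is what makes a database or web front end able to filter by facility and level; the kernel line without a PRI prefix shows what a locally written copy of the file looks like, which the parser still accepts but cannot classify.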
Example: building an rsyslog + loganalyzer log server on a LAMP platform
Lab Environment:
Web/PHP server (also the log client):
IP:192.168.1.10
Operating System: CentOS6.7 x86_64
Database server:
IP:192.168.1.11
Operating System: CentOS6.7 x86_64
Log server:
IP:192.168.1.12
Operating System: CentOS6.7 x86_64
Loganalyzer:loganalyzer-3.6.6.tar.gz
Official website:http://www.loganalyzer.net/
Experimental process:
Connect the log server and client:
Edit the log server's configuration file, enable the log server function, and receive the client's logs:
# vim /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
Restart the Rsyslog service to view the port:
# service rsyslog restart
# ss -tunl | grep :514
Edit the log client configuration file, specify the log server, restart the rsyslog service;
# vim /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none @192.168.1.12
# service rsyslog restart
View the log on the log server:
# tail -1 /var/log/messages
The server has received a log from the client.
Connect the log server to the database:
Install the service on the database server:
# yum install mysql mysql-server
To start the MySQL service:
# chkconfig mysqld on
# service mysqld start
Install the MySQL module on the log server:
# yum install rsyslog-mysql
View the files installed by the rsyslog-mysql package:
# rpm -ql rsyslog-mysql
Copy the database script it provides to the database server:
# scp /usr/share/doc/rsyslog-mysql-5.8.10/createdb.sql 192.168.1.11:/root
Import the script into the database:
# mysql < createdb.sql
Authorize the rsyslog user:
# mysql
mysql> GRANT ALL ON syslog.* TO 'rsysloguser'@'192.168.1.%' IDENTIFIED BY 'rsyslogpass';
mysql> FLUSH PRIVILEGES;
Edit the log server's configuration file, load the ommysql module, send the log information to the database server, and restart the service:
# vim /etc/rsyslog.conf
$ModLoad ommysql
*.info;mail.none;authpriv.none;cron.none :ommysql:192.168.1.11,syslog,rsysloguser,rsyslogpass
# service rsyslog restart
View MySQL information:
The database has received log information.
Install the LAMP platform and deploy loganalyzer:
Install the LAMP platform:
# yum install httpd php php-mysql
Configure loganalyzer:
# tar xf loganalyzer-3.6.6.tar.gz
# mkdir -p /var/www/html/log
# cp -a loganalyzer-3.6.6/src/* /var/www/html/log/
# cp -a loganalyzer-3.6.6/contrib/* /var/www/html/log/
# cd /var/www/html/log/
# chmod +x configure.sh secure.sh
# ./configure.sh
# ./secure.sh
# chmod 666 config.php
# chown -R apache:apache ./*
Start the service:
# chkconfig httpd on
# service httpd start
Open http://192.168.1.10/log in a browser and enter the configuration information:
Click here to continue;
Click Next to continue;
The file is writable; click Next to continue;
Disable the user database; click Next to continue;
Connect to the database; click Next to continue;
Installation Complete:
Conclusion:
Viewing and analysing logs is part of an operations engineer's daily work. With rsyslog + loganalyzer, the log information can be shown on a web page, which is more intuitive to display and easier to aggregate and analyse, and it can also be viewed and managed remotely; the build process is also very convenient. The above is content I organised while learning; if there are omissions or mistakes in the experiment, corrections from the experts are welcome.
This article is from the "Pony Learning Record" blog; please keep this source when reproducing it: http://masachencer.blog.51cto.com/8683770/1690605
Rsyslog+loganalyzer Building a log server