RHEL6.4 Build rsyslog Log service Rsyslog+mysql+loganalyzer

Tags: syslog, system log, rsyslog

What each piece of software provides:

1. Rsyslog is the log service of RHEL and CentOS 6.x, replacing the earlier syslog service. In this architecture rsyslog collects the logs, classifies them and writes them to the database.

2. MySQL is a simple database; here its job is to store the collected log records so that Loganalyzer can display them.

3. Loganalyzer is a relatively simple log analysis tool. In this architecture it reads the records from the MySQL database and displays them visually as bar charts and graphs, with filtering, searching, classification and statistics.

4. Evtsys runs on Windows; it forwards the logs collected on the Windows host to the log server, where they are saved into MySQL.


Requirements for the whole environment:

Throughout the setup, rsyslog, MySQL, httpd, PHP and so on use the RPM packages shipped with the system.

Loganalyzer is a source tarball downloaded from the Internet: http://download.adiscon.com/loganalyzer/loganalyzer-3.6.3.tar.gz.

The whole log service is built on the LAMP stack, so some familiarity with LAMP is needed.

Two RHEL 6.4 hosts, one server and one client, with iptables and SELinux turned off.

Build steps:

1. First verify the LAMP stack on the server.

a. Initialize the MySQL service, then connect with "mysql -u <username> --database <dbname> -p<password>" to check that MySQL works;

b. Start the httpd service, open a browser and enter the host's own IP address to verify that httpd responds. In httpd.conf, find the DirectoryIndex keyword and add index.php.

c. After modifying httpd.conf, add the test page index.php under /var/www/html/ and run the overall LAMP test.



vi /var/www/html/index.php

<?php
# Test page: connect to the local MySQL server with the legacy mysql extension
# shipped with RHEL 6's PHP. Arguments are (hostname, username, password).
$link = mysql_connect('localhost', 'root', '123456');
if (!$link) {
    echo "Failed!";
} else {
    echo "Success!";
    mysql_close($link);
}
?>
Rsyslog configuration file:

vim /etc/rsyslog.conf

#### MODULES ####
$ModLoad imuxsock        # imuxsock: module that supports local system logging
$ModLoad imklog          # imklog: module that supports kernel logging
#$ModLoad immark         # immark: module that writes periodic mark messages
#$ModLoad imudp          # imudp: module that supports the UDP protocol
#$UDPServerRun 514       # receive logs forwarded over UDP on port 514
#$ModLoad imtcp          # imtcp: module that supports the TCP protocol
#$InputTCPServerRun 514  # receive logs forwarded over TCP on port 514

#### GLOBAL DIRECTIVES ####   (directives that define the global log format)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat   # default template for the log line format
$IncludeConfig /etc/rsyslog.d/*.conf    # load every file ending in .conf under /etc/rsyslog.d

#### RULES ####
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
    # all facilities at level info and above go to /var/log/messages, except mail, authpriv (authentication) and cron (scheduled task) messages
authpriv.*          /var/log/secure       # all authentication-related messages are stored in /var/log/secure
mail.*              -/var/log/maillog     # all mail messages are stored in /var/log/maillog; the leading "-" means the file is written asynchronously, because mail logs are usually large
cron.*              /var/log/cron         # scheduled-task messages are stored in /var/log/cron
*.emerg             *                     # every message at level emerg or above is sent by wall to everyone logged on (* means all users)
uucp,news.crit      /var/log/spooler      # uucp and news messages at crit or above are stored in /var/log/spooler
local7.*            /var/log/boot.log     # all local boot logs are stored in /var/log/boot.log

Format of a log rule in rsyslog.conf:

    facility.priority    target

facility (the log device; think of it as the log type):
    auth            logs produced by PAM, i.e. authentication logs
    authpriv        login verification for ssh, ftp and the like; authentication and authorization
    cron            scheduled tasks
    kern            kernel
    lpr             printing
    mail            mail
    mark (syslog)   internal messages of the rsyslog service, time marks
    news            newsgroups
    user            messages produced by user programs
    uucp            unix to unix copy, communication between unix hosts
    local 1~7       custom log devices

priority (the log level):
    debug           debugging information, the largest volume of log messages
    info            general informational messages, the most commonly used
    notice          normal but significant conditions
    warning, warn   warning level
    err, error      error level: something prevents a feature or module from working properly
    crit            critical level: something prevents the whole system or the whole program from working properly
    alert           must be corrected immediately
    emerg, panic    severe conditions such as a kernel crash
From top to bottom the level rises and less is recorded: if a rule is set to err, messages below err are not recorded; only messages at err and above, err itself included, are.

target:
    a file, such as /var/log/messages
    a user, e.g. root, or * for all users
    a log server, e.g. @172.16.22.1
    a pipe, | COMMAND
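As an added illustration (not code from the original post) of how the facility.priority selectors above route a message: the script decodes the <PRI> field of an RFC 3164 syslog line, which is what a client forwarding with "*.* @server" sends over UDP, and evaluates the RULES section of the page's rsyslog.conf against it. The facility and severity numbering is the standard syslog one; the sample log lines are constructed.

```python
import re

# Standard syslog numbering: PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

# The RULES section of the page's /etc/rsyslog.conf as (selector, target) pairs.
RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
]

def decode_pri(line):
    """Return (facility, priority) names from the '<PRI>' prefix of an RFC 3164 line."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m or int(m.group(1)) > 191:
        return "user", "notice"   # default applied when the PRI is missing or invalid
    pri = int(m.group(1))
    return FACILITIES[pri // 8], PRIORITIES[pri % 8]

def selector_matches(selector, facility, priority):
    """Evaluate one selector such as '*.info;mail.none': ';'-parts apply left to
    right, 'none' excludes a facility, a named level matches it and all above it."""
    result = False
    for part in selector.split(";"):
        facs, _, level = part.rpartition(".")
        level = ALIASES.get(level, level)
        if facs != "*" and facility not in facs.split(","):
            continue
        if level == "none":
            result = False
        elif level == "*":
            result = True
        else:
            result = PRIORITIES.index(priority) <= PRIORITIES.index(level)
    return result

def route(line):
    """List the targets the page's rules would deliver one received line to."""
    facility, priority = decode_pri(line)
    return [target for sel, target in RULES if selector_matches(sel, facility, priority)]
```

Note that a message can land in several targets at once (an emerg message reaches /var/log/messages and is also walled), and that a facility excluded with "none" still needs its own rule, otherwise it is silently dropped.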

Log rotation: every log file grows quickly with time and with the number of visits, so log files must be cleaned up regularly to avoid wasting disk space and to keep the time an administrator spends reading logs short. logrotate is therefore essential; Red Hat systems install it by default, and it is used here to handle the rapid growth of the rsyslog logs. logrotate is run by the crond service: the /etc/cron.daily directory contains a shell script named logrotate that starts it.

The logrotate program is started daily by cron at the time set in /etc/crontab.


sed -e '/^#/d' -e '/^$/d' /etc/logrotate.conf
weekly                    # rotate log files once a week
rotate 4                  # keep four rotated logs
create                    # after clearing the old log, create a new empty log file
dateext                   # use the date as the suffix of rotated files (see /var/log for the result)
include /etc/logrotate.d  # include the /etc/logrotate.d directory
/var/log/wtmp {           # /var/log/wtmp is rotated according to the settings below
    monthly               # rotate once a month
    create 0664 root utmp # permissions, owner and group of the new wtmp file
    minsize 1M            # rotate only when the log file is larger than 1M
    rotate 1              # keep one rotated log
}
/var/log/btmp {
    missingok             # do not report an error if the file is missing
    monthly
    create 0600 root utmp
    rotate 1
}

cat /etc/logrotate.d/syslog
/var/log/cron             # these files are the targets defined in the rules of /etc/rsyslog.conf
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    sharedscripts
    postrotate            # signal rsyslog after rotation so it reopens the log files
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

Setting up rsyslog:

Install the rsyslog service package. The rsyslog-mysql RPM package must also be installed; it is the package that connects the log service to the database.

Configuring the /etc/rsyslog.conf file

vi /etc/sysconfig/rsyslog      # on RHEL 6 the init script reads these two option variables from this file
SYSLOGD_OPTIONS="-c 2 -r -x -m 0"   # add; 0 is the mark interval in minutes (see the parameters below)
KLOGD_OPTIONS="-x"                  # add

vi /etc/rsyslog.conf
$ModLoad immark.so      # find this line and remove the comment symbol
$ModLoad imudp.so       # find this line and remove the comment symbol
$UDPServerRun 514       # find this line and remove the comment symbol

The parameters are as follows:

-c specifies the compatibility mode rsyslogd runs in.
-r specifies the UDP listening port; the default is 514.
-x disables DNS lookups when receiving client messages; used together with -r.
-m sets the mark message interval in minutes; 0 disables the feature.

Restart the rsyslog service after modifying and saving the configuration file.


Client:

vi /etc/rsyslog.conf
*.*    @172.16.2.240     # add this line; the address after @ is the server's IP

vi /etc/bashrc           # optional: records which user, in which directory, ran which command on this host
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger "[euid=$(whoami)]:$(who am i):[`pwd`] $msg"; }'   # add this line
source /etc/bashrc       # takes effect immediately after running

After modifying and saving the configuration file, restart the Rsyslog service.


First-phase validation test:

a. On the client run logger -p info "test information";

b. Check the client's /var/log/messages file for a line recording this command and the text that was entered.


Integration with MySQL



This article is from the "Elimination" blog; please keep this source: http://zhangxiaohua.blog.51cto.com/2321741/1561956
