When a server runs into a problem, the operations engineer analyzes it from the logs; when an attacker breaks into a server, the first thing they usually do is delete the logs so as to leave no clues. Logs are therefore important to a server, and many companies run their own log server. Let's learn how to build a log server and a log analysis tool.
1. Both the client and the server must first have the rsyslog package installed:
~]# yum -y install rsyslog
2. Modify the client's configuration file (192.168.1.4 is the log server)
~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.* @192.168.1.4
*.* :ommysql:192.168.1.4,syslog,syslogroot,syslogpass
local7.* /var/log/boot.log
When the modification is complete, restart the service and enable it at boot:
~]# service rsyslog restart
Shutting down system logger: [  OK  ]
Starting system logger: [  OK  ]
~]# chkconfig rsyslog on
3. Modify the server's configuration file
~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$ModLoad ommysql
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.* :ommysql:192.168.1.4,syslog,syslogroot,syslogpass
local7.* /var/log/boot.log
Restart the service and enable it at boot:
~]# service rsyslog restart
~]# chkconfig rsyslog on
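In the client configuration above, `*.* @192.168.1.4` forwards every message over UDP (a single `@`; `@@` would mean TCP), and the `:ommysql:` action writes straight into the database with the credentials that appear on that line. As an added example, not code from the original post or from the rsyslog project, the following Python script parses legacy-format rsyslog.conf lines like the ones in sections 2 and 3 (both configurations are embedded as constructed samples) and reports what a defender checks before trusting the log server: which modules are loaded, which listeners are open, where logs are forwarded and over which transport, an ommysql action used without `$ModLoad ommysql`, and a database password sitting in the config file.

```python
"""Audit legacy-format rsyslog.conf lines ($-directive style, as in the post).

Added example, not code from the original post or the rsyslog project.
"""
import re

# Constructed sample: the client configuration from section 2 of the post.
CLIENT_CONF = """\
$ModLoad imuxsock  # provides support for local system logging
$ModLoad imklog    # provides kernel logging support
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.* @192.168.1.4
*.* :ommysql:192.168.1.4,syslog,syslogroot,syslogpass
local7.* /var/log/boot.log
"""

# Constructed sample: the server configuration from section 3 of the post.
SERVER_CONF = """\
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$ModLoad ommysql
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.* :ommysql:192.168.1.4,syslog,syslogroot,syslogpass
local7.* /var/log/boot.log
"""

FORWARD_RE = re.compile(r"^(\S+)\s+(@@?)([^\s:]+)(?::(\d+))?$")             # selector @host[:port]
OMMYSQL_RE = re.compile(r"^(\S+)\s+:ommysql:([^,]+),([^,]+),([^,]+),(.+)$")  # selector :ommysql:host,db,user,pw
FILE_RE = re.compile(r"^(\S+)\s+-?(/\S+)$")                                  # selector [-]/path/to/file


def parse_rsyslog_conf(text):
    """Return modules, listeners, forwards, ommysql actions and file actions found in text."""
    conf = {"modules": [], "listeners": [], "forwards": [], "ommysql": [], "files": [],
            "password_in_config": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' starts a comment anywhere
        if not line:
            continue
        if line.startswith("$"):
            parts = line.split()
            directive = parts[0].lower()      # legacy directive names are case-insensitive
            if directive == "$modload" and len(parts) > 1:
                conf["modules"].append(parts[1].lower())
            elif directive == "$udpserverrun" and len(parts) > 1:
                conf["listeners"].append(("udp", int(parts[1])))
            elif directive == "$inputtcpserverrun" and len(parts) > 1:
                conf["listeners"].append(("tcp", int(parts[1])))
            continue                           # other global directives are not audited
        m = FORWARD_RE.match(line)
        if m:
            sel, marks, host, port = m.groups()
            conf["forwards"].append((sel, "tcp" if marks == "@@" else "udp", host, int(port or 514)))
            continue
        m = OMMYSQL_RE.match(line)
        if m:
            sel, host, db, user, password = m.groups()
            conf["ommysql"].append((sel, host, db, user))
            conf["password_in_config"] = conf["password_in_config"] or bool(password)
            continue
        m = FILE_RE.match(line)
        if m:
            conf["files"].append(m.groups())
    return conf


def audit(text):
    """Parse the config and return (parsed, findings) for a defender's review."""
    conf = parse_rsyslog_conf(text)
    findings = []
    for _sel, proto, host, port in conf["forwards"]:
        if proto == "udp":
            findings.append(f"udp forwarding to {host}:{port}: no delivery guarantee and no "
                            "transport protection; prefer @@ (TCP) with TLS")
    if conf["ommysql"] and "ommysql" not in conf["modules"]:
        findings.append("ommysql action used but '$ModLoad ommysql' is missing; "
                        "rsyslog will reject the action")
    if conf["password_in_config"]:
        findings.append("database password stored in rsyslog.conf; "
                        "keep the file readable by root only")
    for proto, port in conf["listeners"]:
        if proto == "udp":
            findings.append(f"udp listener on port {port}: source addresses can be spoofed, "
                            "so do not treat FromHost as authenticated")
    return conf, findings


if __name__ == "__main__":
    for name, text in (("client", CLIENT_CONF), ("server", SERVER_CONF)):
        conf, findings = audit(text)
        print(f"== {name}: modules={conf['modules']} listeners={conf['listeners']} "
              f"forwards={conf['forwards']} ommysql={conf['ommysql']}")
        for finding in findings:
            print("  -", finding)
```

The comment handling (`#` to end of line) is the script's own simplification, not rsyslog's parser, so a password containing `#` would be cut short. On a real host, run it over /etc/rsyslog.conf and each file under /etc/rsyslog.d/, since `$IncludeConfig` pulls those in too.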
4. Install and configure the database
(1) Install the packages
~]# yum -y install mysql-server rsyslog-mysql
(2) Configure the database
~]# rpm -ql rsyslog-mysql # first check which files the rsyslog-mysql package installed
/lib64/rsyslog/ommysql.so
/usr/share/doc/rsyslog-mysql-5.8.10
/usr/share/doc/rsyslog-mysql-5.8.10/createdb.sql # this SQL file is the schema that needs to be imported into the database
~]# service mysqld start # start the mysqld service
~]# mysql # connect to mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.73 Source distribution
Copyright (c) Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| test               |
+--------------------+
3 rows in set (0.00 sec) # at this point there are only 3 databases
mysql> source /usr/share/doc/rsyslog-mysql-5.8.10/createdb.sql; # import rsyslog's schema file
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Syslog             |
| mysql              |
| test               |
+--------------------+
4 rows in set (0.01 sec)
mysql> use Syslog; # Syslog is the database that stores the log records
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+------------------------+
| Tables_in_syslog       |
+------------------------+
| SystemEvents           |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)
# Next, grant access for the rsyslog server. The host here must be the IP of the rsyslog server;
# writing each client server's IP here is wrong.
mysql> grant all on syslog.* to 'syslogroot'@'127.0.0.1' identified by 'liwai8888';
Query OK, 0 rows affected (0.00 sec)
mysql> grant all on syslog.* to 'syslogroot'@'192.168.1.4' identified by 'liwai8888';
Query OK, 0 rows affected (0.04 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> \q
Bye
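Once the grant is in place, the ommysql action inserts every received message as a row of the SystemEvents table (the user name and password in the `:ommysql:` line of rsyslog.conf must match the ones granted here). The point of the whole setup is that a host whose local logs were wiped still has its earlier messages, and a host that stops sending becomes visible. As an added example, not from the original post, the following Python code runs that check over a constructed copy of the table: it uses an in-memory sqlite3 database as a stand-in for the MySQL `Syslog` database, creates only a subset of the SystemEvents columns defined in rsyslog-mysql's createdb.sql (ID, ReceivedAt, DeviceReportedTime, Facility, Priority, FromHost, Message, SysLogTag), loads constructed sample events, and reports hosts that have gone silent or never reported at all.

```python
"""Queries over the SystemEvents table that rsyslog's ommysql output fills.

Added example, not from the original post. An in-memory sqlite3 database stands
in for the MySQL 'Syslog' database, with only a subset of the SystemEvents
columns from rsyslog-mysql's createdb.sql; the SQL is plain enough to run
unchanged on MySQL.
"""
import sqlite3
from datetime import datetime, timedelta

# Constructed sample events: (ReceivedAt, FromHost, Facility, SysLogTag, Message).
# web02 goes quiet after 10:03; on a central log server that gap is the signal
# that a host's logging was stopped or its forwarding broken.
SAMPLE_EVENTS = [
    ("2015-08-20 10:00:00", "web01", 4, "sshd[2101]:", "Accepted publickey for ops from 192.168.1.20"),
    ("2015-08-20 10:00:05", "web02", 4, "sshd[1877]:", "Accepted publickey for ops from 192.168.1.20"),
    ("2015-08-20 10:03:00", "web02", 10, "sudo:", "ops : USER=root ; COMMAND=/bin/bash"),
    ("2015-08-20 10:05:00", "web01", 9, "crond[2200]:", "(root) CMD (run-parts /etc/cron.hourly)"),
    ("2015-08-20 10:10:00", "web01", 4, "sshd[2101]:", "Received disconnect from 192.168.1.20"),
    ("2015-08-20 11:55:00", "web01", 9, "crond[2311]:", "(root) CMD (run-parts /etc/cron.hourly)"),
    ("2015-08-20 11:58:00", "db01", 3, "mysqld:", "ready for connections"),
]


def build_db(events=SAMPLE_EVENTS):
    """Create the (reduced) SystemEvents table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE SystemEvents (
        ID INTEGER PRIMARY KEY AUTOINCREMENT,
        ReceivedAt TEXT, DeviceReportedTime TEXT,
        Facility INTEGER, Priority INTEGER,
        FromHost TEXT, Message TEXT, SysLogTag TEXT)""")
    conn.executemany(
        "INSERT INTO SystemEvents (ReceivedAt, DeviceReportedTime, Facility, Priority, "
        "FromHost, SysLogTag, Message) VALUES (?, ?, ?, 6, ?, ?, ?)",
        [(ts, ts, fac, host, tag, msg) for ts, host, fac, tag, msg in events])
    conn.commit()
    return conn


def silent_hosts(conn, now, max_gap, expected_hosts=()):
    """Hosts whose newest event is older than now - max_gap, plus expected hosts never seen.

    Returns a sorted list of (host, last_seen); last_seen is None for a host
    that has no rows at all, which the grouped query alone cannot reveal.
    """
    cutoff = (now - max_gap).strftime("%Y-%m-%d %H:%M:%S")
    last_seen = dict(conn.execute(
        "SELECT FromHost, MAX(ReceivedAt) FROM SystemEvents GROUP BY FromHost").fetchall())
    silent = {host: ts for host, ts in last_seen.items() if ts < cutoff}
    for host in expected_hosts:
        if host not in last_seen:
            silent[host] = None
    return sorted(silent.items())


def events_by_host(conn):
    """Event count per sending host, a quick check that every client forwards."""
    return dict(conn.execute(
        "SELECT FromHost, COUNT(*) FROM SystemEvents GROUP BY FromHost").fetchall())


def check_sample(gap_minutes=30, expected_hosts=("web01", "web02", "db01", "db02")):
    """Run silent_hosts over the sample at the constructed 'now' of 12:00."""
    now = datetime(2015, 8, 20, 12, 0, 0)
    return silent_hosts(build_db(), now, timedelta(minutes=gap_minutes), expected_hosts)


if __name__ == "__main__":
    print("events per host:", events_by_host(build_db()))
    for host, seen in check_sample():
        print(f"silent: {host} (last seen {seen or 'never'})")
```

The expected host list is deliberately a parameter: the table can only show hosts that have sent at least one message, so a client that was never configured correctly (or was silenced before its first forward) is found only by comparing against an inventory. With the sample data and a 30-minute gap, web02 (last row at 10:03) and db02 (never seen) are reported.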
5. Configure the LAMP + LogAnalyzer architecture
(1) Install the LAMP environment
~]# yum -y install httpd php php-mysql php-gd
~]# mkdir /var/www/html/loganalyzer/
mkdir: created directory '/var/www/html/loganalyzer/'
(2) Unpack the LogAnalyzer source package
~]# tar xf loganalyzer-3.6.5.tar.gz
~]# cd loganalyzer-3.6.5
loganalyzer-3.6.5]# ls
ChangeLog contrib COPYING doc INSTALL src
loganalyzer-3.6.5]# mv src/* /var/www/html/loganalyzer/ # src contains the PHP web pages
loganalyzer-3.6.5]# ls contrib/
configure.sh secure.sh
loganalyzer-3.6.5]# mv contrib/* /var/www/html/loganalyzer/ # the two scripts under contrib; open them to see what they do
loganalyzer-3.6.5]# cd /var/www/html/loganalyzer/
loganalyzer]# sh configure.sh # run the script
(3) Configure httpd
Change DocumentRoot, the web root directory:
~]# vim /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html/loganalyzer"
~]# service httpd start
(4) Enable httpd and MySQL at boot
~]# chkconfig mysqld on
~]# chkconfig httpd on
(5) Create the LogAnalyzer database and grant access
~]# mysql
Enter password:
mysql> create database Loganalyzer;
Query OK, 1 row affected (0.04 sec)
mysql> grant all on loganalyzer.* to '<user>'@'192.168.1.4' identified by 'liwai8888'; # <user> is a placeholder: the user name is not legible in the source
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
6. Configure through the installation interface
The errors that come up here are mainly with the database and the database user name and password. It usually takes two installation passes; on the second pass you must first delete the config.php inside the directory, then run sh configure.sh again in the next step to generate a new config.php. After that you can start using it. (I don't know why I can't paste screenshots, so I can only describe the errors and workarounds I ran into.)
This article comes from the "innovation sharing gallop inside and out" blog; please keep this source: http://10554846.blog.51cto.com/10544846/1679155
Rsyslog + LogAnalyzer + MySQL + Apache + PHP: building a log server on a LAMP architecture