Set up Rsyslog log server in Centos6.7

Source: Internet
Author: User
Tags apache log rsyslog

Set up Rsyslog log server in Centos6.7
Preface:

With the increase of servers and network devices in the IDC room, log management and query have become a headache for system administrators.

System Administrators encounter the following common problems:

1. During routine maintenance, it is impossible to log on to every server and device to view logs;
2. The storage space on network devices is limited, and logs with Too Long dates cannot be stored. system problems may be caused by some operations that occurred a long time ago;
3. In some cases of illegal intrusion, intruders usually clear local logs to clear intrusion traces;
4. monitoring systems such as zabbix cannot replace log management, and cannot monitor projects such as system logon and scheduled task execution.

For the above reasons, it is necessary to set up an Rsyslog log server for centralized log management in the current network environment.

The Rsyslog Service has the following advantages:

1. Rsyslog servers can be supported by most network devices. Most of the system device options of network devices have remote log service configuration options. You only need to fill in the IP address and port (the default value for most devices is 514), and then click OK;
2. For a Linux server, you only need to add a simple line to the local Rsyslog service configuration to send logs to the log server. The deployment and configuration are very simple;
3. software (such as evtsys) can also support Windows servers. Deployment and configuration are not difficult, but some software is charged;
4. With the front-end loganalyzer and other software, you can easily manage and query logs in a graphical manner.

I. installation and configuration of Rsyslog Server1. Clear iptabels and disable selinux to avoid errors during installation.

Clear iptables

iptables -Fservice iptables save

Disable selinux

setenforce 0vim /etc/selinux/conifg

Modify SELINUX = enforcing in the configuration file to SELINUX = disabled.

2. Install the LAMP environment in yum and the rsyslog and rsyslog mysql support modules.
yum install -y mysql-server mysql-devel libcurl-devel net-snmp-devel php php-gd php-xml php-mysql httpd rsyslog rsyslog-mysql
3. Set mysqld and httpd to start and start the service
chkconfig mysqld onchkconfig httpd onservice mysqld startservice httpd start
4. Modify the mysql root Password
Mysqladmin-u root password "your password"

After changing the password, you can use the following command to log on to mysql

mysql -u root -p
5. Modify the mysql configuration file. uft8 is supported.

Because mysql installed through yum does not support uft8, the collected logs cannot be correctly displayed when collecting Windows server logs and some devices that support Chinese characters, therefore, you must modify the mysql configuration file to support Chinese display.

The full text of the configuration file is as follows:

[mysqld]datadir=/var/lib/mysqlsocket=/var/lib/mysql/mysql.sockuser=mysql# Disabling symbolic-links is recommended to prevent assorted security riskssymbolic-links=0character_set_server=utf8init_connect='SET NAMES utf8'default-character-set=utf8[mysql]default-character-set=utf8[mysql.server]default-character-set=utf8[mysqld_safe]log-error=/var/log/mysqld.logpid-file=/var/run/mysqld/mysqld.piddefault-character-set=utf8[client]default-character-set=utf8

Restart the mysqld service

service mysqld restart
  • 1
6. Import the Rsyslog database to mysql

The default file of Rsyslog mysql database is:

/usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
  • 1

You can use the following command to query the rsyslog-mysql Folder:

echo  $(rpm -ql rsyslog-mysql | grep sql$)

Run the following command to import the file to mysql:

mysql -u root -p < $(rpm -ql rsyslog-mysql | grep sql$) 

Enter the mysql password you set in step 1 to import the database. The database name is Syslog.

7. Set the character set of the Rsyslog Database

The database imported in the previous step has only two tables: SystemEvents and SystemEventsProperties. The Syslog database and the default character set of these two tables are not uft8, and need to be modified.

# Modifying the Syslog database character set mysql> alter database 'syslog 'DEFAULT character set utf8 COLLATE utf8_general_ci; # modifying the character set of the corresponding data table mysql> alter table SystemEvents default character set = utf8; mysql> alter table SystemEventsPorperties default character set = utf8;

View the modified results:

# Check the character set of the database. Set mysql> show variables like 'character % '; # Check the character set of all tables in the audit log database. Set mysql> use Syslog; mysql> show table status from Syslog \ G;
8. Create Rsyslog database users

Log on to mysql to create the Rsyslog Database User logger

# Log on to mysqlmysql-u root-p # create a user mysql> grant all privileges on Syslog. * to 'rsyslog '@ 'localhost' identified by '000000'; mysql> flush privileges; mysql> exit;
9. Modify the rsyslog configuration file
vim /etc/sysconfig/rsyslog

The configuration file is as follows:

# Options for rsyslogd# Syslogd options are deprecated since rsyslog v3.# If you want to use them, switch to compatibility mode 2 by "-c 2"# See rsyslogd(8) for more detailsSYSLOGD_OPTIONS="-c 2 -r -x -m 180"KLOGD_OPTIONS="-x"

Detailed description of each parameter:-c specifies the running compatibility mode. -R specifies the listening port. By default, 514-x disables DNS lookup when receiving client messages. It must be used with the-r parameter. -M indicates the timestamp. The Unit is minute. If it is 0, this function is disabled.

10. Configure the server to support the rsyslog-mysql module and enable the UDP Service port.
vim /etc/rsyslog.conf

Add the two lines under #### MODULES ###

$ModLoad ommysql.so*.* :ommysql:localhost,Syslog,rsyslog,147258

Note: localhost indicates the local host, Syslog indicates the database name, rsyslog indicates the database user, and 147258 indicates the user password.

Uncomment the following three lines

$ModLoad immark$ModLoad imudp$UDPServerRun 514

Restart the rsyslog service:

service rsyslog restart
11. Add Server iptables firewall rules

If the server needs to configure iptables rules, run the following command to open TCP and UDP ports 514:

iptables -I INPUT -p tcp --dport 514 -j ACCEPTiptables -I INPUT -p udp --dport 514 -j ACCEPTservice iptables save
Ii. Loganalyzer installation and configuration1. Download Loganalyzer

Download the installation file from the Loganalyzer official website to the/usr/local/src directory. The latest version is 4.1.3. The stable version is 3.6.6.

2. decompress the file and copy the source code to the loganalyzer directory of apache.
cd /usr/local/srctar -zxvf loganalyzer-4.1.3.tar.gzcd loganalyzer-4.1.3mkdir -p /var/www/html/loganalyzer/cp -r src/* /var/www/html/loganalyzer/cp -r contrib/* /var/www/html/loganalyzer/
3. generate an empty configuration file and Set permissions
cd /var/www/html/loganalyzer/touch config.phpchmod 666 config.php
4. Modify the php Environment

To meet the requirements of LogAnalyzer for the php environment, modify the content in/etc/php. ini as follows:

memory_limit = 512M  max_execution_time = 120
5. Create an apache log directory
# mkdir -p  /var/log/httpd/loganalyzer
6. Configure apache

This part is based on the actual situation of apache. Take the default system as an example. The VM configuration files are stored in/etc/httpd/conf/httpd. conf.

The configuration file is modified as follows:

Listen 80ServerAdmin root@localhostServerName log_server:80DocumentRoot "/var/www/html/loganalyzer"<Directory /> Options FollowSymLinks AllowOverride All</Directory><Directory "/var/www/html/loganalyzer"> Options Indexes FollowSymLinks AllowOverride All Order allow,deny Allow from all</Directory>ErrorLog /var/log/httpd/loganalyzer/error.logLogLevel warnCustomLog /var/log/httpd/loganalyzer/access_log combinedServerSignature On

Restart the httpd service

service httpd restart
7. Loganalyzer Initialization Configuration

Enter the web site in the browser and go to the installation wizard to access http: // serverip: 80 in total. Here, you only need to list the steps to be modified, and the rest only need "Next ".

Step 2: Select "Yes" for "Enable User Database ";

4th and 5 are two steps: Specify the user database information (the database is designated as Syslog) and create a user

Step 2: Select "MYSQL Native" for "Source Type" and download the configuration database information

After completing the installation, you can log on and view the log information.

3. Linux client Configuration

Rsyslog is installed in Centos by default.

1. Check whether the rsyslog service is enabled.
chkconfig | grep rsyslog

If it is not set to boot, run the following command:

chkconfig rsyslog onservice rsyslog start
2. Configure the Rsyslog client to send local logs to the server.
vim /etc/rsyslog.conf

Add a row to the last line:

*.* @192.168.7.201

Note: 192.168.7.201 is the IP address of the log server.

3. Restart the Rsyslog service.
service rsyslog restart
  • 1

At this time, you can see the relevant log information in the server refresh.

Iv. Windows client Configuration

On the official Loganalyzer website, we recommend that you use Winsyslog on Winodws to collect and send log data. However, this software is charged. Here we use an open-source software Evtsys, but this software also has a problem that it cannot be used in systems above Server 2012, and there is no problem in Server 2008.

The official website of Evtsy is deployed on google servers, so it cannot be accessed now. You can search and download it online. Decompress the downloaded file and place the evtsys.exe file in the c: \ windows \ System32 directory. Then run cmd to execute the following command:

evtsys -i -s 10 -h log-server-ip -p 514 net start evtsys

You only need to see that the last installation is successful. The detailed parameters of the command are attached below

Version: 4.4 (32-bit) Usage: evtsys.exe -i|-u|-d [-h host] [-b host] [-f facility] [-p port]        [-s minutes] [-l level] [-n]   -i           Install service   -u           Uninstall service   -d           Debug: run as console program   -h host      Name of log host   -b host      Name of secondary log host (optional)   -f facility  Facility level of syslog message   -l level     Minimum level to send to syslog.\n", stderr);            0=All/Verbose, 1=Critical, 2=Error, 3=Warning, 4=Info   -n           Include only those events specified in the config file.   -p port      Port number of syslogd   -q bool      Query the Dhcp server to obtain the syslog/port to log to                (0/1 = disable/enable)   -s minutes   Optional interval between status messages. 0 = Disabled Default port: 514 Default facility: daemon Default status interval: 0 Host (-h) required if installing. 

Then, refresh Loganalyzer to view related logs.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.