Set up rsyslog log server in CentOS
Functions provided by the software:
1. rsyslog is the log service of RHEL/CentOS 6.x, replacing the syslog service of earlier releases. In this architecture the rsyslog service is mainly used to collect logs, classify them, and write them into the database.
2. mysql is a simple database. In this architecture its main task is to store the collected log information so that it can be displayed by the loganalyzer software.
3. loganalyzer is a relatively simple log analysis tool. In this architecture it extracts data from the mysql database and displays it visually as bars and graphs, providing filtering, searching, categorization, and statistics.
4. evtsys runs on the Windows platform and sends the collected logs on to be saved in mysql.
Requirements for the entire environment:
The architecture uses the built-in rpm packages rsyslog, mysql, httpd, php, and so on.
Loganalyzer is a source package downloaded from the Internet, from http://download.adiscon.com/loganalyzer/loganalyzer-3.6.3.tar.gz.
The entire log service is built on the LAMP architecture and requires some understanding of LAMP.
Two RHEL 6.4 hosts, one as the server and the other as the client; iptables and selinux are disabled on both.
Procedure:
1. First verify the LAMP architecture on the server.
A. Initialize the mysql service, log in to the mysql database with "mysql -u username -D database -p password", and verify that mysql works;
B. Enable the httpd service, open a browser, enter the local IP address, and verify the httpd service. Find the DirectoryIndex keyword and add index.php.
C. Modify the httpd.conf configuration file and add a test index.php page under /var/www/html. This completes the LAMP test.

vi /var/www/html/index.php

    <?php
    $link = mysql_connect("localhost", "root", "123456");   # (host name, user name, password)
    if (!$link)
        echo "failed!";
    else
        echo "successful!";
    mysql_close();
    ?>
Rsyslog configuration file: vim /etc/rsyslog.conf

    #### MODULES ####
    $ModLoad imuxsock          # imuxsock is the module name; supports local system logs
    $ModLoad imklog            # imklog is the module name; supports kernel logs
    #$ModLoad immark           # immark is the module name; supports log marking
    #$ModLoad imudp            # imudp is the module name; supports UDP
    #$UDPServerRun 514         # allow port 514 to receive logs forwarded over UDP
    #$ModLoad imtcp            # imtcp is the module name; supports TCP
    #$InputTCPServerRun 514    # allow port 514 to receive logs forwarded over TCP

    #### GLOBAL DIRECTIVES ####
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat   # defines the default log format template
    $IncludeConfig /etc/rsyslog.d/*.conf                        # load all files ending in .conf under /etc/rsyslog.d

    #### RULES ####
    *.info;mail.none;authpriv.none;cron.none    /var/log/messages
        # record all log types at the info level and above to /var/log/messages,
        # except mail information, authpriv authentication information and cron task information
    authpriv.*                                  /var/log/secure      # store all authentication information in /var/log/secure
    mail.*                                      -/var/log/maillog    # store all mail information in /var/log/maillog; the - means asynchronous writes, because mail logs are usually large
    cron.*                                      /var/log/cron        # information about scheduled tasks is stored in /var/log/cron
    *.emerg                                     *                    # record all information at the emerg level and above and send it to every user logged on to the system via wall (* means all users)
    uucp,news.crit                              /var/log/spooler     # uucp and news messages at crit and above are stored in /var/log/spooler
    local7.*                                    /var/log/boot.log    # all boot logs of the local server are stored in /var/log/boot.log

The format of a log rule in rsyslog.conf is:

    facility.priority    Target

facility: the log device (can be understood as the log type):

    auth           # logs produced by pam, authentication logs
    authpriv       # authentication information for logins such as ssh and ftp, authentication and authorization
    cron           # scheduled tasks
    kern           # kernel
    lpr            # printing
    mail           # mail
    mark (syslog)  # information internal to the rsyslog service
    news           # newsgroups
    user           # information generated by user programs
    uucp           # unix to unix copy, communication between unix hosts
    local1~7       # custom log devices

priority: the log level:

    debug          # with debugging information; records the most
    info           # general information; the most common
    notice         # the most important normal-condition information
    warning, warn  # warning level
    err, error     # error level: a function or module cannot work properly
    crit           # critical level: the entire system or software cannot work properly
    alert          # information that must be dealt with immediately
    emerg, panic   # serious information such as a kernel crash

From top to bottom the level goes from low to high, and less information is recorded. If the configured level is err, logs lower than err are not recorded; only logs at err and higher levels (err included) are recorded.

Target:

    file, such as /var/log/messages
    user: root, * (* means all users)
    log server: @172.16.22.1
    pipe: |COMMAND
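To make the rule semantics above concrete, here is an added example (not code from the original page) that routes a message with a given facility and priority through the server's RULES section: a priority catches its own level and every more severe level, "none" excludes a facility that an earlier "*" selector would have caught, ";" joins several selectors for one target, "," joins several facilities, and a later selector for the same facility overrides an earlier one. It assumes only the legacy selector syntax (no RainerScript, no "=" or "!" priority modifiers).

```python
"""Route syslog messages through classic rsyslog selector rules (added example)."""

# Severity order from least to most severe, as in the priority table above.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def priority_index(name):
    """Numeric rank of a priority name; raises ValueError for unknown names."""
    return PRIORITIES.index(ALIASES.get(name, name))


def parse_rule(line):
    """Split 'sel1;sel2  target' into ([(facility, priority), ...], target)."""
    selector_part, target = line.split(None, 1)
    selectors = []
    for sel in selector_part.split(";"):
        facilities, prio = sel.rsplit(".", 1)
        for fac in facilities.split(","):
            selectors.append((fac.strip(), prio.strip()))
    return selectors, target.strip()


def selected(selectors, facility, priority):
    """True if a message (facility, priority) is caught by this rule's selectors."""
    decision = False
    for fac, prio in selectors:
        if fac not in ("*", facility):
            continue                      # selector is for another facility
        if prio == "none":
            decision = False              # explicit exclusion, e.g. mail.none
        elif prio == "*":
            decision = True               # every level of this facility
        else:
            decision = priority_index(priority) >= priority_index(prio)
    return decision


def route(rules, facility, priority):
    """Targets that receive the message, as written ('-' async prefix kept)."""
    targets = []
    for rule in rules:
        selectors, target = parse_rule(rule)
        if selected(selectors, facility, priority):
            targets.append(target)
    return targets


# The RULES section of the server's rsyslog.conf shown above (targets: a file,
# '-file' for asynchronous writes, '*' for wall to every logged-in user).
RULES = [
    "*.info;mail.none;authpriv.none;cron.none  /var/log/messages",
    "authpriv.*                                 /var/log/secure",
    "mail.*                                     -/var/log/maillog",
    "cron.*                                     /var/log/cron",
    "*.emerg                                    *",
    "uucp,news.crit                             /var/log/spooler",
    "local7.*                                   /var/log/boot.log",
]

if __name__ == "__main__":
    for fac, prio in [("authpriv", "info"), ("mail", "debug"), ("kern", "debug"),
                      ("kern", "emerg"), ("news", "warning"), ("cron", "err")]:
        print(f"{fac}.{prio:<8} -> {route(RULES, fac, prio)}")
```

Running it shows, for instance, that a kern.emerg message lands both in /var/log/messages and on every user's terminal, while a news.warning message goes only to /var/log/messages because news.crit does not catch levels below crit. One caveat for the server side of this setup: with iptables disabled and $UDPServerRun 514 enabled, any host that can reach the server can inject messages into these files; rsyslog's legacy $AllowedSender directive (not shown on this page, for example $AllowedSender UDP, 192.0.2.0/24) limits which source networks the UDP listener accepts.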
Log rotation service: all log files grow quickly with time and traffic, so log files must be cleaned up regularly to avoid wasting disk space and to shorten the time the administrator spends reading logs. This is what logrotate is for. The Red Hat system installs logrotate by default and uses it to manage the rapid growth of rsyslog logs. logrotate is run by the crond service: the /etc/cron.daily directory contains a logrotate file, which is a shell script used to start logrotate.
The logrotate program is started by cron every day at the time specified in /etc/crontab.
    sed -e '/^#/d' -e '/^$/d' /etc/logrotate.conf
    weekly                     # rotate the log files once a week
    rotate 4                   # keep four rotated logs
    create                     # create a new empty log file while the old one is rotated away
    dateext                    # rotated files get a date suffix; see the /var/log directory
    include /etc/logrotate.d   # include all configuration files in the /etc/logrotate.d directory
    /var/log/wtmp {            # rotate /var/log/wtmp with the settings below
        monthly                # rotate once a month
        create 0664 root utmp  # permissions, owner and group of the new wtmp log file
        minsize 1M             # the log file must be larger than 1 MB before it is rotated
        rotate 1               # keep one rotated log
    }
    /var/log/btmp {
        missingok
        monthly
        create 0600 root utmp
        rotate 1
    }

    [root@demo ~]# cat /etc/logrotate.d/syslog
    /var/log/cron              # these files are the Target paths specified in the rules of rsyslog.conf
    /var/log/maillog
    /var/log/messages
    /var/log/secure
    /var/log/spooler
    {
        sharedscripts
        postrotate             # after rotation, send HUP to the rsyslog service so it reopens its log files
            /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        endscript
    }
Rsyslog creation:
Install the rsyslog service package. The rsyslog-mysql rpm package must also be installed; it is what connects the logs to the database.
Configure the /etc/rsyslog.conf file:

    vi /etc/sysconfig/rsyslog          # the daemon options below belong in this file; rsyslog.conf holds the $ directives
    SYSLOGD_OPTIONS="-c2 -r -x -m180"  # add
    KLOGD_OPTIONS="-x"                 # add
    vi /etc/rsyslog.conf
    $ModLoad immark.so                 # find this line and remove the comment marker
    $ModLoad imudp.so                  # find this line and remove the comment marker
    $UDPServerRun 514                  # find this line and remove the comment marker
The parameters are described as follows:
-c sets the compatibility mode to run in.
-r specifies the listening port; the default is 514.
-x disables DNS lookups when receiving client messages. It must be used together with -r.
-m sets the mark timestamp interval in minutes; 0 disables this function.
After the configuration file is modified, restart the rsyslog service.
Client:
    vi /etc/rsyslog.conf
    *.*    @172.16.2.240     # add this line; @ is followed by the server IP address
    vi /etc/bashrc           # optional: records who ran which command
    export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger "[euid=$(whoami)]:$(whoami):[`pwd`] $msg"; }'   # add this line
    source /etc/bashrc       # takes effect immediately after execution
Modify and save the configuration file and restart the rsyslog service.
Phase 1 verification test.
A. On the client, enter logger -p info "test information";
B. On the client, check whether the command's output appears in the /var/log/messages file.
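The following is an added example (not code from the original page) that serves two steps above: the client's optional /etc/bashrc PROMPT_COMMAND hook, which logs every command as "[euid=USER]:USER:[DIR] COMMAND", and the phase 1 verification, where the client runs logger -p info "test information" and the forwarded line is checked on the server. It parses lines in the RSYSLOG_TraditionalFileFormat layout the server config uses, confirms the test message arrived from the expected host, extracts the shell audit records, and flags commands a defender would want to review. The sample log lines are constructed for this example, and the watchlist patterns are this example's own choice, not something the page prescribes.

```python
"""Check forwarded client logs on the server and extract command-audit records (added example)."""
import re
from collections import namedtuple

# "Mon DD HH:MM:SS host tag[pid]: message" as written by the traditional file format
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Message body written by the PROMPT_COMMAND hook from the client's /etc/bashrc
AUDIT_RE = re.compile(
    r"^\[euid=(?P<euid>[^\]]*)\]:(?P<user>[^:]*):\[(?P<cwd>[^\]]*)\]\s*(?P<cmd>.*)$"
)

Record = namedtuple("Record", "ts host tag msg")
Audit = namedtuple("Audit", "ts host euid user cwd cmd")

# Commands worth reviewing when they appear in the shell audit trail
# (patterns chosen for this example, not taken from the page).
WATCHLIST = [re.compile(p) for p in (
    r"/etc/(shadow|sudoers)",        # credential / privilege files
    r"\bhistory\s+-c\b",             # wiping the shell history
    r"\buser(add|mod|del)\b",        # account changes
)]


def parse_syslog(line):
    """Parse one traditional-format line; None if it does not match."""
    m = SYSLOG_RE.match(line)
    return Record(**m.groupdict()) if m else None


def find_test_message(lines, host, text):
    """Phase 1 check: records from `host` whose message contains `text`."""
    return [r for r in map(parse_syslog, lines) if r and r.host == host and text in r.msg]


def audit_records(lines):
    """Extract the PROMPT_COMMAND audit records from a batch of log lines."""
    out = []
    for r in map(parse_syslog, lines):
        a = AUDIT_RE.match(r.msg) if r else None
        if a:
            out.append(Audit(r.ts, r.host, a["euid"], a["user"], a["cwd"], a["cmd"]))
    return out


def flagged(audits):
    """Audit records whose command matches a watchlist pattern."""
    return [a for a in audits if any(p.search(a.cmd) for p in WATCHLIST)]


# Constructed sample of /var/log/messages on the server after the client forwarded *.*
SAMPLE_LINES = [
    "Mar  5 10:15:32 client root: test information",
    "Mar  5 10:16:01 client root: [euid=root]:root:[/root] ls -l /var/log",
    "Mar  5 10:16:40 client alice: [euid=alice]:alice:[/home/alice] cat /etc/shadow",
    "Mar  5 10:17:05 client root: [euid=root]:root:[/root] history -c",
    "Mar  5 10:17:30 server rsyslogd: [origin software=\"rsyslogd\"] start",
    "this line is not in syslog format and is skipped",
]

if __name__ == "__main__":
    arrived = find_test_message(SAMPLE_LINES, "client", "test information")
    print("phase 1 test message received:", bool(arrived))
    for a in flagged(audit_records(SAMPLE_LINES)):
        print(f"REVIEW {a.ts} {a.host} euid={a.euid} cwd={a.cwd}: {a.cmd}")
```

On a real server the same functions can be fed the output of tail -f /var/log/messages, or pointed at the mysql table once rsyslog-mysql is in place; the parsing does not depend on which of the two stores the line came from, only on the traditional message layout.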