Set up Rsyslog log server in Centos6.7
Preface:
With the increase of servers and network devices in the IDC room, log management and query have become a headache for system administrators.
System Administrators encounter the following common problems:
1. During routine maintenance, it is impossible to log on to every server and device to view logs;
2. The storage space on network devices is limited, and logs with Too Long dates cannot be stored. system problems may be caused by some operations that occurred a long time ago;
3. In some cases of illegal intrusion, intruders usually clear local logs to clear intrusion traces;
4. monitoring systems such as zabbix cannot replace log management, and cannot monitor projects such as system logon and scheduled task execution.
For the above reasons, it is necessary to set up an Rsyslog log server for centralized log management in the current network environment.
The Rsyslog Service has the following advantages:
1. Rsyslog servers can be supported by most network devices. Most of the system device options of network devices have remote log service configuration options. You only need to fill in the IP address and port (the default value for most devices is 514), and then click OK;
2. For a Linux server, you only need to add a simple line to the local Rsyslog service configuration to send logs to the log server. The deployment and configuration are very simple;
3. software (such as evtsys) can also support Windows servers. Deployment and configuration are not difficult, but some software is charged;
4. With the front-end loganalyzer and other software, you can easily manage and query logs in a graphical manner.
I. installation and configuration of Rsyslog Server1. Clear iptabels and disable selinux to avoid errors during installation.Clear iptables
iptables -Fservice iptables save
Disable selinux
setenforce 0vim /etc/selinux/conifg
Modify SELINUX = enforcing in the configuration file to SELINUX = disabled.
2. Install the LAMP environment in yum and the rsyslog and rsyslog mysql support modules.yum install -y mysql-server mysql-devel libcurl-devel net-snmp-devel php php-gd php-xml php-mysql httpd rsyslog rsyslog-mysql
3. Set mysqld and httpd to start and start the servicechkconfig mysqld onchkconfig httpd onservice mysqld startservice httpd start
4. Modify the mysql root PasswordMysqladmin-u root password "your password"
After changing the password, you can use the following command to log on to mysql
mysql -u root -p
5. Modify the mysql configuration file. uft8 is supported.Because mysql installed through yum does not support uft8, the collected logs cannot be correctly displayed when collecting Windows server logs and some devices that support Chinese characters, therefore, you must modify the mysql configuration file to support Chinese display.
The full text of the configuration file is as follows:
[mysqld]datadir=/var/lib/mysqlsocket=/var/lib/mysql/mysql.sockuser=mysql# Disabling symbolic-links is recommended to prevent assorted security riskssymbolic-links=0character_set_server=utf8init_connect='SET NAMES utf8'default-character-set=utf8[mysql]default-character-set=utf8[mysql.server]default-character-set=utf8[mysqld_safe]log-error=/var/log/mysqld.logpid-file=/var/run/mysqld/mysqld.piddefault-character-set=utf8[client]default-character-set=utf8
Restart the mysqld service
service mysqld restart
6. Import the Rsyslog database to mysqlThe default file of Rsyslog mysql database is:
/usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
You can use the following command to query the rsyslog-mysql Folder:
echo $(rpm -ql rsyslog-mysql | grep sql$)
Run the following command to import the file to mysql:
mysql -u root -p < $(rpm -ql rsyslog-mysql | grep sql$)
Enter the mysql password you set in step 1 to import the database. The database name is Syslog.
7. Set the character set of the Rsyslog DatabaseThe database imported in the previous step has only two tables: SystemEvents and SystemEventsProperties. The Syslog database and the default character set of these two tables are not uft8, and need to be modified.
# Modifying the Syslog database character set mysql> alter database 'syslog 'DEFAULT character set utf8 COLLATE utf8_general_ci; # modifying the character set of the corresponding data table mysql> alter table SystemEvents default character set = utf8; mysql> alter table SystemEventsPorperties default character set = utf8;
View the modified results:
# Check the character set of the database. Set mysql> show variables like 'character % '; # Check the character set of all tables in the audit log database. Set mysql> use Syslog; mysql> show table status from Syslog \ G;
8. Create Rsyslog database usersLog on to mysql to create the Rsyslog Database User logger
# Log on to mysqlmysql-u root-p # create a user mysql> grant all privileges on Syslog. * to 'rsyslog '@ 'localhost' identified by '000000'; mysql> flush privileges; mysql> exit;
9. Modify the rsyslog configuration filevim /etc/sysconfig/rsyslog
The configuration file is as follows:
# Options for rsyslogd# Syslogd options are deprecated since rsyslog v3.# If you want to use them, switch to compatibility mode 2 by "-c 2"# See rsyslogd(8) for more detailsSYSLOGD_OPTIONS="-c 2 -r -x -m 180"KLOGD_OPTIONS="-x"
Detailed description of each parameter:-c specifies the running compatibility mode. -R specifies the listening port. By default, 514-x disables DNS lookup when receiving client messages. It must be used with the-r parameter. -M indicates the timestamp. The Unit is minute. If it is 0, this function is disabled.
10. Configure the server to support the rsyslog-mysql module and enable the UDP Service port.vim /etc/rsyslog.conf
Add the two lines under #### MODULES ###
$ModLoad ommysql.so*.* :ommysql:localhost,Syslog,rsyslog,147258
Note: localhost indicates the local host, Syslog indicates the database name, rsyslog indicates the database user, and 147258 indicates the user password.
Uncomment the following three lines
$ModLoad immark$ModLoad imudp$UDPServerRun 514
Restart the rsyslog service:
service rsyslog restart
11. Add Server iptables firewall rulesIf the server needs to configure iptables rules, run the following command to open TCP and UDP ports 514:
iptables -I INPUT -p tcp --dport 514 -j ACCEPTiptables -I INPUT -p udp --dport 514 -j ACCEPTservice iptables save
Ii. Loganalyzer installation and configuration1. Download LoganalyzerDownload the installation file from the Loganalyzer official website to the/usr/local/src directory. The latest version is 4.1.3. The stable version is 3.6.6.
2. decompress the file and copy the source code to the loganalyzer directory of apache.cd /usr/local/srctar -zxvf loganalyzer-4.1.3.tar.gzcd loganalyzer-4.1.3mkdir -p /var/www/html/loganalyzer/cp -r src/* /var/www/html/loganalyzer/cp -r contrib/* /var/www/html/loganalyzer/
3. generate an empty configuration file and Set permissionscd /var/www/html/loganalyzer/touch config.phpchmod 666 config.php
4. Modify the php EnvironmentTo meet the requirements of LogAnalyzer for the php environment, modify the content in/etc/php. ini as follows:
memory_limit = 512M max_execution_time = 120
5. Create an apache log directory# mkdir -p /var/log/httpd/loganalyzer
6. Configure apacheThis part is based on the actual situation of apache. Take the default system as an example. The VM configuration files are stored in/etc/httpd/conf/httpd. conf.
The configuration file is modified as follows:
Listen 80ServerAdmin root@localhostServerName log_server:80DocumentRoot "/var/www/html/loganalyzer"<Directory /> Options FollowSymLinks AllowOverride All</Directory><Directory "/var/www/html/loganalyzer"> Options Indexes FollowSymLinks AllowOverride All Order allow,deny Allow from all</Directory>ErrorLog /var/log/httpd/loganalyzer/error.logLogLevel warnCustomLog /var/log/httpd/loganalyzer/access_log combinedServerSignature On
Restart the httpd service
service httpd restart
7. Loganalyzer Initialization ConfigurationEnter the web site in the browser and go to the installation wizard to access http: // serverip: 80 in total. Here, you only need to list the steps to be modified, and the rest only need "Next ".
Step 2: Select "Yes" for "Enable User Database ";
4th and 5 are two steps: Specify the user database information (the database is designated as Syslog) and create a user
Step 2: Select "MYSQL Native" for "Source Type" and download the configuration database information
After completing the installation, you can log on and view the log information.
3. Linux client ConfigurationRsyslog is installed in Centos by default.
1. Check whether the rsyslog service is enabled.chkconfig | grep rsyslog
If it is not set to boot, run the following command:
chkconfig rsyslog onservice rsyslog start
2. Configure the Rsyslog client to send local logs to the server.vim /etc/rsyslog.conf
Add a row to the last line:
*.* @192.168.7.201
Note: 192.168.7.201 is the IP address of the log server.
3. Restart the Rsyslog service.service rsyslog restart
At this time, you can see the relevant log information in the server refresh.
Iv. Windows client ConfigurationOn the official Loganalyzer website, we recommend that you use Winsyslog on Winodws to collect and send log data. However, this software is charged. Here we use an open-source software Evtsys, but this software also has a problem that it cannot be used in systems above Server 2012, and there is no problem in Server 2008.
The official website of Evtsy is deployed on google servers, so it cannot be accessed now. You can search and download it online. Decompress the downloaded file and place the evtsys.exe file in the c: \ windows \ System32 directory. Then run cmd to execute the following command:
evtsys -i -s 10 -h log-server-ip -p 514 net start evtsys
You only need to see that the last installation is successful. The detailed parameters of the command are attached below
Version: 4.4 (32-bit) Usage: evtsys.exe -i|-u|-d [-h host] [-b host] [-f facility] [-p port] [-s minutes] [-l level] [-n] -i Install service -u Uninstall service -d Debug: run as console program -h host Name of log host -b host Name of secondary log host (optional) -f facility Facility level of syslog message -l level Minimum level to send to syslog.\n", stderr); 0=All/Verbose, 1=Critical, 2=Error, 3=Warning, 4=Info -n Include only those events specified in the config file. -p port Port number of syslogd -q bool Query the Dhcp server to obtain the syslog/port to log to (0/1 = disable/enable) -s minutes Optional interval between status messages. 0 = Disabled Default port: 514 Default facility: daemon Default status interval: 0 Host (-h) required if installing.
Then, refresh Loganalyzer to view related logs.