rsyslog+logAnalyzer+MySQL日志服务器

ryslog 是一个快速处理收集系统日志的程序，提供了高性能、安全功能和模块化设计。rsyslog 是syslog的升级版，它将多种来源输入输出转换结果到目的地，据官网介绍，现在可以处理100万条信息

LogAnalyzer 是一款syslog日志和其他网络事件数据的Web前端。它提供了对日志的简单浏览、搜索、基本分析和一些图表报告的功能。数据可以从数据库或一般的syslog文本文件中获取，所以LogAnalyzer不需要改变现有的记录架构。基于当前的日志数据，它可以处理syslog日志消息，Windows事件日志记录，支持故障排除，使用户能够快速查找日志数据中看出问题的解决方案。

LogAnalyzer 获取客户端日志会有两种保存模式，一种是直接读取客户端/var/log/目录下的日志并保存到服务端该目录下，一种是读取后保存到日志服务器数据库中，推荐使用后者。

LogAnalyzer 采用php开发，所以日志服务器需要php的运行环境，本文采用LAMP/LNMP

实验环境

centos6.9_x64

server:192.168.1.128  rsyslog+logAnalyzer

client:192.168.1.135  rsyslog

实验软件

loganalyzer-3.6.5.tar.gz

软件安装

yum clean all

yum makecache -y

yum install rsyslog-mysql –y

yum install -y httpd* mysql mysql-devel mysql-server php php-gd php-xml php-mysql

vim/etc/httpd/conf/httpd.conf 

#ServerNamewww.example.com:80

ServerName       *:80

#AddTypeapplication/x-tar .tgz

AddTypeapplication/x-tar .tgz

AddTypeapplication/x-httpd-php .php

service mysqld restart

service httpd restart

chkconfig --level 35 mysqld on

chkconfig --level 35 httpd on 

mysqladmin  -uroot password 数据库密码

mysql -uroot -p数据库密码

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 3

Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>  

touch /var/www/html/test.php

vim /var/www/html/test.php 

<?php

phpinfo();

?>

service httpd reload

http://192.168.1.128/test.php

mysql -uroot -p数据库密码 < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql

mysql -uroot -p数据库密码

mysql> show databases;

+--------------------+

| Database           |

+--------------------+

| information_schema |

| Syslog             |

| mysql              |

| test               |

+--------------------+

4 rows in set (0.00 sec)

mysql> use Syslog;

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;

+------------------------+

| Tables_in_Syslog       |

+------------------------+

| SystemEvents           |

| SystemEventsProperties |

+------------------------+

2 rows in set (0.00 sec) 

mysql> grant all on Syslog.* to rsyslog@localhost identified by '123456';

Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;

Query OK, 0 rows affected (0.00 sec)

mysql> exit

Bye

mysql -ursyslog -p数据库密码

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 8

Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

vim /etc/rsyslog.conf

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)

$ModLoad imklog   # provides kernel logging support (previously done by rklogd)

#$ModLoad immark  # provides --MARK-- message capability

$ModLoad immark  # provides --MARK-- message capability 修改为

$ModLoad ommysql

*.* :ommysql:localhost,Syslog,rsyslog,123456 添加两行配置

# Provides UDP syslog reception

#$ModLoad imudp

#$UDPServerRun 514

# Provides UDP syslog reception

$ModLoad imudp

$UDPServerRun 514   修改为

# Provides TCP syslog reception

$ModLoad imtcp

$InputTCPServerRun 514

service rsyslog restart

netstat -tuplna | grep rsyslog

udp        0      0 0.0.0.0:48048               0.0.0.0:*                               2687/rsyslogd   

ps -aux | grep rsyslog

Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ

root      2687  0.0  0.1 189956  1568 ?        Sl   11:06   0:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5

root      2695  0.0  0.0 103332   884 pts/0    S+   11:07   0:00 grep rsyslog

chkconfig --level 35 rsyslog on    以上所有操作为 server端操作

rpm -qa | grep rsyslog  client端操作

yum install -y rsyslog

vim /etc/rsyslog.conf

*.* @192.168.1.128     最后一行添加 192.168.1.128 server端ip

service rsyslog restart

chkconfig --level 35 rsyslog on 

netstat -tuplna | grep rsyslog

udp        0      0 0.0.0.0:48048               0.0.0.0:*                               2687/rsyslogd   

ps -aux | grep rsyslog

Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ

root      2687  0.0  0.1 189956  1568 ?        Sl   11:06   0:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5

root      2695  0.0  0.0 103332   884 pts/0    S+   11:07   0:00 grep rsyslog

vim /etc/bashrc

export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; });logger "[euid=$(whoami)]":$(who am i):[`pwd`]"$msg"; }' 最后一行写入

source /etc/bashrc 

service端测试

tailf  /var/log/messages

May 27 11:11:24 centos6 dhclient[1549]: DHCPACK from 192.168.1.254 (xid=0x41231c53)

May 27 11:11:26 centos6 dhclient[1549]: bound to 192.168.1.128 -- renewal in 835 seconds.

May 27 11:11:37 centos6-1 dhclient[1553]: DHCPREQUEST on eth0 to 192.168.1.254 port 67 (xid=0x15f81e3e)

May 27 11:11:37 centos6-1 dhclient[1553]: DHCPACK from 192.168.1.254 (xid=0x15f81e3e)

May 27 11:11:39 centos6-1 dhclient[1553]: bound to 192.168.1.135 -- renewal in 769 seconds.

May 27 11:12:32 centos6-1 root: [euid=root]:root pts/0 2017-05-27 09:15 (192.168.1.1):[/root]source /etc/bashrc

May 27 11:17:47 centos6-1 root: [euid=root]:root pts/0 2017-05-27 09:15 (192.168.1.1):[/root]clear

May 27 11:18:47 centos6-1 root: [euid=root]:root pts/0 2017-05-27 09:15 (192.168.1.1):[/root]dd

May 27 11:18:52 centos6-1 root: [euid=root]:root pts/0 2017-05-27 09:15 (192.168.1.1):[/root]dd

May 27 11:18:55 centos6-1 root: [euid=root]:root pts/0 2017-05-27 09:15 (192.168.1.1):[/root]de

May 27 11:18:56 centos6-1 root: [euid=root]:root pts/0 2017-05-27 09:15 (192.168.1.1):[/root]deer

May 27 11:18:57 centos6-1 root: [euid=root]:root pts/0 2017-05-27 09:15 (192.168.1.1):[/root]erwie

May 27 11:19:01 centos6-1 root: [euid=root]:root pts/0 2017-05-27 09:15 (192.168.1.1):[/root]clare

May 27 11:19:03 centos6-1 root: [euid=root]:root pts/0 2017-05-27 09:15 (192.168.1.1):[/root]clear

May 27 11:19:05 centos6-1 root: [euid=root]:root pts/0 2017-05-27 09:15 (192.168.1.1):[/root]dei

May 27 11:19:12 centos6-1 root: [euid=root]:root pts/0 2017-05-27 09:15 (192.168.1.1):[/root]dadfe  说明服务端可以接受客户端的日志

client端测试

[root@centos6-1 ~]# dei

-bash: dei: command not found

[root@centos6-1 ~]# dadfe

-bash: dadfe: command not found

tar zxvf loganalyzer-3.6.5.tar.gz

cd loganalyzer-3.6.5

mkdir -p /var/www/html/loganalyzer

cp -rv src/* /var/www/html/loganalyzer/

http://192.168.1.128/loganalyzer   192.168.1.128为服务端ip

touch /var/www/html/loganalyzer/config.php

chmod 666 /var/www/html/loganalyzer/config.php

ll /usr/local/nginx/html/loganalyzer/lang/

total 12

drwxr-xr-x 2 root  root  4096 Jun 19 13:19 de

drwxr-xr-x 2 root  root  4096 Jun 19 13:19 en

官网安装包默认没有中文语言包，下载复制到此目录即可切换中文

ll /usr/local/nginx/html/loganalyzer/lang/

total 12

drwxr-xr-x 2 root root 4096 Jun 19 13:19 de

drwxr-xr-x 2 root root 4096 Jun 19 13:19 en

drwxrwxr-x 2 root root 4096 Jun 19 13:36 zh

本文转自 mailfile 51CTO博客，原文链接：http://blog.51cto.com/mailfile/1930167，如需转载请自行联系原作者