公司使用CactiEz作爲網絡監控平臺,能夠實時監控網絡設備及出口流量,外加郵件報警,雖然有一定延遲但基本夠用。
除此以外,還須要一個日誌服務器。由於設備比較多,若是設備斷電重啓,排查問題還需藉助日誌。
華爲交換機端配置以下:
info-center source default channel 2 log level warning #日誌級別,設置爲warning(警告)最爲合適
info-center loghost source Vlanif1101 # 發送日誌的源接口(vlan)
info-center loghost 192.168.2.2 #syslog服務器地址
CentOS6.8環境下安裝 rsyslog 與 LogAnalyzer 日誌分析工具
一、作本地源、yum安裝相應包、關閉防火牆、安裝http
# 作本地yum源
[root@localhost yum.repos.d]# mv *.repo back/
vim /etc/yum.repos.d/media.repo
[media]
name=media
baseurl=file:///media
enabled=1
gpgcheck=0
# 更新本地源
yum clean all
yum makecache
yum repolist
# 關閉Selinux,修改配置文件;關閉iptables(這是實驗環境的簡化作法:正式環境建議保留iptables,只放行syslog的514/udp與http的80/tcp,並優先把SELinux設爲permissive來排查問題,而不是直接disabled)
[root@localhost yum.repos.d]# vim /etc/selinux/config
SELINUX=disabled
[root@localhost yum.repos.d]# getenforce
Enforcing
[root@localhost yum.repos.d]# setenforce 0
[root@localhost yum.repos.d]# getenforce
Permissive
[root@localhost yum.repos.d]# service iptables stop
[root@localhost yum.repos.d]# chkconfig iptables off
# 安裝軟件包
yum install mysql-server mysql-devel libcurl-devel net-snmp-devel php php-gd php-xml php-mysql httpd -y
# 檢查相關包(後文用到的 ommysql 模塊由 rsyslog-mysql 提供,若下面的列表中沒有它,需先安裝 rsyslog-mysql)
[root@bogon html]# rpm -qa | grep rsyslog
rsyslog-gssapi-5.8.10-10.el6_6.x86_64
rsyslog-mysql-5.8.10-10.el6_6.x86_64
rsyslog-relp-5.8.10-10.el6_6.x86_64
rsyslog-pgsql-5.8.10-10.el6_6.x86_64
rsyslog-gnutls-5.8.10-10.el6_6.x86_64
rsyslog-5.8.10-10.el6_6.x86_64
# 啓動http
[root@localhost yum.repos.d]#/etc/init.d/httpd start
[root@localhost yum.repos.d]#chkconfig httpd on
正在啓動 httpd:httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
#測試http運行環境
[root@localhost yum.repos.d]# cd /var/www/html/
[root@TS html]# cat > index.php <<EOF
> <?php
> phpinfo();
> ?>
> EOF
打開瀏覽器訪問:http://192.168.2.2/index.php 。注意 phpinfo() 會公開PHP與服務器的配置細節,測試完成後應刪除該 index.php。
#啓動數據庫
[root@localhost yum.repos.d]#/etc/init.d/mysqld start
[root@localhost yum.repos.d]#chkconfig mysqld on
#設置mysql密碼,查看數據庫表(注意:像下一行那樣把密碼直接跟在 -p 後面,會留在 shell 歷史與 ps 輸出中;建議只寫 -p,由交互提示輸入密碼)
[root@bogon html]# cd /usr/share/doc/rsyslog-mysql-5.8.10/
[root@bogon rsyslog-mysql-5.8.10]# mysql -uroot -pqaz,123 < createDB.sql
[root@bogon ~]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.73 Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| Syslog |
| mysql |
| test |
+--------------------+
4 rows in set (0.00 sec)
mysql> use Syslog
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+------------------------+
| Tables_in_Syslog |
+------------------------+
| SystemEvents |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)
# 授權 rsyslog 對 Syslog 庫的讀寫權限並刷新權限表(grant all 給的權限多於所需:rsyslog 寫入只需 INSERT,LogAnalyzer 查詢只需 SELECT,按最小權限授予更穩妥)
mysql> grant all on Syslog.* to rsyslog@localhost identified by 'adminqaz';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
# 修改rsyslog配置文件,開啓UDP端口,並使用mysql與rsyslog相關聯
[root@bogon ~]# vim /etc/rsyslog.conf
#新增下面兩行
$ModLoad ommysql
*.* :ommysql:localhost,Syslog,rsyslog,adminqaz
說明:localhost 表示本地主機,Syslog 爲數據庫名,rsyslog 爲數據庫的用戶,adminqaz 爲該用戶密碼;*.* 表示所有設施、所有級別的日誌(包括本機自身的日誌)都會寫入數據庫。該密碼以明文保存在 /etc/rsyslog.conf 中,請確保該文件僅 root 可讀(如 chmod 600)。
#開啓相關模塊
# vi /etc/rsyslog.conf
$ModLoad immark #immark是模塊名,支持日誌標記
$ModLoad imudp #imudp是模塊名,支持udp協議
$UDPServerRun 514 #允許在514端口接收日誌(UDP syslog 既不認證也不加密,任何能到達該端口的主機都能寫入日誌;建議用防火牆只放行交換機等已知來源的地址)
# 重啓rsyslog服務
/etc/init.d/rsyslog restart
若是正常的話,/var/log/messages 中能夠看到服務器、交換機發來的日誌信息。
二、安裝LogAnalyzer
[root@bogon home]# ls
loganalyzer-3.6.5 loganalyzer-3.6.5.tar.gz
[root@bogon home]# tar xzvf loganalyzer-3.6.5.tar.gz
[root@bogon home]# cd loganalyzer-3.6.5
[root@bogon loganalyzer-3.6.5]#mkdir -p /var/www/html/loganalyzer
[root@bogon loganalyzer-3.6.5]# rsync -a src/* /var/www/html/loganalyzer/
# 打開瀏覽器http://192.168.2.2/loganalyzer,點擊here
#點擊next
#調整權限後點擊 recheck 重新檢查(666 會讓本機任何用戶都能改寫 config.php,而該文件內含數據庫密碼;安裝完成後應改回只讀,如 chmod 644)
# touch /var/www/html/loganalyzer/config.php
# chmod 666 /var/www/html/loganalyzer/config.php
#點擊 next
#配置基本信息
#點擊next
第6步:建立用於管理 LogAnalyzer 的用戶名和密碼(此界面能查看全部日誌,請設置強密碼)此處無圖
#選擇日誌源sql表,用於與syslog關聯
# 點擊next
# 重新登錄後會看到日誌
界面以下:
三、關於日誌輪循:Linux 中的日誌輪循由 logrotate 完成
# 查看logrotate相關配置文件
[root@bogon ~]# rpm -ql logrotate
/etc/cron.daily/logrotate
/etc/logrotate.conf
/etc/logrotate.d
/usr/sbin/logrotate
/usr/share/doc/logrotate-3.7.8
/usr/share/doc/logrotate-3.7.8/CHANGES
/usr/share/doc/logrotate-3.7.8/COPYING
/usr/share/man/man5/logrotate.conf.5.gz
/usr/share/man/man8/logrotate.8.gz
/var/lib/logrotate.status
# 編輯logrotate配置文件
vim /etc/logrotate.conf
[root@bogon ~]# cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
minsize 1M
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}
# 以周爲單位輪循,保留4份;由於開啓了 dateext,輪循後的文件名爲 messages-YYYYMMDD 而非 messages.1…messages.4,產生第5份時最舊的一份會被刪除
/var/log/messages {
weekly
rotate 4
dateext
compress
missingok
create 644 root root
postrotate
/usr/bin/killall -HUP rsyslogd #平滑重啓rsyslog(killall 按進程名向所有同名進程發信號;用 /var/run/syslogd.pid 中的 pid 更準確)
endscript
}
# system-specific logs may also be configured here.
# 輪循後的文件名以日期結尾(dateext),以下: