Setting up an rsyslog log server on CentOS 7: rsyslog + LogAnalyzer

1. System environment setup

| ip | hostname |
|---|---|
| 192.168.200.182 | web |
| 192.168.200.184 | rsyslog-mysql |

Turn off the firewall and SELinux, and install the EPEL repository:
```
[aaa@qq.com ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
[aaa@qq.com ~]# getenforce
Disabled
[aaa@qq.com ~]# yum -y install epel-*
```
2. Setup

Install the required packages:

```
[aaa@qq.com ~]# yum -y install nginx php-fpm rsyslog
[aaa@qq.com ~]# yum -y install mariadb-server mariadb rsyslog
```

Configure the web server as the rsyslog client:

```
[aaa@qq.com ~]# vim /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514 # a UDP port can be given here; UDP is also the default, choose as needed
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none @192.168.200.184 # forward to the rsyslog server
```

Restart the service:

```
[aaa@qq.com ~]# systemctl restart rsyslog
[aaa@qq.com ~]# systemctl enable rsyslog
```

Test:

```
systemctl restart nginx
```

Verify on the rsyslog server; the client's log lines are visible:
```
[aaa@qq.com ~]# tail /var/log/messages
Jul 25 10:05:09 web systemd: Stopped System Logging Service.
Jul 25 10:05:09 web systemd: Starting System Logging Service...
Jul 25 10:05:09 web rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-52.el7_8.2" x-pid="11801" x-info="http://www.rsyslog.com"] start
Jul 25 10:05:09 web systemd: Started System Logging Service.
Jul 25 10:05:23 web systemd: Stopping The nginx HTTP and reverse proxy server...
Jul 25 10:05:23 web systemd: Stopped The nginx HTTP and reverse proxy server.
Jul 25 10:05:23 web systemd: Starting The nginx HTTP and reverse proxy server...
Jul 25 10:05:23 web nginx: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jul 25 10:05:23 web nginx: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jul 25 10:05:23 web systemd: Started The nginx HTTP and reverse proxy server.
```
Install the database plugin on web1:

```
[aaa@qq.com ~]# yum install rsyslog-mysql
```

Check that it was installed:

```
[aaa@qq.com ~]# rpm -ql rsyslog-mysql
/usr/lib64/rsyslog/ommysql.so
/usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
```

Database configuration on the rsyslog-mysql host:
```
[aaa@qq.com ~]# systemctl start mariadb && systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[aaa@qq.com ~]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.65-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [mysql]> update user set password=password('admin123') where user='root'
    -> ; # change the root password
Query OK, 4 rows affected (0.00 sec)
Rows matched: 4 Changed: 4 Warnings: 0
MariaDB [mysql]> GRANT ALL ON Syslog.* TO 'Syslog'@'192.168.%.%' IDENTIFIED BY 'admin123'; # grant the Syslog user access
Query OK, 0 rows affected (0.00 sec)
MariaDB [mysql]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
MariaDB [mysql]> \q
Bye
```
The database name and the syslog database user used above can be looked up in /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql on the web host:

```
[aaa@qq.com ~]# less /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
CREATE DATABASE Syslog;
USE Syslog;
CREATE TABLE SystemEvents
```

Test the login from the web host:
```
[aaa@qq.com ~]# yum -y install mariadb
...
[aaa@qq.com ~]# mysql -uSyslog -h192.168.200.184 -p'admin123'
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 7
Server version: 5.5.65-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> \q
Bye
```
Database tuning:

```
[aaa@qq.com ~]# vim /etc/my.cnf
skip_name_resolve=on # do not resolve client host names via DNS
innodb_file_per_table=on # use a separate tablespace file per table instead of the shared tablespace
```

MariaDB must be restarted after the change:

```
[aaa@qq.com ~]# systemctl restart mariadb
```

Import the schema by redirecting the SQL file into the database:

```
[aaa@qq.com ~]# mysql -uSyslog -h192.168.200.184 -p'admin123' < /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
```

Edit the configuration file:

```
[aaa@qq.com ~]# vim /etc/rsyslog.conf
#### MODULES ####
$ModLoad ommysql
#### RULES ####
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
#*.info;mail.none;authpriv.none;cron.none @192.168.216.53
*.info;mail.none;authpriv.none;cron.none :ommysql:192.168.200.182,Syslog,Syslog,admin123
```

Restart the service:

```
[aaa@qq.com ~]# systemctl restart rsyslog
```
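Both rsyslog.conf fragments above (the client's forwarding rule and the `:ommysql:` action) use rsyslog's legacy selector syntax. The following added example, which is not code from the original post or from rsyslog, parses such lines and records two points a reviewer of this setup looks for: a single `@` is plain UDP forwarding, which gives no delivery guarantee and no sender authentication, and the `:ommysql:` action embeds the database password in the configuration file, so read access to that file matters. `SAMPLE_CONF` is constructed from the rules shown on this page.

```python
"""Classify legacy rsyslog selector rules and note review points.

Added example for this page; not code from the original post or from
rsyslog. SAMPLE_CONF is constructed from the rsyslog.conf fragments
shown above.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_CONF = """\
#### MODULES ####
$ModLoad imudp
$UDPServerRun 514
$ModLoad ommysql
#### RULES ####
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none @192.168.200.184
*.info;mail.none;authpriv.none;cron.none :ommysql:192.168.200.182,Syslog,Syslog,admin123
authpriv.* /var/log/secure
"""


@dataclass
class Rule:
    selector: str                 # e.g. "*.info;mail.none;authpriv.none;cron.none"
    kind: str                     # "file", "udp", "tcp", "ommysql" or "other"
    target: str                   # where the selected messages go
    findings: List[str] = field(default_factory=list)


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one configuration line; return None for comments and $-directives."""
    line = line.split("#", 1)[0].strip()      # drop trailing comments ('#' inside a password would break this)
    if not line or line.startswith("$"):      # blank, comment-only, or a directive such as $ModLoad
        return None
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    selector, action = parts
    if action.startswith("@@"):               # @@host[:port] = TCP forwarding
        return Rule(selector, "tcp", action[2:])
    if action.startswith("@"):                # @host[:port] = UDP forwarding
        rule = Rule(selector, "udp", action[1:])
        rule.findings.append("UDP forwarding: no delivery guarantee and no sender authentication")
        return rule
    if action.startswith(":ommysql:"):        # :ommysql:host,db,user,password
        host, db, user, password = action[len(":ommysql:"):].split(",")
        rule = Rule(selector, "ommysql", f"{user}@{host}/{db}")
        if password:
            rule.findings.append("database password stored inline; restrict read access to rsyslog.conf")
        return rule
    if action.startswith("/") or action.startswith("-/"):   # file target; a leading '-' means no sync
        return Rule(selector, "file", action.lstrip("-"))
    return Rule(selector, "other", action)


def parse_conf(text: str) -> List[Rule]:
    """Parse a whole configuration text into the rules it contains."""
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r is not None]


if __name__ == "__main__":
    for rule in parse_conf(SAMPLE_CONF):
        print(f"{rule.kind:8} {rule.selector:45} -> {rule.target}")
        for note in rule.findings:
            print("         !", note)
```

Run against a real /etc/rsyslog.conf by passing its contents to `parse_conf`; a `tcp` rule (`@@host`) is the drop-in replacement for the `udp` one when loss under load is a concern, and the `ommysql` finding is the reason for the file-permission step in the hardening section.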
Test from the web host:

```
[aaa@qq.com ~]# systemctl restart nginx
```

Check on rsyslog-mysql whether rows have been written; the data is already there:
```
[aaa@qq.com ~]# mysql -uroot -p'admin123'
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 6
Server version: 5.5.65-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| Syslog |
| mysql |
| performance_schema |
| test |
+--------------------+
5 rows in set (0.00 sec)
MariaDB [(none)]> use Syslog;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [Syslog]> show tables;
+------------------------+
| Tables_in_Syslog |
+------------------------+
| SystemEvents |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)
MariaDB [Syslog]> select count(*) from SystemEvents;
+----------+
| count(*) |
+----------+
| 127 |
+----------+
1 row in set (0.00 sec)
MariaDB [Syslog]> select * from SystemEvents;
+-----+------------+---------------------+---------------------+----------+----------+----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+-----------------------+--------------+-----------------+----------+
| ID | CustomerID | ReceivedAt | DeviceReportedTime | Facility | Priority | FromHost | Message | NTSeverity | Importance | EventSource | EventUser | EventCategory | EventID | EventBinaryData | MaxAvailable | CurrUsage | MinUsage | MaxUsage | InfoUnitID | SysLogTag | EventLogType | GenericFileName | SystemID |
+-----+------------+---------------------+---------------------+----------+----------+----------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+-----------------------+--------------+-----------------+----------+
| 1 | NULL | 2020-07-25 11:56:48 | 2020-07-25 11:56:48 | 3 | 6 | web | Stopping System Logging Service... | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | systemd:
...
...
...
127 rows in set (0.00 sec)
MariaDB [Syslog]> select * from SystemEvents \G # vertical output is easier to read
*************************** 1. row ***************************
ID: 1
CustomerID: NULL
ReceivedAt: 2020-07-25 11:56:48
DeviceReportedTime: 2020-07-25 11:56:48
Facility: 3
Priority: 6
FromHost: web
Message: Stopping System Logging Service...
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: systemd:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 2. row ***************************
...
...
...
*************************** 121. row ***************************
ID: 121
CustomerID: NULL
ReceivedAt: 2020-07-25 14:13:23
DeviceReportedTime: 2020-07-25 14:13:23
Facility: 3
Priority: 6
FromHost: web
Message: Stopping The nginx HTTP and reverse proxy server...
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: systemd:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 122. row ***************************
ID: 122
CustomerID: NULL
ReceivedAt: 2020-07-25 14:13:23
DeviceReportedTime: 2020-07-25 14:13:23
Facility: 3
Priority: 6
FromHost: web
Message: Stopped The nginx HTTP and reverse proxy server.
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: systemd:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 123. row ***************************
ID: 123
CustomerID: NULL
ReceivedAt: 2020-07-25 14:13:23
DeviceReportedTime: 2020-07-25 14:13:23
Facility: 3
Priority: 6
FromHost: web
Message: Starting The nginx HTTP and reverse proxy server...
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: systemd:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 124. row ***************************
ID: 124
CustomerID: NULL
ReceivedAt: 2020-07-25 14:13:23
DeviceReportedTime: 2020-07-25 14:13:23
Facility: 3
Priority: 6
FromHost: web
Message: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: nginx:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 125. row ***************************
ID: 125
CustomerID: NULL
ReceivedAt: 2020-07-25 14:13:23
DeviceReportedTime: 2020-07-25 14:13:23
Facility: 3
Priority: 6
FromHost: web
Message: nginx: configuration file /etc/nginx/nginx.conf test is successful
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: nginx:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
*************************** 126. row ***************************
ID: 126
CustomerID: NULL
ReceivedAt: 2020-07-25 14:13:23
DeviceReportedTime: 2020-07-25 14:13:23
Facility: 3
Priority: 6
FromHost: web
Message: Started The nginx HTTP and reverse proxy server.
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: systemd:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
```
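Once events land in Syslog.SystemEvents, the table can answer more than a row count. The following added example, which is not from the original post, rsyslog or LogAnalyzer, builds an in-memory SQLite table with the subset of SystemEvents columns that the checks use, loads constructed rows modelled on the output above, and runs three checks a log-server operator wants: events at severity err or worse per host (the Priority column holds the syslog severity, which is why the systemd lines above show 6, informational), hosts that have not reported within a given gap (a broken forwarder or a dead host), and the number of rsyslogd start-up records. The SQL statements are plain enough to run unchanged against the MariaDB instance; the host names and messages are constructed.

```python
"""Defender checks over a Syslog.SystemEvents-style table.

Added example; not from the original post, rsyslog or LogAnalyzer.
Uses an in-memory SQLite table with the subset of SystemEvents columns
the checks need, filled with constructed rows modelled on the output above.
"""
import sqlite3
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed rows: ReceivedAt, DeviceReportedTime, Facility, Priority, FromHost, Message, SysLogTag.
# Facility 3 = daemon, 5 = syslog; Priority is the syslog severity (6 = info, 3 = err, 2 = crit).
ROWS = [
    ("2020-07-25 10:05:09", "2020-07-25 10:05:09", 5, 6, "web",
     '[origin software="rsyslogd" swVersion="8.24.0-52.el7_8.2" x-pid="11801" x-info="http://www.rsyslog.com"] start',
     "rsyslogd:"),
    ("2020-07-25 13:05:00", "2020-07-25 13:05:00", 3, 6, "db1", "Started MariaDB database server.", "systemd:"),
    ("2020-07-25 14:13:23", "2020-07-25 14:13:23", 3, 6, "web", "Stopping The nginx HTTP and reverse proxy server...", "systemd:"),
    ("2020-07-25 14:13:23", "2020-07-25 14:13:23", 3, 6, "web", "Started The nginx HTTP and reverse proxy server.", "systemd:"),
    ("2020-07-25 14:21:40", "2020-07-25 14:21:40", 3, 3, "web",
     'nginx: [error] open() "/loganalyzer/missing.php" failed (13: Permission denied)', "nginx:"),
    ("2020-07-25 14:22:05", "2020-07-25 14:22:05", 3, 2, "web",
     "php-fpm: [pool www] child 1200 exited on signal 11 (SIGSEGV)", "php-fpm:"),
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def load(rows) -> sqlite3.Connection:
    """Create the column subset of SystemEvents and insert the rows."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE SystemEvents (
        ID INTEGER PRIMARY KEY AUTOINCREMENT,
        ReceivedAt TEXT, DeviceReportedTime TEXT,
        Facility INTEGER, Priority INTEGER,
        FromHost TEXT, Message TEXT, SysLogTag TEXT)""")
    db.executemany("INSERT INTO SystemEvents (ReceivedAt, DeviceReportedTime, Facility, Priority,"
                   " FromHost, Message, SysLogTag) VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return db


def error_events_per_host(db, max_priority: int = 3) -> List[Tuple[str, int]]:
    """Events at severity 'err' (3) or worse, counted per sending host."""
    return db.execute("SELECT FromHost, COUNT(*) FROM SystemEvents WHERE Priority <= ?"
                      " GROUP BY FromHost ORDER BY FromHost", (max_priority,)).fetchall()


def silent_hosts(db, now: str, max_gap_minutes: int) -> List[Tuple[str, str]]:
    """Hosts whose newest event is older than the gap: forwarding broke or the host is down."""
    now_dt = datetime.strptime(now, TIME_FMT)
    gap = timedelta(minutes=max_gap_minutes)
    rows = db.execute("SELECT FromHost, MAX(ReceivedAt) FROM SystemEvents GROUP BY FromHost").fetchall()
    return sorted((host, last) for host, last in rows
                  if now_dt - datetime.strptime(last, TIME_FMT) > gap)


def rsyslogd_starts(db) -> int:
    """Count rsyslogd start-up records (the '[origin ...] start' line seen in the tail output above)."""
    return db.execute("SELECT COUNT(*) FROM SystemEvents WHERE SysLogTag = 'rsyslogd:'"
                      " AND Message LIKE '%] start'").fetchone()[0]


if __name__ == "__main__":
    db = load(ROWS)
    print("err-or-worse per host:", error_events_per_host(db))
    print("silent for >30 min at 14:30:", silent_hosts(db, "2020-07-25 14:30:00", 30))
    print("rsyslogd starts:", rsyslogd_starts(db))
```

The silent-host check is the one worth scheduling: a client whose rsyslog forwarding rule is broken, or whose UDP datagrams are being dropped, produces no error on the server at all, so absence of rows is the only signal.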
Set up the LNMP environment on web.

Edit the nginx configuration to add a port-based virtual host:

```
[aaa@qq.com ~]# yum install mysql-server mysql-devel httpd php-mysql php php-gd php-xml -y
```

Configure LogAnalyzer:

```
[aaa@qq.com ~]# wget http://download.adiscon.com/loganalyzer/loganalyzer-4.1.10.tar.gz
[aaa@qq.com ~]# ls
anaconda-ks.cfg loganalyzer-4.1.10.tar.gz
[aaa@qq.com ~]# tar -xf loganalyzer-4.1.10.tar.gz
[aaa@qq.com ~]# mkdir /loganalyzer
[aaa@qq.com ~]# cp -r loganalyzer-4.1.10/src/* /loganalyzer
[aaa@qq.com ~]# cp loganalyzer-4.1.10/contrib/* /loganalyzer
[aaa@qq.com ~]# cd /loganalyzer
[aaa@qq.com loganalyzer]# chmod +x *.sh
[aaa@qq.com loganalyzer]# ./configure.sh
[aaa@qq.com loganalyzer]# ./secure.sh
[aaa@qq.com loganalyzer]# chmod 666 config.php
```

Edit the nginx configuration file to add the virtual hosts. The complete configuration file is as follows:
```
[aaa@qq.com ~]# cat /etc/nginx/conf.d/default.conf
```

```nginx
server {
    listen 80;
    server_name 192.168.200.182;
    index index.html index.htm index.php;
    charset utf-8;
    root /loganalyzer;
    location / {
        #max_fails=6;
        #fail_timeout=60;
        root /loganalyzer;
    }
    location ~ .*\.php$ {
        fastcgi_connect_timeout 300;
        root /loganalyzer;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        #max_fails=6;
        #fail_timeout=60;
        fastcgi_buffers 8 16k;
        fastcgi_buffer_size 32k;
        #fastcgi_pass unix:/dev/shm/php-fpm.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        try_files $uri =404;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp3|wma)$ {
        expires 30d;
    }
    location ~ .*\.(js|css)$ {
        expires 12h;
    }
}
server {
    listen 81;
    server_name 192.168.200.182;
    index index.html index.htm index.php;
    charset utf-8;
    root /usr/share/zabbix;
    location / {
        #max_fails=6;
        #fail_timeout=60;
        root /usr/share/zabbix;
    }
    location ~ .*\.php$ {
        fastcgi_connect_timeout 300;
        root /usr/share/zabbix;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        #max_fails=6;
        #fail_timeout=60;
        fastcgi_buffers 8 16k;
        fastcgi_buffer_size 32k;
        #fastcgi_pass unix:/dev/shm/php-fpm.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        try_files $uri =404;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp3|wma)$ {
        expires 30d;
    }
    location ~ .*\.(js|css)$ {
        expires 12h;
    }
}
```

Restart the services after the change:

```
[aaa@qq.com ~]# systemctl restart nginx && systemctl restart php-fpm
```
3. Web-side configuration

Browse to 192.168.200.182/install.php

Next.

If the following error appears, change the permissions of config.php to 666:

```
[aaa@qq.com loganalyzer]# chmod 666 config.php
```

Next: some basic settings; the defaults are fine.

Next: fill in the database details. Note that they are case-sensitive.

Specify the database name, table name, user name and so on.

Because I had not capitalized the table name here, the page shown after this step reported an error:

Could not find the configured table, maybe misspelled or the table

Solution:

Edit config.php and change the DBTableName entry from systemevents to SystemEvents. If other entries such as the database name or user name are wrong, they can be corrected here as well:
```php
$CFG['Sources']['Source1']['ID'] = 'Source1';
$CFG['Sources']['Source1']['Name'] = 'My Syslog Source';
$CFG['Sources']['Source1']['ViewID'] = 'SYSLOG';
$CFG['Sources']['Source1']['SourceType'] = SOURCE_DB;
$CFG['Sources']['Source1']['DBTableType'] = 'monitorware';
$CFG['Sources']['Source1']['DBType'] = DB_MYSQL;
$CFG['Sources']['Source1']['DBServer'] = '192.168.200.184';
$CFG['Sources']['Source1']['DBName'] = 'Syslog';
$CFG['Sources']['Source1']['DBUser'] = 'Syslog';
$CFG['Sources']['Source1']['DBPassword'] = 'admin123';
$CFG['Sources']['Source1']['DBTableName'] = 'SystemEvents';
$CFG['Sources']['Source1']['DBEnableRowCounting'] = false;
```
After the change, restart the rsyslog service; the problem is solved.

Next: Finish.

The display page.

4. Security hardening

- config.php stores the database account, password, IP address and other details. It needs mode 666 during installation, but write access is no longer needed afterwards, so change it to 644:

```
chmod 644 /loganalyzer/config.php
```
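Two files in this setup hold the database password: /loganalyzer/config.php and /etc/rsyslog.conf (the `:ommysql:` line). The added example below, which is not part of the original post, checks each file's mode against an assumed policy: config.php at most 640, owned by root with the php-fpm pool's group so the web application can still read it, and rsyslog.conf at most 600, since only root's rsyslogd needs it. Mode 644 as used above still lets every local account read the password, and that is the case the check reports. `demo()` builds constructed files in a temporary directory rather than touching the real paths.

```python
"""Check the files holding the log server's database password for over-broad modes.

Added example; not part of the original post. POLICY is an assumed policy:
config.php readable by its owner and the php-fpm pool's group only,
rsyslog.conf (which carries the :ommysql: password) readable by root only.
"""
import os
import stat
import tempfile
from typing import Dict, List

POLICY: Dict[str, int] = {
    "/loganalyzer/config.php": 0o640,   # root:<php-fpm group>; the web app reads it via the group
    "/etc/rsyslog.conf": 0o600,         # root only
}

_CLASSES = ((stat.S_IRWXU, "owner"), (stat.S_IRWXG, "group"), (stat.S_IRWXO, "other"))


def check_mode(path: str, max_mode: int) -> List[str]:
    """Return a finding for the file if its permission bits exceed max_mode, else an empty list."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    extra = mode & ~max_mode                      # bits that are set but not allowed by the policy
    if not extra:
        return []
    who = [name for mask, name in _CLASSES if extra & mask]
    return [f"{path}: mode {mode:04o} exceeds policy {max_mode:04o} (extra bits for {', '.join(who)})"]


def audit(policy: Dict[str, int]) -> List[str]:
    """Check every path in the policy that exists on this machine; missing files are skipped."""
    findings: List[str] = []
    for path, max_mode in policy.items():
        if os.path.exists(path):
            findings.extend(check_mode(path, max_mode))
    return findings


def demo() -> List[List[str]]:
    """Constructed files in a temporary directory, one each at 666 (install time),
    644 (the chmod above) and 640 (policy); returns the findings for each, in that order."""
    with tempfile.TemporaryDirectory() as d:
        results = []
        for mode in (0o666, 0o644, 0o640):
            p = os.path.join(d, f"config.php.{mode:o}")
            open(p, "w").close()
            os.chmod(p, mode)
            results.append(check_mode(p, 0o640))
        return results


if __name__ == "__main__":
    for line in audit(POLICY) or ["no findings on the real paths (or they do not exist here)"]:
        print(line)
    for findings in demo():
        print(findings or "ok")
```

The mode check only covers the permission bits; ownership matters just as much, because a 640 file owned by the php-fpm user is still writable by any code that runs through php-fpm.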