当服务器遇到问题时,运维工程师都会根据日志分析问题,当黑客入侵服务器时,基本都会删除日志,以免留下蛛丝马迹,由此可见日志对服务器来说多么重要,为此很多公司都会有自己的日志服务器,下面我们来一起学习如何搭建日志服务器和日志分析工具。
1.首先必须得客户机与服务器都安装rsyslog这个软件:
[[email protected] ~]# yum -y install rsyslog
2.客户机修改配置文件(1.4为日志服务器)
[[email protected] ~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.* @192.168.1.4
*.* :ommysql:192.168.1.4,Syslog,syslogroot,syslogpass
local7.* /var/log/boot.log
修改完成后重启服务并开机自动运行
[[email protected] ~]# service rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]
[[email protected] ~]# chkconfig rsyslog on
3.服务器修改配置文件
[[email protected] ~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$Modload ommysql
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.* :ommysql:192.168.1.4,Syslog,syslogroot,syslogpass
local7.* /var/log/boot.log
重启服务器并开机自动运行
~]# service rsyslog restart
~]# chkconfig rsyslog on
4.安装配置数据库
~]# yum -y install mysql-server rsyslog-mysql
(2)配置数据库
[[email protected] ~]# rpm -ql rsyslog-mysql #首先查看rsyslog-mysql安装生成了那些文件
/lib64/rsyslog/ommysql.so
/usr/share/doc/rsyslog-mysql-5.8.10
/usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql #此sql文件就是需要导入到数据库中的数据文件
#
[[email protected] ~]# service mysqld start #启动mysqld服务
[[email protected] ~]# mysql #连接mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.73 Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.
mysql>
mysql>
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| test |
+--------------------+
3 rows in set (0.00 sec) #此时,只有3个库
#
mysql> source /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql; #导入rsyslog的数据文件
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| Syslog |
| mysql |
| test |
+--------------------+
4 rows in set (0.01 sec)
mysql> use Syslog; #Syslog即是记录日志文件的数据库
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+------------------------+
| Tables_in_Syslog |
+------------------------+
| SystemEvents |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)
#
#接下来,即是为rsyslog服务器授权。此处一定是rsyslog服务器的IP
#如果写成各服务器的IP,那就错了
mysql> grant all on Syslog.* to ‘syslogroot‘@‘127.0.0.1‘ identified by ‘liwai8888‘;
Query OK, 0 rows affected (0.00 sec)
mysql> grant all on Syslog.* to ‘syslogroot‘@‘192.168.1.4‘ identified by ‘liwai8888‘;
Query OK, 0 rows affected (0.04 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> \q
Bye
5.配置lamp+loganalyzer架构
1、安装LAMP环境
[[email protected] ~]# yum -y install httpd php php-mysql php-gd
[[email protected] ~]# mkdir /var/www/html/loganalyzer/
mkdir: created directory `/var/www/html/loganalyzer/‘
2、解压loganalyzer源码包
[[email protected] ~]# tar xf loganalyzer-3.6.5.tar.gz
[[email protected] ~]# cd loganalyzer-3.6.5
[[email protected] loganalyzer-3.6.5]#
[[email protected] loganalyzer-3.6.5]# ls
ChangeLog contrib COPYING doc INSTALL src
[[email protected] loganalyzer-3.6.5]# mv src/* /var/www/html/loganalyzer/ #src下是php的网页文件
[[email protected] loganalyzer-3.6.5]# ls contrib/
configure.sh secure.sh
[[email protected] loganalyzer-3.6.5]# mv contrib/* /var/www/html/loganalyzer/ #contrib目录下的两个脚本,可以打开看看
#
[[email protected] loganalyzer-3.6.5]# cd /var/www/html/loganalyzer/
[[email protected] loganalyzer]# sh configure.sh #执行脚本
3、配置httpd
修改DocumentRoot网页根目录
[[email protected] ~]# vim /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html/loganalyzer"
[[email protected] ~]# service httpd start
4、配置httpd和mysql开机启动
[[email protected] ~]# chkconfig mysqld on
[[email protected] ~]# chkconfig httpd on
5、创建loganalyzer数据库,并授权
[[email protected] ~]# mysql
Enter password:
mysql> create database loganalyzer;
Query OK, 1 row affected (0.04 sec)
mysql> grant all on loganalyzer.* to [email protected]‘192.168.1.4‘ identified by ‘liwai8888‘;
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
6.配置安装界面
主要错误在数据库的大小写以及数据库的用户名密码,一般都要安装2次,第2次必须删除里面的config.php,然后再在下一步运行sh configure.sh生成config.php。然后你并可以开始使用它了。(不知道为啥复制不了图,所以只能这样谈谈我遇到的错误与解决方法)。