******************理论部分*****************
前言:
在数据为王的时代,日志管理是一个绕不开的话题,相应的开源软件有不少,比如热门的三件套:Logstash、ElasticSearch、Kibana,虽然功能强大,但是配置复杂。相比较而言,rsyslog更容易快速上手。
Rsyslog:
rsyslog是一款自由软件,GPL(General Public License)的lincesed增强的syslogd.功能强大,有开源web loganalyzer支持,同时可以将收集日志存在mysql中,方便分析、审计。具体功能可以查看官网.
日志:
历史日志
历史事件:时间,事件
日志级别:事件的关键性程度,loglevel.
系统日志服务:
syslog:(CentOS 5.x)
守护进程:
syslogd: system 记录系统日志
klogd: kernel 记录内核日志
rsyslog:(CentOS6以后)
守护进程:
syslogd
klogd
注:rsyslog是syslog的下一代版本.
Rsyslog的特性:
a.多线程;
b.使用的协议:UDP, TCP, SSL, TLS, RELP
c.可用于实现日志存储的数据库:MYSQL, PGSQL, ORACLE等;
d.强大的过滤器,可实现过滤日志信息中任何部分;
日志收集方:
facility: 设施,从功能或程序上对日志进行分类:
auth, authrive, cron, daemon, kern, lpr, mail, mark, news, security, user, uucp, local0-local7, syslog
priority:
info, debug, notice, warning, error,crit(critical), alert, emerg(pamic)
指定级别:
*:所有级别
none:没有级别
priority:此级别及更高级别的日志信息;
facility.priority /var/log/message
程序环境:
主程序:rsyslogd
配置文件:/etc/rsyslog.conf
服务脚本:/etc/rc.d/init.d/rsyslog
rsyslog.conf
RULES:
facility.priority target
target:
文件路径:记录于指定的日志文件中,通常应该在/var/log目录下; 文件路径前的“-”表示异步写入;
用户:将日志通知给指定用户
*:所有用户;
日志服务器:@host
host: 必须要监听在tcp或udp协议514端口上提供服务;
管道; |COMMAND
文件记录的日志格式:
事件产生的日期时间 主机 进程(pid): 事件内容
有些日志记录二进制格式: /var/log/wtmp, /var/log/btmp
/var/log/wtmp: 当前系统上成功登陆的日志;
last
/var/log/btmp:
lastb
lastlog命令: 显示当前系统每一个用户最近一次的登陆时间;
******************实操部分*****************
实验要求:
a.配置简单的rsyslog服务器,增加一台客户端机器,由rsyslog服务器收集客户端生成的日志信息;
b.配置rsyslog+loganalyzer+mysql组合型日志服务器,要求客户端生成的日志,由rsyslog服务器收集,并由mysql数据库记录rsyslog服务器的日志,最后由loganalyzer工具在前端界面展示出来.
实验环境:
系统:CentOS 6.7 x3
主机名及服务器作用:
CentOS 6.7:
7-200: rsyslog Server
7-201: Client
7-202: Mysql
1.1 安装rsyslog服务器:
[[email protected] ~]# rpm -qa rsyslog rsyslog-5.8.10-10.el6_6.x86_64
1.2 打开rsyslog的指定模块,监听在指定套接字:
[[email protected] ~]# vim /etc/rsyslog.conf ... 12 # Provides UDP syslog reception 13 $ModLoad imudp 14 $UDPServerRun 514 15 16 # Provides TCP syslog reception 17 $ModLoad imtcp 18 $InputTCPServerRun 514 ... //13-14行表示监听UDP协议,打开对UDP协议的收集日志的模块的支持,让它监听在UDP协议的514端口. //17-18行表示监听TCP协议,打开对TCP协议的收集日志的模块的支持,让它监听在TCP协议的514端口.
注:对于开启UDP协议和TCP协议的选择上,UDP更快,TCP在日志信息记录时更可靠,此处都打开.
1.3 启动rsyslogd服务,查看监听端口:
[[email protected] ~]# service rsyslog start Starting system logger: [ OK ] 3059/rsyslogd [[email protected] ~]# netstat -tunlp |grep rsyslogd tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 3059/rsyslogd tcp 0 0 :::514 :::* LISTEN 3059/rsyslogd udp 0 0 0.0.0.0:514 0.0.0.0:* 3059/rsyslogd udp 0 0 :::514 :::* 3059/rsyslogd [[email protected] ~]#
//可以看到514端口都已监听在TCP和UDP上,此时其他主机就可以往该日志服务器发日志了.
1.4 开启Client服务器7-201,往日志服务器7-200发送日志:
[[email protected] ~]# rpm -qa rsyslog rsyslog-5.8.10-10.el6_6.x86_64
1.5 配置rsyslog.conf:
[[email protected] ~]# vim /etc/rsyslog.conf 42 #*.info;mail.none;authpriv.none;cron.none /var/log/messages 43 *.info;mail.none;authpriv.none;cron.none @10.68.7.200 //备份第43行,修改日志服务器地址.
1.6 重启客户端日志服务器程序:
[[email protected] ~]# service rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ] [[email protected] ~]#
1.7 在7-201客户端服务器安装vsftp服务,然后在7-200服务器端/var/log/messages查看:
[[email protected] ~]# yum -y install vsftpd;date ... Installed: vsftpd.x86_64 0:2.2.2-14.el6 Complete! Sun Aug 21 22:43:21 EDT 2016
[[email protected] ~]# tail /var/log/messages Aug 21 22:43:21 7-201 yum[3187]: Installed: vsftpd-2.2.2-14.el6.x86_64
客户端日志在rsyslog服务端收集,保存在mysql 数据库中,然后通过前端页面展示工具展示出来:
2.1 在7-200服务端安装rsyslog-mysql软件:
[[email protected] ~]# yum -y install rsyslog-mysql [[email protected] ~]# rpm -ql rsyslog-mysql /lib64/rsyslog/ommysql.so /usr/share/doc/rsyslog-mysql-5.8.10 /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql //注意该文件. [[email protected] ~]#
2.2 用二进制方式安装mariadb服务器并完成相关操作:
[[email protected] ~]# groupadd -r -g 306 mysql [[email protected] ~]# useradd -r -g 306 -u 306 mysql [[email protected] ~]# tar xf mariadb-5.5.46-linux-x86_64.tar.gz -C /usr/local [[email protected] ~]# ln -sv /usr/local/mariadb-5.5.46-linux-x86_64/ /usr/local/mysql `/usr/local/mysql‘ -> `/usr/local/mariadb-5.5.46-linux-x86_64/‘ [[email protected] ~]# cd /usr/local/mysql [[email protected] mysql]# chown -R root:mysql ./* [[email protected] mysql]# scripts/mysql_install_db --datadir=/mydata/data --user=mysql WARNING: The host ‘7-202‘ could not be looked up with resolveip. This probably means that your libc libraries are not 100 % compatible with this binary MariaDB version. The MariaDB daemon, mysqld, should work normally with the exception that host name resolving will not work. This means that you should use IP addresses instead of hostnames when specifying MariaDB privileges ! Installing MariaDB/MySQL system tables in ‘/mydata/data‘ ... 160824 4:11:59 [Note] ./bin/mysqld (mysqld 5.5.46-MariaDB) starting as process 2538 ... OK Filling help tables... 160824 4:12:01 [Note] ./bin/mysqld (mysqld 5.5.46-MariaDB) starting as process 2547 ... OK To start mysqld at boot time you have to copy support-files/mysql.server to the right place for your system PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER ! To do so, start the server, then issue the following commands: ‘./bin/mysqladmin‘ -u root password ‘new-password‘ ‘./bin/mysqladmin‘ -u root -h 7-202 password ‘new-password‘ Alternatively you can run: ‘./bin/mysql_secure_installation‘ which will also give you the option of removing the test databases and anonymous user created by default. This is strongly recommended for production servers. See the MariaDB Knowledgebase at http://mariadb.com/kb or the MySQL manual for more instructions. You can start the MariaDB daemon with: cd ‘.‘ ; ./bin/mysqld_safe --datadir=‘/mydata/data‘ You can test the MariaDB daemon with mysql-test-run.pl cd ‘./mysql-test‘ ; perl mysql-test-run.pl Please report any problems at http://mariadb.org/jira The latest information about MariaDB is available at http://mariadb.org/. You can find additional information about the MySQL part at: http://dev.mysql.com Support MariaDB development by buying support/new features from MariaDB Corporation Ab. You can contact us about this at [email protected] Alternatively consider joining our community based development effort: http://mariadb.com/kb/en/contributing-to-the-mariadb-project/ [[email protected] mysql]# cp support-files/mysql.server /etc/rc.d/init.d/mysqld [[email protected] mysql]# chkconfig --add mysqld [[email protected] mysql]# chkconfig --list mysqld mysqld 0:off 1:off 2:on 3:on 4:on 5:on 6:off [[email protected] mysql]# [[email protected] mysql]# mkdir /etc/mysql [[email protected] mysql]# cp support-files/my-large.cnf /etc/mysql/my.cnf [[email protected] mysql]# vim /etc/mysql/my.cnf ... 在thread_concurrency = 8 这一行下面添加如下三行 datadir = /mydata/data innodb_file_per_table = on skip_name_resolve = on ... [[email protected] mysql]# service mysqld start Starting MySQL... SUCCESS! [[email protected] mysql]# mysql Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 2 Server version: 5.5.46-MariaDB-log MariaDB Server Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement. mysql> mysql> GRANT all on Syslog.* to ‘syslog‘@‘10.68.7.%‘ Identified by ‘syslog‘; Query OK, 0 rows affected (0.00 sec) mysql> flush privileges; Query OK, 0 rows affected (0.00 sec) mysql> exit Bye [[email protected] mysql]# [[email protected] mysql]# vim /etc/my.cnf ...添加如下两行: skip_name_resolv = on innodb_file_per_table = on
2.3 从rsyslog服务器上远程登录mysql服务器:
[[email protected] ~]# mysql -usyslog -h10.68.7.202 -psyslog Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 8 Server version: 5.5.46-MariaDB-log MariaDB Server Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement. mysql>
2.4 将软件rsyslog-mysql生成的sql语句导入数据库:
[[email protected] ~]# rpm -ql rsyslog-mysql /lib64/rsyslog/ommysql.so /usr/share/doc/rsyslog-mysql-5.8.10 /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql [[email protected] ~]# mysql -usyslog -h10.68.7.202 -p </usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql Enter password: [[email protected] ~]#
//此时,可以登录到数据库查看到Syslog库及对应的表.
2.5 配置rsyslog能使用mysql服务器:
... 20 $ModLoad ommysql //增加该项,添加到MonLoad区域附近. 42 *.info;mail.none;authpriv.none;cron.none :ommysql:10.68.7.202,Syslog,syslog,syslog //在第42行处添加,注意右边的格式
2.6 重启rsyslog服务:
[[email protected] ~]# service rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ] [[email protected] ~]#
2.7 然后在rsyslog服务器安装vsftpd服务,Client 7-201服务器安装samba服务,生成的日志在mysql数据库中查看:
[[email protected] ~]# yum -y install samba ... Running Transaction Installing : samba-3.6.23-20.el6.x86_64 1/1 Verifying : samba-3.6.23-20.el6.x86_64 1/1 Installed: samba.x86_64 0:3.6.23-20.el6 Complete!
[[email protected] ~]# yum -y install vsftpd ... Installed: vsftpd.x86_64 0:2.2.2-14.el6 Complete! [[email protected] ~]# mysql -usyslog -h10.68.7.202 -psyslog Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 16 Server version: 5.5.46-MariaDB-log MariaDB Server Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement. mysql> use Syslog; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed mysql> show tables; +------------------------+ | Tables_in_Syslog | +------------------------+ | SystemEvents | | SystemEventsProperties | +------------------------+ 2 rows in set (0.00 sec) mysql> select * from SystemEvents\G; *************************** 1. row *************************** ID: 1 CustomerID: NULL ReceivedAt: 2016-08-24 04:26:53 DeviceReportedTime: 2016-08-24 04:26:53 Facility: 0 Priority: 6 FromHost: 7-200 Message: imklog 5.8.10, log source = /proc/kmsg started. NTSeverity: NULL Importance: NULL EventSource: NULL EventUser: NULL EventCategory: NULL EventID: NULL EventBinaryData: NULL MaxAvailable: NULL CurrUsage: NULL MinUsage: NULL MaxUsage: NULL InfoUnitID: 1 SysLogTag: kernel: EventLogType: NULL GenericFileName: NULL SystemID: NULL *************************** 2. row *************************** ID: 2 CustomerID: NULL ReceivedAt: 2016-08-24 04:26:53 DeviceReportedTime: 2016-08-24 04:26:53 Facility: 5 Priority: 6 FromHost: 7-200 Message: [origin software="rsyslogd" swVersion="5.8.10" x-pid="2367" x-info="http://www.rsyslog.com"] start NTSeverity: NULL Importance: NULL EventSource: NULL EventUser: NULL EventCategory: NULL EventID: NULL EventBinaryData: NULL MaxAvailable: NULL CurrUsage: NULL MinUsage: NULL MaxUsage: NULL InfoUnitID: 1 SysLogTag: rsyslogd: EventLogType: NULL GenericFileName: NULL SystemID: NULL *************************** 3. row *************************** ID: 3 CustomerID: NULL ReceivedAt: 2016-08-24 04:27:27 DeviceReportedTime: 2016-08-24 04:27:27 Facility: 1 Priority: 6 FromHost: 7-200 Message: Installed: vsftpd-2.2.2-14.el6.x86_64 NTSeverity: NULL Importance: NULL EventSource: NULL EventUser: NULL EventCategory: NULL EventID: NULL EventBinaryData: NULL MaxAvailable: NULL CurrUsage: NULL MinUsage: NULL MaxUsage: NULL InfoUnitID: 1 SysLogTag: yum[2397]: EventLogType: NULL GenericFileName: NULL SystemID: NULL *************************** 4. row *************************** ID: 4 CustomerID: NULL ReceivedAt: 2016-08-24 04:30:03 DeviceReportedTime: 2016-08-24 04:30:03 Facility: 1 Priority: 6 FromHost: 7-201 Message: Installed: samba-3.6.23-20.el6.x86_64 NTSeverity: NULL Importance: NULL EventSource: NULL EventUser: NULL EventCategory: NULL EventID: NULL EventBinaryData: NULL MaxAvailable: NULL CurrUsage: NULL MinUsage: NULL MaxUsage: NULL InfoUnitID: 1 SysLogTag: yum[4787]: EventLogType: NULL GenericFileName: NULL SystemID: NULL 4 rows in set (0.00 sec) ERROR: No query specified mysql> //可以看到7-200主机安装的vsftpd服务日志和7-201主机安装的samba服务日志已经记录在mysql数据库中了.
3.1 配置rsyslog前端展示界面工具loganalyzer:
3.1.1 配置webserver,支持PHP
[[email protected] ~]# yum install httpd php php-mysql php-gd [[email protected] ~]# service httpd start [[email protected] ~]# vim /etc/httpd/conf/httpd.conf ... 402 DirectoryIndex index.php index.html index.html.var //此处添加index.php文件,使httpd服务支持php.
3.1.2 [[email protected] ~]# vim /var/www/html/index.php
//添加如下内容: <?php $conn=mysql_connect(‘10.68.7.202‘,‘syslog‘,‘syslog‘); if ($conn) echo "OK"; else echo "Not OK"; phpinfo(); ?> :wq
3.1.3 浏览器查看http与mysql、php的连接情况,即lamp环境:
//显示OK则说明http与mysql连接正常.
3.2 安装oganalyzer工具:
[[email protected] ~]# tar -zxvf loganalyzer-3.6.5.tar.gz -C /var/www/html/ [[email protected] ~]# cd /var/www/html/loganalyzer-3.6.5 [[email protected] loganalyzer-3.6.5]# [[email protected] loganalyzer-3.6.5]# mv src/ ../loganalyzer [[email protected] loganalyzer-3.6.5]# cp contrib/*.sh ../loganalyzer [[email protected] loganalyzer-3.6.5]# cd ../loganalyzer [[email protected] loganalyzer]# ls *.sh configure.sh secure.sh [[email protected] loganalyzer]# chmod +x *.sh [[email protected] loganalyzer]# ./configure.sh [[email protected] loganalyzer]# ./secure.sh [[email protected] loganalyzer]# chmod 666 config.php [[email protected] loganalyzer]# service httpd restart Stopping httpd: [ OK ] Starting httpd: httpd: apr_sockaddr_info_get() failed for 7-200 httpd: Could not reliably determine the server‘s fully qualified domain name, using 127.0.0.1 for ServerName [ OK ] [[email protected] loganalyzer]#
3.3 此时就可以在浏览器访问了,http://10.68.7.200/loganalyzer/install.php 第一次访问时需加install.php,之后就不用加了.
一直下一步:
一直下一步:
至此, rsyslog+loganalyzer+mysql组合型日志服务器已安装成功!