簡介RSYSLOG
用於日誌處理系統。它提供高性能,高安全×××和模塊化設計。
支持多線程,TCP,SSL,TLS,RELP
支持MySQL,PostgreSQL,Oracle數據庫
配置說明
配置文件格式rsyslog.conf
三部分組成:
MODULES
GLOBAL DRICTIVES
RULES
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log日誌記錄:先分類,後分級
authpriv 安全認證相關
cron at 與cron定時相關
daemon 後臺進程相關
kern 內核
lpr 打印系統
mail 郵件系統 -/var/log/maillog 減號緩存一定量再寫入
syslog 日誌服務本身
指定級別:
*:所有級別;
none:沒有級別;
priority:此級別以高於此級別的所有級別;
=priorty:僅此級別;
安裝
yum install rsyslog rsyslog-mysq -y
yum install httpd mod_ssl php php-gd php-xml php-mysql -y
yum install -y mariadb-server
systemctl start httpd.service
systemctl enable httpd.service
配置my.cnf
vim /etc/my.cnf
[mysqld]
innodb_file_per_table = 1
skip_name_resolve=1
log_bin=mysql-bin啓動mariadb
systemctl start mariadb.service
systemctl enable mariadb.service導入rsyslog-mysql 數據庫文件
cd /usr/share/doc/rsyslog-8.24.0/
mysql -uroot -p<mysql-createDB.sql創建數據庫
mysql> use Syslog;
mysql> show databases;
mysql> show tables;rsyslog用戶並授權
grant all on Syslog.* to rsyslog@'localhost' identified by 'Rsyslog;配置服務端支持rsyslog-mysql 模塊
vim /etc/rsyslog.conf #按如下進行更改
#### MODULES ####
$Modload ommysql
*.* :ommysql:localhost,Syslog,rsyslog,Rsyslog
$ModLoad immark # immark是模塊名,支持日誌標記
$ModLoad imudp # imupd是模塊名,支持udp協議
$UDPServerRun 514 #允許514端口接收使用UDP和TCP協議轉發過來的日誌安裝LogAnalyzer
wget -c http://download.adiscon.com/loganalyzer/loganalyzer-4.1.7.tar.gz
tar xf loganalyzer-4.1.7.tar.gz -C /tmp/
cd /tmp/loganalyzer-4.1.7/
mkdir -pv /var/www/html/loganalyzer
cp -a src/* /var/www/html/loganalyzer/
cp -a contrib/* /var/www/html/loganalyzer/
chmod +x /var/www/html/loganalyzer/*.sh./configure.sh 產生config.php文件
配置LogAnalyzer
修改 config.php
$CFG['Sources']['Source1']['DBTableName'] = 'SystemEvents';修改config.php文件權限644
./secure.sh 