Log Host Installation Guide

I. Goals

1. Centralise server logs in a MySQL database;
2. Send one e-mail per day reporting abnormal log entries;
3. Report abnormal system events in real time;
4. Query the logs through a web interface.

II. Installing and configuring the log host

(Figure: the function of each software component and how they interact; the diagram itself is not reproduced here.)
1. Install syslog-ng:

Install eventlog:    # ./configure --prefix=/usr/local/eventlog && make && make install
Install libol:       # ./configure --prefix=/usr/local/libol && make && make install
Install syslog-ng:   # export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig/
                     # ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol
                     # make && make install
Configure syslog-ng: # vi /usr/local/syslog-ng/etc/syslog-ng/syslog-ng.conf

options {
    keep_hostname(yes);
    long_hostnames(off);
    sync(1);
    log_fifo_size(1024);
    create_dirs(yes);   # if a dir does not exist, create it
    owner(root);        # owner of created files
    group(root);        # group of created files
    perm(0600);         # permissions of created files
    dir_perm(0700);     # permissions of created dirs
};
source s_all {
    udp();                     # remote logs arriving at 514/udp
    unix-stream("/dev/log");   # local system logs
    file("/proc/kmsg");        # local kernel logs
    internal();                # internal syslog-ng logs
};
destination single-file {
    file("/var/log/syslog-ng/all-messages");
};
log {
    source(s_all);
    destination(single-file);
};

Start syslog-ng:  # /etc/init.d/syslog stop
                  # /usr/local/syslog-ng/sbin/syslog-ng
Verify:           # ps -ef | grep syslog-ng
Check the file:   /var/log/syslog-ng/all-messages
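The perm(0600) and dir_perm(0700) options above are what keep collected logs readable by root only; the following script is an added example (not part of the original guide) that verifies the resulting modes, so the check can be re-run after upgrades or hand edits. The path arguments and the stat fallback for non-GNU systems are my own assumptions.

```sh
#!/bin/sh
# Added example: confirm that the log directory and file created by
# syslog-ng carry the modes requested by perm(0600)/dir_perm(0700).

# mode_of PATH -> octal mode, e.g. 600 (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_mode PATH EXPECTED -> 0 when the mode matches, 1 on mismatch,
# 2 when the path cannot be read.
check_mode() {
    actual=$(mode_of "$1") || return 2
    if [ "$actual" = "$2" ]; then
        echo "ok   $1 mode $actual"
        return 0
    fi
    echo "FAIL $1 mode $actual (expected $2)" >&2
    return 1
}

# check_log_tree DIR FILE -> 0 only when DIR is 0700 and FILE is 0600.
check_log_tree() {
    rc=0
    check_mode "$1" 700 || rc=1
    check_mode "$2" 600 || rc=1
    return $rc
}

# Stand-alone run against the paths used in this guide (assumed locations).
if [ -d /var/log/syslog-ng ]; then
    check_log_tree /var/log/syslog-ng /var/log/syslog-ng/all-messages || :
fi
```

A non-zero status from check_log_tree means some other process (a package post-install script, a manual chmod) has widened access to the log spool, which is worth an alert of its own since the spool is the evidence the rest of this guide relies on.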
2. Install MySQL under /usr/local/mysql to store the logs.

3. Install SQLSyslogd so that the logs are written into the MySQL database:

Install:  # ln -s /usr/local/mysql/lib/mysql /usr/local/lib/mysql
          # ln -s /usr/local/mysql/include/mysql /usr/local/include/mysql
          # make && cp sqlsyslogd /usr/local/sbin/
          # echo /usr/local/lib/mysql >> /etc/ld.so.conf && ldconfig
Verify that sqlsyslogd runs:  # sqlsyslogd
If all is well, you will see sqlsyslogd's help text.
Edit the sqlsyslogd.sql file:  # vi sqlsyslogd.sql

create database sqlsyslogd;
use sqlsyslogd;
create table logs (
    Id int(10) NOT NULL auto_increment,
    Timestamp varchar(16),
    Host varchar(50),
    Prog varchar(50),
    Mesg text,
    PRIMARY KEY (Id)
);
use mysql;
create user sqlsyslogd@localhost identified by 'foo';
grant all on sqlsyslogd.* to sqlsyslogd@localhost;
flush privileges;

# mysql -u root -p < sqlsyslogd.sql
# vi /usr/local/etc/sqlsyslogd.conf
foo

(sqlsyslogd.conf holds only the password of the sqlsyslogd database user, 'foo' in the example above.)

Edit syslog-ng.conf and add the following lines:

destination mysql {
    program("/usr/local/sbin/sqlsyslogd -u sqlsyslogd -t logs sqlsyslogd -p");
};
log {
    source(s_all);
    destination(mysql);
};

Restart syslog-ng:  # pkill -HUP syslog-ng
Verify: you should now be able to view the logs with a MySQL client.
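To make the logs table layout concrete, here is an added example (my own illustration, not sqlsyslogd's code and not from the original guide) that splits classic BSD syslog lines of the kind written to all-messages into the Timestamp, Host, Prog and Mesg columns and emits INSERT statements. The sample lines are constructed. The point worth noticing is the quoting: a log message is untrusted input, so every single quote and backslash in it is doubled before it is placed inside a SQL string literal.

```sh
#!/bin/sh
# Added example: map "Mon DD HH:MM:SS host prog[pid]: message" lines to
# INSERT statements for the `logs` table. The line layout is an assumption
# about what the collector writes, not a description of sqlsyslogd.

# Constructed sample input (not captured from a real host). The last line
# carries single quotes to exercise the escaping.
SAMPLE_LOG="Mar  3 10:15:02 web01 sshd[2201]: Failed password for root from 10.0.0.5 port 4022 ssh2
Mar  3 10:15:03 db01 kernel: EXT3-fs error (device sda1): file system full
Mar  3 10:15:04 web01 su: pam_unix(su:auth): authentication failure; user='o'brien'"

# syslog_to_sql < lines -> one INSERT statement per input line.
syslog_to_sql() {
    awk -v q="'" '
    # Double every backslash and single quote ("&" is the matched text),
    # which is what a single-quoted MySQL string literal requires.
    function sql_escape(s) {
        gsub(/\\/, "&&", s)
        gsub(q, "&&", s)
        return s
    }
    NF >= 5 {
        ts   = $1 " " $2 " " $3            # "Mar 3 10:15:02"
        host = $4
        prog = $5
        sub(/:$/, "", prog)                # "sshd[2201]:" -> "sshd[2201]"
        sub(/\[[0-9]+\]$/, "", prog)       # "sshd[2201]"  -> "sshd"
        # Message: everything after the program token (assumes that token
        # does not also occur earlier on the line).
        mesg = substr($0, index($0, $5) + length($5))
        sub(/^[ \t]+/, "", mesg)
        printf "INSERT INTO logs (Timestamp, Host, Prog, Mesg) VALUES (%s, %s, %s, %s);\n",
            q sql_escape(ts) q, q sql_escape(host) q, q sql_escape(prog) q, q sql_escape(mesg) q
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | syslog_to_sql
```

Whatever actually writes to the table, the same rule applies: field values from the wire must never be spliced into SQL without escaping or a parameterised statement, because a remote host can put anything it likes into a syslog message.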
4. Install logcheck and newlogcheck:

Install:   # mkdir -p /usr/local/logcheck/bin /usr/local/logcheck/etc /usr/local/logcheck/tmp
           # cd logcheck-<version>
           Edit the Makefile and change /usr/local in it to /usr/local/logcheck
           # make linux
           # cd newlogcheck-<version> && cp *.* /usr/local/logcheck/etc/
Configure: edit newlogcheck.sh and sort_logs.pl in /usr/local/logcheck/etc/ so that they point at the actual locations of the logcheck files
           # mkdir /usr/local/logcheck/tmp/host
Test:      # /usr/local/logcheck/etc/newlogcheck.sh
If the installation is correct you should receive an e-mail. Now you can add a crontab entry to run the logcheck check automatically:
# crontab -e
...
10 2 * * * /usr/local/logcheck/etc/newlogcheck.sh
5. Install swatch:

Install the following Perl modules, in this order: Carp-Clan, Bit-Vector, Date-Calc, Time-HiRes, File-Tail, TimeDate, and then swatch (use version 3.0.8, not 3.0.12).
Configure swatch:  # vi /etc/swatch.conf

watchfor /Failed password/
    mail addresses=root,subject=warning: Failed password
    throttle 01:00
watchfor /Invalid user/
    mail addresses=root,subject=warning: Invalid user
watchfor /authentication failure/
    mail addresses=root,subject=warning: authentication failure
watchfor /iptables:/
    mail addresses=root,subject=warning: iptables operation
watchfor /Duplicate address/
    mail addresses=root,subject=warning: Duplicate address
watchfor /file system full/
    mail addresses=root,subject=warning: file system full
watchfor /(panic|halt)/
    mail addresses=root,subject=warning: panic or halt happened
watchfor /Media Error/
    mail addresses=root,subject=warning: disk error happened
...

Run swatch:  # /usr/bin/swatch --config-file=/etc/swatch.conf --tail-file=/var/log/syslog-ng/all-messages &
Verify:      # ps -ef | grep swatch | grep -v grep
If all is well you should see two processes:
root ...... /usr/bin/perl /usr/bin/swatch --config-file=/etc/swatch.conf --tail-file=/var/log/syslog-ng/all-messages
root ...... /usr/bin/perl /root/.swatch_script.17374   <- the number you see will be different
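Before trusting a watch list to wake someone up, it is worth running the same patterns over known input and checking which rules fire and how often. The script below is an added example (not part of the original guide and not swatch's code) that applies the watchfor patterns from the swatch.conf above, as extended regexes handed to grep -E, to a few constructed log lines; the log lines, the rule table format and the function names are my own.

```sh
#!/bin/sh
# Added example: dry-run the swatch rule set over sample lines and report
# hit counts per rule, so gaps (a pattern that never fires) and noise
# (a pattern that fires on routine traffic) show up before deployment.

# Constructed sample of all-messages (not real host output).
SAMPLE_LOG="Mar  3 10:15:02 web01 sshd[2201]: Failed password for root from 10.0.0.5 port 4022 ssh2
Mar  3 10:15:05 web01 sshd[2203]: Invalid user admin from 10.0.0.5
Mar  3 10:15:09 db01 kernel: iptables: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.7 PROTO=TCP DPT=3306
Mar  3 10:16:00 db01 kernel: sd 0:0:0:0: [sda] Media Error
Mar  3 10:16:10 mail01 cron[911]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:16:15 web01 sshd[2210]: Failed password for root from 10.0.0.5 port 4030 ssh2"

# Rule table, one "regex;subject" per line, mirroring the watchfor entries
# and their mail subjects in /etc/swatch.conf above.
RULES='Failed password;warning: Failed password
Invalid user;warning: Invalid user
authentication failure;warning: authentication failure
iptables:;warning: iptables operation
Duplicate address;warning: Duplicate address
file system full;warning: file system full
(panic|halt);warning: panic or halt happened
Media Error;warning: disk error happened'

# count_hits LOGTEXT REGEX -> number of lines matching REGEX (0 is not an error).
count_hits() {
    printf '%s\n' "$1" | grep -Ec -- "$2" || true
}

# scan_log LOGTEXT -> one "subject: N line(s)" report per rule that fired.
scan_log() {
    printf '%s\n' "$RULES" | while IFS=';' read -r regex subject; do
        n=$(count_hits "$1" "$regex")
        if [ "$n" -gt 0 ]; then
            printf '%s: %s line(s)\n' "$subject" "$n"
        fi
    done
}

# Stand-alone run over the constructed sample.
scan_log "$SAMPLE_LOG"
```

On the sample, four rules fire (Failed password twice, Invalid user, iptables and Media Error once each) and the cron line matches nothing, which is the intended outcome. Note that the patterns are case-sensitive, exactly as in swatch; a daemon that logs "failed password" in lower case would slip past the first rule. The repeated Failed password hits are where swatch's throttle line earns its keep: without it, a password-guessing burst turns into one mail per attempt.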
6. Install splunk:

Unpack the splunk tarball and move it to /usr/local/splunk. Edit /usr/local/splunk/bin/setSplunkEnv and /usr/local/splunk/etc/init.d/redhat/splunk, setting $SPLUNK_HOME in both to /usr/local/splunk, then copy /usr/local/splunk/etc/init.d/redhat/splunk into /etc/init.d/:
# chmod 700 /etc/init.d/splunk && chkconfig splunk on
Start splunk:  # /etc/init.d/splunk start
Configure:
Now you can search the logs.

7. Configure startup:  # vi /etc/rc.local
...
/usr/local/syslog-ng/sbin/syslog-ng
/usr/bin/swatch --config-file=/etc/swatch.conf --tail-file=/var/log/syslog-ng/all-messages &
III. Configuring the log clients

A log client here means any server that has to send its own logs to the log host. Configuration on the client is simple and takes only two steps:

1. Add an entry to /etc/syslog.conf so that the client also sends every message of severity info or higher to the log host:
# cat /etc/syslog.conf
...
*.info @log_host
2. Add an entry to /etc/hosts so that the client can resolve the name log_host used above:
# cat /etc/hosts
x.x.x.x log_host
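The usual way the two-step client setup fails is silently: the forwarding line is present but the name after the @ does not resolve, and syslogd simply drops the remote copy. The following is an added example (not from the original guide) that checks both entries together; it takes the file paths as parameters so it can be run against copies, and the function names and the 192.0.2.10 address in its stand-alone run are my own constructions.

```sh
#!/bin/sh
# Added example: verify that a client's syslog.conf forwards to at least one
# remote host and that every such host is resolvable through the hosts file.

# forward_targets CONF -> prints each host named on a "selector @host"
# line; the leading @ is the forwarding marker in syslog.conf.
forward_targets() {
    grep -v '^[[:space:]]*#' "$1" | awk '$2 ~ /^@/ { sub(/^@/, "", $2); print $2 }'
}

# in_hosts HOSTSFILE NAME -> 0 when NAME appears as a hostname or alias.
in_hosts() {
    grep -v '^[[:space:]]*#' "$1" |
        awk -v n="$2" '{ for (i = 2; i <= NF; i++) if ($i == n) found = 1 } END { exit !found }'
}

# check_client CONF HOSTSFILE -> 0 only when a forwarding line exists and
# all of its targets are present in HOSTSFILE.
check_client() {
    targets=$(forward_targets "$1")
    if [ -z "$targets" ]; then
        echo "FAIL no '@host' forwarding line in $1" >&2
        return 1
    fi
    rc=0
    for t in $targets; do
        if in_hosts "$2" "$t"; then
            echo "ok   $t resolves via $2"
        else
            echo "FAIL $t is not in $2; forwarded messages would be dropped" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the real files when they exist.
if [ -r /etc/syslog.conf ] && [ -r /etc/hosts ]; then
    check_client /etc/syslog.conf /etc/hosts || :
fi
```

Running this from the same cron that drives logcheck gives an early warning when a client quietly stops reporting, which matters because an intruder who edits syslog.conf on a compromised host is doing exactly that.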
To sum up: setting up a log host takes considerable effort. Once it is configured, however, the benefits are equally large. You can look up logs from long ago at any time; you learn promptly that a server's hard disk has a problem; and if an intruder breaks into one of your servers, no matter how thoroughly he wipes his own traces there, you can still find the traces he left during the intrusion, and so on. It is therefore well worth the effort to build such a log host.

This article is reposted from zkjian517's 51CTO blog; original link: http://blog.51cto.com/zoukejian/56828