
Deploying a central log server on RHEL 5.4 with rsyslog + loganalyzer

1 System requirements

   mysql mysql-devel mysql-server php php-mysql php-pdo php-common php-gd httpd

2 Required source packages

   rsyslog-5.6.2.tar.gz

   loganalyzer-3.0.4.tar.gz

3 Install rsyslog

 #tar xvf rsyslog-5.6.2.tar.gz

 #cd rsyslog-5.6.2

 #./configure --enable-mysql

 #make && make install

 Note: the symlink created in step 7 expects the daemon under /usr/local/rsyslog/sbin/, so either pass --prefix=/usr/local/rsyslog to ./configure or point that symlink at wherever make install actually placed rsyslogd (with the default prefix that is /usr/local/sbin/rsyslogd).

 4 Edit rsyslog's main configuration file

 Modify it as follows:

#if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.
$ModLoad immark   # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # kernel logging (formerly provided by rklogd)
$ModLoad ommysql

*.*       :ommysql:localhost,Syslog,root,frank
# Note: the localhost field is the database-server,
#       Syslog is the database-name,
#       root is the database-userid,
#       frank is the password the root user uses to log in to MySQL.
# The format of this line is:
#*.*       :ommysql:database-server,database-name,database-userid,database-password
# Also note that database-name must match the one used in
# /root/rsyslog-5.6.2/plugins/ommysql/createDB.sql

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                -/var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  -/var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          -/var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /rsyslog/spool # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514

# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
#$ModLoad imtcp.so # load module
#$InputTCPServerRun 514 # start up TCP listener at port 514

########## The configuration below accepts logs from remote hosts
# UDP Syslog Server:
$ModLoad imudp.so # provides UDP syslog reception
$UDPServerRun 514 # start a UDP syslog server at standard port 514

 Two things to keep in mind with this file: it now holds the MySQL password in clear text, so it should be readable by root only; and the UDP listener will accept unauthenticated syslog datagrams from any host that can reach port 514, so limit the permitted sources with a firewall rule or rsyslog's $AllowedSender directive.

5 Stop the system's bundled syslog service

     #service syslog stop

     #chkconfig syslog off

 6 rsyslog has no init script of its own, so copy syslog's init script and modify it:

 #cp /etc/init.d/{syslog,rsyslog}

 Replace syslog with rsyslog throughout the script:

 #sed -i 's/syslog/rsyslog/g' /etc/init.d/rsyslog

 #chmod 700 /etc/init.d/rsyslog

 #chkconfig --add rsyslog

 #chkconfig rsyslog on

 7 Create the following symlink; otherwise rsyslog reports an error on startup:

     # ln -sv /usr/local/rsyslog/sbin/rsyslogd /sbin/rsyslogd

 8 Import the database

 #cd /root/rsyslog-5.6.2/plugins/ommysql

 #mysql -uroot -pfrank < createDB.sql

 9 Start rsyslog and verify

   #service rsyslog restart

   #mysql -uroot -pfrank

   mysql> USE Syslog;

   mysql> SELECT * FROM SystemEvents;

 # If the configuration above is correct, new log entries should be visible here.

 10 Install loganalyzer and set permissions

     #tar xvf loganalyzer-3.0.4.tar.gz

     #cd loganalyzer-3.0.4

     #cp -r src/     /var/www/html/loganalyzer

     #cp -r contrib/*     /var/www/html/loganalyzer

     #chown -R apache.apache /var/www/html/loganalyzer

 11   Install loganalyzer through its web interface; before doing so, the following two scripts must be run:

       #bash   /var/www/html/loganalyzer/configure.sh

       #bash    /var/www/html/loganalyzer/secure.sh

      Then, in the browser:

       Note: the IP is that of your log server.

 12 Install loganalyzer

(screenshot: http://blog.51cto.com/attachment/201012/223711991.png)

13

(screenshot: http://blog.51cto.com/attachment/201012/223801192.png)

14 Before installing, first run:

    #cd  /var/www/html/loganalyzer

    #bash  configure.sh

    #chmod   666  config.php

    config.php will hold the database credentials, and mode 666 is only needed while the web installer writes it; re-run secure.sh (see step 11) once the wizard has finished so the file is no longer world-writable.

(screenshot: http://blog.51cto.com/attachment/201012/223821419.png)

15   Check the database name, and for security do not use the root user.

(screenshot: http://blog.51cto.com/attachment/201012/224139915.png)

16

(screenshot: http://blog.51cto.com/attachment/201012/224118342.png)

17

(screenshot: http://blog.51cto.com/attachment/201012/224202500.png)

18  Create a user

(screenshot: http://blog.51cto.com/attachment/201012/224222555.png)

19  Check the database and table names

(screenshot: http://blog.51cto.com/attachment/201012/224548547.png)

20

(screenshot: http://blog.51cto.com/attachment/201012/224242213.png)

21 Create a user

(screenshot: http://blog.51cto.com/attachment/201012/224341989.png)

22  Confirm the configuration information below

(screenshot: http://blog.51cto.com/attachment/201012/224422629.png)

23  The rsyslog+loganalyzer analysis charts look like this:

(screenshot: http://blog.51cto.com/attachment/201012/224611878.png)

(screenshot: http://blog.51cto.com/attachment/201012/224622470.png)

(screenshot: http://blog.51cto.com/attachment/201012/224631642.png)

(screenshot: http://blog.51cto.com/attachment/201012/224642160.png)
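As an added example that is not part of the original post, the SQL below follows up on the step-9 check and the step-15 advice: it replaces the root/frank credentials with two least-privilege MySQL accounts for the Syslog database and SystemEvents table that createDB.sql creates, and turns the verification SELECT into a small detection query. The account names and passwords are placeholders chosen here, not values from the page.

```sql
-- Added example (not from the original post). Assumed placeholders:
-- users 'rsyslog_w' and 'loganalyzer_r' and their CHANGE_ME passwords.
-- The Syslog database and SystemEvents table come from createDB.sql.
USE Syslog;

-- rsyslog's ommysql action only INSERTs rows, so the account named in
-- rsyslog.conf needs nothing more than that; the action line becomes
--   *.* :ommysql:localhost,Syslog,rsyslog_w,CHANGE_ME_writer
CREATE USER 'rsyslog_w'@'localhost' IDENTIFIED BY 'CHANGE_ME_writer';
GRANT INSERT ON Syslog.SystemEvents TO 'rsyslog_w'@'localhost';

-- loganalyzer only reads the events from this source, so the account
-- entered in its wizard for the Syslog source gets SELECT only
-- (step 15: do not hand the web application root).
CREATE USER 'loganalyzer_r'@'localhost' IDENTIFIED BY 'CHANGE_ME_reader';
GRANT SELECT ON Syslog.SystemEvents TO 'loganalyzer_r'@'localhost';

-- Smoke test after 'service rsyslog restart' (step 9), limited to the
-- newest rows instead of dumping the whole table.
SELECT ID, ReceivedAt, FromHost, SysLogTag, Message
FROM SystemEvents
ORDER BY ID DESC
LIMIT 20;

-- Detection query: sending hosts that reported ten or more sshd
-- password failures in the last hour. FromHost is the machine that
-- forwarded the message, SysLogTag the program tag, Message the body.
SELECT FromHost,
       COUNT(*)        AS failures,
       MIN(ReceivedAt) AS first_seen,
       MAX(ReceivedAt) AS last_seen
FROM SystemEvents
WHERE SysLogTag LIKE 'sshd%'
  AND Message LIKE '%Failed password%'
  AND ReceivedAt >= NOW() - INTERVAL 1 HOUR
GROUP BY FromHost
HAVING COUNT(*) >= 10
ORDER BY failures DESC;
```

Run the GRANT statements as the MySQL root user once, then switch the credentials in rsyslog.conf and in the loganalyzer wizard to the new accounts.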

This article is reposted from freehat08's 51CTO blog; original link: http://blog.51cto.com/freehat/461495. Please contact the original author before reposting.