Linux Technology

Log Management

2018-03-14  Miracle001
Port 514
rpm -qi sysklogd  (syslogd and klogd; CentOS 5)
rpm -qi rsyslog  (CentOS 6/7)
vim /etc/ssh/sshd_config  just have a look
    SyslogFacility AUTHPRIV
    #LogLevel INFO  messages at info level and above are recorded
man logger
man 3 syslog
  facility: classifies log messages by function or by program
    auth, authpriv, cron, ...
  priority: the level, ordered from low to high
    debug, info, notice, ...
Rule definition: facility.priority decides which file a message is written to
rpm -ql rsyslog
Check whether the service starts at boot:
systemctl is-enabled rsyslog  (CentOS 7)
systemctl status rsyslog  (CentOS 7)
chkconfig --list rsyslog  (CentOS 6)
Configuration file format: three parts
    MODULES: module-related configuration
    GLOBAL DIRECTIVES: global configuration
    RULES: rules for what gets logged and where
vim /etc/rsyslog.conf  look at the format of the RULES section
    RULES format: facility.priority; facility.priority... target
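The selector semantics behind that RULES line are easy to get wrong (a priority means "that level and above", `none` removes a facility that an earlier `*.info` already matched, and the PRI number in a packet is facility * 8 + severity). The following is an added example written for this page, not code from the post or from rsyslog itself; it evaluates the exact selector forms used in these notes (`*.info;mail.none;...`, `local0.*`, comma-separated facilities) plus the `=priority` exact-match form, and encodes/decodes PRI values as defined in syslog(3).

```python
"""rsyslog-style selector evaluation (added example, not from the original post)."""

# Severities in syslog(3) order: index 0 is the most severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Facility codes from syslog(3) / RFC 3164.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}


def encode_pri(facility, severity):
    """PRI value carried in '<PRI>' at the start of a syslog message."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Inverse of encode_pri; unknown facility numbers are returned as text."""
    fac_num, sev_num = divmod(pri, 8)
    fac = next((name for name, n in FACILITIES.items() if n == fac_num), str(fac_num))
    return fac, SEVERITIES[sev_num]


def parse_rule(line):
    """Split 'facility.priority;facility.priority...   target' into a selector
    list and the target (a file, a user list, @host for UDP or @@host for TCP)."""
    selectors, target = line.split(None, 1)
    parsed = []
    for sel in selectors.split(";"):
        facs, pri = sel.rsplit(".", 1)          # 'auth,authpriv.none' -> facilities, priority
        for fac in facs.split(","):
            parsed.append((fac.strip(), pri.strip()))
    return parsed, target.strip()


def matches(selectors, facility, severity):
    """True if a message of (facility, severity) is delivered by this rule.

    Selectors are applied left to right and a later one overrides an earlier
    one for the same facility; that is how '*.info;mail.none' keeps every
    facility at info and above except mail."""
    decision = False
    for fac, pri in selectors:
        if fac != "*" and fac != facility:
            continue
        if pri == "none":
            decision = False
        elif pri == "*":
            decision = True
        elif pri.startswith("="):                # '=info' means exactly that level
            decision = severity == pri[1:]
        else:                                    # 'info' means info and more severe
            decision = SEVERITIES.index(severity) <= SEVERITIES.index(pri)
    return decision


if __name__ == "__main__":
    rule = "*.info;mail.none;authpriv.none;cron.none    /var/log/messages"
    sels, target = parse_rule(rule)
    for fac, sev in [("user", "notice"), ("mail", "err"), ("authpriv", "info"), ("kern", "debug")]:
        print(fac, sev, "->", target if matches(sels, fac, sev) else "(dropped)")
    print("local0.info PRI =", encode_pri("local0", "info"))
```

A message from `logger` with no `-p` option is user.notice, so it matches the `*.info` selector; the sshd messages moved to `local0` in the next section match `local0.*` and nothing in the default `/var/log/messages` rule, which is why they only land in the new file.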
logger "This is a test log"
tail /var/log/messages
tail -f /var/log/secure  shows user login events
centos6: ssh 192.168.28.127

Write the login log messages to a file of our own choosing
vim /etc/ssh/sshd_config
#SyslogFacility AUTHPRIV  comment this out and add:
SyslogFacility local0
LogLevel INFO
systemctl restart sshd
vim /etc/rsyslog.conf
Add at the bottom (rsyslog reads its configuration only at startup, so restart it after saving):
local0.*        /var/log/sshd.log
ll /var/log/sshd.log  not created yet
centos6: ssh 192.168.28.127
ll /var/log/sshd.log  now created

Notify the root and fgq users of logins
vim /etc/rsyslog.conf
local0.*        root,fgq
systemctl restart rsyslog
ctrl+alt+f2: log in as fgq
centos6: ssh 192.168.28.127
Now the root and fgq users on centos7 receive the login message from centos6
Restore the default settings

Network log service: logs are recorded on a remote server
The listening port is configured on the server; the client port is random and needs no configuration
Send centos6's log messages to centos7 (the server)
Configure the rsyslog server
centos7
vim /etc/rsyslog.conf
Open the listening port: uncomment the lines below so they take effect
$ModLoad imudp   this uses the UDP protocol
$UDPServerRun 514
systemctl restart rsyslog
ss -nul  port 514
Configure the rsyslog client
centos6
logger "this is a centos6 log"
cat /var/log/messages
vim /etc/rsyslog.conf
#*.info;mail.none;authpriv.none;cron.none                /var/log/messages
*.info;mail.none;authpriv.none;cron.none                @192.168.29.127
service rsyslog restart
Test
centos6: logger "this is a centos6 log2"
centos7: tail -f /var/log/messages  the centos6 message appears; centos6 itself no longer records its own messages locally
centos6: logger "this is a centos6 log3"

Send centos6's log messages to centos7 (the server); logins from centos5 to centos6 are then also recorded on centos7
Configure the rsyslog client
centos6
vim /etc/ssh/sshd_config
#SyslogFacility AUTH
#SyslogFacility AUTHPRIV
#LogLevel INFO
SyslogFacility local1
vim /etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
#*.info;mail.none;authpriv.none;cron.none                @192.168.29.127
local1.*          @@192.168.29.127  a double @@ means TCP is used
service rsyslog restart; service sshd restart
Configure the rsyslog server
centos7
vim /etc/rsyslog.conf
$ModLoad imtcp  open the TCP port; leave UDP open for now
$InputTCPServerRun 514
local1.*        /var/log/sshd.log
systemctl restart rsyslog
ss -ntul    port 514 is listening on both TCP and UDP
tail -f /var/log/sshd.log
centos6: service rsyslog restart; service sshd restart
Test
centos7: tail -f /var/log/sshd.log
centos5: ssh 192.168.29.126
centos7: tail -f /var/log/sshd.log
centos6: tail -f /var/log/sshd.log  the centos5 login messages are here too
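What actually travels between the client and the server in the two forwarding setups above (`@host` over UDP, `@@host` over TCP) is a BSD-style message `<PRI>TIMESTAMP HOST TAG: MSG`; over TCP, rsyslog's default framing simply terminates each message with a newline, so one connection can carry many messages. The following is an added example written for this page, not rsyslog code and not part of the original post: it runs a throwaway receiver and a sender on 127.0.0.1 with an ephemeral port (binding the real port 514 needs root), so the exchange can be inspected without two machines. Hostnames and tags in it are constructed.

```python
"""Local demonstration of @ (UDP) and @@ (TCP) syslog forwarding (added example)."""
import socket
import threading
import time


def build_message(facility_num, severity_num, host, tag, text):
    """Format a BSD syslog line the way rsyslog forwards it by default."""
    pri = facility_num * 8 + severity_num
    stamp = time.strftime("%b %d %H:%M:%S")
    return "<%d>%s %s %s: %s" % (pri, stamp, host, tag, text)


def parse_message(raw):
    """Return (facility_num, severity_num, rest) from a '<PRI>...' line."""
    if not raw.startswith("<") or ">" not in raw:
        raise ValueError("not a syslog message: %r" % raw)
    end = raw.index(">")
    pri = int(raw[1:end])
    return pri // 8, pri % 8, raw[end + 1:]


def udp_roundtrip(msg):
    """Deliver one datagram to a local UDP receiver (the '@host' path) and
    return what the receiver got. One message per datagram; no framing."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(5)
    port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.sendto(msg.encode(), ("127.0.0.1", port))
    data, _ = srv.recvfrom(65535)
    cli.close()
    srv.close()
    return data.decode()


def tcp_roundtrip(msgs):
    """Send several newline-framed messages over one TCP connection (the
    '@@host' path) and return them as the receiver split them."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)
    port = srv.getsockname()[1]
    received = []

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(5)
        buf = b""
        while True:                      # read until the sender closes
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
        conn.close()
        # Newline framing: one message per line, ignore a trailing empty piece.
        received.extend(line.decode() for line in buf.split(b"\n") if line)

    t = threading.Thread(target=serve)
    t.start()
    cli = socket.create_connection(("127.0.0.1", port), timeout=5)
    cli.sendall("".join(m + "\n" for m in msgs).encode())
    cli.close()
    t.join(5)
    srv.close()
    return received


if __name__ == "__main__":
    # local1 (17) / info (6): what sshd emits after 'SyslogFacility local1'
    login = build_message(17, 6, "centos6", "sshd[2143]", "Accepted password for root")
    # user (1) / notice (5): what 'logger "this is a centos6 log3"' emits
    note = build_message(1, 5, "centos6", "root", "this is a centos6 log3")
    print("UDP:", udp_roundtrip(note))
    for line in tcp_roundtrip([login, note]):
        print("TCP:", parse_message(line))
```

The receiver trusts the PRI and HOST fields as sent; nothing in plain UDP or TCP syslog authenticates the source, which is why a central collector normally restricts who may reach port 514 and why the `FromHost` column in the MySQL setup later on records the peer address separately from the hostname inside the message.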

tail -f /var/log/secure  shows user login events
/var/log/secure: system security log (authentication events), text format; should be analysed periodically
/var/log/btmp: failed login attempts on this system, binary format; view with the lastb command
/var/log/wtmp: successful user logins on this system, binary format; view with the last command
/var/log/lastlog: each user's most recent login, binary format; view with the lastlog command
/var/log/dmesg: messages from the system boot process, text format; view with a text viewer or with the dedicated dmesg command
/var/log/messages: most of the system's messages
/var/log/anaconda: the anaconda (installer) logs
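"Should be analysed periodically" is the part these notes leave open. The following is an added example, not from the original post, of the simplest useful periodic check on `/var/log/secure`: parse the sshd `Accepted`/`Failed` lines, count failures per source address, and flag sources that kept failing and then got in. The sample lines are constructed to look like sshd output via authpriv; the hostnames and addresses are the lab addresses from these notes, not real observations, and the threshold of 3 is an assumption.

```python
"""Failed-login triage over /var/log/secure-style sshd lines (added example)."""
import re
from collections import Counter

# Constructed sample of /var/log/secure; not captured from a real host.
SAMPLE_SECURE = """\
Mar 14 10:01:02 centos7 sshd[2143]: Accepted password for root from 192.168.29.126 port 51234 ssh2
Mar 14 10:01:09 centos7 sshd[2151]: Failed password for invalid user admin from 192.168.29.132 port 40001 ssh2
Mar 14 10:01:11 centos7 sshd[2151]: Failed password for invalid user admin from 192.168.29.132 port 40001 ssh2
Mar 14 10:01:14 centos7 sshd[2155]: Failed password for root from 192.168.29.132 port 40003 ssh2
Mar 14 10:01:20 centos7 sshd[2160]: Failed password for fgq from 192.168.29.126 port 51240 ssh2
Mar 14 10:02:31 centos7 sshd[2170]: Accepted publickey for fgq from 192.168.29.126 port 51260 ssh2
Mar 14 10:02:40 centos7 sshd[2155]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.132  user=root
"""

# Matches the sshd result lines only; pam_unix and other noise are skipped.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_sshd(lines):
    """Return one dict per Accepted/Failed line, in log order."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_by_source(events):
    """Failed attempts per source address."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def noisy_sources(events, threshold=3):
    """Sources at or above the failure threshold (threshold is an assumption)."""
    return sorted(ip for ip, n in failed_by_source(events).items() if n >= threshold)


def successes_after_failures(events):
    """(ip, user) pairs where a source was accepted after at least one failure;
    this is the pattern worth a closer look in a periodic review."""
    failed = set()
    hits = []
    for e in events:
        if e["result"] == "Failed":
            failed.add(e["ip"])
        elif e["ip"] in failed:
            hits.append((e["ip"], e["user"]))
    return hits


if __name__ == "__main__":
    ev = parse_sshd(SAMPLE_SECURE.splitlines())
    print("failures per source:", dict(failed_by_source(ev)))
    print("noisy sources:", noisy_sources(ev))
    print("accepted after failures:", successes_after_failures(ev))
```

Run it against the real file with `parse_sshd(open("/var/log/secure").readlines())`; the same regex works on the lines rsyslog forwards to the central host, so the check can run once on the collector instead of on every client.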

Send logs from centos6-3 to centos6
centos6  rsyslog server
vim /etc/rsyslog.conf
Uncomment to enable both UDP and TCP; the machine can then receive logs sent by other hosts
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
service rsyslog restart
centos6-3 (ip: 192.168.29.132)  rsyslog client
vim /etc/rsyslog.conf
#*.info;mail.none;authpriv.none;cron.none            /var/log/messages
*.info;mail.none;authpriv.none;cron.none             @192.168.29.126
service rsyslog restart
logger "this is a centos6-3 log"
logger "this is a centos6-3 log1"
logger "this is a centos6-3 log2"
logger "this is a centos6-3 log3"
centos6
tail /var/log/messages
Do not revert this; it sets up the next experiment

rsyslog logging to MySQL
mysql server: centos7
rsyslog: centos6
Configure the MySQL server
centos7
Disable the firewall
yum -y install mariadb-server mariadb  (the server and client packages queried on the next two lines; "yum groupinstall" expects package-group names, not these package names)
rpm -ql mariadb-server
rpm -ql mariadb  the client
systemctl start mariadb
ss -ntlp  show the listening program
mysql
grant all on Syslog.* to 'sysloguser'@'192.168.%.%' identified by '123456';
flush privileges;  the grant takes effect immediately
quit
vim /etc/my.cnf
Add under [mysqld]:
skip_name_resolve = on
innodb_file_per_table = on
systemctl restart mariadb.service
systemctl status mariadb.service
ss -ntl
mysql -usysloguser -p -h 192.168.29.127
quit
mysql_secure_installation  disallow anonymous logins
mysql -uroot -p
enter the password; quit
Configure the rsyslog side
centos6
Disable the firewall
yum install mysql -y
Restart the service
yum list rsyslog*
yum -y install rsyslog-mysql
rpm -ql rsyslog-mysql
less /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql  contains the SQL statements
mysql -usysloguser -p -h 192.168.29.127  login succeeds
mysql -usysloguser -p -h 192.168.29.127 < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
centos7:
mysql -usysloguser -p -h 192.168.29.127
show databases;
use Syslog;
show tables;
Stay logged in
Configure rsyslog to save logs to MySQL
centos6
vim /etc/rsyslog.conf
Uncomment to enable both UDP and TCP
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
#### MODULES ####  add the following
$ModLoad ommysql
#### RULES ####
#*.info;mail.none;authpriv.none;cron.none    /var/log/messages  comment this out
*.info;mail.none;authpriv.none;cron.none  :ommysql:192.168.29.127,Syslog,sysloguser,123456
service rsyslog restart
logger "this is a centos6 log3"
logger "this is a centos6 log4"
centos7:
The session is still open; continue there
select count(*) from SystemEvents;
select count(*) from SystemEventsProperties;
select * from SystemEvents;
select * from SystemEvents\G  easier to read


Display the logs in the database through LogAnalyzer
centos7 is the MySQL database host (already done)
centos6 does the front-end display
centos6
(1) Prepare an AMP or NMP stack on the rsyslog server
yum -y install httpd php php-mysql php-gd  (php-gd renders the graphical log charts)
vim /var/www/html/index.php
<?php
    // Connect to the Syslog database on centos7 with the rsyslog account
    $conn = mysql_connect('192.168.29.127', 'sysloguser', '123456');
    if ($conn)
        echo "OK";
    else
        echo "failure";
    phpinfo();
?>
service httpd restart
Browser: 192.168.29.126  shows OK
(2) Install LogAnalyzer
LogAnalyzer download: http://loganalyzer.adiscon.com/
cd /usr/local/src
rz  upload the tarball
tar xvf loganalyzer-4.1.6.tar.gz; ls
cd loganalyzer-4.1.6; ls
ll contrib/; ll src/
mv contrib/* src/; ls
cp -r src /var/www/html/loganalyzer  (this copy step is implied by the next line; the notes omit it)
cd /var/www/html/loganalyzer; ll
chmod +x *.sh
./configure.sh
./secure.sh
When both have run, config.php is created but is empty
ll config.php install.php
chmod 666 config.php  (install.php must be able to write it; tighten the mode again once installation is finished)
(3) Configure LogAnalyzer
Browser: 192.168.29.126/loganalyzer/install.php  to run the installer
next
next
next
MySQL Native, Syslog Fields, Monitorware
Database Host                192.168.29.127
Database Name                Syslog
Database Tablename           SystemEvents
Database User                sysloguser
Database Password            123456
next
finish
Menu bar options:
Click Statistics
On centos6-3, continuing the experiment above:
logger "this is a centos6-3 log10"
logger "this is a centos6-3 log11"
The Statistics chart in the browser now changes

