rsyslog is an open-source program for managing system logs. It is the successor of the earlier syslog and extends the original logging system with additional functionality.
The rsyslog daemon can be deployed in two roles. As a log collection server, the rsyslog process gathers log data from other hosts on the network, each of which is configured to send its logs to that remote server. As a client, it filters local log data and delivers it either to local files (such as those under /var/log) or to a remote rsyslog server.
I. rsyslog features
Multi-threaded
Reliable transport of log data over TCP, SSL, TLS and RELP
Output of logs to MySQL, PostgreSQL, Oracle and other relational databases
A powerful filter that can match on any part of a system message
Custom output formats
Suitable for enterprise-grade logging requirements
II. rsyslog configuration
The main rsyslog configuration file: /etc/rsyslog.conf
1. Filter and output rules have the format:
facility.priority Target
(1) facility: the subsystem that produced the log message, classified by function or program
Possible values: auth, authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, security, syslog, user, uucp, local0~local7
Wildcards can be used when specifying facilities:
*: all facilities
f1,f2,f3,...: a list of facilities
!: negation
(2) priority: log level
From low to high: debug(7), info(6), notice(5), warning(4), err(3), crit(2), alert(1), emerg(0)
Wildcards:
*: all levels
none: no level at all
Examples:
mail.info: messages of level info and of every level above info are recorded
mail.=info: only level info is recorded
mail.!info: everything except level info is recorded
*.info: level info (and above) of every facility
mail.*: every level of mail
mail.notice;news.info: mail at notice (and above) plus news at info (and above); several selectors are joined with ";"
mail,news.info: level info (and above) of both mail and news
(3) Target:
A file path, for example /var/log/messages
System logs are important information, so they are normally written to disk synchronously, but that costs performance; a "-" in front of the path means asynchronous writes
Users: * means every user currently logged in on the system
Log server: @SERVER_IP
Pipe: | COMMAND
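To make the selector semantics concrete, here is an added example (not code from the rsyslog project) that parses classic "facility.priority target" lines and answers "which targets receive a message of this facility and level?". It models *, none, =level, comma-separated facility lists, semicolon-joined selectors (later selectors override earlier ones for the same facility, which is how *.info;mail.none keeps mail out of /var/log/messages) and the file / -file / @host / * / |cmd target forms; the ! form is deliberately not modelled. The rule sets inside are constructed samples modelled on the default RULES section and on the client rule shown later on this page, and the numeric facility and priority codes are the standard syslog codes (the same values ommysql stores in SystemEvents.Facility and SystemEvents.Priority).

```python
"""Evaluate classic rsyslog 'facility.priority target' selector lines (added example)."""
from typing import Dict, List, Set, Tuple

# Standard syslog codes: PRI on the wire is facility * 8 + priority.
FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
FACILITY_CODES["security"] = FACILITY_CODES["auth"]  # deprecated alias of auth
PRIORITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}
ALL_PRIORITIES = set(PRIORITY_CODES.values())

# A parsed rule: {facility: accepted priority codes} plus the target string.
Rule = Tuple[Dict[str, Set[int]], str]


def parse_selector(selector: str) -> Dict[str, Set[int]]:
    """Turn 'f1,f2.pri;f3.pri' into {facility: accepted priority codes}.
    Later selectors override earlier ones for the same facility."""
    accepted: Dict[str, Set[int]] = {}
    for part in selector.split(";"):
        facs, _, pri = part.rpartition(".")
        if not facs or not pri:
            raise ValueError(f"bad selector {part!r}")
        facilities = list(FACILITY_CODES) if facs == "*" else facs.split(",")
        if pri == "*":
            codes = set(ALL_PRIORITIES)
        elif pri == "none":
            codes = set()
        elif pri.startswith("="):
            codes = {PRIORITY_CODES[pri[1:]]}          # exactly this level
        elif pri.startswith("!"):
            raise ValueError("'!' negation is not modelled in this example")
        else:
            # 'info' means info and everything more severe (lower code)
            codes = {c for c in ALL_PRIORITIES if c <= PRIORITY_CODES[pri]}
        for fac in facilities:
            if fac not in FACILITY_CODES:
                raise ValueError(f"unknown facility {fac!r}")
            accepted[fac] = codes
    return accepted


def parse_rules(config: str) -> List[Rule]:
    """Parse the rule lines of a classic rsyslog.conf fragment."""
    rules: List[Rule] = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("$"):     # skip directives such as $ModLoad
            continue
        selector, target = line.split(None, 1)
        rules.append((parse_selector(selector), target.strip()))
    return rules


def route(rules: List[Rule], facility: str, priority: str) -> List[str]:
    """Targets (in config order) that receive a message of facility.priority."""
    pcode = PRIORITY_CODES[priority]
    return [target for accepted, target in rules if pcode in accepted.get(facility, set())]


def describe_target(target: str) -> str:
    """Human-readable meaning of the target column."""
    if target == "*":
        return "write to the terminal of every logged-in user"
    if target.startswith("@@"):
        return f"forward over TCP to {target[2:]}"
    if target.startswith("@"):
        return f"forward over UDP to {target[1:]}"
    if target.startswith("|"):
        return f"pipe into {target[1:].strip()}"
    if target.startswith("-"):
        return f"file {target[1:]} (async write, last lines may be lost on a crash)"
    return f"file {target} (sync write)"


# Constructed sample modelled on the default RULES section of /etc/rsyslog.conf.
SERVER_RULES = """
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.*                               /var/log/secure
mail.*                                   -/var/log/maillog
cron.*                                   /var/log/cron
*.emerg                                  *
uucp,news.crit                           /var/log/spooler
local7.*                                 /var/log/boot.log
"""
# Constructed sample of a client that forwards to a log server (address assumed).
CLIENT_RULES = "*.info;mail.none;authpriv.none;cron.none @192.168.30.20\n"

if __name__ == "__main__":
    rules = parse_rules(SERVER_RULES)
    for fac, pri in [("mail", "info"), ("authpriv", "notice"), ("kern", "emerg"),
                     ("news", "crit"), ("cron", "debug"), ("user", "debug")]:
        targets = [describe_target(t) for t in route(rules, fac, pri)] or ["dropped"]
        print(f"{fac}.{pri:<8} -> " + "; ".join(targets))
    for t in route(parse_rules(CLIENT_RULES), "daemon", "warning"):
        print(f"daemon.warning on the client -> {describe_target(t)}")
```

Running it shows, for instance, that mail.info lands only in -/var/log/maillog (the mail.none in the first rule removes it from /var/log/messages), that kern.emerg hits both /var/log/messages and every logged-in user, and that user.debug is dropped by this rule set altogether, which is exactly the kind of check worth doing before trusting that a forwarded event will appear on the log server.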
2. Enabling the log server function
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
3. Log message format
TIME HOST PROCESS(PID): EVENT
Example of configuring a log server:
[root@node2 ~]# rpm -q rsyslog #rsyslog is installed by default on Linux systems
rsyslog-5.8.10-10.el6_6.x86_64
[root@node2 ~]# rpm -ql rsyslog
/etc/logrotate.d/syslog
/etc/pki/rsyslog
/etc/rc.d/init.d/rsyslog #service script
/etc/rsyslog.conf #main configuration file
/etc/rsyslog.d
/etc/sysconfig/rsyslog
/lib64/rsyslog
...
[root@node2 ~]# vim /etc/rsyslog.conf
...
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp #enable the imudp and imtcp modules and listen on port 514
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
...
...
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog #the leading "-" means asynchronous writes to disk
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.lo
...
[root@node2 ~]# service rsyslog restart #restart the rsyslog service
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@node2 ~]# netstat -tuanp | grep 'rsyslogd'
tcp   0   0 0.0.0.0:514   0.0.0.0:*   LISTEN   5063/rsyslogd
tcp   0   0 :::514        :::*        LISTEN   5063/rsyslogd
udp   0   0 0.0.0.0:514   0.0.0.0:*            5063/rsyslogd
udp   0   0 :::514        :::*                 5063/rsyslogd
[root@node3 ~]# vim /etc/rsyslog.conf #on another client machine, point the target at the log server's address
...
*.info;mail.none;authpriv.none;cron.none @192.168.30.20
...
[root@node3 ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@node3 ~]# yum -y install tree #test: perform an install
...
[root@node2 ~]# tail /var/log/messages #the corresponding log entries are now visible on the log server
...
Feb 20 23:56:06 node3 kernel: imklog 5.8.10, log source = /proc/kmsg started.
Feb 20 23:56:06 node3 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="5442" x-info="http://www.rsyslog.com"] start
Feb 20 23:56:19 node3 yum[5447]: Installed: tree-1.5.3-3.el6.x86_64
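What actually travels from node3 to the imudp listener on port 514 is a UDP datagram of the form <PRI>TIME HOST PROCESS[PID]: EVENT, where PRI = facility * 8 + priority, and the server strips the <PRI> part before writing the "time host process(PID): event" line seen in the tail output above. The following added example (not rsyslog's own code) builds such datagrams, parses them back into facility, level, host, tag, PID and message, and exchanges one over a throwaway UDP listener on an ephemeral loopback port that stands in for $UDPServerRun 514. The host names, PIDs and messages are constructed to mirror the tail output above; the listener port and the use of loopback are assumptions of the example.

```python
"""Build and parse BSD-style syslog datagrams as received by imudp (added example)."""
import re
import socket
import threading
from datetime import datetime
from typing import Optional, Tuple

# Standard facility codes 0..23 (12..15 are the RFC 3164 ntp/audit/alert/clock slots).
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5",
                  "local6", "local7"]
PRIORITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Wire form: <PRI>Mmm dd hh:mm:ss host tag[pid]: message   (the [pid] part is optional)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def build_message(facility: str, priority: str, host: str, tag: str, msg: str,
                  pid: Optional[int] = None, when: Optional[datetime] = None) -> bytes:
    """Encode one syslog line; PRI is facility*8 + priority, e.g. user.info -> <14>."""
    pri = FACILITY_NAMES.index(facility) * 8 + PRIORITY_NAMES.index(priority)
    when = when or datetime.now()
    ts = when.strftime("%b ") + f"{when.day:2d} " + when.strftime("%H:%M:%S")
    ident = f"{tag}[{pid}]" if pid is not None else tag
    return f"<{pri}>{ts} {host} {ident}: {msg}".encode()


def parse_message(data: bytes) -> dict:
    """Decode a datagram into the fields a log server records."""
    m = LINE_RE.match(data.decode(errors="replace"))
    if not m:
        raise ValueError(f"not a syslog line: {data!r}")
    pri = int(m["pri"])
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return {
        "facility": FACILITY_NAMES[pri // 8],
        "priority": PRIORITY_NAMES[pri % 8],
        "timestamp": m["ts"], "host": m["host"], "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None, "message": m["msg"],
    }


def sample_datagram() -> bytes:
    """Constructed datagram mirroring the yum line in the tail output above."""
    return build_message("user", "info", "node3", "yum",
                         "Installed: tree-1.5.3-3.el6.x86_64",
                         pid=5447, when=datetime(2016, 2, 20, 23, 56, 19))


def send_udp(data: bytes, server: Tuple[str, int]) -> None:
    """What an '@host' rule or the logger command does on the wire."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data, server)


def roundtrip_over_loopback(data: bytes) -> dict:
    """Start a one-shot UDP listener (the 'log server'), send the datagram to it
    and return what the listener parsed. An ephemeral port is used instead of
    the privileged port 514 so this runs without root."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(2)
    received: dict = {}

    def serve() -> None:
        pkt, _ = srv.recvfrom(8192)
        received.update(parse_message(pkt))

    t = threading.Thread(target=serve)
    t.start()
    send_udp(data, srv.getsockname())
    t.join()
    srv.close()
    return received


if __name__ == "__main__":
    dgram = sample_datagram()
    print("sent:    ", dgram.decode())
    print("received:", roundtrip_over_loopback(dgram))
```

Note that nothing in this exchange authenticates the sender: with plain UDP reception any host that can reach port 514 can claim to be node3 in the HOST field, which is why the TLS and RELP transports listed among the rsyslog features above matter for a collector that is used as evidence.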
4. rsyslog can store logs in a MySQL server:
① Install the rsyslog-mysql package;
② Create the database that rsyslog depends on:
# mysql < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
③ Enable the relevant module
In the #### MODULES #### section, load the module:
$ModLoad ommysql
In the #### RULES #### section, define a rule that records log messages in the database:
facility.priority :ommysql:SERVER_IP,DATABASE,USERNAME,PASSWORD
④ Restart the rsyslog service
[root@node2 ~]# yum -y install rsyslog-mysql
...
[root@node2 ~]# rpm -ql rsyslog-mysql
/lib64/rsyslog/ommysql.so
/usr/share/doc/rsyslog-mysql-5.8.10
/usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
[root@node2 ~]# mysql < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
[root@node2 ~]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.36-MariaDB-log MariaDB Server
Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Syslog             |
| mysql              |
| performance_schema |
| test               |
| vsftpd             |
+--------------------+
6 rows in set (0.26 sec)
MariaDB [(none)]> use Syslog
Database changed
MariaDB [Syslog]> show tables;
+------------------------+
| Tables_in_Syslog       |
+------------------------+
| SystemEvents           |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)
MariaDB [Syslog]> grant all on Syslog.* to [email protected] identified by 'logpass';
Query OK, 0 rows affected (0.24 sec)
MariaDB [Syslog]> grant all on Syslog.* to loguser@localhost identified by 'logpass';
Query OK, 0 rows affected (0.00 sec)
MariaDB [Syslog]> flush privileges;
Query OK, 0 rows affected (0.08 sec)
MariaDB [Syslog]> exit
[root@node2 ~]# vim /etc/rsyslog.conf
...
#### MODULES ####
...
$ModLoad ommysql
...
#### RULES ####
...
*.info;mail.none;authpriv.none;cron.none :ommysql:127.0.0.1,Syslog,loguser,logpass
...
[root@node2 ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@node3 ~]# yum -y remove tree #test: perform a removal
...
[root@node2 ~]# mysql
...
MariaDB [(none)]> use Syslog
Database changed
MariaDB [Syslog]> select * from SystemEvents\G #the log entries have been recorded in MySQL
...
*************************** 3. row ***************************
                ID: 3
        CustomerID: NULL
        ReceivedAt: 2016-02-19 01:29:14
DeviceReportedTime: 2016-02-21 00:59:50
          Facility: 1
          Priority: 6
          FromHost: node3
           Message: Erased: tree
        NTSeverity: NULL
...
5. LogAnalyzer: a tool that presents log information through a web GUI
# yum -y install httpd php php-mysql php-gd
# tar xf loganalyzer-3.6.5.tar.gz
# mkdir /var/www/html/loganalyzer
# cp -r loganalyzer-3.6.5/src/* /var/www/html/loganalyzer/
# cp -r loganalyzer-3.6.5/contrib/* /var/www/html/loganalyzer/
# cd /var/www/html/loganalyzer/
# chmod +x configure.sh secure.sh
# ./configure.sh
# ./secure.sh
# chmod 666 config.php
# chown -R apache.apache ./* #an httpd compiled from source instead runs its worker processes as the daemon user
Browse to: http://SERVER_IP/loganalyzer/
[root@node2 ~]# tar xf loganalyzer-3.6.5.tar.gz
[root@node2 ~]# ls loganalyzer-3.6.5
ChangeLog contrib COPYING doc INSTALL src
[root@node2 ~]# less loganalyzer-3.6.5/INSTALL
...
Installation in Detail
----------------------
1. Upload all files from the loganalyzer/src/ folder to you webserver. The other files are not needed on the webserver.
2. If your webserver has write access to the LogAnalyzer folder, you can skip the following step:
Upload the scripts configure.sh and secure.sh from the contrib folder to your webserver, into the same folder where you uploaded the other LogAnalyzer files into. Then set the execution flag to them (chmod +x configure.sh secure.sh). Now run ./configure.sh, this will create a blank config.php, and will also set write access to everyone to it. You can of course do this manually if you want.
...
[root@node2 ~]# mkdir /web/htdocs/loganalyzer #in this example the web server's document root is /web/htdocs
[root@node2 ~]# cp -r loganalyzer-3.6.5/src/* /web/htdocs/loganalyzer/
[root@node2 ~]# cp -r loganalyzer-3.6.5/contrib/* /web/htdocs/loganalyzer/
[root@node2 ~]# cd /web/htdocs/loganalyzer/
[root@node2 htdocs]# ls
admin chartgenerator.php convert.php details.php favicon.ico index.php lang reports.php statistics.php userchange.php
asktheoracle.php classes cron doc p_w_picpaths install.php login.php search.php templates
BitstreamVeraFonts configure.sh css export.php include js reportgenerator.php secure.sh themes
[root@node2 htdocs]# chmod +x configure.sh secure.sh
[root@node2 htdocs]# ./configure.sh
[root@node2 htdocs]# ./secure.sh
[root@node2 htdocs]# ls #after running the two scripts, the file config.php has been generated
admin chartgenerator.php configure.sh css export.php include js reportgenerator.php secure.sh themes
asktheoracle.php classes convert.php details.php favicon.ico index.php lang reports.php statistics.php userchange.php
BitstreamVeraFonts config.php cron doc p_w_picpaths install.php login.php search.php templates
[root@node2 htdocs]# chmod 666 config.php
[root@node2 htdocs]# chown -R daemon.daemon ./* #in this example httpd was compiled from source, and its worker processes run as the daemon user