rsyslog features
- Stores log messages in data management systems such as MySQL, PostgreSQL, MongoDB and ElasticSearch
- Reliable transport via RELP + TCP (combined with rsyslog's rich filtering conditions, this can be used to build a reliable log transport channel for other applications)
- Fine-grained control of the output format and powerful message filtering
- High-precision timestamps; queue operations (memory, disk and hybrid modes); encrypted and compressed transport
Program environment
Main program: rsyslogd
Main configuration files: /etc/rsyslog.conf, /etc/rsyslog.d/*.conf
Service script (CentOS 6): /etc/rc.d/init.d/rsyslog
Unit file (CentOS 7): /usr/lib/systemd/system/rsyslog.service
Configuration file
#rsyslog v3 config file
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
#### MODULES ####
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
#$ModLoad immark.so # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp.so
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
View the configuration file: less /etc/rsyslog.conf
The rsyslog configuration consists mainly of the following sections:
- modules: the modules to load, e.g.:
$ModLoad imudp.so
loads the UDP input module
- global directives: global settings of the rsyslogd daemon, such as the size of the main message queue (MainMessageQueueSize)
- rules (selector + action): each rule line has two parts, a selector and an action, separated by one or more spaces or tabs; the selector specifies the source (facility) and the log level, the action specifies what to do with matching messages
Commonly used modules
- imudp: traditional UDP transport, lossy
- imtcp: plain-text TCP transport, loses messages only in specific situations; widely used
- imrelp: RELP transport, does not lose messages, but is only available in rsyslogd 3.15.0 and later
Rules
Rule selectors
A selector also has two parts, facility and priority, separated by a dot (.). Multiple selectors are separated by ';', e.g. *.info;mail.none
facility: classifies collected logs by function or program
The built-in facilities are:
auth (security), authpriv: authentication, authorization and security-related messages
kern: messages from the Linux kernel
mail: the components of the mail system
mark: firewall marks
cron: messages related to scheduled jobs
daemon: messages produced by daemons
news: the network news subsystem
lpr: printing-related log messages
user: messages from user processes
local0 to local7: reserved for local use
priority: the log level (from lowest to highest)
debug: detailed developer information, normally used only while debugging a program
info: informational, normal system messages, e.g. nuisance reports or bandwidth data; needs no action
notice: not an error, but does not need immediate handling either
warning: a warning, not an error, e.g. the system disk is 85% full
err: an error, not very urgent; fixing it within a reasonable time is fine
crit: a critical condition, e.g. a hard disk error or loss of a backup connection
alert: a problem that should be corrected immediately, e.g. a corrupted system database or loss of the ISP connection
emerg: an emergency; technical staff must be notified immediately
| Level spec | Meaning |
|---|---|
| * | all levels |
| none | no level |
| priority | this level and all higher levels |
| =priority | only this level |
Action
The action is the part of a rule that follows the selector; it describes what to do with matching messages. Usually the message is written to a log file, but other actions are possible, such as writing to a database table or forwarding to another host.
# The authpriv file has restricted access.
authpriv.* /var/log/secure
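To make the selector semantics concrete, here is an added example (my code, not from the original post and not part of rsyslog) that parses legacy rule lines like the ones in the RULES section above and reports which actions a message of a given facility and priority would trigger. It implements the sysklogd-style semantics the table describes: *, none, priority (this level and above) and =priority (only this level), with the selectors of one rule applied left to right so that a later none clears what an earlier *.info granted. The alias tables (security, warn, error, panic) and the route() helper are assumptions of this example, not something the post defines.

```python
"""Routing simulator for rsyslog legacy selector rules (added example).

Not rsyslog's own code: it reimplements the selector semantics described
in the text so that a rule set can be checked offline.
"""

# Priority names in ascending severity; index 0 is the lowest.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp",
] + ["local%d" % i for i in range(8)]
FACILITY_ALIASES = {"security": "auth"}

# The rule block from the /etc/rsyslog.conf listing above (RULES section).
SAMPLE_RULES = """
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
"""


def _priority_index(name):
    name = PRIORITY_ALIASES.get(name, name)
    if name not in PRIORITIES:
        raise ValueError("unknown priority: %r" % name)
    return PRIORITIES.index(name)


def _levels_for(spec):
    """Translate the priority part of a selector into the set of level indexes it covers."""
    if spec == "*":
        return set(range(len(PRIORITIES)))
    if spec == "none":
        return set()
    if spec.startswith("="):
        return {_priority_index(spec[1:])}
    # plain 'priority': this level and everything more severe
    return set(range(_priority_index(spec), len(PRIORITIES)))


def parse_rule(line):
    """Parse 'selector action' into ({facility: set_of_levels}, action)."""
    selector_text, action = line.split(None, 1)
    masks = {fac: set() for fac in FACILITIES}
    for selector in selector_text.split(";"):
        fac_part, _, pri_part = selector.rpartition(".")
        if not fac_part:
            raise ValueError("selector without facility: %r" % selector)
        levels = _levels_for(pri_part)
        if fac_part == "*":
            targets = FACILITIES
        else:
            targets = [FACILITY_ALIASES.get(f, f) for f in fac_part.split(",")]
        for fac in targets:
            if fac not in masks:
                raise ValueError("unknown facility: %r" % fac)
            if pri_part == "none":
                masks[fac] = set()      # 'none' clears whatever earlier selectors granted
            else:
                masks[fac] |= levels    # every other spec accumulates
    return masks, action.strip()


def parse_rules(text):
    """Parse a block of rule lines, skipping blanks and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(parse_rule(line))
    return rules


def route(rules, facility, priority):
    """Return the actions (in config order) a facility.priority message would trigger."""
    facility = FACILITY_ALIASES.get(facility, facility)
    if facility not in FACILITIES:
        raise ValueError("unknown facility: %r" % facility)
    level = _priority_index(priority)
    return [action for masks, action in rules if level in masks[facility]]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for fac, pri in [("mail", "info"), ("authpriv", "notice"), ("kern", "emerg"), ("daemon", "debug")]:
        print("%s.%s -> %s" % (fac, pri, route(rules, fac, pri) or ["(dropped)"]))
```

Running it shows, for instance, that a kern.emerg message hits both /var/log/messages and the wall action *, while daemon.debug matches nothing in this rule set and is dropped; that is the kind of gap worth checking before relying on a rule set for audit purposes.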
Writing to a MySQL database
# modules: to write logs to MySQL, the ommysql module must be loaded
$ModLoad ommysql
# rule, send to mysql
#*.* :ommysql:database-server,database-name,database-userid,database-password
*.* :ommysql:127.0.0.1,Syslog,syslogwriter,topsecret
Setting up MySQL and rsyslog
Install rsyslog-mysql
[root@promote ~]# yum install rsyslog-mysql
··· ···
Complete!
[root@promote ~]# rpm -ql rsyslog-mysql
/usr/lib64/rsyslog/ommysql.so
/usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
Start the MySQL server
[root@promote ~]# vim /etc/my.cnf.d/server.cnf
Add the following:
[mysqld]
skip_name_resolve=ON
innodb_file_per_table=ON
[root@promote ~]# systemctl start mariadb.service
[root@promote ~]# mysql -uroot -hlocalhost -pcentos < /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| Syslog |
+--------------------+
1 rows in set (0.138 sec)
MariaDB [(none)]> use Syslog;
Database changed
MariaDB [Syslog]> SHOW TABLES;
+------------------------+
| Tables_in_Syslog |
+------------------------+
| SystemEvents |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.000 sec)
MariaDB [Syslog]> DESC SystemEvents;
+--------------------+------------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+--------------------+------------------+------+-----+---------+----------------+
| ID | int(10) unsigned | NO | PRI | NULL | auto_increment |
| CustomerID | bigint(20) | YES | | NULL | |
| ReceivedAt | datetime | YES | | NULL | |
| DeviceReportedTime | datetime | YES | | NULL | |
| Facility | smallint(6) | YES | | NULL | |
| Priority | smallint(6) | YES | | NULL | |
| FromHost | varchar(60) | YES | | NULL | |
| Message | text | YES | | NULL | |
| NTSeverity | int(11) | YES | | NULL | |
| Importance | int(11) | YES | | NULL | |
| EventSource | varchar(60) | YES | | NULL | |
| EventUser | varchar(60) | YES | | NULL | |
| EventCategory | int(11) | YES | | NULL | |
| EventID | int(11) | YES | | NULL | |
| EventBinaryData | text | YES | | NULL | |
| MaxAvailable | int(11) | YES | | NULL | |
| CurrUsage | int(11) | YES | | NULL | |
| MinUsage | int(11) | YES | | NULL | |
| MaxUsage | int(11) | YES | | NULL | |
| InfoUnitID | int(11) | YES | | NULL | |
| SysLogTag | varchar(60) | YES | | NULL | |
| EventLogType | varchar(60) | YES | | NULL | |
| GenericFileName | varchar(60) | YES | | NULL | |
| SystemID | int(11) | YES | | NULL | |
+--------------------+------------------+------+-----+---------+----------------+
24 rows in set (0.063 sec)
MariaDB [Syslog]> DESC SystemEventsProperties;
+---------------+------------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+---------------+------------------+------+-----+---------+----------------+
| ID | int(10) unsigned | NO | PRI | NULL | auto_increment |
| SystemEventID | int(11) | YES | | NULL | |
| ParamName | varchar(255) | YES | | NULL | |
| ParamValue | text | YES | | NULL | |
+---------------+------------------+------+-----+---------+----------------+
4 rows in set (0.001 sec)
MariaDB [Syslog]> GRANT ALL ON Syslog.* TO 'rsyslog'@'192.168.0.%' IDENTIFIED BY 'rsyspass';
Query OK, 0 rows affected (0.102 sec)
MariaDB [Syslog]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.044 sec)
Edit rsyslog.conf
#### MODULES ####
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
# add this line:
$ModLoad ommysql
#### RULES ####
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
# add this line:
*.info;mail.none;authpriv.none;cron.none :ommysql:192.168.0.104,Syslog,rsyslog,rsyspass
[root@promote ~]# systemctl restart rsyslog.service
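After the restart, messages matching the rule land in Syslog.SystemEvents. The following is an added example (my code, not from the original post and not part of rsyslog or LogAnalyzer) of the kind of query an operator runs over that table. It uses sqlite3 so it runs offline: the table mirrors the columns from the DESC SystemEvents output above that the default ommysql insert template fills, and the rows are constructed sample data. Facility and Priority hold the standard numeric syslog codes (kern=0 ... authpriv=10, local0-local7=16-23; emerg=0 ... debug=7), which is what ommysql stores. The two query functions use plain SQL that also runs on the MariaDB instance set up above; only the schema and insert statements are sqlite-specific.

```python
"""Queries over the rsyslog-mysql SystemEvents table (added example).

Offline stand-in for the Syslog database created by mysql-createDB.sql;
table and rows are constructed here, not taken from a real system.
"""
import sqlite3

# Standard numeric syslog facility and severity codes (lower severity code = more severe).
FACILITY_CODES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_CODES.update({16 + i: "local%d" % i for i in range(8)})
SEVERITY_CODES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Subset of the SystemEvents columns shown by DESC SystemEvents above.
SCHEMA = """
CREATE TABLE SystemEvents (
  ID INTEGER PRIMARY KEY AUTOINCREMENT,
  ReceivedAt TEXT, DeviceReportedTime TEXT,
  Facility INTEGER, Priority INTEGER,
  FromHost TEXT, Message TEXT, InfoUnitID INTEGER, SysLogTag TEXT
)"""

# Constructed sample rows: (ReceivedAt, Facility, Priority, FromHost, SysLogTag, Message)
SAMPLE_ROWS = [
    ("2024-01-10 10:00:01", 3, 6, "web01", "systemd:", "Started Session 12 of user admin."),
    ("2024-01-10 10:01:15", 0, 3, "web01", "kernel:", "EXT4-fs error (device sda1): sample"),
    ("2024-01-10 10:02:30", 3, 3, "web01", "httpd:", "AH00052: child pid 2201 exit signal Segmentation fault"),
    ("2024-01-10 10:03:00", 9, 6, "db01", "CROND:", "(root) CMD (run-parts /etc/cron.hourly)"),
    ("2024-01-10 10:05:42", 0, 2, "db01", "kernel:", "Out of memory: Kill process 1402 (mysqld)"),
    ("2024-01-10 09:20:00", 3, 6, "app02", "systemd:", "Reached target Multi-User System."),
]


def load_sample_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO SystemEvents (ReceivedAt, Facility, Priority, FromHost, SysLogTag, Message)"
        " VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def severe_events_per_host(conn, max_priority=3):
    """Count messages at err (3) or more severe per host, with the worst level seen."""
    rows = conn.execute("""
        SELECT FromHost, COUNT(*) AS n, MIN(Priority) AS worst
        FROM SystemEvents
        WHERE Priority <= ?
        GROUP BY FromHost
        ORDER BY n DESC, FromHost""", (max_priority,)).fetchall()
    return [(host, n, SEVERITY_CODES[worst]) for host, n, worst in rows]


def silent_hosts(conn, since):
    """Hosts whose newest message is older than `since`.

    A host that stops reporting is worth a look: a stalled forwarder or a
    disabled logger looks exactly like this from the central database.
    """
    return conn.execute("""
        SELECT FromHost, MAX(ReceivedAt) AS last_seen
        FROM SystemEvents
        GROUP BY FromHost
        HAVING MAX(ReceivedAt) < ?
        ORDER BY FromHost""", (since,)).fetchall()


def describe(row):
    """Render a (ReceivedAt, Facility, Priority, FromHost, SysLogTag, Message) row as facility.severity text."""
    received, facility, priority, host, tag, msg = row
    return "%s %s %s.%s %s %s" % (
        received, host, FACILITY_CODES.get(facility, str(facility)), SEVERITY_CODES[priority], tag, msg)


if __name__ == "__main__":
    conn = load_sample_db()
    for row in SAMPLE_ROWS:
        print(describe(row))
    print("severe events per host:", severe_events_per_host(conn))
    print("silent since 10:00:", silent_hosts(conn, "2024-01-10 10:00:00"))
```

Note that with the rule above (authpriv.none) authentication messages are kept out of the database, so queries against this table cannot be used for login monitoring unless a second rule sends authpriv there too.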
Setting up LogAnalyzer
Set up LogAnalyzer on the rsyslog server:
[root@rsyslog ~]# wget http://download.adiscon.com/loganalyzer/loganalyzer-4.1.6.tar.gz
[root@rsyslog syslog]# yum install -y httpd php php-mysql php-gd
[root@rsyslog ~]# tar xf loganalyzer-4.1.6.tar.gz
[root@rsyslog ~]# cp -r loganalyzer-4.1.6/src/* /var/www/html/syslog
[root@rsyslog ~]# cp -r loganalyzer-4.1.6/contrib/*.sh /var/www/html/syslog/
[root@rsyslog ~]# cd /var/www/html/syslog/
[root@rsyslog syslog]# chmod +x *.sh
[root@rsyslog syslog]# ./configure.sh
[root@rsyslog syslog]# chmod 666 config.php
[root@rsyslog syslog]# systemctl start httpd.service
[root@promote syslog]# systemctl stop firewalld
[root@promote syslog]# setenforce 0