Shulou(Shulou.com)06/01 Report--

Logs: historical event log

Historical events:

  time, event

  time level (log level): the criticality of the event

Events: some events during system boot startup, application startup, and the running of applications, especially service applications:

Syslog service:

  syslog:

  syslogd:system

  klogd:kernel

When the event format is relatively simple, it can be uniformly logged by syslog:

Date-time host process generated by the event [pid]: event content

Support for Cramp S architecture: logging services can be provided through UDP or TCP protocols

Rsyslog:

  rsyslogd:

  features:

   multithreading

   UDP,TCP,SSL,TLS,RELP

   stores log information in mysql, pgsql, oracle and other data management systems.

   powerful filter to filter any part of the log information

   custom output format

Elk stack:elasticsearch,logstash,kibana

Terms in the rsyslog log collector:

  facility: facility for classifying log collection functionally or programmatically:

  auth,authpriv,cron,daemon,kern,lpr,mail,mark,news,security,user,uucp,local0-local7,syslog

  priority: priority, log level

Debug,info,notice,warn (warning), err (error), crit (critical), alert,emerg (panic)

Specify the level:

 : all levels

  None: no level

  priority: this level is above all levels above this level

  = priority: this level only

……

Program environment:

  main program: rsyslogd

  main configuration file: / etc/rsyslog.conf, / etc/rsyslog.d/.conf

  service script (centos6): / etc/rc.d/init.d/rsyslog

  Unit File (centos7): / usr/lib/system/system/rsyslog.service

Configuration file format rsyslog.conf

It mainly consists of three parts:

  MODULES

  GLOBAL DRICTIVES

  RULES

   RULES:

    facilty.priority target     target:

File: log events are recorded in the specified file; it should usually be located in the / var/log directory; the "-" before the file path indicates asynchronous write

User: notify the specified user of the log event; by sending information to the terminal of the user logged on to the system

Log server: @ host, send the log to the specified server host; br/ >     target:

File: log events are recorded in the specified file; it should usually be located in the / var/log directory; the "-" before the file path indicates asynchronous write

User: notify the specified user of the log event; by sending information to the terminal of the user logged on to the system

Log server: @ host, send the log to the specified server host

Pipeline: | COMMAND

Other log files:

  / var/log/wtmp: the log of the current system successfully logged in to the system; you need to use the last command to view

  / var/log/btmp: the current system attempts to log in to the log related to system failure; you need to use the lastb command to view

  Lastlog: displays the last time all users on the current system logged in to the system

  / var/log/dmesg: log information during system boot; you can also view it using the dmesg command

Rsyslog server:

  edit configuration file / etc/rsyslog.conf, enable the rsyslog server by enabling the option

  Provides UDP syslog reception

  $ModLoad imudp

  $UDPServerRun 514

  Provides TCP syslog reception

  $ModLoad imtcp

  $InputTCPServerRun 514

 

Example: to log in mysql, here are the general steps:

1. Mysql server: prepare the mysql server, create users, and authorize full access to the syslog database

two。 On rsyslog hosts: install the rsyslog-mysql package

3. On rsyslog hosts: create dependent databases and tables by importing createDB.sql scripts

Mysql-uUSER-hHOST-pPASSWORD

< /usr/share/doc/rsyslog-mysql-VERSION/createDB.sql 4.配置rsyslog使用ommysql模块 MODULES #### $ModLoad ommysql RULES #### Facility.priority :ommysql:DBHOST,DB,DBUSER,DBUSERPASSWORD 注意：重启rsyslog服务；5.Web展示接口：loganalyzer 1) 配置lamp Httpd，php，php-mysql，php-gd 2) 安装loganalyzer #tar xf loganalyzer-3.6.5.tar.gz #cp -r loganalyzer-3.6.5/src /var/www/html/loganalyzer #cp -r loganalyzer-3.6.5/contrib/*.sh /var/www/html/loganalyzer/ #cd /var/www/html/loganalyzer/ #chmod +x *.sh #./configure.sh #./secure.sh #chmod 666 config.php测试，通过url访问； 演示： 日志服务器：192.168.19.134 测试主机：192.168.19.138 Mysql主机：192.168.19.138 启用服务器功能；

Start the rsyslog service and test the port

The test edits / etc/rsyslog.conf on another host, pointing the target to the address of this log server

1) Edit the main configuration file of rsyslog on the 19.138 host

2) restart the service and execute an installer

3) Test whether there is a log on the log server

Log in mysql

1) authorize users to have full access to the Syslog database

Note: here, in addition to authorizing the permissions of the local machine, but also the permissions of the rsyslog host to access the mysql database, otherwise, remote access to mysql will fail.

2) install rsyslog-mysql package on rsyslog host

3) create dependent databases and tables by importing createDB.sql scripts on the rsyslog host

4) configure rsyslog to use ommysql module

Note: restart the rsyslog service

5) Test

Install php,php-mysql on the test host and query the contents of the Syslog table in the mysql server database

Web display API: loganalyzer

1) configure lamp combination

Httpd,php,php,mysql,php-gd

2) install loganalyzer

a. Decompression

b. Copy related files to the / var/www/html directory

c. Change the permissions of the .sh end file

d. Execute script

E. Config.php file permission modification

f. Test access

The visit page is as follows:

Ensure that config.php permissions are writable:

Step7, create a data source, and enter as follows:

Go to the page and view the log with the showevents option.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.