Syslog-ng+loganalyzer (very detailed configuration file) deployment collection operation log

2025-03-29 Update From: SLTechnology News&Howtos (shulou), Database


Shulou(Shulou.com)06/01 Report--

Comparison operators (the table is cut off on the page; only these rows survive):

<    lt   less than
>=   ge   greater than or equal to
<=   le   less than or equal to

Filter functions:

facility()    Filter on the facility of the sending application. Facility numbers, names and meanings:

0      kern            kernel messages
1      user            user-level messages
2      mail            mail system
3      daemon          system daemons
4      auth            authentication
5      syslog          messages generated internally by syslog
6      lpr             printer subsystem
7      news            network news
8      uucp            UUCP
9      cron            scheduled tasks
10     authpriv        security/authorization (private)
11     ftp             FTP daemon
12     ntp             NTP
13     security        security-related, similar to auth
14     console         log alerts
15     solaris-cron    clock daemon
16-23  local0..local7  locally defined facilities

Examples: facility(user), facility(1), facility(local0..local5)

filter()      Call another filter.
host()        Filter on the sending host.
in-list()     Filter against a whitelist or blacklist file: in-list("<file>", value("<macro>")). For example, with /etc/syslog-ng/programlist.list containing the lines kernel, sshd and sudo:

filter f_whitelist { in-list("/etc/syslog-ng/programlist.list", value("PROGRAM")); };

level() or priority()   Filter on level or priority, e.g. level(warning), level(err..emerg).
match()       Filter a message field (header or content) with a regular expression.
message()     Filter on message content with a regular expression.
netmask()     Filter on the IP address of the sending host.
program()     Filter on the sending application.
source()      Select messages from a named syslog-ng OSE source statement.
tags()        Select messages carrying the given tags.

4. Configure syslog-ng to collect user operation logs

192.168.1.87 (the host whose operations are logged)
192.168.1.88 (the log collector)

4.1. The logger command

logger is a shell command interface for writing entries to the system log. The page counts seven log levels; the eight listed below are syslog's standard severities, from most to least urgent:

emerg    system is unusable; an emergency
alert    action must be taken immediately
crit     critical condition; something is about to happen and must be prevented
warning  warning
err      error condition; ordinary error messages
notice   normal but significant condition
info     informational message
debug    debug-level message

logger [-isd] [-f file] [-p pri] [-t tag] [-u socket] [message ...]

-i         log the process ID of logger with each line
-s         log the message to standard error as well as to the system log
-f file    log the contents of the specified file
-p pri     enter the message with the specified priority; pri may be a numeric value or "facility.level", e.g. "-p local3.info" logs at level info on facility local3; the default is "user.notice"
-t tag     mark every line with the specified tag
-u socket  write to the specified socket instead of using the built-in syslog routines
-d         use a datagram instead of a stream connection to the socket
-          end the argument list, allowing a message that starts with "-"
message    the text to write to the log; can be combined with -f

logger exits with 0 on success and with a value greater than 0 on failure.

4.2. Configure operation logging on 1.87

4.2.1. Configure the environment for collection

/etc/bashrc already sources every script under /etc/profile.d/ (the relevant part of the file):

# Only display echos from profile.d scripts if we are no login shell
# and interactive - otherwise just process them to set envvars
for i in /etc/profile.d/*.sh; do
    if [ -r "$i" ]; then
        if [ "$PS1" ]; then
            . "$i"
        else
            . "$i" >/dev/null 2>&1
        fi
    fi
done
unset i
unset pathmunge
fi
# vim:ts=4:sw=4

So the hook is added as a script under /etc/profile.d/:

cd /etc/profile.d/
vim oprate_cmd.sh

#!/bin/bash
declare -r USER_ALL=`/usr/bin/who am i`
USER_TTY=`echo $USER_ALL | awk '{print $2}'`
# the field number used here was lost in extraction; the remote host is the
# last, parenthesised field of `who am i`, so $NF is used
REMOUTE_IP=`echo $USER_ALL | awk '{print $NF}' | awk -F'[()]+' '{print $2}'`
REMOUTE_USER=`echo $USER_ALL | awk '{print $1}'`
if [ "$USER" == "root" ]; then
    declare -r PROMT="#"
else
    declare -r PROMT="$"
fi
declare -r REAL_USER=$USER
PROC_ID=$(pstree -p | grep $$ | awk -F'[()]+' '{print $4}')
# runs before every prompt: take the last history entry and send it to syslog
export PROMPT_COMMAND='{ MSG=$(history 1 | { read x y; echo $y; }); logger "PPID=$PROC_ID REMOUTE_USER=$REMOUTE_USER tty=$USER_TTY REMOUTE_IP=$REMOUTE_IP [$REAL_USER@$HOSTNAME `pwd`] $PROMT$MSG"; }'

Load the new configuration:

source /etc/bashrc
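As an added example (not the page's oprate_cmd.sh), here is the same per-command hook written with quoted variables, a fixed tag and facility that the collector can filter on, and a `who am i` parser that also handles a local console login, where no "(host)" field is printed. The local3 facility, the cmdaudit tag and the AUDIT_* variable names are assumptions; the record layout is the one the page's log lines show. Like the page's hook, it runs inside the user's own shell, so it is an operational record rather than a tamper-proof audit trail.

```shell
#!/bin/bash
# Added example, not the page's oprate_cmd.sh: the per-command audit hook with
# quoting, a fixed tag/facility and no duplicate records on empty prompts.
# Assumptions: bash with history enabled, util-linux logger(1), and a syslog-ng
# filter on the collector that forwards facility local3.

# Parse one line of `who am i` output and print "tty remote".
# A local console login has no "(host)" part, so remote becomes "-".
parse_who_line() {
    line="$1"
    tty=$(printf '%s\n' "$line" | awk '{print $2}')
    remote=$(printf '%s\n' "$line" | awk -F'[()]' 'NF >= 2 {print $2} NF < 2 {print "-"}')
    printf '%s %s\n' "$tty" "$remote"
}

# Strip the entry number from `history 1` ("  123  sudo -s" -> "sudo -s").
last_command() {
    printf '%s\n' "$1" | sed 's/^ *[0-9]* *//'
}

# Build the record in the page's layout:
# PPID=<ppid> REMOUTE_USER=<u> tty=<tty> REMOUTE_IP=<ip> [<user>@<host> <cwd>] <prompt><cmd>
build_cmd_record() {
    printf 'PPID=%s REMOUTE_USER=%s tty=%s REMOUTE_IP=%s [%s@%s %s] %s%s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9"
}

# Install the hook in the current interactive shell (source this file, then call it).
install_cmd_audit() {
    who_line=$(who am i 2>/dev/null)
    tty_remote=$(parse_who_line "$who_line")
    AUDIT_TTY=${tty_remote%% *}
    AUDIT_RIP=${tty_remote##* }
    AUDIT_RUSER=${who_line%% *}
    AUDIT_PPID=$(ps -o ppid= -p $$ | tr -d ' ')
    if [ "$(id -u)" = 0 ]; then AUDIT_PROMPT='#'; else AUDIT_PROMPT='$'; fi
    AUDIT_LAST=''
    export AUDIT_TTY AUDIT_RIP AUDIT_RUSER AUDIT_PPID AUDIT_PROMPT AUDIT_LAST
    # Runs before each prompt. The history entry is compared with the previous
    # one so that pressing Enter on an empty line does not log the command again.
    PROMPT_COMMAND='_h=$(history 1); if [ "$_h" != "$AUDIT_LAST" ]; then AUDIT_LAST=$_h; logger -p local3.info -t cmdaudit -- "$(build_cmd_record "$AUDIT_PPID" "$AUDIT_RUSER" "$AUDIT_TTY" "$AUDIT_RIP" "$USER" "$HOSTNAME" "$PWD" "$AUDIT_PROMPT" "$(last_command "$_h")")"; fi'
}
```

Sourcing the file and calling install_cmd_audit from /etc/profile.d/ gives the same stream the page shows in 4.2.4, with the facility and tag available to facility() and program() filters instead of relying on match() against MESSAGE.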

4.2.2. Configure the syslog-ng configuration file for collection:

# Default syslog-ng.conf file which collects all local logs into a
# single file called /var/log/messages.
#
@version: 3.3
@include "scl.conf"

options {
    flush_lines(1);
    # flush-timeout(...): the value on the page was lost in extraction
    log-fifo-size(10000);
    chain-hostnames(no);
    use-dns(no);
    # use-dns(persist_only);
    use-fqdn(no);
    create-dirs(no);
    keep-timestamp(yes);
};

source s_file { unix-stream("/dev/log"); internal(); };

# drop the noise from automation and daemons; a filter is one boolean
# expression, so the clauses are joined with "and" rather than separated by ";"
filter sys_filter {
    not match('ansible-command' value('MESSAGE'))
    and not match('logrotate' value('MESSAGE'))
    and not match('rsyncd' value('MESSAGE'))
    and not match('CROND' value('MESSAGE'))
    and not match('syslog-ng' value('MESSAGE'))
    and not match('sshd' value('MESSAGE'))
    and not facility(mail,authpriv,cron);
};

destination d_file { file("/app/local/log/cmd_track.log"); };
# the collector configured in 4.3 listens on port 1000 (its netstat output
# shows 514); this address and port must match the listener actually used there
destination d_remote { tcp("10.10.1.1" port(514)); };

log { source(s_file); filter(sys_filter); destination(d_file); };
log { source(s_file); filter(sys_filter); destination(d_remote); };

4.2.3. Error resolution

# /etc/init.d/syslog-ng start
Starting syslog-ng: /usr/local/syslog-ng/sbin/syslog-ng: symbol lookup error: /usr/local/syslog-ng/lib/libsyslog-ng-3.6.so.0: undefined symbol: g_malloc_n [FAILED]

yum error:

[root@localhost]# yum
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

   /usr/lib64/python2.6/site-packages/_sqlitecache.so: undefined symbol: g_assertion_message_expr

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.6.6 (r266:84292, Nov 22 2013, 12:16:22)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-4)]

If you cannot solve this problem yourself, please go to
the yum faq at:
  http://yum.baseurl.org/wiki/Faq

The installed glib2 library version is not compatible with the current yum and python versions.

Rebuild glib2 (the page says glibc; the commands below build glib-2.28.8):

tar -xf glib-2.28.8.tar.xz
cd glib-2.28.8
./configure
make
make install

Start syslog-ng

/etc/init.d/syslog-ng start

The syslog-ng init script:

#!/bin/bash
#
# chkconfig: - 60 27
# description: syslog-ng SysV script.

. /etc/rc.d/init.d/functions

syslog_ng=/usr/local/syslog-ng/sbin/syslog-ng
prog=syslog-ng
pidfile=/usr/local/syslog-ng/var/syslog-ng.pid
lockfile=/usr/local/syslog-ng/var/syslog-ng.lock
RETVAL=0
STOP_TIMEOUT=${STOP_TIMEOUT-10}

start() {
    echo -n $"Starting $prog: "
    daemon --pidfile=$pidfile $syslog_ng $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc -p $pidfile -d $STOP_TIMEOUT $syslog_ng
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f $lockfile $pidfile
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status -p $pidfile $syslog_ng
        RETVAL=$?
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|status}"
        RETVAL=2
esac
exit $RETVAL

4.2.4. View the collected logs:

tail /data/log/execute_log
Jun 14 16:21:41 qmcent3 ckl: PPID=22668 REMOUTE_USER=ckl tty=pts/2 REMOUTE_IP=192.168.1.105 [ckl@qmcent3.com /home/ckl] $sudo -s
Jun 14 16:21:43 qmcent3 ckl: PPID=22668 REMOUTE_USER=ckl tty=pts/2 REMOUTE_IP=192.168.1.105 [ckl@qmcent3.com /home/ckl] $ls
Jun 14 16:21:44 qmcent3 ckl: PPID=22668 REMOUTE_USER=ckl tty=pts/2 REMOUTE_IP=192.168.1.105 [ckl@qmcent3.com /home/ckl] $cd /root/
Jun 14 16:21:44 qmcent3 ckl: PPID=22668 REMOUTE_USER=ckl tty=pts/2 REMOUTE_IP=192.168.1.105 [ckl@qmcent3.com /home/ckl] $ls
Jun 14 16:21:46 qmcent3 ckl: PPID=22668 REMOUTE_USER=ckl tty=pts/2 REMOUTE_IP=192.168.1.105 [ckl@qmcent3.com /data] $cd /data/
Jun 14 16:21:46 qmcent3 ckl: PPID=22668 REMOUTE_USER=ckl tty=pts/2 REMOUTE_IP=192.168.1.105 [ckl@qmcent3.com /data] $ls
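Collecting these records is only useful if someone reads them. The added shell example below (not from the page) does a first triage pass over records in this layout: it splits out the remote IP, user and command, flags the entries an operator would want to see first, and counts commands per source. The five sample lines are constructed in the page's format (four mirror the lines above, one is an extra root session); the watch patterns are assumptions.

```shell
#!/bin/bash
# Added example, not from the page: a triage pass over cmd_track-style records.
# The sample lines are constructed in the page's record layout; the watch
# patterns (sudo/su, entering /root, touching sudoers or shadow) are assumptions
# about what an operator reviewing this log would want surfaced first.

SAMPLE_LOG='Jun 14 16:21:41 qmcent3 ckl: PPID=22668 REMOUTE_USER=ckl tty=pts/2 REMOUTE_IP=192.168.1.105 [ckl@qmcent3.com /home/ckl] $sudo -s
Jun 14 16:21:43 qmcent3 ckl: PPID=22668 REMOUTE_USER=ckl tty=pts/2 REMOUTE_IP=192.168.1.105 [ckl@qmcent3.com /home/ckl] $ls
Jun 14 16:21:44 qmcent3 ckl: PPID=22668 REMOUTE_USER=ckl tty=pts/2 REMOUTE_IP=192.168.1.105 [ckl@qmcent3.com /home/ckl] $cd /root/
Jun 14 16:21:46 qmcent3 ckl: PPID=22668 REMOUTE_USER=ckl tty=pts/2 REMOUTE_IP=192.168.1.105 [ckl@qmcent3.com /data] $ls
Jun 14 16:25:02 qmcent3 ops: PPID=23001 REMOUTE_USER=ops tty=pts/3 REMOUTE_IP=10.0.0.9 [ops@qmcent3.com /etc] #vi /etc/sudoers'

# Print "ip<TAB>user<TAB>command" for every record on stdin.
extract_fields() {
    awk '{
        ip = ""; user = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^REMOUTE_IP=/)   ip   = substr($i, 12)
            if ($i ~ /^REMOUTE_USER=/) user = substr($i, 14)
        }
        n = index($0, "] ")        # end of the "[user@host cwd]" bracket
        cmd = substr($0, n + 3)    # skip "] " and the one-character prompt
        printf "%s\t%s\t%s\n", ip, user, cmd
    }'
}

# Keep only records whose command matches a watch pattern.
flag_privileged() {
    extract_fields | awk -F'\t' '$3 ~ /^(sudo|su)( |$)|^cd +\/root|\/etc\/(sudoers|shadow)/'
}

# Number of flagged records on stdin.
count_flagged() {
    flag_privileged | wc -l | tr -d ' '
}

# Records per remote IP, "ip count" per line, busiest source first.
per_source() {
    extract_fields | awk -F'\t' '{ c[$1]++ } END { for (k in c) print k, c[k] }' | sort -k2,2nr
}

printf '%s\n' "$SAMPLE_LOG" | flag_privileged
printf '%s\n' "$SAMPLE_LOG" | per_source
```

Run against a real file with `flag_privileged < /data/log/execute_log`. The command is taken as everything after the "] " that closes the bracket and the one-character prompt, which is why the record layout produced by the hook must stay fixed.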

4.3. Configuration on 1.88 (the collection server)

Install syslog-ng as above

Configure syslog-ng:

cat /usr/local/syslog-ng/etc/syslog-ng.conf
# Default syslog-ng.conf file which collects all local logs into a
# single file called /var/log/messages.
#
@version: 3.6
@include "scl.conf"

options {
    flush_lines(10);
    flush-timeout(5000);
    log-fifo-size(100000);
    chain-hostnames(no);
    use-dns(persist_only);
    use-fqdn(no);
    create-dirs(no);
    keep-timestamp(yes);
};

source s_remote { tcp(ip(0.0.0.0) port(1000)); };
destination d_file { file("/data/excute_log/cmd_$YEAR$MONTH$DAY.log"); };
log { source(s_remote); destination(d_file); };

Start the service:

# /etc/init.d/syslog-ng start
# netstat -ntpl | grep syslog
tcp        0      0 0.0.0.0:514                 0.0.0.0:*                   LISTEN      16329/syslog-ng

View the collected logs:

# cd /data/excute_log/
# ls
cmd_20160614.log

5. Install loganalyzer and collect operation log

5.1. Install loganalyzer

tar -xf loganalyzer-3.6.6.tar.gz -C /data/ckl-frontend/
cd /data/ckl-frontend/
rsync -a loganalyzer-3.6.6/src/* loganalyzer/

Create config.php (the web installer needs to write it; tighten the mode once the install has finished):

touch config.php
chmod 666 config.php

Then open loganalyzer in the browser and run the installer (the page's screenshots are not reproduced here):

1. Click "here" to start the installer.
2. Next.
3. Confirm that config.php exists with permission 666.
4. Configure the database; choose the custom database connection method. Create the database first:

syslog-ng@localhost:(none) 05:34:46> create database loganalyzer;

5. Create a user.
6. Select the source.
7. Complete.

5.2. Configure nginx

Configure the nginx access path to point to loganalyzer/

This is not covered here.

5.3. Database configuration

5.3.1. Insert the database user

After installing MySQL 5.6 there is no user for loganalyzer, so insert one directly into the grant table:

INSERT INTO user (Host,User,Password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,ssl_cipher,x509_issuer,x509_subject)
VALUES ('localhost','syslog-ng',PASSWORD('629893'),'Y','Y','Y','Y','Y','Y','','','');
-- the six privilege flags and the three empty SSL columns were garbled in the
-- source and are reconstructed here; the SSL columns are NOT NULL, so they
-- must be given as empty strings
FLUSH PRIVILEGES;
-- required after writing to the grant tables directly

After installing loganalyzer it is not possible to log in, because the application has no user yet; one must be added:

INSERT INTO logcon_users VALUES (1, 'syslog-ng', '54e4602701a3ccdae80bf951ae2c69fd', 1, 1, ...);
-- the values after the password hash were garbled in the source and are not recoverable

The table that receives the logs must have the following layout:

CREATE TABLE SystemEvents (
    ID int unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
    CustomerID bigint,
    ReceivedAt datetime NULL,
    DeviceReportedTime datetime NULL,
    Facility smallint NULL,
    Priority smallint NULL,
    FromHost varchar(60) NULL,
    Message text,
    NTSeverity int NULL,
    Importance int NULL,
    EventSource varchar(60),
    EventUser varchar(60) NULL,
    EventCategory int NULL,
    EventID int NULL,
    EventBinaryData text NULL,
    MaxAvailable int NULL,
    CurrUsage int NULL,
    MinUsage int NULL,
    MaxUsage int NULL,
    InfoUnitID int NULL,
    SysLogTag varchar(60),
    EventLogType varchar(60),
    GenericFileName varchar(60),
    SystemID int NULL,
    processid varchar(60) NOT NULL DEFAULT '1',
    checksum int(11) UNSIGNED NOT NULL DEFAULT '0'
);

Note: the collection table must have the layout above, and the source is associated with it in config.php as follows:

vim config.php
....
$CFG['Sources']['Source1']['ID'] = 'Source1';
$CFG['Sources']['Source1']['Name'] = 'ckl log';
$CFG['Sources']['Source1']['ViewID'] = 'SYSLOG';
$CFG['Sources']['Source1']['SourceType'] = SOURCE_DB;
$CFG['Sources']['Source1']['DBTableType'] = 'monitorware';
$CFG['Sources']['Source1']['DBType'] = DB_MYSQL;
$CFG['Sources']['Source1']['DBServer'] = 'localhost';
$CFG['Sources']['Source1']['DBName'] = 'loganalyzer';
$CFG['Sources']['Source1']['DBUser'] = 'syslog-ng';
$CFG['Sources']['Source1']['DBPassword'] = '629893';
$CFG['Sources']['Source1']['DBTableName'] = 'SystemEvents';   // the table created above
// $CFG['Sources']['Source1']['DBTableName'] = 'systemevents';
$CFG['Sources']['Source1']['DBEnableRowCounting'] = false;
....

5.4. Configure syslog-ng to write collected data to MySQL

Create a pipe file:

mkfifo /var/log/mysql.pipe

Edit the configuration file:

vim /usr/local/syslog-ng/etc/syslog-ng.conf

@version: 3.3
@include "scl.conf"
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
options {
    flush_lines(1);
    flush-timeout(100);
    time_reopen(10);
    log_fifo_size(1000000000);
    chain_hostnames(no);
    use_dns(no);
    use_fqdn(no);
    create_dirs(no);
    keep_hostname(yes);
    stats_freq(600);
    log_msg_size(65536);
};

source s_sys {
    file("/proc/kmsg" program_override("kernel:"));
    unix-stream("/dev/log");
    internal();
};

source cmd_src {
    tcp(ip(0.0.0.0) port(12800) log-fetch-limit(12800) log-iw-size(1000) max-connections(100000000) so-rcvbuf(12468));
};

# sys filter: one boolean expression; every match() names the field it tests
filter sys_filter {
    not match('qmuser' value('MESSAGE'))
    and not match('logrotate' value('MESSAGE'))
    and not match('rsyncd' value('MESSAGE'))
    and not match('CROND' value('MESSAGE'))
    and not match('syslog-ng' value('MESSAGE'))
    and not match("sshd" value("MESSAGE"))
    and not facility(mail,authpriv,cron);
};

destination cmd_dst { file("/app/local/log/oplog/cmdrecord/cmdrecord-$YEAR$MONTH$DAY.log"); };
log { source(cmd_src); filter(sys_filter); destination(cmd_dst); };

# destination mysql: a mysql client reads the named pipe that syslog-ng writes
# INSERT statements into
destination d_mysql {
    # note: the password here differs from the one granted in 5.3.1 on the page
    program("/usr/bin/mysql -usyslog-ng -p123245 loganalyzer < /var/log/mysql.pipe");
    # the value list was lost in extraction; it must supply one templated value
    # for each column named in the INSERT
    pipe("/var/log/mysql.pipe"
         template("INSERT INTO SystemEvents (EventID,FromHost,SysLogTag,Facility,EventUser,EventSource,Message,Priority) VALUES (...);\n")
         template-escape(no));
};
log { source(cmd_src); filter(sys_filter); destination(d_mysql); };
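The pipe() destination above splices message fields into an INSERT statement with template-escape(no), so any logged command that contains a single quote (most grep, awk and sed invocations do) ends the string literal early and the statement fails or is misread by the mysql client. syslog-ng's template-escape(yes) prefixes ', " and \ with a backslash, which MySQL's default quoting mode accepts. The added shell example below (not from the page) reproduces that escaping and shows the malformed statement beside the corrected one; the two-column INSERT, the host name and the sample message are constructed.

```shell
#!/bin/bash
# Added example, not from the page: what template-escape(no) leaves in the
# INSERT that the pipe() destination writes, beside the escaping that
# template-escape(yes) applies. The statement, host and message are constructed.

# Prefix backslash, single quote and double quote with a backslash, which is
# what syslog-ng's template-escape(yes) does and what MySQL's default quoting
# mode accepts. Backslashes go first so the added ones are not escaped twice.
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g" -e 's/"/\\"/g'
}

# The page's approach: the raw message is spliced into the string literal.
build_insert_unescaped() {
    printf "INSERT INTO SystemEvents (FromHost,Message) VALUES ('%s','%s');\n" "$1" "$2"
}

# Same statement with every value escaped before it is spliced in.
build_insert_escaped() {
    printf "INSERT INTO SystemEvents (FromHost,Message) VALUES ('%s','%s');\n" \
        "$(sql_escape "$1")" "$(sql_escape "$2")"
}

# Count quote characters that are not preceded by a backslash. A statement
# with two string literals is well formed only when this is exactly 4.
count_bare_quotes() {
    printf '%s' "$1" | sed "s/\\\\'//g" | tr -cd "'" | wc -c | tr -d ' '
}

# A command line with quotes, as a user of the 4.2.1 hook would type it.
SAMPLE_MSG="[ckl@qmcent3.com /home/ckl] \$grep 'Failed password' /var/log/secure"
build_insert_unescaped qmcent3 "$SAMPLE_MSG"
build_insert_escaped   qmcent3 "$SAMPLE_MSG"
```

The unescaped statement carries six bare quotes and is not a valid INSERT; the escaped one carries four. In the syslog-ng configuration the equivalent fix is a single word, template-escape(yes), on the pipe() destination.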

Start the process:

/etc/init.d/syslog-ng restart

View data collection:

Warning:

# /etc/init.d/syslog-ng restart
WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;
start syslog-ng:
WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration

Resolution: give every match() a value() option naming the field to test, for example:

filter f_carriage_return { match("\x0d" value("MESSAGE")); };

Error:

[syslog-ng] Broken TCP connection

Solution (quoted from the mailing-list thread linked below):

Yes, it is. You need to increase log_fetch_limit() and log_fifo_size() in this case. Keep in mind the log_fifo_size must be larger than the log_fetch_limit.

Links:

https://lists.balabit.hu/pipermail/syslog-ng/2010-January/013835.html

https://tools.ietf.org/html/rfc5424#page-13


© 2024 shulou.com SLNews company. All rights reserved.
