Displaying logs stored in a database with LogAnalyzer
Rsyslog
Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part,
and fine grain output format control. It is compatible with stock sysklogd
and can be used as a drop-in replacement. Rsyslog is simple to set up, with
advanced features suitable for enterprise-class, encryption-protected syslog
relay chains.
#Explanation
In short: rsyslog is a multi-threaded syslog daemon that can write to MySQL, forward over syslog/TCP and RFC 3195, restrict which senders it accepts (permitted sender lists), filter on any part of a message, and control the output format precisely. It is compatible with the legacy sysklogd and can replace it without changing existing configuration, while adding enterprise features such as TLS-protected relay chains. Note that the lab below uses none of those protections: forwarding is plaintext UDP/TCP and the collector accepts messages from any source.
Topology diagram
Configuration
Test machines
rsyslog is preinstalled on CentOS.
- Test machine 1
Store every log twice:
- locally
- forwarded over UDP to the rsyslog collector (single "@" in the rule)
- then restart rsyslog
[root@centos8 ~]#vim /etc/rsyslog.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none @10.0.0.6:514
- Test machine 2
Store every log twice:
- locally
- forwarded over TCP to the rsyslog collector (double "@@" in the rule)
- then restart rsyslog
[root@centos8 ~]#vim /etc/rsyslog.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none @@10.0.0.6:514
[root@centos8 ~]#systemctl restart rsyslog
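The two rule lines above decide what leaves each test machine. The following is an added example, not code from the original post or from rsyslog: it re-implements the legacy "facility.priority" selector semantics (RFC 3164 PRI = facility * 8 + severity, "info" meaning info or more severe, ".none" excluding a facility) and the line format logger(1) emits, so a selector can be checked before it goes into /etc/rsyslog.conf. It assumes sysklogd-style selectors without "!" negation; host, tag and message values are constructed here.

```python
"""Added example: evaluate rsyslog legacy selectors and build RFC 3164 lines.

Not from the original post. Assumes sysklogd-style selector syntax
(no "!" negation); sample values are constructed.
"""
import datetime
import socket

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def pri(facility, severity):
    """RFC 3164 PRI = facility * 8 + severity; daemon.info -> 30."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def split_pri(value):
    """Inverse of pri(): the (Facility, Priority) pair ommysql stores."""
    return divmod(value, 8)


def parse_selector(selector):
    """Compile "*.info;mail.none;authpriv.none;cron.none" into a predicate
    over numeric (facility, severity) codes. Parts apply left to right and a
    later part overrides earlier ones for the facilities it names: "none"
    drops the facility, "=level" matches only that level, and a bare level
    means that level or anything more severe (a lower number)."""
    rules = []
    for part in selector.split(";"):
        fac_spec, _, sev_spec = part.strip().partition(".")
        if fac_spec == "*":
            facs = set(FACILITIES.values())
        else:
            facs = {FACILITIES[f] for f in fac_spec.split(",")}
        rules.append((facs, sev_spec))

    def matches(facility, severity):
        verdict = False
        for facs, sev_spec in rules:
            if facility not in facs:
                continue
            if sev_spec == "none":
                verdict = False
            elif sev_spec == "*":
                verdict = True
            elif sev_spec.startswith("="):
                verdict = severity == SEVERITIES[sev_spec[1:]]
            else:
                verdict = severity <= SEVERITIES[sev_spec]
        return verdict

    return matches


def build_line(facility, severity, hostname, tag, msg, when=None):
    """"<PRI>Mmm dd hh:mm:ss host tag: msg", the shape logger(1) produces."""
    when = when or datetime.datetime.now()
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s: %s" % (pri(facility, severity), stamp, hostname, tag, msg)


def forward(line, collector, proto="udp"):
    """Deliver one line the way omfwd's "@host" (UDP) or "@@host" (TCP) does.
    UDP is fire-and-forget: a dropped datagram is lost without any error,
    and neither transport authenticates the sender or encrypts the payload."""
    data = (line + "\n").encode()          # imtcp expects LF framing by default
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, collector)
    else:
        with socket.create_connection(collector, timeout=5) as s:
            s.sendall(data)


if __name__ == "__main__":
    rule = parse_selector("*.info;mail.none;authpriv.none;cron.none")
    for fac, sev in (("daemon", "info"), ("mail", "err"), ("user", "debug")):
        print("%s.%s -> %s" % (fac, sev, rule(FACILITIES[fac], SEVERITIES[sev])))
    print(build_line("user", "notice", "centos8", "root", "this test1 message from 10.0.0.5"))
```

Run it with no arguments to see the verdicts for the post's selector; to actually exercise a collector, call forward(line, ("10.0.0.6", 514), "udp") or "tcp" from a host that is allowed to reach it.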
Rsyslog collector
Configure the rsyslog service:
- enable the TCP and UDP reception modules (imtcp, imudp)
- load the ommysql module
- send logs of the selected levels to the remote database
Two things to keep in mind with the configuration below: the listeners bind port 514 on every interface and accept any source (rsyslog's $AllowedSender directive can at least restrict them to the lab network), and the ommysql action line carries the database password in clear text in /etc/rsyslog.conf, which is world-readable by default, so tighten its mode or move the action into a root-only file under /etc/rsyslog.d/.
[root@rsyslog-server ~]#vim /etc/rsyslog.conf
#### MODULES ####
module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
SysSock.Use="off") # Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
module(load="imjournal" # provides access to the systemd journal
StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
module(load="ommysql")
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")
# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none :ommysql:10.0.0.8,Syslog,rsyslog,123456
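What the collector does with each received line before ommysql inserts it, as an added example that is neither the post's code nor rsyslog's own implementation: parse_rfc3164() takes a raw message apart into the Facility/Priority/FromHost/SysLogTag/Message columns of Syslog.SystemEvents, and sender_allowed() is the kind of source filter rsyslog's $AllowedSender directive provides. The 10.0.0.0/24 lab network and the sample lines are assumptions. Two caveats the code makes explicit: a UDP source address can be spoofed, so the sender check limits noise but is not authentication, and FromHost is taken from the message body, so it is whatever the sender chose to write.

```python
"""Added example: collector-side parsing and sender filtering for RFC 3164.

Not from the original post and not rsyslog's code. Assumes the 10.0.0.0/24
lab network; sample input is constructed.
"""
import ipaddress
import re
import socket

HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"                            # PRI
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # RFC 3164 TIMESTAMP
    r"(?P<host>\S+) "                                 # HOSTNAME
    r"(?P<tag>[^:\s\[]+(?:\[\d+\])?):? ?"             # TAG with optional [pid]
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def sender_allowed(peer_ip, allowed_networks):
    """True when peer_ip falls inside one of the allowed CIDR ranges.
    This is a source-address check only; UDP sources can be forged."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(n) for n in allowed_networks)


def parse_rfc3164(raw, peer_ip):
    """Split one line into the SystemEvents-shaped row ommysql would insert."""
    m = HEADER.match(raw.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % raw[:40])
    pri = int(m.group("pri"))
    if pri > 191:                          # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "Facility": facility,
        "Priority": severity,
        "FromHost": m.group("host"),        # sender-controlled text, not verified
        "SysLogTag": m.group("tag") + ":",  # stored with the colon, as in the post's row
        "Message": m.group("msg"),
        "DeviceReportedTime": m.group("ts"),
        "PeerAddress": peer_ip,            # the only source fact the collector observed
    }


def handle(datagram, peer_ip, allowed_networks):
    """Drop lines from unexpected sources; otherwise return the parsed row."""
    if not sender_allowed(peer_ip, allowed_networks):
        return None
    return parse_rfc3164(datagram.decode("utf-8", "replace"), peer_ip)


def serve_udp(port=514, allowed_networks=("10.0.0.0/24",)):
    """Minimal imudp stand-in: receive, filter, parse, print. Port 514 needs root."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        while True:
            data, (peer, _) = s.recvfrom(65535)
            row = handle(data, peer, allowed_networks)
            if row is not None:
                print(row)


if __name__ == "__main__":
    serve_udp()
```

Because FromHost and PeerAddress can disagree, keep both when you build detections on the stored rows: a message claiming to come from rsyslog-server but received from an address outside the lab network is itself worth an alert.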
Configure the rsyslog-mysql service
[root@rsyslog-server ~]#yum install rsyslog-mysql -y
#copy the SQL template for the tables rsyslog needs to the MySQL host
[root@rsyslog-server lib64]#scp /usr/share/doc/rsyslog/mysql-createDB.sql root@10.0.0.8:/root
mysql-createDB.sql 100% 1046 700.6KB/s 00:00
Restart the service
[root@rsyslog-server ~]#systemctl restart rsyslog
MySQL database
[root@rsyslog-mysql ~]#yum install mysql-server -y
#start the service and enable it at boot
[root@rsyslog-mysql ~]#systemctl enable --now mysqld
#create the account rsyslog uses to connect remotely (lab values: 123456 is a throwaway password, and ALL on Syslog.* is more than needed, since rsyslog only inserts into SystemEvents and SystemEventsProperties and LogAnalyzer only reads them)
mysql> create user rsyslog@'10.0.0.%' identified by '123456';
Query OK, 0 rows affected (0.01 sec)
mysql> grant all on Syslog.* to rsyslog@'10.0.0.%';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)
mysql> select user,host from mysql.user;
+------------------+-----------+
| user | host |
+------------------+-----------+
| lamp | 10.0.0.% |
| rsyslog | 10.0.0.% |
| mysql.infoschema | localhost |
| mysql.session | localhost |
| mysql.sys | localhost |
| root | localhost |
+------------------+-----------+
6 rows in set (0.00 sec)
#create the Syslog database and its tables
#using the template file shipped in the rsyslog-mysql package
[root@rsyslog-mysql ~]#mysql < mysql-createDB.sql -uroot -p
Enter password:
#verify that the tables were created
[root@rsyslog-mysql ~]#mysql -uroot -e'show tables from Syslog;' -p
Enter password:
+------------------------+
| Tables_in_Syslog |
+------------------------+
| SystemEvents |
| SystemEventsProperties |
+------------------------+
LAP front end (Linux + Apache + PHP)
[root@localhost ~]#yum install -y httpd php-fpm php-mysqlnd php-gd
[root@localhost ~]#systemctl enable --now httpd php-fpm
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/php-fpm.service → /usr/lib/systemd/system/php-fpm.service.
#check that PHP requests are handed to php-fpm
[root@localhost ~]#grep www.sock /etc/httpd/conf.d/php.conf
SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
#create a PHP test page
[root@localhost ~]#vim /var/www/html/info.php
Test from a browser that httpd and PHP work:
open http://10.0.0.10/info.php in the address bar
If the PHP information page appears, the stack is working. Delete info.php once the check is done: phpinfo() reveals the PHP version, file paths and loaded modules to anyone who can reach the server.
From the host machine's browser, open http://10.0.0.10/log to reach LogAnalyzer.
Configure LogAnalyzer
Display
Done
Test
Write a log entry on test1 and check that it appears in LogAnalyzer.
[root@centos8 ~]#logger "this test1 message from 10.0.0.5"
Refresh the page; the newest entry at the top is the test message just written.
Troubleshooting: no rows in the MySQL table
With MySQL as the rsyslog store, every service was configured but the database stayed empty.
Check the log file on the rsyslog collector:
[root@rsyslog-server ~]#tail -f /var/log/messages
Jan 27 14:43:29 rsyslog-server rsyslogd[2378]: ommysql: db error (1290): The MySQL server is running with the --read-only option so it cannot execute this statement [v8.2102.0-5.el8]
Jan 27 14:43:29 rsyslog-server rsyslogd[2378]: The error statement was: insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('action \'action-1-ommysql\' (module \'ommysql\') message lost, could not be processed. Check for additional error messages before this one. [v8.2102.0-5.el8 try https://www.rsyslog.com/e/2218 ]', 5, 'rsyslog-server', 3, '20220127144329', '20220127144329', 1, 'rsyslogd[2378]:') [v8.2102.0-5.el8 try https://www.rsyslog.com/e/2218 ]
The database had been set read-only as the replica in an earlier master/replica experiment.
Fix:
edit the database configuration
and comment out the read-only line
(If the server really is a replica, point the ommysql action at the primary instead of making the replica writable.)
[root@centos8 ~]#vim /etc/my.cnf
#
# This group is read both by the client and the server
# use it for options that affect everything
#
[client-server]
#
# include all files from the config directory
#
!includedir /etc/my.cnf.d
[mysqld]
#skip-grant-tables
server_id=7
#read-only
Restart the database
[root@centos8 ~]#systemctl restart mysqld
Query the table again and it now has rows (the trailing ";" after \G in the original command only produces "No query specified"):
mysql> select * from Syslog.SystemEvents\G
*************************** 1. row ***************************
ID: 1
CustomerID: NULL
ReceivedAt: 2022-01-27 14:47:10
DeviceReportedTime: 2022-01-27 14:47:10
Facility: 3
Priority: 6
FromHost: rsyslog-server
Message: Stopping System Logging Service...
NTSeverity: NULL
Importance: NULL
EventSource: NULL
EventUser: NULL
EventCategory: NULL
EventID: NULL
EventBinaryData: NULL
MaxAvailable: NULL
CurrUsage: NULL
MinUsage: NULL
MaxUsage: NULL
InfoUnitID: 1
SysLogTag: systemd[1]:
EventLogType: NULL
GenericFileName: NULL
SystemID: NULL
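The failure above is easy to miss because the collector keeps writing /var/log/messages while every database insert is lost, and rsyslog only reports the problem on its own syslog channel. As an added example (not from the post), the function below scans those lines, pulls out the MySQL error code and the statement that was lost, and names the usual causes; the two sample lines are the ones shown in the post's output, and the code-to-cause table is an assumption added for illustration.

```python
"""Added example: detect ommysql write failures in rsyslog's own log.

Not from the original post. The sample lines are copied from the post's
output; the error-code table is an illustrative assumption.
"""
import re

# ommysql logs two lines per failed insert: the MySQL error, then the
# statement it could not run. Greedy match up to the last " [v" so the
# version suffix is stripped even when the statement itself contains one.
DB_ERROR = re.compile(r"rsyslogd\[\d+\]: ommysql: db error \((\d+)\): (.*) \[v")
LOST_STMT = re.compile(r"rsyslogd\[\d+\]: The error statement was: (.*) \[v")

KNOWN_CAUSES = {
    1290: "server is read-only (replica or read_only=ON): write to the primary",
    1045: "access denied: wrong user/password, or host not covered by the GRANT",
    1146: "table missing: run mysql-createDB.sql against the Syslog database",
    2003: "cannot reach the MySQL port: firewall or bind-address",
}

# Constructed input: the two lines from the troubleshooting section above.
SAMPLE_LINES = [
    r"Jan 27 14:43:29 rsyslog-server rsyslogd[2378]: ommysql: db error (1290): The MySQL server is running with the --read-only option so it cannot execute this statement [v8.2102.0-5.el8]",
    r"Jan 27 14:43:29 rsyslog-server rsyslogd[2378]: The error statement was: insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('action \'action-1-ommysql\' (module \'ommysql\') message lost, could not be processed. Check for additional error messages before this one. [v8.2102.0-5.el8 try https://www.rsyslog.com/e/2218 ]', 5, 'rsyslog-server', 3, '20220127144329', '20220127144329', 1, 'rsyslogd[2378]:') [v8.2102.0-5.el8 try https://www.rsyslog.com/e/2218 ]",
]


def scan_ommysql_errors(lines):
    """Return one finding per "db error" line, with the lost statement that
    follows it attached. Each finding: code, text, cause, lost_statement."""
    findings, pending = [], None
    for line in lines:
        m = DB_ERROR.search(line)
        if m:
            code = int(m.group(1))
            pending = {
                "code": code,
                "text": m.group(2),
                "cause": KNOWN_CAUSES.get(code, "unknown: look the code up in the MySQL manual"),
                "lost_statement": None,
            }
            findings.append(pending)
            continue
        m = LOST_STMT.search(line)
        if m and pending is not None:
            pending["lost_statement"] = m.group(1)
            pending = None                  # statement pairs with the last error only
    return findings


def scan_file(path="/var/log/messages"):
    """Convenience wrapper for the collector's own log file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_ommysql_errors(fh)


if __name__ == "__main__":
    for f in scan_ommysql_errors(SAMPLE_LINES):
        print("MySQL error %d: %s\n  cause: %s\n  lost: %s" % (
            f["code"], f["text"], f["cause"], (f["lost_statement"] or "")[:60]))
```

A count of findings over the last few minutes is a reasonable health check for the collector; zero inserts plus a non-zero count here means the audit trail in the database has a gap, which matters more than the ordering of the rows that did arrive.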
Note:
The lastb command lists failed login attempts.
They are stored by default in /var/log/btmp.
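/var/log/btmp is a binary file of fixed-size utmp records, which is why lastb is needed to read it. As an added example (not from the post), the parser below reads those records directly and counts failed logins per source address and per user, which is the first thing to look at on a host that accepts SSH from the network. It assumes the 384-byte glibc struct utmp layout of x86_64 Linux (little-endian); the sample records are constructed with pack_record() rather than read from a real host.

```python
"""Added example: parse /var/log/btmp (what lastb reads) and count failures.

Not from the original post. Assumes the 384-byte glibc struct utmp layout
on x86_64 Linux; sample records are constructed.
"""
import collections
import datetime
import struct

# glibc struct utmp on x86_64: short ut_type (+2 pad), int ut_pid,
# char ut_line[32], char ut_id[4], char ut_user[32], char ut_host[256],
# struct exit_status {short,short}, int32 ut_session,
# {int32 tv_sec, int32 tv_usec}, int32 ut_addr_v6[4], char reserved[20].
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)     # 384
LOGIN_PROCESS = 6                         # ut_type normally used for btmp entries


def _cstr(raw):
    """NUL-terminated fixed-width field to str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def iter_records(data):
    """Yield one dict per complete record; a trailing partial record is ignored."""
    usable = len(data) - len(data) % UTMP_SIZE
    for off in range(0, usable, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _session,
         tv_sec, _tv_usec, _a0, _a1, _a2, _a3, _reserved) = struct.unpack_from(UTMP_FMT, data, off)
        yield {
            "type": ut_type,
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),            # remote address as recorded by sshd/login
            "time": datetime.datetime.fromtimestamp(tv_sec, datetime.timezone.utc),
        }


def failed_logins(data):
    """Counters of failed attempts keyed by source host and by user name."""
    by_host, by_user = collections.Counter(), collections.Counter()
    for rec in iter_records(data):
        by_host[rec["host"] or rec["line"]] += 1   # fall back to the tty for local failures
        by_user[rec["user"]] += 1
    return by_host, by_user


def noisy_sources(by_host, threshold):
    """Hosts with at least `threshold` failures, most active first."""
    return [h for h, n in by_host.most_common() if n >= threshold]


def pack_record(user, host, tv_sec, line="ssh:notty", ut_type=LOGIN_PROCESS, pid=4242):
    """Build one record the way a writer would; used here to construct test data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def load_btmp(path="/var/log/btmp"):
    """Read the whole file; btmp is root-readable only on most distributions."""
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    by_host, by_user = failed_logins(load_btmp())
    print("failures per source:", by_host.most_common(10))
    print("failures per user:", by_user.most_common(10))
    print("sources with 10+ failures:", noisy_sources(by_host, 10))
```

Run as root on a host with a populated btmp to get the same view lastb gives, summarised; the per-user counter separates password guessing against one account from username spraying across many.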