rsyslog

Displaying the logs stored in the database with loganalyzer

Rsyslog

Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part,
and fine-grained output format control. It is compatible with stock sysklogd
and can be used as a drop-in replacement. Rsyslog is simple to set up, with
advanced features suitable for enterprise-class, encryption-protected syslog
relay chains.


Topology diagram

[topology diagram image from the original post]

Configuration

Test machines

The rsyslog service is already built into CentOS.

  • Test machine 1

Configure dual storage of logs:

  1. Store locally
  2. Forward over UDP to the Rsyslog log collector
  3. Restart the rsyslog service
[root@centos8 ~]#vim /etc/rsyslog.conf

#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
*.info;mail.none;authpriv.none;cron.none                @10.0.0.6:514

  • Test machine 2

Configure dual storage of logs:

  1. Store locally
  2. Forward over TCP to the Rsyslog log collector
  3. Restart the rsyslog service
[root@centos8 ~]#vim /etc/rsyslog.conf

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
*.info;mail.none;authpriv.none;cron.none                @@10.0.0.6:514
[root@centos8 ~]#systemctl restart rsyslog

Rsyslog collector

Configure the Rsyslog service

Enable the TCP and UDP rsyslog reception modules
Enable the ommysql module
Send logs of the specified level to the remote database

[root@rsyslog-server ~]#vim /etc/rsyslog.conf

#### MODULES ####

module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
              # local messages are retrieved through imjournal now.
module(load="imjournal"         # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

module(load="ommysql")

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
*.info;mail.none;authpriv.none;cron.none                :ommysql:10.0.0.8,Syslog,rsyslog,123456

Configure the Rsyslog-mysql service

[root@rsyslog-server ~]#yum install rsyslog-mysql -y

# Copy the database table template that the rsyslog service needs to the mysql host
[root@rsyslog-server lib64]#scp /usr/share/doc/rsyslog/mysql-createDB.sql root@10.0.0.8:/root
mysql-createDB.sql                                                                                                   100% 1046   700.6KB/s   00:00

Restart the service

[root@rsyslog-server ~]#systemctl restart rsyslog
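The `:ommysql:` rule above keeps the database password inside /etc/rsyslog.conf, which is normally readable by every local user on the collector. As an added example (not from the original post), the shell function below writes the same rule, in rsyslog's action() syntax, into a root-only file under /etc/rsyslog.d, which the GLOBAL DIRECTIVES section already includes; it assumes the host, database, user and password configured above, and takes the target directory as a parameter so it can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example, not from the original post. /etc/rsyslog.conf is normally
# world-readable, so the ":ommysql:" rule exposes the DB password to every
# local user. This puts the same rule, in rsyslog's action() syntax, into a
# root-only file under /etc/rsyslog.d (already included by the main config).

# Write DIR/ommysql.conf with mode 0600 containing the ommysql action.
write_ommysql_action() {
    dir="$1"; host="$2"; db="$3"; user="$4"; pass="$5"
    f="$dir/ommysql.conf"
    (
        umask 077   # create the file unreadable to group/others from the start
        cat > "$f" <<EOF
# Same selector as the /var/log/messages rule. Remove the ":ommysql:" line
# from /etc/rsyslog.conf so the password no longer appears there.
*.info;mail.none;authpriv.none;cron.none action(type="ommysql"
    server="$host" db="$db" uid="$user" pwd="$pass")
EOF
    )
    chmod 0600 "$f"   # also fixes the mode if the file already existed
    printf '%s\n' "$f"
}

# Octal mode of a file (GNU stat, with a BSD/macOS fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Real install only when asked; rsyslogd -N1 syntax-checks the merged config
# before the daemon is restarted.
if [ "${1:-}" = "--install" ]; then
    write_ommysql_action /etc/rsyslog.d 10.0.0.8 Syslog rsyslog 123456
    rsyslogd -N1 && systemctl restart rsyslog
fi
```

Run it with `--install` on the collector after deleting the inline `:ommysql:` line, so the password is not present in two places.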

MySQL database

[root@rsyslog-mysql ~]#yum install mysql-server -y

# Start the service and enable it at boot
[root@rsyslog-mysql ~]#systemctl enable --now mysqld

# Create the account used for remote database connections
mysql> create user rsyslog@'10.0.0.%' identified by '123456';
Query OK, 0 rows affected (0.01 sec)

mysql> grant all on Syslog.* to rsyslog@'10.0.0.%';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)

mysql> select user,host from mysql.user;
+------------------+-----------+
| user             | host      |
+------------------+-----------+
| lamp             | 10.0.0.%  |
| rsyslog          | 10.0.0.%  |
| mysql.infoschema | localhost |
| mysql.session    | localhost |
| mysql.sys        | localhost |
| root             | localhost |
+------------------+-----------+
6 rows in set (0.00 sec)

# Create the Syslog database and tables
# Use the database template file shipped with the rsyslog-mysql package
[root@rsyslog-mysql ~]#mysql < mysql-createDB.sql -uroot -p
Enter password:

# Verify that the tables were created
[root@rsyslog-mysql ~]#mysql -uroot -e'show tables from Syslog;' -p
Enter password:
+------------------------+
| Tables_in_Syslog       |
+------------------------+
| SystemEvents           |
| SystemEventsProperties |
+------------------------+

LAP display

[root@localhost ~]#yum install -y httpd php-fpm php-mysqlnd php-gd
[root@localhost ~]#systemctl enable --now httpd php-fpm
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/php-fpm.service → /usr/lib/systemd/system/php-fpm.service.

# Check whether php is enabled
[root@localhost ~]#grep www.sock /etc/httpd/conf.d/php.conf
        SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"

# Write a php test page
[root@localhost ~]#vim /var/www/html/info.php

Test in a browser whether httpd and php work properly:
enter http://10.0.0.10/info.php in the address bar.
If the page shows the detailed php information, it succeeded.

In the host machine's browser, enter http://10.0.0.10/log to configure the loganalyzer display.
[loganalyzer setup screenshot from the original post]
Done
[loganalyzer screenshot from the original post]

Test

Write a log entry on test1 and check whether loganalyzer shows it.

[root@centos8 ~]#logger "this test1 message from 10.0.0.5"

Refresh the web log page; the top entry is the test log just written.
[loganalyzer screenshot from the original post]

Troubleshooting: no data in the mysql table

When using mysql to store the rsyslog logs, the database stayed empty even after all services were configured.
Check the log file on the rsyslog log collector:

[root@rsyslog-server ~]#tail -f /var/log/messages
Jan 27 14:43:29 rsyslog-server rsyslogd[2378]: ommysql: db error (1290): The MySQL server is running with the --read-only option so it cannot execute this statement  [v8.2102.0-5.el8]
Jan 27 14:43:29 rsyslog-server rsyslogd[2378]: The error statement was: insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('action \'action-1-ommysql\' (module \'ommysql\') message lost, could not be processed. Check for additional error messages before this one. [v8.2102.0-5.el8 try https://www.rsyslog.com/e/2218 ]', 5, 'rsyslog-server', 3, '20220127144329', '20220127144329', 1, 'rsyslogd[2378]:') [v8.2102.0-5.el8 try https://www.rsyslog.com/e/2218 ]

The slave had been set to read-only during an earlier database master/slave experiment.

Solution:
Modify the database configuration
Comment out read-only

[root@centos8 ~]#vim /etc/my.cnf

#
# This group is read both both by the client and the server
# use it for options that affect everything
#
[client-server]

#
# include all files from the config directory
#
!includedir /etc/my.cnf.d
[mysqld]
#skip-grant-tables
server_id=7
#read-only

Restart the database

[root@centos8 ~]#systemctl restart mysqld

Check the table in the database again; it now has content.

mysql> select * from SystemEvents\G;
*************************** 1. row ***************************
                ID: 1
        CustomerID: NULL
        ReceivedAt: 2022-01-27 14:47:10
DeviceReportedTime: 2022-01-27 14:47:10
          Facility: 3
          Priority: 6
          FromHost: rsyslog-server
           Message: Stopping System Logging Service...
        NTSeverity: NULL
        Importance: NULL
       EventSource: NULL
         EventUser: NULL
     EventCategory: NULL
           EventID: NULL
   EventBinaryData: NULL
      MaxAvailable: NULL
         CurrUsage: NULL
          MinUsage: NULL
          MaxUsage: NULL
        InfoUnitID: 1
         SysLogTag: systemd[1]:
      EventLogType: NULL
   GenericFileName: NULL
          SystemID: NULL
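As an added example that is not part of the original post, the following shell script automates the test above and the troubleshooting that followed it: it logs a uniquely tagged message, looks for it in Syslog.SystemEvents, and if it is missing, maps the MySQL error numbers found in the collector's `ommysql: db error (NNNN)` lines (1290 above) to a diagnosis. It assumes the DB host, user and password from this page and /var/log/messages as the collector's own log file.

```shell
#!/bin/sh
# Added helper, not from the original post. Assumes the DB host, user and
# password configured earlier on this page and /var/log/messages as the log.
DB_HOST=10.0.0.8; DB_USER=rsyslog; DB_PASS=123456; DB_NAME=Syslog
COLLECTOR_LOG=/var/log/messages
# Map a MySQL error number seen in "ommysql: db error (NNNN)" to a diagnosis.
# 1290 is the read-only case shown above; the others are standard MySQL
# server/client error numbers for the remaining common failure modes.
diagnose_mysql_errno() {
    case "$1" in
        1290) echo "server is read-only (check read-only in my.cnf)" ;;
        1045) echo "access denied (check rsyslog user password and host grant)" ;;
        1049) echo "unknown database (run mysql-createDB.sql)" ;;
        1146) echo "table missing (SystemEvents not created)" ;;
        2002|2003) echo "cannot connect (mysqld down, port closed or firewall)" ;;
        *)    echo "unrecognised MySQL error $1" ;;
    esac
}
# Print the error number from one rsyslog line, or nothing if it is not an
# ommysql db error.
ommysql_errno() {
    printf '%s\n' "$1" | sed -n 's/.*ommysql: db error (\([0-9]*\)).*/\1/p'
}
# One diagnosis line per distinct ommysql error number found in a log file.
report_ommysql_errors() {
    grep 'ommysql: db error' "$1" 2>/dev/null |
        sed -n 's/.*ommysql: db error (\([0-9]*\)).*/\1/p' | sort -u |
        while read -r code; do
            printf 'MySQL error %s: %s\n' "$code" "$(diagnose_mysql_errno "$code")"
        done
}
# Live end-to-end check: log a tagged message, then look for it in the table.
# The password goes via MYSQL_PWD rather than -p so it is not in the process list.
verify_pipeline() {
    token="rsyslog-check-$(date +%s)-$$"
    logger "$token"
    sleep 2
    n=$(MYSQL_PWD="$DB_PASS" mysql -h "$DB_HOST" -u "$DB_USER" -N -e \
        "SELECT COUNT(*) FROM $DB_NAME.SystemEvents WHERE Message LIKE '%$token%'")
    if [ "${n:-0}" -ge 1 ]; then
        echo "OK: $token reached SystemEvents"
    else
        echo "MISSING: $token not in SystemEvents; ommysql errors seen:"
        report_ommysql_errors "$COLLECTOR_LOG"
        return 1
    fi
}
if [ "${1:-}" = "--live" ]; then verify_pipeline; fi
```

Run it with `--live` on the collector; `report_ommysql_errors /var/log/messages` alone is enough to read off the cause when the table is empty.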

Note:
The lastb command shows failed login attempts.
The default file is /var/log/btmp.
