log:


日志:历史日志


级别:


syslog: syslogd, klogd 

rsyslog: syslogd, klogd


facility: 设施,从功能或程序上对日志进行分类,并由专门的工具负责记录其日志

auth

authpriv

cron

daemon

kern

lpr

mail

mark

news

security (same as auth)

syslog

user

uucp

local0 through local7: 8 customed facility


通配机制:

*:所有

,: 列表

!: 取反


priority: 级别

debug

info

notice

warning, warn (same as warning)

err, error (same as err)

crit

alert

emerg, panic (same as emerg)


Target:

文件,如/var/log/messages

用户,*

日志服务器,@172.16.100.1

管道        | COMMAND


facitlity.priority Target

mail.info /var/log/maillog

mail.=info        *

mail.!info

*.info

mail,news.info


日志信息格式:

时间   主机   进程(PID):事件


syslog: syslogd -r

rsyslog

syslog-ng



rsyslog: 

Why rsyslog?

Multi-threading

TCP, SSL, TLS, RELP

MySQL, PostgreSQL, Oracle and more

Filter any part of syslog message

Fully configurable output format

Suitable for enterprise-class relay chains


/etc/rsyslog.conf

rsyslogd

rklogd


日志收集、分析工具:


分析rsyslog产生的日志:

把日志记入mysql数据库

使用loganalyzer分析;


分httpd日志:

webanalyzer

awstats


日志放入MySQL数据库中:

/usr/share/doc/rsyslog*/


/etc/rsyslog.conf配置:

$ModLoad ommysql 


*.info :ommysql:127.0.0.1,Syslog,root,mypass

*.* :ommysql:172.16.100.1,Syslog,rsysloguser,rsyslogp@ss


$ModLoad imudp.so   # provides UDP syslog reception 

$UDPServerRun 514   # start a UDP syslog server at standard port 514 


yum -y install php php-mysql mysql-server mysql

vim /var/www/html/index.php 

<?php

phpinfo();

?>

service httpd restart

service mysqld start

chkconfig mysqld on

vim /var/www/html/index.php 

<?php

        $link = mysql_connect('127.0.0.1','root','');

        if ($link)

                echo "Success";

        else

                echo "Failure";

?>

wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.4.tar.gz


mkdir /var/www/html/loganalyzer

tar xvzf loganalyzer-3.6.4.tar.gz 

cd loganalyzer-3.6.4 

mv src/* /var/www/html/loganalyzer

mv contrib/* /var/www/html/loganalyzer

chmod u+x /var/www/html/loganalyzer/*.sh

cd /var/www/html/loganalyzer/ 

./configure.sh 

./secure.sh 

chmod 666 config.php 

chown -R apache.apache *


yum -y install rsyslog-mysql

cd /usr/share/doc/rsyslog-mysql-5.8.10/

mysql < createDB.sql

mysql> grant all on Syslog.* to 'loguser'@'localhost' identified by 'logpass';

mysql> grant all on Syslog.* to 'loguser'@'127.0.0.1' identified by 'logpass';         

mysql> flush privileges;


vim /etc/rsyslog.conf

$ModLoad imudp

$UDPServerRun 514

$ModLoad ommysql

*.info;mail.none;authpriv.none;cron.none                :ommysql:127.0.0.1,Syslog,loguser,logpass


service rsyslog restart 


登录web安装。 

http://192.168.130.61/loganalyzer



rsyslog: facility.priority

日志记录:ommysql

日志服务器: imudp, imtcp

514


:ommysql:SERVER_IP,DATABASE,user,password


loganalyzer


webanalyzer


总结:

$ModLoad ommysql 必须定义在Module一段中;

要安装rsyslog-mysql,并导入数据定义的脚本,/usr/share/doc/rsyslog-mysql/createDB.sql

# mysql < /usr/share/doc/rsyslog-mysql/createDB.sql

Web设置的时候数据库名都是小写,修改为SystemEvents