一、rsyslog服务说明:
1、rsyslog是一个C/S架构的服务,可监听于某套接字,帮其它主机记录日志信息
二、rsyslog特点
1、直接将日志写入到数据库
2、日志队列
3、灵活的模板机制,可以得到多种输出格式
4、插件式结构,多种多样的输入、输出模块
备注:rsyslog日志服务器的优势:
1、日志统一,集中式管理
2、日志实时传送到远端服务器,便于集中保存,也能防止本机被入侵后本地日志被删改。但只有传输本身受到保护时才算"更加安全":下文配置的UDP 514既不认证发送方也不加密,生产环境应改用TCP+TLS(imtcp/gtls)并用防火墙限制来源。
#1、安装rsyslog
# Install the rsyslog daemon from the distribution repositories.
yum -y install rsyslog
#2、确认是否安装成功
# List the installed rsyslog packages (expected: rsyslog and rsyslog-mysql).
rpm -qa | grep -- rsyslog
[root@localhost log]# rpm -qa |grep rsyslog
rsyslog-8.24.0-52.el7_8.2.x86_64
rsyslog-mysql-8.24.0-52.el7_8.2.x86_64
#3、安装rsyslog连接至mysql-server的驱动模块
# Install the ommysql output module (shipped separately as rsyslog-mysql).
yum -y install rsyslog-mysql
#4、查看rsyslog-mysql包提供的文件:ommysql输出模块(ommysql.so),以及用于建库建表的mysql-createDB.sql(稍后导入到mysql中)
[root@localhost log]# rpm -ql rsyslog-mysql
/usr/lib64/rsyslog/ommysql.so
/usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
#5、修改rsyslog配置
# Open the main rsyslog configuration; the snippets in the following steps
# are added to this file.
vim -- /etc/rsyslog.conf
#6、开启udp协议传输
# Provides UDP syslog reception
# RainerScript form of the legacy "$ModLoad imudp" / "$UDPServerRun 514" pair.
# NOTE(security): syslog over UDP has no sender authentication, integrity or
# confidentiality -- any host that can reach this port can inject or spoof
# log records, and the records travel in plaintext. This listener binds to
# all interfaces (0.0.0.0:514, see step 8). Limit exposure with a host
# firewall or an "address=" parameter on the input, and if the goal is a
# trustworthy remote log store use imtcp with TLS rather than plain UDP.
module(load="imudp")
input(type="imudp" port="514")
#7、重启rsyslog
# Apply the new listener configuration.
systemctl restart rsyslog.service
#8、查看端口
# Confirm rsyslogd is bound to 514/udp (0.0.0.0 means every interface).
netstat -tunlp | grep -- 514
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:514 0.0.0.0:* 3581/rsyslogd
#9、mysql server准备rsyslog用户账号
-- Account used by rsyslog's ommysql output. ALL on Syslog.* is needed once
-- for step 11 (the import creates the database and both tables); the running
-- service only needs to write rows, so after the import consider reducing
-- this to INSERT (plus SELECT for the check in step 15).
-- '123456' is a demo password that is repeated in steps 11 and 13 -- use a
-- strong one and change all three places together.
GRANT ALL PRIVILEGES ON Syslog.* TO 'rsyslog'@'localhost' IDENTIFIED BY '123456';
#10、刷新权限(GRANT语句本身会立即生效,此步可省略;只有直接修改mysql.user等权限表后才需要flush privileges)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
#11、导入模块中的数据,生成数据库和表
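# Import the schema shipped with rsyslog-mysql: it creates the Syslog
# database and the SystemEvents / SystemEventsProperties tables.
# Pass -p with no value so the mysql client prompts for the password on the
# terminal: putting it on the command line (-p123456) exposes it to every
# local user through `ps` and leaves it in the shell history. The SQL file is
# fed on stdin; the password prompt still reads from the tty. For
# non-interactive runs use a [client] section in ~/.my.cnf (mode 0600) instead.
mysql -u rsyslog -p -h localhost < /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql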
#12、查看是否导入成功,用rsyslog用户进入mysql,并查询库
MariaDB [(none)]> use Syslog;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [Syslog]> show tables;
+------------------------+
| Tables_in_Syslog |
+------------------------+
| SystemEvents |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)
# 13、配置rsyslog加载ommysql模块
# Load the MySQL output module installed by rsyslog-mysql (step 4).
module(load="ommysql")
# Rule format: facility.priority  action
# Equivalent to the legacy line "*.*:ommysql:127.0.0.1,Syslog,rsyslog,123456".
# "*.*" stores every message, including auth/authpriv records (the sample row
# in step 15 has Facility 10 = authpriv), so the database holds the same
# sensitive data as /var/log/secure and needs the same access control.
# NOTE(security): the DB password sits here in clear text, and the packaged
# /etc/rsyslog.conf is typically world-readable (0644). Keep this action in
# its own file under /etc/rsyslog.d/ with mode 0600 (rsyslogd runs as root),
# and use a real password -- change steps 9 and 11 to match.
# NOTE(review): step 9 grants 'rsyslog'@'localhost' while this action connects
# to 127.0.0.1 over TCP. That matched in the transcript below, but on a server
# running with skip-name-resolve it may not -- grant 'rsyslog'@'127.0.0.1' too.
*.* action(type="ommysql" server="127.0.0.1" db="Syslog" uid="rsyslog" pwd="123456")
#14、重启数据库和rsyslog服务
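# Validate the edited configuration before restarting, so a typo in the new
# ommysql lines cannot take the logging service down: rsyslogd -N1 parses the
# config and exits non-zero on error, which stops the chain. The mariadb
# restart is kept from the original steps but is not required -- nothing in
# the database server's own configuration changed.
rsyslogd -N1 && systemctl restart mariadb && systemctl restart rsyslog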
#15、验证 ,进入数据库,查询表格
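-- Print the stored rows vertically. `\G` already terminates and sends the
-- statement; a `;` after it makes the client submit an empty second
-- statement and complain that the query was empty, so it is dropped here.
-- On a busy server add "ORDER BY ID DESC LIMIT 5" to avoid dumping the table.
SELECT * FROM SystemEvents\G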
*************************** 8. row ***************************
ID: 8
CustomerID: NULL
ReceivedAt: 2020-08-03 16:57:41
DeviceReportedTime: 2020-08-03 16:57:41
Facility: 10
Priority: 5
FromHost: localhost
Message: Registered Authentication Agent for unix-process:5086:983869 (system bus name :1.173 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8)
#日志信息已经进入数据库。注意:这一行FromHost是localhost、Facility是10(authpriv),说明到此只验证了本机写入,且*.*规则会把认证类日志一并存入数据库,数据库的访问权限需与日志文件同等保护;远程主机的写入可在另一台机器上用logger发送测试消息后再查询确认。