分类: 系统运维
2011-03-02 09:49:33
利用loganalyzer、rsyslog、mysql建立日志审计系统
1、 概述:
选择rsyslog的N个理由,传说功能强大,有开源web loganalyzer支持,同时可以将收集日志存在mysql中,方面分析、审计,功能可以查看官网。
2、安装
安装rsyslog、mysql、apache等。
(1)、把源代码解压,并进入源代码树中执行:
执行:./configure --enable-mysql –enable-debug(可选)
执行:make和make install,正常安装结束,建议选择稳定版本。
(2)、配置rsyslog.conf
在源代码树下有一个示例文件,把它拷贝到/etc下。
更改配置文件:
# if you experience problems, check
# for assistance
# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.
$ModLoad immark # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # kernel logging (formerly provided by rklogd)
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none -/var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* -/var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit -/var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /rsyslog/spool # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
#$ModLoad imtcp.so # load module
#$InputTCPServerRun 514 # start up TCP listener at port 514
# UDP Syslog Server:
$ModLoad imudp.so # provides UDP syslog reception
$UDPServerRun 514 # start a UDP syslog server at standard port 514
$ModLoad ommysql
*.* :ommysql:localhost,Syslog,username,123456
其中:Syslog为创建的数据库名称,username用户名,123456为密码。
3、 在mysql中创建数据库Syslog(同上)
找到rsyslog-3.20.0\plugins\ommysql下的createDB.sql文件 ,同时记得需要数据库支持中文,需要更改createDB.sql文件。
支持中文方法:mysql安装时候要支持utf-8和gb2312编码。
创建数据库create,导入表要支持utf8格式,主要这三点注意事项。
4、 遇到问题:
1)、如果安装rsyslog有问题,可以换低版本软件包。
2)、rsyslog接收日子,但是没有写进数据库,可以打开—enable-debug模式,查看问题。
3)、如果连接mysql用户名和密码正确时候,出现: 这个要看自己的my.cnf配置文件,看具体mysql.sock在哪里,可以通过ln 连接方式解决此问题。