I. Introduction to LogAnalyzer
LogAnalyzer provides an easy-to-use, powerful front end for searching, viewing and analysing network activity data, including system logs, event logs and many other log sources. It only presents the data to the user; the data itself has to be collected by another program, such as syslogd, rsyslog (now the default syslogd on most distributions), WinSyslog or the MonitorWare agent. LogAnalyzer runs on both Linux and Windows. It is free software written mainly in PHP and released as open source under the GPL. Data can be read from a database or from plain text files.
Topology diagram for this case:
II. Deploying the LAMP environment on the rsyslog server
1. Install httpd
[root@rsyslog ~]# yum install httpd -y
[root@rsyslog ~]# systemctl start httpd
[root@rsyslog ~]# systemctl enable httpd
2. Install MySQL
[root@rsyslog ~]# yum install mysql mysql-server -y
[root@rsyslog ~]# systemctl start mariadb
[root@rsyslog ~]# systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[root@rsyslog ~]# mysqladmin -u root password 'rsyslog.ppp'
Test that you can log in; once that works, install PHP.
3. Install PHP
[root@rsyslog ~]# yum install php php-mysql php-gd -y
[root@rsyslog ~]# cat /var/www/html/test.php
<?php
phpinfo();
?>
Open a browser on a client machine and test access at http://192.168.30.67/test.php
4. Install rsyslog and enable it at boot
[root@rsyslog ~]# wget -O /etc/yum.repos.d/rsyslog.repo http://rpms.adiscon.com/v8-stable/rsyslog.repo
[root@rsyslog ~]# yum install rsyslog-* --skip-broken -y
[root@rsyslog ~]# systemctl enable rsyslog
5. The rsyslog database-creation script is located at /usr/share/doc/rsyslog-mysql-8.18.0/createDB.sql. Now log in to the database, create the rsyslogdb database and import that script:
[root@rsyslog ~]# more /usr/share/doc/rsyslog-mysql-8.18.0/createDB.sql
CREATE DATABASE rsyslogdb;
USE rsyslogdb;
[root@rsyslog ~]# mysql -uroot -p < /usr/share/doc/rsyslog-mysql-8.18.0/createDB.sql
Enter password:
Log in to check that the database was created:
[root@rsyslog ~]# mysql -uroot -p rsyslogdb
Enter password:
....
MariaDB [rsyslogdb]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| rsyslogdb          |
+--------------------+
4 rows in set (0.00 sec)
Create the user and grant it privileges:
MariaDB [rsyslogdb]> GRANT ALL ON rsyslogdb.* TO rsyslogdbadmin@localhost IDENTIFIED BY 'rsyslog.ppp';
Query OK, 0 rows affected (0.00 sec)
MariaDB [rsyslogdb]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [rsyslogdb]> exit
Finally, test logging in as that user:
[root@rsyslog ~]# mysql -ursyslogdbadmin -p rsyslogdb
6. Edit rsyslog.conf; after editing, it reads as follows:
[root@rsyslog ~]# egrep -v '^$|^#' /etc/rsyslog.conf
$ModLoad ommysql
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad immark # provides --MARK-- message capability
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /data/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
*.* :ommysql:127.0.0.1,rsyslogdb,rsyslogdbadmin,rsyslog.ppp
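To see how the rule lines above interact, here is an added example (not from the original post) that simulates this rsyslog.conf's selectors and the Remote template on constructed messages and returns every destination each message would be written to. The sender IPs and the date are constructed sample values, and the ommysql target is shown without its credentials.

```python
from datetime import date
# Facility and severity tables of the syslog PRI encoding (PRI = facility*8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# The rule lines of the rsyslog.conf above, in file order (ommysql credentials omitted).
RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/data/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", ":omusrmsg:*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
    ("*.*", ":ommysql:127.0.0.1,rsyslogdb"),
]

def decode_pri(pri):  # (facility, severity) names of a message's <PRI> value
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def selector_matches(selector, facility, severity):
    """Evaluate a traditional 'facility.level' selector list: 'level' means that severity
    or worse, 'none' drops the named facilities, later parts override earlier ones.
    The '=' and '!' level modifiers are not used in this config and are not handled."""
    result = False
    for part in selector.split(";"):
        facs, level = part.split(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if level == "none":
            result = False
        elif level == "*":
            result = True
        else:
            result = SEVERITIES.index(severity) <= SEVERITIES.index(level)
    return result

def remote_path(fromhost_ip, when):  # the 'Remote' template: /data/log/<ip>/<ip>_YYYY-MM-DD.log
    return f"/data/log/{fromhost_ip}/{fromhost_ip}_{when:%Y-%m-%d}.log"

def route(pri, fromhost_ip, when=date(2016, 5, 20)):  # the date is a constructed sample
    """Return every destination a message with this PRI and sender is written to."""
    facility, severity = decode_pri(pri)
    targets = []
    if fromhost_ip != "127.0.0.1":  # :fromhost-ip, !isequal, "127.0.0.1" ?Remote
        targets.append(remote_path(fromhost_ip, when))
    # No '& stop' follows ?Remote, so the ordinary rule lines still run for remote hosts.
    targets += [target for sel, target in RULES if selector_matches(sel, facility, severity)]
    return targets
```

Because nothing stops processing after ?Remote, a message from a remote host ends up in its per-host file, in /data/log/messages (unless a .none part excludes it) and in MySQL. The last rule line also carries the database password in clear text, so /etc/rsyslog.conf should stay readable by root only.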