Building a log server with Linux + syslog-ng + php-syslog-ng
Reposted from: http://blog.sina.com.cn/s/blog_4a071ed80100cssu.html
Log server installation guide
I. Goals
1. Server logs are stored centrally on the log server and in a MySQL database;
2. One e-mail per day reporting abnormal log entries;
3. Real-time reporting of abnormal system events;
4. Log queries through a web interface;
II. Installing and configuring the log host
1. Install syslog-ng:
Preparation (operating system: CentOS 4.7)
#cd /usr/local/src
Configure /etc/yum.repos.d/CentOS-Base.repo
and add:
[dag]
name=Dag RPM Repostory for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1
gpgkey=http://apt.sw.be/packages/RPM-GPG-KEY.dag.txt
Start installing syslog-ng:
#rpm -ivh libdb*
#rpm -ivh libevtlog0-0.2.8-1.i386.rpm
#rpm -ivh syslog-ng-2.1.3-1.i386.rpm
#rpm -ivh msttcorefonts-2.0-1.noarch.rpm
# mkdir -p /usr/share/fonts/truetype/msttcorefonts/
# cp /usr/X11R6/lib/X11/fonts/truetype/verdana* /usr/share/fonts/truetype/msttcorefonts/.
Configure syslog-ng:
# vi /etc/syslog-ng/syslog-ng.conf
options {
long_hostnames(off);
log_msg_size(8192);
sync(1);
log_fifo_size(20480);
time_reopen(10);
use_dns(yes);
dns_cache(yes);
use_fqdn(yes);
keep_hostname(yes);
chain_hostnames(no);
perm(0644);
stats(43200);
};
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };
source s_local {
unix-dgram("/dev/log");
file("/proc/kmsg" log_prefix("kernel:"));
};
filter f_messages { level(info..emerg); };
filter f_secure { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_emerg { level(emerg); };
filter f_spooler { level(crit..emerg) and facility(uucp, news); };
filter f_local7 { facility(local7); };
destination d_messages { file("/var/log/messages"); };
destination d_secure { file("/var/log/secure"); };
destination d_maillog { file("/var/log/maillog"); };
destination d_cron { file("/var/log/cron"); };
destination d_console { usertty("root"); };
destination d_spooler { file("/var/log/spooler"); };
destination d_bootlog { file("/var/log/boot.log"); };
log { source(s_local); filter(f_emerg); destination(d_console); };
log { source(s_local); filter(f_secure); destination(d_secure); flags(final); };
log { source(s_local); filter(f_mail); destination(d_maillog); flags(final); };
log { source(s_local); filter(f_cron); destination(d_cron); flags(final); };
log { source(s_local); filter(f_spooler); destination(d_spooler); };
log { source(s_local); filter(f_local7); destination(d_bootlog); };
log { source(s_local); filter(f_messages); destination(d_messages); };
# Remote logging
source s_remote {
tcp(ip(0.0.0.0) port(514));
udp(ip(0.0.0.0) port(514));
};
destination r_console {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_secure {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_cron {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_spooler {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_bootlog {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_messages {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
log { source(s_remote); filter(f_emerg); destination(r_console); };
log { source(s_remote); filter(f_secure); destination(r_secure); flags(final); };
log { source(s_remote); filter(f_cron); destination(r_cron); flags(final); };
log { source(s_remote); filter(f_spooler); destination(r_spooler); };
log { source(s_remote); filter(f_local7); destination(r_bootlog); };
log { source(s_remote); filter(f_messages); destination(r_messages); };
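The local log {} statements above are order-sensitive: a message is tested against each statement in turn, and flags(final) stops the walk, which is why authpriv messages land in secure but never in messages. The following shell script is an added example, not part of the original post: it models that routing for the s_local rules (the s_remote rules follow the same pattern minus mail), assuming the standard syslog severity numbering emerg=0 .. debug=7 that level(a..b) uses.

```shell
#!/bin/sh
# Added example, not part of the original post: a model of how the s_local log {}
# statements above route a single message by facility and severity. It follows the
# filter definitions, the order of the log statements and flags(final), so you can
# check where a message ends up without feeding it through syslog-ng. Assumes the
# standard syslog severity numbering (emerg=0 ... debug=7) that level(a..b) uses.

# Numeric rank of a severity name; lower is more urgent.
severity_rank() {
    case $1 in
        emerg) echo 0;;   alert) echo 1;;  crit) echo 2;; err) echo 3;;
        warning) echo 4;; notice) echo 5;; info) echo 6;; debug) echo 7;;
        *) echo 99;;
    esac
}

# True when severity $1 falls inside level($2..emerg), e.g. at_least warning info.
at_least() { [ "$(severity_rank "$1")" -le "$(severity_rank "$2")" ]; }

# Append a destination name to the space-separated result in $out.
add() { out="${out:+$out }$1"; }

# route FACILITY SEVERITY: prints the destinations that receive the message, in
# log-statement order; a statement carrying flags(final) stops further matching.
route() {
    fac=$1; sev=$2; out=""
    at_least "$sev" emerg && add d_console                   # f_emerg: level(emerg)
    case $fac in
        authpriv) add d_secure;  echo "$out"; return;;       # f_secure, flags(final)
        mail)     add d_maillog; echo "$out"; return;;       # f_mail, flags(final)
        cron)     add d_cron;    echo "$out"; return;;       # f_cron, flags(final)
        uucp|news) at_least "$sev" crit && add d_spooler;;   # f_spooler: crit..emerg
        local7)   add d_bootlog;;                            # f_local7
    esac
    at_least "$sev" info && add d_messages                   # f_messages: info..emerg
    echo "$out"
}

# A few constructed lookups: authpriv never reaches /var/log/messages because of
# flags(final), and debug-level messages match no statement at all.
for probe in "authpriv info" "kern emerg" "uucp crit" "mail emerg" "kern debug"; do
    set -- $probe
    printf '%-9s %-7s -> %s\n' "$1" "$2" "$(route "$1" "$2")"
done
```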
Start syslog-ng:
# /etc/rc.d/init.d/syslog-ng restart
Verify: # netstat -an | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:514 0.0.0.0:*
Both listeners accept messages from any host that can reach port 514 and do not authenticate the sender, so restrict access to the client addresses at the firewall.
View the files:
# tail -f /var/log/syslog-ng/<date>/<hostname or IP address>/messages
2. Install MySQL:
#yum install -y mysql-server
#/etc/rc.d/init.d/mysqld start
3. Install php-syslog-ng so that logs are written into the MySQL database:
Download the latest php-syslog-ng
#yum install php-gd php-mysql
#wget http://php-syslog-ng.gdd.net/current.tgz
# tar zxvf php-syslog-ng-2.9.8l.tgz -C /var/www/html/.
# cd /var/www/html/
# mv php-syslog-ng html
# chown -R apache:apache html
# cd scripts
Replace the hard-coded path in the scripts (method: perl -i -pe 's/\/www\/php-syslog-ng/<newpath>/g' *)
# perl -i -pe 's/\/www\/php-syslog-ng/\/var\/www\/html/g' *
Edit syslog-ng.conf and append the following lines at the end (the password given with -p is visible in the process list whenever this mysql command runs, so grant the syslogadmin account no more than INSERT on the logs table):
destination d_mysql {
program("/usr/bin/mysql -usyslogadmin -psyslogadmin syslog"
template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg)
VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
template-escape(yes));
};
log {
source(s_remote);
destination(d_mysql);
};
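The d_mysql template splices $MSG straight into an SQL string literal, so template-escape(yes) is what keeps a quote inside a log line from ending that literal. The shell script below is an added example, not code from the original post or from syslog-ng: it mimics the escaping (assumed to be a backslash before ' " and \) and shows, on a constructed sshd line, what the statement looks like with and without it.

```shell
#!/bin/sh
# Added example, not part of the original post: mimics what template-escape(yes)
# does to $MSG before it is spliced into the INSERT template above, and shows why
# it matters. Assumption: syslog-ng escapes ' " and \ with a backslash, which is
# what MySQL string literals expect. The sshd line below is constructed.

# Escape the three characters template-escape(yes) handles.
sql_escape() {
    printf '%s\n' "$1" | sed 's/[\\'\''"]/\\&/g'
}

# Build the statement the d_mysql template would emit.
# $1 host $2 facility $3 priority $4 level $5 tag $6 datetime $7 program $8 msg
# $9 "escape" applies sql_escape; anything else inserts the message raw.
build_insert() {
    msg=$8
    [ "$9" = escape ] && msg=$(sql_escape "$8")
    printf "INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' );\n" \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$msg"
}

# Count single quotes not preceded by a backslash. An odd number means the message
# closed its own string literal: the query is corrupted, and whatever a remote
# host wrote into the log line is now part of the SQL the server executes.
unescaped_quotes() {
    printf '%s\n' "$1" | sed "s/\\\\'//g" | tr -cd "'" | wc -c | tr -d ' '
}

# Constructed sample message containing an apostrophe and double quotes.
SAMPLE_MSG="Accepted publickey for o'brien from 10.0.0.5 port 51234 ssh2 \"key\""
raw=$(build_insert web01 authpriv info info sshd "2009-03-01 10:00:00" sshd "$SAMPLE_MSG" raw)
safe=$(build_insert web01 authpriv info info sshd "2009-03-01 10:00:00" sshd "$SAMPLE_MSG" escape)
echo "raw:  $raw"
echo "safe: $safe"
echo "unescaped quotes: raw=$(unescaped_quotes "$raw") safe=$(unescaped_quotes "$safe")"
```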
Edit /etc/php.ini:
change display_errors = Off to display_errors = On (this helps while installing; once the web interface works, set it back to Off so that PHP error details are not shown to visitors);
change magic_quotes_gpc = Off to magic_quotes_gpc = On;
change memory_limit = 8M to memory_limit = 256M;
change max_execution_time = 30 to max_execution_time = 90
Then restart httpd:
# /etc/rc.d/init.d/httpd restart
In a browser open http://<log server IP address>/html
Screen 1: click Next to begin the installation;
Screen 3: enter the database root password; everything else can stay at the defaults (you may leave the "install sample data" box unchecked); click Next to continue;
Screen 5: enter the e-mail address and the admin password; everything else can stay at the defaults; click Next to continue;
Screen 6: if you choose to install the data for collecting the Cisco error table, the following install dialog pops up;
Click Install CEMDB to continue... (If clicking Install CEMDB does not work, use Firefox for the installation.)
You will see the following dialog: click "Start Import" to import the CEMDB data into the database.
Restart syslog-ng:
# /etc/rc.d/init.d/syslog-ng restart
Verify: you should now be able to view the logs through a MySQL client.
Configuring scheduled tasks
When php-syslog-ng is used for centralized log management the amount of data can be very large, so scheduled tasks are used to rotate the logs.
Configure the scheduled tasks with crontab -e and add:
@daily php /var/www/html/scripts/logrotate.php >> /var/log/syslog-ng/logrotate.log
@daily find /var/www/html/html/jpcache/ -atime 1 -exec rm -f '{}' ';'
*/10 * * * * php /var/www/html/scripts/reloadcache.php >> /var/log/syslog-ng/reloadcache.log
Then restart cron
# /etc/rc.d/init.d/crond restart
(1) logrotate.php
Rotates the tables in php-syslog-ng; this is unrelated to the system's logrotate. Running the script backs up each day's log table and creates a new log table for reading and writing. Under crontab it runs automatically once a day.
(2) reloadcache.php
This script updates the information in MySQL when a new host begins sending to syslog-ng. Under crontab it runs every 5 minutes.
4. Install logcheck:
Download logcheck from http://sourceforge.net/project/showfiles.php?group_id=100960
Installation:
# mkdir -p /usr/local/logcheck/bin /usr/local/logcheck/etc /usr/local/logcheck/tmp
#tar zvxf logcheck-1.1.2.tar.gz
# cd logcheck-1.1.2
Edit logcheck.sh
and change the following:
1).
SYSADMIN=root
to:
SYSADMIN=root,***@163l.com
2).
$LOGTAIL /var/log/messages > $TMPDIR/check.$$
$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
to:
$LOGTAIL /var/log/syslog-ng/all-messages > $TMPDIR/check.$$
(The syslog-ng.conf shown in section II does not write /var/log/syslog-ng/all-messages; add a file() destination for it, fed by s_remote without a filter, so that logcheck and swatch have something to read.)
3).
LOGTAIL=/usr/local/bin/logtail
TMPDIR=/usr/local/etc/tmp
HACKING_FILE=/usr/local/etc/logcheck.hacking
VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
IGNORE_FILE=/usr/local/etc/logcheck.ignore
to:
LOGTAIL=/usr/local/bin/logtail
TMPDIR=/usr/local/etc/tmp
HACKING_FILE=/usr/local/etc/logcheck.hacking
VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
IGNORE_FILE=/usr/local/etc/logcheck.ignore
Configure cron to run the check periodically and send the mail:
#crontab -e
……
0 0 * * * /usr/local/logcheck/etc/logcheck.sh > /dev/null 2>&1
5. Install swatch:
Install the following Perl modules in this order: Carp-Clan, Bit-Vector, Date-Calc, Time-HiRes, File-Tail, TimeDate, swatch
Configure swatch:
#vi /etc/swatch.conf
watchfor /Failed password/
mail address=root, subject=warning: Failed password
throttle 01:00
watchfor /Invalid user/
mail address=root, subject=warning: Invalid user
throttle 01:00
watchfor /authentication failure/
mail address=root, subject=warning: authentication failure
throttle 01:00
watchfor /iptables:/
mail address=root, subject=warning: iptables operation
throttle 01:00
watchfor /Duplicate address/
mail address=root, subject=warning: Duplicate address
throttle 01:00
watchfor /file system full/
mail address=root, subject=warning: file system full
throttle 01:00
watchfor /(panic|halt)/
mail address=root, subject=warning: panic or halt happened
throttle 01:00
watchfor /Media Error/
mail address=root, subject=warning: disk error happened
throttle 01:00
……
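The watchfor rules above can be exercised without starting swatch. The script below is an added example, not part of the original post: it applies the same patterns, in the same first-match order, to a handful of constructed log lines with grep -E and summarises which alerts would fire.

```shell
#!/bin/sh
# Added example, not part of the original post: applies the watchfor patterns from
# /etc/swatch.conf above to constructed log lines with grep -E, so the rules can be
# checked without running swatch or producing real events. swatch stops at the
# first matching watchfor, so the rules are tested in the order they are listed.

# Print the alert subject of the first matching watchfor rule, or "none".
classify_line() {
    if   printf '%s\n' "$1" | grep -Eq 'Failed password';        then echo 'Failed password'
    elif printf '%s\n' "$1" | grep -Eq 'Invalid user';           then echo 'Invalid user'
    elif printf '%s\n' "$1" | grep -Eq 'authentication failure'; then echo 'authentication failure'
    elif printf '%s\n' "$1" | grep -Eq 'iptables:';              then echo 'iptables operation'
    elif printf '%s\n' "$1" | grep -Eq 'Duplicate address';      then echo 'Duplicate address'
    elif printf '%s\n' "$1" | grep -Eq 'file system full';       then echo 'file system full'
    elif printf '%s\n' "$1" | grep -Eq '(panic|halt)';           then echo 'panic or halt happened'
    elif printf '%s\n' "$1" | grep -Eq 'Media Error';            then echo 'disk error happened'
    else echo none
    fi
}

# Read log lines on stdin and print "<count> <subject>" for every alert that
# fires; lines matching no rule are skipped, as swatch would skip them.
alert_summary() {
    while IFS= read -r line; do
        subject=$(classify_line "$line")
        [ "$subject" != none ] && echo "$subject"
    done | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample of what /var/log/syslog-ng/all-messages might contain.
SAMPLE_LOG='Mar  1 10:00:01 web01 sshd[2201]: Failed password for root from 10.0.0.9 port 40110 ssh2
Mar  1 10:00:03 web01 sshd[2202]: Invalid user admin from 10.0.0.9
Mar  1 10:00:05 db01 kernel: iptables: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP DPT=3306
Mar  1 10:00:07 db01 kernel: sd 0:0:0:0: [sda] Media Error, sector 12345
Mar  1 10:00:09 web01 cron[2210]: (root) CMD (run-parts /etc/cron.hourly)
Mar  1 10:00:11 web01 sshd[2203]: Failed password for invalid user admin from 10.0.0.9 port 40112 ssh2'

printf '%s\n' "$SAMPLE_LOG" | alert_summary
```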
Run swatch:
# /usr/bin/swatch --config-file=/etc/swatch.conf --tail-file=/var/log/syslog-ng/all-messages &
Verify:
# ps -ef | grep swatch | grep -v grep
If it is working you should see 2 processes:
root ...... /usr/bin/perl /usr/bin/swatch --config-file=/etc/swatch.conf --tail-file=/var/log/syslog-ng/all-messages
root ...... /usr/bin/perl /root/.swatch_script.17374   <- (the number you see will be different)
6. Configure startup:
# vi /etc/rc.local
/usr/bin/swatch --config-file=/etc/swatch.conf --tail-file=/var/log/syslog-ng/all-messages &
III. Log client configuration
1. Linux client configuration
Linux systems mainly use one of two syslog daemons, syslog or syslog-ng
(1) syslog
#vi /etc/syslog.conf
*.info @loghost
loghost is the IP address or hostname of the log server; the hostname must resolve to the log server's IP address.
To add the mapping:
#vi /etc/hosts
X.X.X.X loghost
After saving and exiting, restart the syslog service:
#/etc/init.d/syslog restart
(2) syslog-ng
Add two lines to syslog-ng.conf:
destination d_udp { udp("loghost" port(514)); };
log { source(src); destination(d_udp); };
Restart the syslog-ng service
#/etc/init.d/syslog-ng restart
2. Windows server configuration
Because Windows servers cannot send to a syslog server natively, a conversion program has to be installed:
Download address: https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/
Download the 32-bit or 64-bit program according to your system version.
After extraction there are two files, evtsys.dll and evtsys.exe.
Copy both files into c:\windows\system32.
Open a Windows command prompt (Start -> Run, type CMD)
C:\>evtsys -i -h 192.168.10.100   (192.168.10.100 is the log server's IP address)
-i installs it as a system service
-h specifies the log server's IP address
To uninstall evtsys:
net stop evtsys
evtsys -u
Start the service:
C:\>net start evtsys
Configuration complete :)
Appendix: MySQL data backup and restore
1. Common mysqldump examples
Back up an entire database
mysqldump -u root -ppassword databasename >data.sql
Back up one or more tables
mysqldump -u root -ppassword databasename table1name table2name >data.sql
Back up only the schema
mysqldump -u root -ppassword databasename --no-data >data.sql
Restore
mysql -u root -ppassword --database=databasename <data.sql
2. What to do if you forget the MySQL root password
#/etc/init.d/mysql stop
# mysqld_safe --skip-grant-tables &
# mysqladmin -u root password 'newpassword'
# mysqladmin flush-privileges