<p>For an operations engineer, being familiar with the system logs is a basic skill. This article introduces rsyslog, the system logger on CentOS 6, together with the LogAnalyzer tool.</p>
<p>Introduction</p>
<p>System logs record historical events, normally in the order in which they occurred. On Linux, logging is split between syslogd (logs from system processes) and klogd (kernel event logs).</p>
<p>CentOS 5: syslog</p>
<p> Drawbacks: no parallel data storage, low efficiency, and no way to store logs in a dedicated data-management store.</p>
<p>CentOS 6: rsyslog</p>
<p> Advantages:</p>
<p> 1. Multi-threaded</p>
<p> 2. Can ship logs to a remote log server over TCP, TLS or RELP; early syslog only supported a simple plain-text transport for sending logs, which was insecure</p>
<p> 3. Can store logs in MySQL, PostgreSQL, Oracle and other databases</p>
<p> 4. Powerful filters that can match any part of a system message</p>
<p> 5. Fully configurable output formats (custom templates), well suited to enterprise requirements</p>
<p>facility: classifies log messages by function or program; a dedicated component is responsible for recording each class, so rather than a single syslog process receiving everything, an agent receives and records the messages on its behalf.</p>
<p style="text-indent: 2em">auth: authentication</p>
<p style="text-indent: 2em">authpriv</p>
<p style="text-indent: 2em">cron</p>
<p style="text-indent: 2em">daemon: daemons and other processes</p>
<p style="text-indent: 2em">lpr: printing</p>
<p style="text-indent: 2em">mail: mail</p>
<p style="text-indent: 2em">kern: kernel</p>
<p style="text-indent: 2em">mark: firewall marks</p>
<p style="text-indent: 2em">news: newsgroups</p>
<p style="text-indent: 2em">security: security</p>
<p style="text-indent: 2em">syslog: the logger itself</p>
<p style="text-indent: 2em">user: user-level programs</p>
<p style="text-indent: 2em">uucp: unix to unix copy</p>
<p style="text-indent: 2em">local0 through local7: eight user-defined facilities</p>
<p style="text-indent: 2em">Wildcards may be used when specifying a facility:</p>
<p style="text-indent: 2em">*: all facilities</p>
<p style="text-indent: 2em">f1;f2;f3: a list</p>
<p style="text-indent: 2em">!: negation</p>
<p style="text-indent: 0em">Log levels:</p>
<p> debug</p>
<p> notice</p>
<p> warn|warning (this level and everything above it deserves attention)</p>
<p> error</p>
<p> crit (blue alert: if nothing is done, the system is about to go down)</p>
<p> alert (orange alert)</p>
<p> emerg|panic (red alert)</p>
<p> Wildcards that may be used:</p>
<p> *: all levels</p>
<p> none: record nothing</p>
<p>target (where the messages are saved):</p>
<p style="text-indent: 2em">a file, for example /var/log/message</p>
<p style="text-indent: 2em">users: * means every user currently logged in to the system</p>
<p style="text-indent: 2em">a log server: @server_ip</p>
<p style="text-indent: 2em">a pipe: | command</p>
<p>Event format:</p>
<p> time host process the-event-itself</p>
<p>Configuration file: /etc/rsyslog.conf or /etc/rsyslog.d/*</p>
<pre class="brush:html;toolbar:false">Sections of the configuration file:
[root@stu etc]# grep '###' /etc/rsyslog.conf
#### MODULES ####
#### GLOBAL DIRECTIVES ####
#### RULES ####
# ### begin forwarding rule ###
# ### end of the forwarding rule ###</pre>
<p> Format: facility.priority target</p>
<p>For example:</p>
<p style="text-indent: 2em">mail.info /var/log/maillog &#8212; info and above</p>
<p style="text-indent: 2em">mail.=info /var/log/maillog &#8212; exactly this level</p>
<p style="text-indent: 2em">mail.!info &#8212; excluding the specified level</p>
<p style="text-indent: 2em">*.info &#8212; info and above for every facility</p>
<p style="text-indent: 2em">mail.* &#8212; every level of mail</p>
<p style="text-indent: 2em">mail,news.info &#8212; info and above for mail and news</p>
<p style="text-indent: 2em">mail.notice;news.info &#8212; when the levels differ, separate the selectors with ;</p>
<p style="text-indent: 2em">*.info | command</p>
<p style="margin-left: 28px">Logging is normally synchronous: as soon as a message is produced it is written from memory to disk. For asynchronous writes, prefix the target with -</p>
<p>Example 1: a log server</p>
<p>Server side:</p>
<pre class="brush:html;toolbar:false">Uncomment these lines and restart to enable the log-server function:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Restart the log server:
[root@stu etc]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

Check the ports:
[root@stu etc]# netstat -tnulp | grep 514
tcp        0      0 0.0.0.0:514                 0.0.0.0:*                   LISTEN      1398/rsyslogd
tcp        0      0 :::514                      :::*                        LISTEN      1398/rsyslogd
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               1398/rsyslogd
udp        0      0 :::514                      :::*                                    1398/rsyslogd</pre>
<p>Client side:</p>
<pre class="brush:html;toolbar:false;">Edit the configuration file:
#*.info;mail.none;authpriv.none;cron.none                /var/log/messages
*.info;mail.none;authpriv.none;cron.none                 @192.168.0.20

Restart:
[root@stu ~]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

Test by installing zsh:
[root@stu ~]# yum -y install zsh

Check the log on the server:
[root@stu log]# tail -l /var/log/messages
Mar 13 10:00:49 stu ntpd[1211]: 0.0.0.0 c016 06 restart
Mar 13 10:00:49 stu ntpd[1211]: 0.0.0.0 c012 02 freq_set kernel 11.318 PPM
Mar 13 10:00:50 stu ntpd[1211]: 0.0.0.0 c615 05 clock_sync
Mar 13 10:09:58 stu kernel: Kernel logging (proc) stopped.
Mar 13 10:09:58 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1048" x-info="http://www.rsyslog.com"] exiting on signal 15.
Mar 13 10:09:58 stu kernel: imklog 5.8.10, log source = /proc/kmsg started.
Mar 13 10:09:58 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1398" x-info="http://www.rsyslog.com"] start
Mar 13 10:12:11 stu kernel: imklog 5.8.10, log source = /proc/kmsg started.
Mar 13 10:12:11 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1336" x-info="http://www.rsyslog.com"] start
Mar 13 10:13:45 stu yum[1344]: Installed: zsh-4.3.11-4.el6.centos.x86_64</pre>
<p>Example 2: storing logs in MySQL</p>
<p>This requires an output module, which connects to the database through a driver.</p>
<pre class="brush:html;toolbar:false">Install mysql-server and rsyslog-mysql:
[root@stu log]# yum -y install mysql-server rsyslog-mysql

List the files the package installs:
[root@stu log]# rpm -ql rsyslog-mysql
/lib64/rsyslog/ommysql.so                               # the output module
/usr/share/doc/rsyslog-mysql-5.8.10
/usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql        # the schema template

Start MySQL:
[root@stu ~]# service mysqld start

Edit /etc/rsyslog.conf
In the MODULES section add:
#log event to mysql
$ModLoad ommysql
In the RULES section add:
*.info          :ommysql:127.0.0.1,Syslog,rsysloguser,rsyslogpass

Import the file (this creates the database):
[root@stu ~]# mysql < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql

Enter the database:
[root@stu ~]# mysql

List the databases:
mysql> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Syslog             |
| mysql              |
| test               |
+--------------------+
4 rows in set (0.05 sec)

Use Syslog:
mysql> USE Syslog;

List the tables:
mysql> SHOW TABLES;
+------------------------+
| Tables_in_Syslog       |
+------------------------+
| SystemEvents           |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.01 sec)

Create the user and password:
mysql> GRANT ALL ON Syslog.* TO rsysloguser@127.0.0.1 IDENTIFIED BY 'rsyslogpass';
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT ALL ON Syslog.* TO rsysloguser@localhost IDENTIFIED BY 'rsyslogpass';
Query OK, 0 rows affected (0.00 sec)

Reload the privileges:
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

Restart rsyslog:
[root@stu ~]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]</pre>
<p>Install tree on the client:</p>
<pre class="brush:html;toolbar:false">[root@stu log]# yum -y install tree</pre>
<p>Check the client log:</p>
<pre class="brush:html;toolbar:false">[root@stu log]# tail -l /var/log/messages</pre>
<p>Check the server log:</p>
<pre class="brush:html;toolbar:false">[root@stu ~]# tail -l /var/log/messages
Mar 13 10:24:15 stu kernel: Kernel logging (proc) stopped.
Mar 13 10:24:15 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1398" x-info="http://www.rsyslog.com"] exiting on signal 15.
Mar 13 10:24:16 stu kernel: imklog 5.8.10, log source = /proc/kmsg started.
Mar 13 10:24:16 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1600" x-info="http://www.rsyslog.com"] start
Mar 13 10:25:54 stu yum[1621]: Updated: mysql-libs-5.1.73-5.el6_6.x86_64
Mar 13 10:25:54 stu yum[1621]: Installed: mysql-5.1.73-5.el6_6.x86_64
Mar 13 10:31:35 stu ntpd[1177]: 0.0.0.0 0617 07 panic_stop +3285 s; set clock manually within 1000 s.
Mar 13 10:32:18 stu ntpd[1211]: 0.0.0.0 0617 07 panic_stop +3285 s; set clock manually within 1000 s.
Mar 13 10:34:31 stu kernel: Kernel logging (proc) stopped.
Mar 13 10:34:31 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1600" x-info="http://www.rsyslog.com"] exiting on signal 15.</pre>
<p>Check MySQL on the server:</p>
<pre class="brush:html;toolbar:false">mysql> USE Syslog;
mysql> SELECT * FROM SystemEvents;
+----+------------+---------------------+---------------------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+------------+--------------+-----------------+----------+
| ID | CustomerID | ReceivedAt          | DeviceReportedTime  | Facility | Priority | FromHost | Message                                                                                                             | NTSeverity | Importance | EventSource | EventUser | EventCategory | EventID | EventBinaryData | MaxAvailable | CurrUsage | MinUsage | MaxUsage | InfoUnitID | SysLogTag  | EventLogType | GenericFileName | SystemID |
+----+------------+---------------------+---------------------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+------------+--------------+-----------------+----------+
|  1 |       NULL | 2016-03-13 11:46:42 | 2016-03-13 11:46:42 |        0 |        6 | stu      | Kernel logging (proc) stopped.                                                                                      |       NULL |       NULL | NULL        | NULL      |          NULL |    NULL | NULL            |         NULL |      NULL |     NULL |     NULL |          1 | kernel:    |         NULL | NULL            |     NULL |
|  2 |       NULL | 2016-03-13 11:46:42 | 2016-03-13 11:46:42 |        5 |        6 | stu      | [origin software="rsyslogd" swVersion="5.8.10" x-pid="1673" x-info="http://www.rsyslog.com"] exiting on signal 15.  |       NULL |       NULL | NULL        | NULL      |          NULL |    NULL | NULL            |         NULL |      NULL |     NULL |     NULL |          1 | rsyslogd:  |         NULL | NULL            |     NULL |
|  3 |       NULL | 2016-03-13 11:46:43 | 2016-03-13 11:46:43 |        0 |        6 | stu      | imklog 5.8.10, log source = /proc/kmsg started.                                                                     |       NULL |       NULL | NULL        | NULL      |          NULL |    NULL | NULL            |         NULL |      NULL |     NULL |     NULL |          1 | kernel:    |         NULL | NULL            |     NULL |
|  4 |       NULL | 2016-03-13 11:46:43 | 2016-03-13 11:46:43 |        5 |        6 | stu      | [origin software="rsyslogd" swVersion="5.8.10" x-pid="2794" x-info="http://www.rsyslog.com"] start                  |       NULL |       NULL | NULL        | NULL      |          NULL |    NULL | NULL            |         NULL |      NULL |     NULL |     NULL |          1 | rsyslogd:  |         NULL | NULL            |     NULL |
|  5 |       NULL | 2016-03-13 11:47:02 | 2016-03-13 11:47:02 |        5 |        6 | stu      | [origin software="rsyslogd" swVersion="5.8.10" x-pid="1336" x-info="http://www.rsyslog.com"] rsyslogd was HUPed     |       NULL |       NULL | NULL        | NULL      |          NULL |    NULL | NULL            |         NULL |      NULL |     NULL |     NULL |          1 | rsyslogd:  |         NULL | NULL            |     NULL |
|  6 |       NULL | 2016-03-13 11:48:40 | 2016-03-13 11:48:40 |        1 |        6 | stu      | Installed: tree-1.5.3-3.el6.x86_64                                                                                  |       NULL |       NULL | NULL        | NULL      |          NULL |    NULL | NULL            |         NULL |      NULL |     NULL |     NULL |          1 | yum[1620]: |         NULL | NULL            |     NULL |
+----+------------+---------------------+---------------------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+------------+--------------+-----------------+----------+
6 rows in set (0.00 sec)</pre>
<p>Example 3: displaying the logs with LogAnalyzer</p>
<p>This software depends on a LAMP stack.</p>
<p>Install LAMP:</p>
<pre class="brush:html;toolbar:false">[root@stu ~]# yum -y install httpd php php-mysql php-gd mysql-server</pre>
<p>Start httpd:</p>
<pre class="brush:html;toolbar:false">[root@stu ~]# service httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.0.20 for ServerName
                                                           [  OK  ]</pre>
<p>Write a test page:</p>
<pre class="brush:html;toolbar:false">vim /var/www/index.php
<?php
    phpinfo();
?></pre>
<p>Open it in a browser:</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703163830-84.png" title="1457848662322551.png" alt="blob.png" /></p>
<p>Delete the test page.</p>
<p>Extract LogAnalyzer:</p>
<pre class="brush:html;toolbar:false">[root@stu ~]# tar xf loganalyzer-3.6.5.tar.gz</pre>
<p>Create the log directory:</p>
<pre class="brush:html;toolbar:false">[root@stu ~]# mkdir /var/www/html/log</pre>
<p>Copy the files:</p>
<pre class="brush:html;toolbar:false">[root@stu log]# cp /root/loganalyzer-3.6.5/src/* .
[root@stu log]# cp /root/loganalyzer-3.6.5/contrib/* .
[root@stu log]# chmod +x ./configure.sh
[root@stu log]# chmod +x ./secure.sh
[root@stu log]# ./configure.sh
[root@stu log]# ./secure.sh
[root@stu log]# chmod 666 config.php
[root@stu log]# chown -R apache.apache ./*</pre>
<p>Open it in a browser:</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703163831-7.png" title="1457849827872628.png" alt="blob.png" /></p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703163831-66.png" title="1457849860710884.png" alt="blob.png" /></p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703163831-83.png" title="1457849890267243.png" alt="blob.png" /></p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703163832-52.png" title="1457849914627163.png" alt="blob.png" /></p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703163832-99.png" title="1457850294808544.png" alt="blob.png" /></p>
<p>The red boxes are the database name, table name, user name and password entered earlier.</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703163833-100.png" title="1457850346703839.png" alt="blob.png" /></p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703163833-92.png" title="1457850367502161.png" alt="blob.png" /></p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703163833-34.png" title="1457850499310784.png" alt="blob.png" /></p>
Last modified: 10 December 2021, 10:53 AM
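The selector syntax explained above (facility.priority with =, !, none, *, ',' and ';') decides which rule line an event reaches, and the client rule in Example 1 relies on it to drop mail, authpriv and cron before forwarding. The following Python is an added example, not code from the original post: it implements rsyslog's legacy selector matching and routes events against the post's client rule (the other two rule lines in RULES are constructed).

```python
"""Evaluate rsyslog's classic 'facility.priority' selectors against events.
Added example, not code from the post; it follows rsyslog's legacy selector rules."""
# Severities in RFC 5424 order: index 0 is the most severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]

def _parse_priority(spec):
    """Return (negate, levels); levels is None for the keyword 'none'."""
    negate = spec.startswith("!")            # '!' removes levels instead of adding them
    spec = spec[1:] if negate else spec
    if spec == "none":
        return negate, None
    if spec == "*":
        return negate, set(SEVERITIES)
    exact = spec.startswith("=")             # '=info' means exactly info
    name = spec.lstrip("=")
    idx = SEVERITIES.index(ALIASES.get(name, name))  # ValueError on an unknown level
    return negate, ({SEVERITIES[idx]} if exact else set(SEVERITIES[: idx + 1]))

def compile_selector(selector):
    """Map each facility to the severities the selector accepts. Parts chained
    with ';' apply left to right, so 'mail.none' after '*.info' switches mail off."""
    allowed = {fac: set() for fac in FACILITIES}
    for part in selector.split(";"):
        fac_part, pri_part = part.strip().rsplit(".", 1)
        facs = FACILITIES if fac_part == "*" else [f.strip() for f in fac_part.split(",")]
        negate, levels = _parse_priority(pri_part.strip())
        for fac in facs:
            if levels is None:                       # 'none' resets the facility
                allowed[fac] = set(SEVERITIES) if negate else set()
            elif negate:
                allowed[fac] -= levels
            else:
                allowed[fac] |= levels
    return allowed

def matches(selector, facility, severity):
    """True if an event of facility.severity is handled by this selector."""
    return ALIASES.get(severity, severity) in compile_selector(selector)[facility]

def route(rules, facility, severity):
    """Targets of every rule line accepting the event ('-' prefix = async file write)."""
    return [target for sel, target in rules if matches(sel, facility, severity)]

# The client rule from the post plus two constructed local rules.
RULES = [("*.info;mail.none;authpriv.none;cron.none", "@192.168.0.20"),
         ("mail.*", "-/var/log/maillog"), ("authpriv.*", "/var/log/secure")]
```

With these rules the yum entry (user.info) is forwarded to 192.168.0.20 while a mail.info event only reaches /var/log/maillog, which is exactly what the server's tail output in Example 1 shows.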
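The SystemEvents rows in Example 2 store Facility and Priority as numbers (0, 5 and 1 with priority 6, i.e. kern.info, syslog.info and user.info, which is why the *.info rule captured them), while /var/log/messages keeps the text form "time host process event". The Python below is an added example, not code from the post: it parses that text form into the fields ommysql stores, decodes the numeric codes, and reports the windows in which rsyslogd itself was stopped (SAMPLE is constructed from the post's tail output; the year is assumed because syslog timestamps carry none).

```python
"""Parse the 'time host process event' lines shown in the post and decode the
numeric Facility/Priority columns that ommysql stores in SystemEvents.
Added example, not code from the post; SAMPLE is constructed from its tail output."""
import re
from datetime import datetime

# Numeric facility codes (RFC 5424); 16..23 are local0..local7.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: "local%d" % i for i in range(8)})
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "Mar 13 10:13:45 stu yum[1344]: Installed: ..." -> timestamp, host, tag[pid]:, message
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SAMPLE = """\
Mar 13 10:09:58 stu kernel: Kernel logging (proc) stopped.
Mar 13 10:09:58 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1048" x-info="http://www.rsyslog.com"] exiting on signal 15.
Mar 13 10:12:11 stu kernel: imklog 5.8.10, log source = /proc/kmsg started.
Mar 13 10:12:11 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1336" x-info="http://www.rsyslog.com"] start
Mar 13 10:13:45 stu yum[1344]: Installed: zsh-4.3.11-4.el6.centos.x86_64
"""

def parse_line(line, year=2016):
    """Split one line into the fields ommysql stores as FromHost, SysLogTag and Message."""
    m = LINE_RE.match(line)
    if not m:
        return None                                   # not in the traditional format
    when = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")  # no year in syslog
    tag = m["tag"] + ("[%s]" % m["pid"] if m["pid"] else "") + ":"           # SysLogTag form
    return {"time": when, "host": m["host"], "tag": tag, "msg": m["msg"]}

def selector_name(facility_code, priority_code):
    """SystemEvents.Facility/Priority (e.g. 1, 6) back to the selector form 'user.info'."""
    return "%s.%s" % (FACILITY_NAMES[facility_code], SEVERITY_NAMES[priority_code])

def logging_gaps(text, year=2016):
    """Windows where rsyslogd was down: 'exiting on signal 15' until the next 'start'."""
    gaps, stopped = [], None
    for line in text.splitlines():
        ev = parse_line(line, year)
        if ev is None or not ev["tag"].startswith("rsyslogd"):
            continue
        if ev["msg"].endswith("exiting on signal 15."):
            stopped = ev["time"]
        elif ev["msg"].endswith("] start") and stopped is not None:
            gaps.append((stopped, ev["time"], int((ev["time"] - stopped).total_seconds())))
            stopped = None
    return gaps
```

Anything a client emitted inside a reported gap was never written to the server, so on a central log host these windows are worth alerting on rather than just reading past.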