Being familiar with system logs is a basic skill for an operations engineer. This post introduces the CentOS 6 system logger, rsyslog, and the LogAnalyzer tool.
Introduction
System log: a record of historical events, normally written in the order in which they occurred. On Linux, logging is split between syslogd (logs from system processes) and klogd (kernel event logs).
CentOS 5: syslog
Drawbacks: no parallel data storage, low efficiency, and no way to store logs in a dedicated data store such as a database.
CentOS 6: rsyslog
Advantages:
1. Multi-threaded.
2. Can forward to a remote log server over TCP, TLS or RELP. The old syslog only supported a simple plain-text transport for sending logs, which is insecure.
3. Can write logs to MySQL, PostgreSQL, Oracle and other databases.
4. Powerful filters that can match any part of a system message.
5. Fully configurable output formats (custom templates), which suits enterprise requirements.
facility: a way of classifying logs by function or program. Each facility's logs are handled by a dedicated recorder: instead of the syslog process receiving everything itself, an agent receives and records the messages on its behalf.
auth: authentication related
authpriv
cron
daemon: process related
lpr: printer related
mail: mail related
kern: kernel related
mark: firewall marking related
news: newsgroups
security: security
syslog: the system logger itself
user: user related
uucp: unix to unix copy
local0 through local7: eight user-defined facilities
Wildcards that can be used when specifying facilities:
*: all facilities
f1;f2;f3: a list
!: negation
Log levels:
debug
notice
warn|warning (this level and everything above it deserves attention)
error
crit (blue alert: if it is not handled, the system will go down)
alert (orange alert)
emerg|panic (red alert)
Wildcards that can be used:
*: all levels
none: do not log
target (where the log is saved):
File: for example /var/log/messages
Users: * means every user currently logged in to the system
Log server: @server_ip
Pipe: | command
Event format:
time host process event
Configuration file: /etc/rsyslog.conf or /etc/rsyslog.d/*
Sections of the configuration file:
[root@stu etc]# grep '###' /etc/rsyslog.conf
#### MODULES ####
#### GLOBAL DIRECTIVES ####
#### RULES ####
# ### begin forwarding rule ###
# ### end of the forwarding rule ###
Rule format: facility.priority target
Examples:
mail.info /var/log/maillog        info and above
mail.=info /var/log/maillog       exactly the given level
mail.!info                        everything except the given level
*.info                            info and above from every facility
mail.*                            every level of mail
mail,news.info                    info and above from mail and news
mail.notice;news.info             when the levels differ, separate the selectors with ;
*.info | command
Logging is normally synchronous: as soon as a message is produced it is written from memory to disk. To write asynchronously, put a - in front of the target.
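As an added example (not part of the original post), here is a small Python matcher for the selector syntax listed above. It assumes the standard facility names and applies the sysklogd-compatible semantics that rsyslog also uses: `!prio` removes that priority and every more severe one (`!=prio` removes exactly one), and selectors separated by `;` are applied left to right, which is why a later `mail.none` overrides an earlier `*.info`.

```python
import re

# Added example (not from the original post). Standard facility names are assumed.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]
# Numeric severities: a lower number is more severe (emerg=0 ... debug=7).
PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
              "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}
ALL_LEVELS = set(range(8))


def parse_selector(rule):
    """Return {facility: set of numeric priorities} for the selector part of one rule."""
    allowed = {f: set() for f in FACILITIES}
    for sel in rule.split(";"):
        sel = sel.strip()
        if not sel:
            continue
        fac_part, _, prio_part = sel.rpartition(".")
        facs = FACILITIES if fac_part == "*" else [f.strip() for f in fac_part.split(",")]
        m = re.fullmatch(r"(!?)(=?)(\w+|\*)", prio_part)
        if not m:
            raise ValueError("bad priority spec: %s" % sel)
        negate, exact, prio = m.group(1) == "!", m.group(2) == "=", m.group(3)
        if prio == "none":
            levels = set()
        elif prio == "*":
            levels = ALL_LEVELS
        elif exact:
            levels = {PRIORITIES[prio]}                 # =prio: exactly this level
        else:
            levels = set(range(PRIORITIES[prio] + 1))   # prio: this level and more severe
        for f in facs:
            if f not in allowed:
                raise ValueError("unknown facility: %s" % f)
            if prio == "none":
                allowed[f] = ALL_LEVELS.copy() if negate else set()  # none clears, !none allows all
            elif negate:
                allowed[f] -= levels                    # !prio / !=prio remove levels
            else:
                allowed[f] |= levels                    # later selectors add to earlier ones
    return allowed


def matches(rule, facility, priority):
    """True if a message with this facility/priority is selected by the rule."""
    return PRIORITIES[priority] in parse_selector(rule)[facility]
```

With the default CentOS rule `*.info;mail.none;authpriv.none;cron.none`, a kern info message matches while a mail crit message does not, because the later `mail.none` cleared what `*.info` had selected.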
Example 1: a log server
Server side:
Uncomment the following lines and restart rsyslog to enable log-server mode:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Both listeners accept unauthenticated plain text, so this setup belongs on a trusted network; the TLS/RELP support mentioned above is what to use across an untrusted one.
Restart the log server:
[root@stu etc]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Check the listening ports:
[root@stu etc]# netstat -tnulp | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 1398/rsyslogd
tcp 0 0 :::514 :::* LISTEN 1398/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 1398/rsyslogd
udp 0 0 :::514 :::* 1398/rsyslogd
Client side:
Edit the configuration file, replacing the local messages rule with a forwarding rule (a single @ forwards over UDP; rsyslog uses @@ for TCP):
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none @192.168.0.20
Restart:
[root@stu ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Test by installing zsh:
[root@stu ~]# yum -y install zsh
Check the log on the server:
[root@stu log]# tail -l /var/log/messages
Mar 13 10:00:49 stu ntpd[1211]: 0.0.0.0 c016 06 restart
Mar 13 10:00:49 stu ntpd[1211]: 0.0.0.0 c012 02 freq_set kernel 11.318 PPM
Mar 13 10:00:50 stu ntpd[1211]: 0.0.0.0 c615 05 clock_sync
Mar 13 10:09:58 stu kernel: Kernel logging (proc) stopped.
Mar 13 10:09:58 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1048" x-info="http://www.rsyslog.com"] exiting on signal 15.
Mar 13 10:09:58 stu kernel: imklog 5.8.10, log source = /proc/kmsg started.
Mar 13 10:09:58 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1398" x-info="http://www.rsyslog.com"] start
Mar 13 10:12:11 stu kernel: imklog 5.8.10, log source = /proc/kmsg started.
Mar 13 10:12:11 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1336" x-info="http://www.rsyslog.com"] start
Mar 13 10:13:45 stu yum[1344]: Installed: zsh-4.3.11-4.el6.centos.x86_64
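As an added example (not part of the original post), the following Python parses the "time host process event" lines that rsyslog writes to /var/log/messages, as seen in the output above, and pairs each rsyslogd "exiting on signal 15" with the following "start" so that logger restarts, which are gaps in coverage, can be spotted. The sample lines are constructed to resemble the ones shown above.

```python
import re
from collections import Counter

# Added example (not from the original post): parse "time host process event" lines
# from /var/log/messages and flag rsyslogd restarts.
# Matches "Mar 13 10:13:45 stu yum[1344]: Installed: ..." (the [pid] part is optional).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

# Constructed sample modelled on the output shown above (not real captured data).
SAMPLE = """\
Mar 13 10:09:58 stu kernel: Kernel logging (proc) stopped.
Mar 13 10:09:58 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1048" x-info="http://www.rsyslog.com"] exiting on signal 15.
Mar 13 10:09:58 stu kernel: imklog 5.8.10, log source = /proc/kmsg started.
Mar 13 10:09:58 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1398" x-info="http://www.rsyslog.com"] start
Mar 13 10:13:45 stu yum[1344]: Installed: zsh-4.3.11-4.el6.centos.x86_64
this line is not syslog
"""

def parse_line(line):
    """Return dict(ts, host, tag, pid, msg), or None when the line does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"]) if ev["pid"] else None
    return ev

def parse_log(text):
    """Parse every line; lines that do not fit are returned separately, never dropped silently."""
    events, rejected = [], []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            events.append(ev)
        else:
            rejected.append(line)
    return events, rejected

def summarize(events):
    """Count events per process tag and pair each rsyslogd 'exiting on signal 15'
    with the next 'start' on the same host, i.e. one logger restart."""
    per_tag = Counter(ev["tag"] for ev in events)
    restarts, pending = [], {}
    for ev in events:
        if ev["tag"] != "rsyslogd":
            continue
        if ev["msg"].endswith("exiting on signal 15."):
            pending[ev["host"]] = ev["ts"]
        elif ev["msg"].endswith("] start") and ev["host"] in pending:
            restarts.append((ev["host"], pending.pop(ev["host"]), ev["ts"]))
    return per_tag, restarts
```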
Example 2: storing logs in MySQL
This is done with an output module that connects to the database through a driver.
Install mysql-server and rsyslog-mysql:
[root@stu log]# yum -y install mysql-server rsyslog-mysql
List the files the package provides:
[root@stu log]# rpm -ql rsyslog-mysql
/lib64/rsyslog/ommysql.so    # the output module
/usr/share/doc/rsyslog-mysql-5.8.10
/usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql    # schema template
Start MySQL:
[root@stu ~]# service mysqld start
Edit /etc/rsyslog.conf. In the MODULES section add:
#log event to mysql
$ModLoad ommysql
In the RULES section add:
*.info :ommysql:127.0.0.1,Syslog,rsysloguser,rsyslogpass
The database password is stored in clear text in /etc/rsyslog.conf, so keep that file readable by root only.
Import the schema file (this creates the database):
[root@stu ~]# mysql < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
Log in to the database:
[root@stu ~]# mysql
List the databases:
mysql> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| Syslog |
| mysql |
| test |
+--------------------+
4 rows in set (0.05 sec)
Switch to Syslog:
mysql> USE Syslog;
List the tables:
mysql> SHOW TABLES;
+------------------------+
| Tables_in_Syslog |
+------------------------+
| SystemEvents |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.01 sec)
Create the user and password:
mysql> GRANT ALL ON Syslog.* TO rsysloguser@127.0.0.1 IDENTIFIED BY 'rsyslogpass';
Query OK, 0 rows affected (0.01 sec)
mysql> GRANT ALL ON Syslog.* TO rsysloguser@localhost IDENTIFIED BY 'rsyslogpass';
Query OK, 0 rows affected (0.00 sec)
Reload the privileges:
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
Restart rsyslog:
[root@stu ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Install tree on the client:
[root@stu log]# yum -y install tree
Check the client log:
[root@stu log]# tail -l /var/log/messages
Check the server log:
[root@stu ~]# tail -l /var/log/messages
Mar 13 10:24:15 stu kernel: Kernel logging (proc) stopped.
Mar 13 10:24:15 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1398" x-info="http://www.rsyslog.com"] exiting on signal 15.
Mar 13 10:24:16 stu kernel: imklog 5.8.10, log source = /proc/kmsg started.
Mar 13 10:24:16 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1600" x-info="http://www.rsyslog.com"] start
Mar 13 10:25:54 stu yum[1621]: Updated: mysql-libs-5.1.73-5.el6_6.x86_64
Mar 13 10:25:54 stu yum[1621]: Installed: mysql-5.1.73-5.el6_6.x86_64
Mar 13 10:31:35 stu ntpd[1177]: 0.0.0.0 0617 07 panic_stop +3285 s; set clock manually within 1000 s.
Mar 13 10:32:18 stu ntpd[1211]: 0.0.0.0 0617 07 panic_stop +3285 s; set clock manually within 1000 s.
Mar 13 10:34:31 stu kernel: Kernel logging (proc) stopped.
Mar 13 10:34:31 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1600" x-info="http://www.rsyslog.com"] exiting on signal 15.
Check MySQL on the server:
mysql> USE Syslog;
mysql> SELECT * FROM SystemEvents;
+----+------------+---------------------+---------------------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+------------+--------------+-----------------+----------+
| ID | CustomerID | ReceivedAt | DeviceReportedTime | Facility | Priority | FromHost | Message | NTSeverity | Importance | EventSource | EventUser | EventCategory | EventID | EventBinaryData | MaxAvailable | CurrUsage | MinUsage | MaxUsage | InfoUnitID | SysLogTag | EventLogType | GenericFileName | SystemID |
+----+------------+---------------------+---------------------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+------------+--------------+-----------------+----------+
| 1 | NULL | 2016-03-13 11:46:42 | 2016-03-13 11:46:42 | 0 | 6 | stu | Kernel logging (proc) stopped. | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | kernel: | NULL | NULL | NULL |
| 2 | NULL | 2016-03-13 11:46:42 | 2016-03-13 11:46:42 | 5 | 6 | stu | [origin software="rsyslogd" swVersion="5.8.10" x-pid="1673" x-info="http://www.rsyslog.com"] exiting on signal 15. | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | rsyslogd: | NULL | NULL | NULL |
| 3 | NULL | 2016-03-13 11:46:43 | 2016-03-13 11:46:43 | 0 | 6 | stu | imklog 5.8.10, log source = /proc/kmsg started. | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | kernel: | NULL | NULL | NULL |
| 4 | NULL | 2016-03-13 11:46:43 | 2016-03-13 11:46:43 | 5 | 6 | stu | [origin software="rsyslogd" swVersion="5.8.10" x-pid="2794" x-info="http://www.rsyslog.com"] start | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | rsyslogd: | NULL | NULL | NULL |
| 5 | NULL | 2016-03-13 11:47:02 | 2016-03-13 11:47:02 | 5 | 6 | stu | [origin software="rsyslogd" swVersion="5.8.10" x-pid="1336" x-info="http://www.rsyslog.com"] rsyslogd was HUPed | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | rsyslogd: | NULL | NULL | NULL |
| 6 | NULL | 2016-03-13 11:48:40 | 2016-03-13 11:48:40 | 1 | 6 | stu | Installed: tree-1.5.3-3.el6.x86_64 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | yum[1620]: | NULL | NULL | NULL |
+----+------------+---------------------+---------------------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+------------+--------------+-----------------+----------+
6 rows in set (0.00 sec)
Example 3: displaying the logs with LogAnalyzer
This software depends on a LAMP stack.
Install LAMP:
[root@stu ~]# yum -y install httpd php php-mysql php-gd mysql-server
Start httpd:
[root@stu ~]# service httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.0.20 for ServerName
[ OK ]
Create a test page:
vim /var/www/index.php
Open it in the browser:
Delete the test page.
Unpack LogAnalyzer:
[root@stu ~]# tar xf loganalyzer-3.6.5.tar.gz
Create the log directory:
[root@stu ~]# mkdir /var/www/html/log
Copy the files:
[root@stu log]# cp /root/loganalyzer-3.6.5/src/* .
[root@stu log]# cp /root/loganalyzer-3.6.5/contrib/* .
[root@stu log]# chmod +x ./configure.sh
[root@stu log]# chmod +x ./secure.sh
[root@stu log]# ./configure.sh
[root@stu log]# ./secure.sh
[root@stu log]# chmod 666 config.php
[root@stu log]# chown -R apache.apache ./*
config.php is made world-writable (666) only so that the web installer can write to it; once the installer has finished, tighten the permissions again, because that file will hold the database credentials.
Open it in the browser:
The red boxes are the database name, table name, user name and password entered earlier.