作为运维人员,熟悉系统日志是一项基本功。本文将介绍centos6的系统日志rsyslog及loganalyzer工具。
简介
系统日志:记录历史事件,通常都是按时间顺序将发生的事件予以记录,linux上的日志分为syslogd(系统进程相关日志)和klogd(内核事件日志)
centos5:syslog
缺点:不能进行并行数据存储,效率低,不能实现放在专用数据管理文件中
centos6:rsyslog
优点:
1、支持多线程
2、基于tcp,tls,relp放在远程日志服务器中,早期的syslog仅支持简单的文本传输模式实现日志发送,不安全
3、支持将日志放到mysql,pgsql,oracle等多种数据库中
4、强大的过滤器,可实现过滤系统信息中的任意部分
5、支持完整的输出格式配置(自定义格式),特别适合企业级需求
facility:设施,从功能或程序上对日志进行分类,并由专门的工具负责记录其日志,不是syslog一个进程来接受,而是由代理人帮忙接受并记录下来
auth:认证相关
authpriv
cron
daemon:进程相关
lpr:打印机相关
mail:邮件相关
kern:内核相关
mark:防火墙标记相关
news:新闻组
security:安全
syslog:系统日志
user:用户相关
uucp:unix to unix copy
local0 through local7:8个自定义的设施
指定设施可以使用通配符:
*:所有设备
f1;f2;f3:列表
!:取反
日志级别:
debug
notice
warn|warning(此级别及以上级别都应该重视)
error
crit(蓝色警戒,再不处理就挂了)
alert(橙色警戒)
emerg|panic(红色警戒)
能使用的通配符:
*:所有级别
none:不记录
target(将保存至的目标文件):
文件:例如/var/log/message
用户:*当前系统登录的所有用户
日志服务器:@server_ip
管道:| command
事件格式:
时间 主机 进程 事件本身
配置文件:/etc/rsyslog.conf或/etc/rsyslog.d/*
配置文件段落: [root@stu etc]# grep '###' /etc/rsyslog.conf #### MODULES #### #### GLOBAL DIRECTIVES #### #### RULES #### # ### begin forwarding rule ### # ### end of the forwarding rule ###
格式:facility.priority target
例如:
mail.info /var/log/maillog info及以上级别
mail.=info /var/log/maillog 明确指定级别
mail.!info 除了指定级别
*.info 所有facility的info及以上级别
mail.* mail的所有级别
mail,news.info mail和news的info及以上级别
mail.notice;news.info如果级别不同,使用;分隔
*.info | command
日志一般是同步的,只有产生日志,就从内存写到磁盘,若使用异步,则在target前面加–
例1:日志服务器
服务器端:
去掉注释并重启即可打开日志服务器功能 # Provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 # Provides TCP syslog reception $ModLoad imtcp $InputTCPServerRun 514 重启日志服务器 [root@stu etc]# service rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ] 查看端口: [root@stu etc]# netstat -tnulp | grep 514 tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 1398/rsyslogd tcp 0 0 :::514 :::* LISTEN 1398/rsyslogd udp 0 0 0.0.0.0:514 0.0.0.0:* 1398/rsyslogd udp 0 0 :::514 :::* 1398/rsyslogd
客户端:
修改配置文件: #*.info;mail.none;authpriv.none;cron.none /var/log/messages *.info;mail.none;authpriv.none;cron.none @192.168.0.20 重启: [root@stu ~]# service rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ] 测试安装zsh: [root@stu ~]# yum -y install zsh 查看服务器日志: [root@stu log]# tail -l /var/log/messages Mar 13 10:00:49 stu ntpd[1211]: 0.0.0.0 c016 06 restart Mar 13 10:00:49 stu ntpd[1211]: 0.0.0.0 c012 02 freq_set kernel 11.318 PPM Mar 13 10:00:50 stu ntpd[1211]: 0.0.0.0 c615 05 clock_sync Mar 13 10:09:58 stu kernel: Kernel logging (proc) stopped. Mar 13 10:09:58 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1048" x-info="http://www.rsyslog.com"] exiting on signal 15. Mar 13 10:09:58 stu kernel: imklog 5.8.10, log source = /proc/kmsg started. Mar 13 10:09:58 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1398" x-info="http://www.rsyslog.com"] start Mar 13 10:12:11 stu kernel: imklog 5.8.10, log source = /proc/kmsg started. Mar 13 10:12:11 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1336" x-info="http://www.rsyslog.com"] start Mar 13 10:13:45 stu yum[1344]: Installed: zsh-4.3.11-4.el6.centos.x86_64
例2:将日志放到mysql中
实现该功能需要用模块来实现,用驱动连接
安装mysql-server,rsyslog-mysql: [root@stu log]# yum -y install mysql-server rsyslog-mysql 查看生成文件: [root@stu log]# rpm -ql rsyslog-mysql /lib64/rsyslog/ommysql.so #模块 /usr/share/doc/rsyslog-mysql-5.8.10 /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql #模板 启动mysql [root@stu ~]# service mysqld start 编辑/etc/rsyslog.conf 模块端添加: #log event to mysql $ModLoad ommysql roles端添加: *.info :ommysql:127.0.0.1,Syslog,rsysloguser,rsyslogpass 导入文件(即创建数据库): [root@stu ~]# mysql < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql 进入数据库: [root@stu ~]# mysql 查看数据库: mysql> SHOW DATABASES; +--------------------+ | Database | +--------------------+ | information_schema | | Syslog | | mysql | | test | +--------------------+ 4 rows in set (0.05 sec) 使用Syslog: mysql> USE Syslog; 查看表: mysql> SHOW TABLES; +------------------------+ | Tables_in_Syslog | +------------------------+ | SystemEvents | | SystemEventsProperties | +------------------------+ 2 rows in set (0.01 sec) 创建用户、密码 mysql> GRANT ALL ON Syslog.* TO rsysloguser@127.0.0.1 IDENTIFIED BY 'rsyslogpass'; Query OK, 0 rows affected (0.01 sec) mysql> GRANT ALL ON Syslog.* TO rsysloguser@localhost IDENTIFIED BY 'rsyslogpass'; Query OK, 0 rows affected (0.00 sec) 刷新权限: mysql> FLUSH PRIVILEGES; Query OK, 0 rows affected (0.00 sec) 重启rsyslog: [root@stu ~]# service rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ]
客户端安装tree:
[root@stu log]# yum -y install tree
查看客户端日志:
[root@stu log]# tail -l /var/log/messages
查看服务器日志:
[root@stu ~]# tail -l /var/log/messages Mar 13 10:24:15 stu kernel: Kernel logging (proc) stopped. Mar 13 10:24:15 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1398" x-info="http://www.rsyslog.com"] exiting on signal 15. Mar 13 10:24:16 stu kernel: imklog 5.8.10, log source = /proc/kmsg started. Mar 13 10:24:16 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1600" x-info="http://www.rsyslog.com"] start Mar 13 10:25:54 stu yum[1621]: Updated: mysql-libs-5.1.73-5.el6_6.x86_64 Mar 13 10:25:54 stu yum[1621]: Installed: mysql-5.1.73-5.el6_6.x86_64 Mar 13 10:31:35 stu ntpd[1177]: 0.0.0.0 0617 07 panic_stop +3285 s; set clock manually within 1000 s. Mar 13 10:32:18 stu ntpd[1211]: 0.0.0.0 0617 07 panic_stop +3285 s; set clock manually within 1000 s. Mar 13 10:34:31 stu kernel: Kernel logging (proc) stopped. Mar 13 10:34:31 stu rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="1600" x-info="http://www.rsyslog.com"] exiting on signal 15.
查看服务器mysql:
mysql> USE Syslog; mysql> SELECT * FROM SystemEvents; +----+------------+---------------------+---------------------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+------------+--------------+-----------------+----------+ | ID | CustomerID | ReceivedAt | DeviceReportedTime | Facility | Priority | FromHost | Message | NTSeverity | Importance | EventSource | EventUser | EventCategory | EventID | EventBinaryData | MaxAvailable | CurrUsage | MinUsage | MaxUsage | InfoUnitID | SysLogTag | EventLogType | GenericFileName | SystemID | +----+------------+---------------------+---------------------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+------------+--------------+-----------------+----------+ | 1 | NULL | 2016-03-13 11:46:42 | 2016-03-13 11:46:42 | 0 | 6 | stu | Kernel logging (proc) stopped. | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | kernel: | NULL | NULL | NULL | | 2 | NULL | 2016-03-13 11:46:42 | 2016-03-13 11:46:42 | 5 | 6 | stu | [origin software="rsyslogd" swVersion="5.8.10" x-pid="1673" x-info="http://www.rsyslog.com"] exiting on signal 15. | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | rsyslogd: | NULL | NULL | NULL | | 3 | NULL | 2016-03-13 11:46:43 | 2016-03-13 11:46:43 | 0 | 6 | stu | imklog 5.8.10, log source = /proc/kmsg started. | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | kernel: | NULL | NULL | NULL | | 4 | NULL | 2016-03-13 11:46:43 | 2016-03-13 11:46:43 | 5 | 6 | stu | [origin software="rsyslogd" swVersion="5.8.10" x-pid="2794" x-info="http://www.rsyslog.com"] start | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | rsyslogd: | NULL | NULL | NULL | | 5 | NULL | 2016-03-13 11:47:02 | 2016-03-13 11:47:02 | 5 | 6 | stu | [origin software="rsyslogd" swVersion="5.8.10" x-pid="1336" x-info="http://www.rsyslog.com"] rsyslogd was HUPed | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | rsyslogd: | NULL | NULL | NULL | | 6 | NULL | 2016-03-13 11:48:40 | 2016-03-13 11:48:40 | 1 | 6 | stu | Installed: tree-1.5.3-3.el6.x86_64 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 1 | yum[1620]: | NULL | NULL | NULL | +----+------------+---------------------+---------------------+----------+----------+----------+---------------------------------------------------------------------------------------------------------------------+------------+------------+-------------+-----------+---------------+---------+-----------------+--------------+-----------+----------+----------+------------+------------+--------------+-----------------+----------+ 6 rows in set (0.00 sec)
例3:通过loganalyzer展示
此软件依赖于lamp平台
安装lamp:
[root@stu ~]# yum –y install httpd php php-mysql php-gd mysql-server
启动httpd:
[root@stu ~]# service httpd start Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.0.20 for ServerName [ OK ]
编辑测试页:
vim /var/www/index.php <?php phpinfo(); ?>
访问web:
删除测试页
解压loganalyzer:
[root@stu ~]# tar xf loganalyzer-3.6.5.tar.gz
创建log目录
[root@stu ~]# mkdir /var/www/html/log
复制文件
[root@stu log]# cp /root/loganalyzer-3.6.5/src/* . [root@stu log]# cp /root/loganalyzer-3.6.5/contrib/* . [root@stu log]# chmod +x ./configure.sh [root@stu log]# chmod +x ./secure.sh [root@stu log]# ./configure.sh [root@stu log]# ./secure.sh [root@stu log]# chmod 666 config.php [root@stu log]# chown -R apache.apache ./*
访问:
红色框为之前填写的数据库名,表名,用户名,密码
原创文章,作者:黑白子,如若转载,请注明出处:http://www.178linux.com/12748
评论列表(1条)
确实很认真,但少了很多层次感