Setting up rsyslog + LogAnalyzer on CentOS 7.5

I. Set up the LAMP environment

1. Stop the firewall and SELinux

systemctl stop firewalld      (stop the firewall)
systemctl disable firewalld   (disable it at boot)
vim /etc/sysconfig/selinux
SELINUX=disabled              (change the state)

yum install -y httpd httpd-devel mariadb mariadb-server php php-devel php-mysql php-gd libjpeg* php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-bcmath php-mhash

systemctl start mariadb.service    start MySQL (MariaDB)

systemctl enable mariadb.service   enable it at boot

systemctl start httpd.service      start Apache

systemctl enable httpd.service     enable it at boot

2. Configure MariaDB

mysql_secure_installation    follow the prompts to configure

systemctl restart mariadb.service 

II. Install LogAnalyzer (rsyslog is assumed to be installed already)

1. Install the rsyslog-mysql module first, then look at the bundled SQL file that creates the database and tables rsyslog needs

yum -y install rsyslog-mysql

rpm -ql rsyslog-mysql
/usr/lib64/rsyslog/ommysql.so                    (the output module)
/usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql  (the schema that has to be imported)

2. Import the database schema rsyslog needs

mysql -uroot -p123 <  /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql

3. Create the MySQL user rsyslog will use

grant all on Syslog.* to 'systest'@'127.0.0.1' identified by '123';

grant all on Syslog.* to 'systest'@'localhost' identified by '123';

4. Enable the UDP 514 listener and the ommysql.so module in rsyslog

vim /etc/rsyslog.conf
$ModLoad imuxsock   (uncomment)
$ModLoad imklog     (uncomment)
$ModLoad ommysql    (add manually)
$ModLoad imudp      (uncomment)
$UDPServerRun 514   (uncomment)

5. Define the rule that writes log messages to the database

vim /etc/rsyslog.conf
#### RULES ####
*.* :ommysql:127.0.0.1,Syslog,systest,123   (add this line in the rules section; the fields are module, database host, database name, user, password)

systemctl restart rsyslog   restart the rsyslog service

6. Download LogAnalyzer

wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.5.tar.gz
tar -xf loganalyzer-3.6.5.tar.gz
mkdir -p /var/www/html/tool    (the target directory must exist before copying)
cp -r loganalyzer-3.6.5/src/* /var/www/html/tool
cp loganalyzer-3.6.5/contrib/* /var/www/html/tool
cd /var/www/html/tool/
chmod +x configure.sh secure.sh
./configure.sh
chown -R apache.apache ./*

7. Open install.php and complete the database setup through the web page

http://IP/tool/install.php


III. Importing logs (device-side configuration)

Cisco router:
logging on
clock timezone GMT +8
logging trap warnings
logging facility local4
logging source-interface Loopback1
logging host 172.30.100.87
logging origin-id hostname
service timestamps log datetime msec localtime show-timezone

Cisco ASA:
logging enable
logging timestamp
logging trap errors
logging asdm warnings
logging facility 21
logging device-id hostname
logging host DMZ 172.30.100.87
logging permit-hostdown

IV. Fixing LogAnalyzer sluggishness

When many devices are managed and the log volume is large, LogAnalyzer becomes sluggish because the log rows stored in the database pile up day after day. The fix is to split the logs by day: move each day's rows into their own table and register that table as a LogAnalyzer source.

#!/bin/bash

#word make 140513

#set -x
DBUSER=test
DBPASSWD=test
DBNAME=Syslog
BACKUPDIR=/var/log/Syslog
DATE=$(date +%Y%m%d%H%M)
date2=$(date --date='yesterday' '+%y%m%d')   # the day before today as YYMMDD; used in the archive table name

backup_mysql()    # define the function
{
        mkdir -p "$BACKUPDIR"
        cd "$BACKUPDIR" || exit 1
        # copy all rows into log<YYMMDD>, give it a primary key, register it as a LogAnalyzer source, then empty SystemEvents
        mysql -u$DBUSER -p$DBPASSWD -e "use Syslog;create table log$date2 select * from SystemEvents;ALTER TABLE log$date2 ADD PRIMARY KEY (\`id\`);INSERT INTO logcon_sources VALUES ($date2,'log$date2','',2,'',0,0,'1',NULL,NULL,'monitorware',0,'localhost','Syslog','syslog','syslog','log$date2',1,100,'',NULL,NULL);truncate table SystemEvents;"
        # dump the remaining tables (those whose names do not contain 'log') to a dated SQL file
        mysqldump -u$DBUSER -p$DBPASSWD -R $DBNAME $(mysql -u$DBUSER -p$DBPASSWD -e 'use Syslog;show tables' -ss | egrep -v 'log') > ${DATE}${DBNAME}.sql
        tar czf ${DATE}${DBNAME}.sql.tar.gz ${DATE}${DBNAME}.sql
        rm -f ${DATE}${DBNAME}.sql
}
backup_mysql

Alternative way to create the archive table; CREATE TABLE ... LIKE keeps the indexes and primary key of SystemEvents, so the ALTER TABLE step is not needed:

create table logtest like SystemEvents; insert into logtest select * from SystemEvents;
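An added example (not from the original post) that carries section IV's daily split into a script with the table name validated before it reaches SQL, the dump filter narrowed so that LogAnalyzer's own logcon_* tables stay in the backup (the post's `egrep -v 'log'` drops them), and the database password read from a client options file instead of `-p` on the command line, where it is visible in `ps`. The function names and the options-file path /root/.syslog-backup.cnf are assumptions, not part of the post.

```shell
#!/bin/sh
# Added example, not from the original post: day-based split of rsyslog's
# SystemEvents table following the steps of the script above.

# Archive table name for a day given as YYMMDD, e.g. 190320 -> log190320.
# Anything else is rejected so no unvalidated text reaches the SQL below.
archive_table() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) printf 'log%s\n' "$1" ;;
        *) printf 'bad date: %s\n' "$1" >&2; return 1 ;;
    esac
}

# SQL that copies the day's rows into the archive table (LIKE keeps the
# indexes and primary key), registers it as a LogAnalyzer source with the
# same logcon_sources values the post uses, then empties SystemEvents.
split_sql() {                # $1 = YYMMDD
    t=$(archive_table "$1") || return 1
    printf 'CREATE TABLE %s LIKE SystemEvents;\n' "$t"
    printf 'INSERT INTO %s SELECT * FROM SystemEvents;\n' "$t"
    printf "INSERT INTO logcon_sources VALUES (%s,'%s','',2,'',0,0,'1',NULL,NULL,'monitorware',0,'localhost','Syslog','syslog','syslog','%s',1,100,'',NULL,NULL);\n" "$1" "$t" "$t"
    printf 'TRUNCATE TABLE SystemEvents;\n'
}

# Filter for `SHOW TABLES` output on stdin: skip only the daily archive
# tables (logYYMMDD), keep SystemEvents* and LogAnalyzer's logcon_* tables.
tables_to_dump() {
    grep -Ev '^log[0-9]{6}$'
}

# Runs the split against the live database. MYCNF is an assumed path to a
# [client] options file holding user and password (not in the post).
run_split() {                # $1 = YYMMDD
    MYCNF=${MYCNF:-/root/.syslog-backup.cnf}
    BACKUPDIR=${BACKUPDIR:-/var/log/Syslog}
    mkdir -p "$BACKUPDIR" || return 1
    sql=$(split_sql "$1") || return 1
    printf '%s\n' "$sql" | mysql --defaults-extra-file="$MYCNF" Syslog || return 1
    tables=$(mysql --defaults-extra-file="$MYCNF" -ss -e 'SHOW TABLES' Syslog | tables_to_dump)
    # $tables is deliberately unquoted: one table name per word.
    mysqldump --defaults-extra-file="$MYCNF" -R Syslog $tables \
        | gzip > "$BACKUPDIR/$(date +%Y%m%d%H%M)Syslog.sql.gz"
}
# From cron after midnight: run_split "$(date --date=yesterday +%y%m%d)"
```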


posted @ 2019-03-21 10:17  Me-lihu