rsyslog + loganalyzer configuration
1. Setting up the loganalyzer server
[root@localhost ~]# getenforce #check whether SELinux is enabled
[root@localhost ~]# setenforce 0 #disable temporarily; to disable permanently, edit /etc/selinux/config and set SELINUX to disabled
[root@localhost ~]# systemctl status firewalld.service
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# yum -y install mariadb mariadb-server
[root@localhost ~]# systemctl start mariadb.service
[root@localhost ~]# /bin/mysql_secure_installation #initialize the MariaDB database
[root@localhost ~]# yum list rsyslog*
[root@localhost ~]# yum -y install rsyslog-mysql
[root@localhost ~]# mysql -uroot -proot </usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
MariaDB [(none)]> grant all privileges on Syslog.* to 'rsyslog'@'%' identified by 'rsyslog';flush privileges;
[root@localhost ~]# vim /etc/rsyslog.d/loganalyzer.conf
$ModLoad ommysql
# all logs -> :ommysql:database host,database name,database user,user password
*.* :ommysql:localhost,Syslog,rsyslog,rsyslog
# receive over UDP
$ModLoad imudp
$UDPServerRun 514
$UDPServerRun 38514
# receive over TCP (both may be enabled at the same time)
$ModLoad imtcp
$InputTCPServerRun 514
$InputTCPServerRun 38514
[root@localhost ~]# systemctl restart rsyslog.service
[root@localhost ~]# yum install httpd php php-mysql php-gd -y
[root@localhost ~]# wget http://download.adiscon.com/loganalyzer/loganalyzer-4.1.7.tar.gz
[root@localhost ~]# cp -a loganalyzer-master/src/* /var/www/html/
[root@localhost ~]# systemctl start httpd.service
[root@docker ~]# vim /var/www/html/hello.php #create a PHP test page
<?php phpinfo(); ?>
[root@localhost ~]# touch /var/www/html/config.php
[root@localhost ~]# chmod 666 /var/www/html/config.php
[root@localhost ~]# vim /var/www/html/include/functions_common.php #hide loganalyzer's donation banner (change true to false)
$content['SHOW_DONATEBUTTON'] = false; // Default = true!
2. Web page configuration:
Pushing Cisco switch logs
logging trap informational
logging facility local5 #send logs to rsyslog's local5 facility
logging host 10.10.10.10
Pushing ASA firewall logs
logging enable
logging timestamp
logging trap informational
logging facility 21 #21 corresponds to local5
logging host inside 10.10.10.10
3. Sending nginx logs to the log server
rsyslog server configuration
[root@rsyslog ~]# grep -vE "^$|#" /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$ModLoad ommysql
local5.* :ommysql:localhost,Syslog,rsyslog,rsyslog
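The facility numbers are what tie the device side and the server side together: Cisco IOS names the facility local5, the ASA gives it as the number 21, and the rsyslog selectors local5.none and local5.* decide whether such a message lands in /var/log/messages or only in the Syslog database. The script below is an added example written for this page, not code from rsyslog, loganalyzer or Cisco. It decodes the <PRI> prefix of a syslog message, evaluates the selector lines from the server configuration above the way rsyslog's classic selector syntax does, and builds a sample RFC 3164 message. Host names, tags and timestamps in it are constructed sample data.

```python
"""Syslog PRI decoding and rsyslog selector evaluation.

Added example for this write-up, not code from rsyslog, loganalyzer or Cisco.
The facility and severity tables are the RFC 3164 ones shared by rsyslog,
Cisco IOS and Cisco ASA, which is why "logging facility local5" (IOS),
"logging facility 21" (ASA) and "local5.*" (rsyslog) all name the same channel.
"""
import re
from datetime import datetime

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},   # local0..local7 = 16..23
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {num: name for name, num in FACILITIES.items()}
SEVERITY_NAMES = {num: name for name, num in SEVERITIES.items()}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164, section 4.1.1)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def parse_pri(line):
    """Split a message such as '<174>Mar  5 ...' into facility, severity and body."""
    match = _PRI_RE.match(line)
    if not match or int(match.group(1)) > 191:   # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"no valid <PRI> prefix: {line[:20]!r}")
    pri = int(match.group(1))
    return {
        "facility": FACILITY_NAMES.get(pri // 8, str(pri // 8)),
        "severity": SEVERITY_NAMES[pri % 8],
        "body": match.group(2),
    }


def selector_matches(selector, facility, severity):
    """Evaluate a classic selector like '*.info;mail.none;authpriv.none;cron.none;local5.none'.

    Parts are applied left to right and a later part overrides an earlier one,
    so 'local5.none' removes what '*.info' selected for local5. A plain level
    means that level and everything more severe (numerically lower), '*' means
    every level and 'none' means nothing from that facility.
    """
    result = False
    for part in selector.split(";"):
        facilities, _, level = part.strip().rpartition(".")
        names = {name.strip() for name in facilities.split(",")}
        if "*" not in names and facility not in names:
            continue
        if level == "none":
            result = False
        elif level == "*":
            result = True
        else:
            result = SEVERITIES[severity] <= SEVERITIES[level]
    return result


def route(rules, facility, severity):
    """Return the targets, in config order, that receive a message of this facility/severity."""
    return [target for selector, target in rules if selector_matches(selector, facility, severity)]


# The rule lines from the rsyslog server configuration in this write-up.
SERVER_RULES = [
    ("*.info;mail.none;authpriv.none;cron.none;local5.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", ":omusrmsg:*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
    ("local5.*", ":ommysql:localhost,Syslog,rsyslog,rsyslog"),
]


def format_rfc3164(facility, severity, host, tag, message, when=None):
    """Build a traditional BSD syslog line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG.

    Only the <PRI> prefix matters to the receiver's selectors; rsyslog's default
    forwarding template uses an RFC 3339 timestamp instead of this layout.
    """
    when = when or datetime.now()
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{encode_pri(facility, severity)}>{timestamp} {host} {tag}: {message}".encode()


def sample_message():
    """Constructed sample: the logger test line from this write-up, fixed date for reproducibility."""
    return format_rfc3164("local5", "info", "nginx", "logger_test",
                          "KadeFor is testing the rsyslog and logger",
                          datetime(2019, 3, 5, 10, 0, 0))


if __name__ == "__main__":
    line = sample_message().decode()
    parsed = parse_pri(line)
    print(line)
    print(parsed["facility"], parsed["severity"], "->",
          route(SERVER_RULES, parsed["facility"], parsed["severity"]))
```

Running it shows that a local5.info message is delivered only to the :ommysql: target, because local5.none in the first rule cancels what *.info selected; a cron.info message likewise goes only to /var/log/cron. The same function explains the Cisco side: FACILITY_NAMES[21] is "local5", so "logging facility 21" on the ASA and "logging facility local5" on the switch produce identical PRI values.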
rsyslog configuration on the nginx host
[root@nginx ~]# grep -vE "^$|^#" /etc/rsyslog.conf
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
$UDPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
# @@ forwards over TCP; @ forwards over UDP
local5.* @10.10.10.10:514
[root@nginx ~]# cat /etc/rsyslog.d/nginx.conf
$ModLoad imfile
$InputFileName /application/nginx-1.14.2/logs/web01.log
$InputFileTag nginx_1:
$InputFileStateFile /application/nginx-1.14.2/logs/web01_state.log
$InputFileSeverity info
$InputFileFacility local5
$InputRunFileMonitor
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$ActionQueueSaveOnShutdown on
[root@nginx ~]# logger -p local5.info 'KadeFor is testing the rsyslog and logger' #generate a log entry
Meaning of the parameters in the command logger -it logger_test -p local5.info 'KadeFor is testing the rsyslog and logger':
-i records the process ID on every line
-t logger_test adds the tag "logger_test" to every record
-p local5.info sets the facility and level to log with
Message content: 'KadeFor is testing the rsyslog and logger'
4. logrotate configuration file for rotating nginx logs
root@localhost:/etc/logrotate.d# cat nginx
/var/log/nginx/*.log /var/log/nginx/project/*/*.log {
    # rotate once a day
    daily
    # if a log file is missing, do not report an error, continue with the next one
    missingok
    # keep 3 days of rotated logs
    rotate 3
    # compress old log files with gzip
    compress
    # defer compression to the next rotation cycle
    delaycompress
    # do not rotate an empty log file
    notifempty
    # rotate only once the file is larger than 1M
    minsize 1M
    # create a new log file after rotation with mode 0640
    create 640 nobody root
    sharedscripts
    # run after rotation: send USR1 to Nginx so that it reopens its log files
    postrotate
        [ -f /usr/local/etc/nginx/logs/nginx.pid ] && kill -USR1 `cat /usr/local/etc/nginx/logs/nginx.pid`
    endscript
}
References:
https://loganalyzer.adiscon.com/downloads/loganalyzer-v4-1-7-v4-stable/
https://blog.51cto.com/11555417/2046796
https://www.cnblogs.com/kevingrace/p/5570411.html # deploying an rsyslog log collection environment
https://blog.51cto.com/zhpfbk/1878901 # sending Nginx logs to a log server with rsyslog
https://blog.csdn.net/Scirhh/article/details/83016456 # ELK deployment
https://www.cnblogs.com/iamqiu/p/5749783.html # graylog log monitoring
https://www.cnblogs.com/liang545621/p/9448402.html # graylog log monitoring
https://www.cnblogs.com/kevingrace/p/6307298.html # summary of log rotation methods [ logrotate service, Python, shell script ]
https://www.cnblogs.com/qiuhom-1874/p/12091118.html # Linux log management system rsyslog
https://blog.51cto.com/welcomeweb/1956557 # configuring real-time log transfer with rsyslog