A log management solution based on Rsyslog and LogAnalyzer

LogAnalyzer

LogAnalyzer is a web front end for syslog logs and other network event data. It provides simple browsing and searching of the logs, basic analysis and a few chart-based reports. The data can be read either from a database or from plain syslog text files, so LogAnalyzer does not require changes to an existing logging architecture. Working on the current log data, it can process syslog messages and Windows event log records, and it supports troubleshooting by letting users quickly locate, in the log data, the cause of a problem and its solution.

LogAnalyzer can store the logs it collects from clients in one of two ways: either it reads the logs under the client's /var/log/ directory and saves them under the same directory on the server, or it reads them and saves them into the log server's database; the latter is recommended. LogAnalyzer is written in PHP, so the log server needs a PHP runtime; this guide uses LNMP (Linux, Nginx, MariaDB, PHP).

System environment:

  • Debian9
  • nginx
  • mariadb-server-10.1
  • php7.0
  • php7.0-gd
  • php7.0-fpm
  • php7.0-mysql
  • rsyslog-mysql

Configuring the LNMP environment

Step 1: install the required packages

apt install nginx mariadb-server-10.1 php7.0 php7.0-gd php7.0-fpm php7.0-mysql rsyslog-mysql

Step 2: after installation, configure the components

php7.0-fpm:

  • /etc/php/7.0/fpm/pool.d/www.conf

[www]
user = www-data
group = www-data
listen = 127.0.0.1:9000

listen.owner = www-data
listen.group = www-data

pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

nginx configuration

/etc/nginx/sites-available/default (note that the location ~ \.php$ block below hands every URI ending in .php to PHP-FPM without first checking that the file exists; Debian's nginx package ships /etc/nginx/snippets/fastcgi-php.conf for that purpose, and it can be included in that block in place of the three fastcgi_* lines)

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;
        index index.php index.html index.htm index.nginx-debian.html;
        server_name _;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
}

Start the services:

root@logserver:~# systemctl restart php7.0-fpm.service
root@logserver:~# systemctl restart nginx.service
root@logserver:~# systemctl restart mariadb.service

Check that the services are listening:

root@logserver:~# ss -tnl
State       Recv-Q Send-Q                 Local Address:Port                                Peer Address:Port
LISTEN      0      128                        127.0.0.1:9000                                           *:*
LISTEN      0      80                         127.0.0.1:3306                                           *:* 
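
Added here as a check that is not part of the original post: a small POSIX shell script that reads the output of ss -tnl and confirms what the listing above should show, namely that PHP-FPM (port 9000) and MariaDB (port 3306) are bound to loopback only while nginx listens on port 80 for everyone. The port numbers, the loopback patterns and the function names are this example's own assumptions, taken from the configuration used in this guide.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the log server
# exposes only nginx (port 80) to the network and keeps PHP-FPM (9000) and
# MariaDB (3306) bound to a loopback address. Feed it the output of ss -tnl:
#
#     ss -tnl | check_log_server
#
# Exit status 0 means every expectation holds; each problem goes to stderr.

# Print the "Local Address:Port" column (4th field) of every LISTEN row.
listen_sockets() {
    awk '$1 == "LISTEN" { print $4 }'
}

# $1 = port. Succeeds only if something listens on that port and every socket
# on it is bound to a loopback address (127.0.0.0/8 or [::1]). Reads the raw
# ss -tnl text from stdin; the header line is skipped by the State check.
port_is_loopback_only() {
    port="$1"
    found=0
    while read -r state rq sq laddr peer; do
        [ "$state" = "LISTEN" ] || continue
        case "$laddr" in
            *:"$port") found=1 ;;   # a listener on our port: inspect it below
            *) continue ;;          # some other port, not our concern here
        esac
        case "$laddr" in
            127.*:"$port"|"[::1]:$port") ;;   # loopback, as intended
            *) echo "EXPOSED: $laddr is reachable from the network" >&2
               return 1 ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo "MISSING: nothing listens on port $port" >&2; return 1; }
}

# The check for this deployment: PHP-FPM and MariaDB must be loopback-only,
# nginx must be listening on port 80 (on any address).
check_log_server() {
    ss_out=$(cat)          # capture stdin once so each check can re-read it
    status=0
    for port in 9000 3306; do
        printf '%s\n' "$ss_out" | port_is_loopback_only "$port" || status=1
    done
    printf '%s\n' "$ss_out" | listen_sockets | grep -q ':80$' \
        || { echo "MISSING: nginx is not listening on port 80" >&2; status=1; }
    return "$status"
}
```

The script only parses text, so it can also be run against a saved ss -tnl listing from another host; a MariaDB socket that appears as 0.0.0.0:3306 or *:3306 is reported as exposed, which is exactly the misconfiguration the 127.0.0.% grant in the next step is meant to rule out.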

Log in to the MariaDB server and create the initial database, its tables and the user that will connect to it.

root@logserver:~# mysql -u root -p
Enter password: 
...
MariaDB [(none)]> 

MariaDB [(none)]> create database if not exists syslog;
MariaDB [(none)]> grant select,insert,update on syslog.* to logana@'127.0.0.%' identified by 'password';
MariaDB [(none)]> use syslog;
MariaDB [syslog]> \. /usr/share/dbconfig-common/data/rsyslog-mysql/install/mysql

This creates two tables, SystemEvents and SystemEventsProperties; the log entries are recorded in the first one. The user name in the GRANT (logana) must be the same one that rsyslog and LogAnalyzer are configured with below.

Configuring rsyslog

Configure rsyslog to use the ommysql module, in /etc/rsyslog.d/mysql.conf:

$ModLoad ommysql
*.* :ommysql:127.0.0.1,syslog,logana,password
  • The fields after ':ommysql:' are, in order: the address of the database server, the database name, the user name for logging in to the database and that user's password.

  • Start the rsyslog service:

root@logserver:~# systemctl restart rsyslog.service

  • Check the rsyslog service:

Log in to the MariaDB server and look at the log rows that have already arrived in the table:

MariaDB [syslog]> SELECT * FROM SystemEvents\G

Installing LogAnalyzer

wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.5.tar.gz
tar -xf loganalyzer-3.6.5.tar.gz
cd loganalyzer-3.6.5/
cp -a src  /var/www/html/loganalyzer
cd /var/www/html
ln -sv loganalyzer log
cd log
touch config.php
chmod 666 config.php

Install LogAnalyzer through the browser-based setup wizard by opening "<server address>/log" in a browser. Once the wizard has written config.php, remove the write permission again (chmod 644 config.php): the file now contains the database password and only needs to be readable by PHP-FPM.

Key settings in the log-source section of config.php

$CFG['DefaultSourceID'] = 'Source1';

$CFG['Sources']['Source1']['ID'] = 'Source1';
$CFG['Sources']['Source1']['Name'] = 'My Syslog Source';
$CFG['Sources']['Source1']['ViewID'] = 'SYSLOG';
$CFG['Sources']['Source1']['SourceType'] = SOURCE_PDO;
$CFG['Sources']['Source1']['DBTableType'] = 'monitorware';
$CFG['Sources']['Source1']['DBType'] = DB_MYSQL;
$CFG['Sources']['Source1']['DBServer'] = '127.0.0.1';
$CFG['Sources']['Source1']['DBName'] = 'syslog';
$CFG['Sources']['Source1']['DBUser'] = 'logana';
$CFG['Sources']['Source1']['DBPassword'] = 'password';   // must match the password granted to logana in MariaDB
$CFG['Sources']['Source1']['DBTableName'] = 'SystemEvents';
$CFG['Sources']['Source1']['DBEnableRowCounting'] = true;
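
Added as a post-install check that is not part of the original post or of LogAnalyzer itself: the script below reads the :ommysql: line from the rsyslog configuration and the Source1 entries from config.php, reports any connection field on which the two disagree (the database user in particular has to be identical in the GRANT, the rsyslog action and config.php), and flags a config.php that was left world-writable after the wizard. The file paths, the expected line formats and the helper names ommysql_fields, loganalyzer_cfg and check_install are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: post-install check that the
# rsyslog ommysql action and LogAnalyzer's config.php agree on the database
# connection, and that config.php is no longer world-writable after the
# wizard has written it. Paths are passed in so the check can run on copies;
# on the server described in this guide it is invoked as:
#
#     check_install /etc/rsyslog.d/mysql.conf /var/www/html/log/config.php

# Print "host db user password" taken from the legacy rsyslog action line
#   *.* :ommysql:HOST,DB,USER,PASSWORD
# in the file $1 (first non-comment match wins; fields may not contain spaces).
ommysql_fields() {
    sed -n 's/^[^#]*:ommysql:\([^ ]*\).*/\1/p' "$1" | head -n 1 | tr ',' ' '
}

# Print the single-quoted value of $CFG['Sources']['Source1'][$2] in config.php $1.
loganalyzer_cfg() {
    grep -F "['Source1']['$2']" "$1" | head -n 1 | sed "s/.*= *'\([^']*\)'.*/\1/"
}

# $1 = rsyslog mysql.conf, $2 = LogAnalyzer config.php.
# Exit 0 when everything is consistent; every problem is reported on stderr.
check_install() {
    rs_conf="$1"
    la_conf="$2"
    status=0

    # Word splitting of the command substitution is intended here.
    set -- $(ommysql_fields "$rs_conf")
    rs_host="$1"; rs_db="$2"; rs_user="$3"; rs_pass="$4"
    if [ -z "$rs_pass" ]; then
        echo "ERROR: no ':ommysql:host,db,user,password' action found in $rs_conf" >&2
        return 1
    fi

    # What rsyslog writes with must be what LogAnalyzer reads with.
    for pair in "DBServer=$rs_host" "DBName=$rs_db" "DBUser=$rs_user" "DBPassword=$rs_pass"; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got="$(loganalyzer_cfg "$la_conf" "$key")"
        if [ "$got" != "$want" ]; then
            if [ "$key" = "DBPassword" ]; then
                echo "MISMATCH $key: rsyslog and LogAnalyzer use different passwords" >&2
            else
                echo "MISMATCH $key: rsyslog writes with '$want', LogAnalyzer reads with '$got'" >&2
            fi
            status=1
        fi
    done

    # The wizard needs config.php writable (the guide uses chmod 666); once it
    # has run, the file holds the DB password and must not stay world-writable.
    if [ -n "$(find "$la_conf" -perm -002)" ]; then
        echo "PERMS: $la_conf is world-writable; run chmod 644 on it" >&2
        status=1
    fi
    return "$status"
}
```

Run it once after the wizard finishes and again after any password rotation; the most common way a fresh install ends up with an empty LogAnalyzer view is a user name or password that was changed in one of the three places but not the others.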

Original source: https://raw.githubusercontent.com/panhaitao/DeploymentGuideForDebian9/master/ops/loganalyzer.md


Welcome :wink: