Centralized Log Management with a Web Interface

By Gene Liverman

Wouldn't it be nice to have a web interface for the logs on your central log server? Dreams do come true, thanks to LogAnalyzer (formerly phplogcon). Let's look at how to set it up on a central log server together with rsyslog, the syslog variant it is written for. We'll approach this from the perspective of both Gentoo and Ubuntu 10.04 LTS: Gentoo does not use rsyslog by default (it ships no logger at all by default), while Ubuntu 10.04 LTS already uses rsyslog as its de facto logger. It is worth mentioning that, according to the rsyslog website, Fedora now defaults to rsyslog as well.

Preparation

Before we dive into any setup there is some groundwork to do. If you are going to look at these logs through a web browser, it is much better if the timestamps you see reflect the correct time zone. For this I will borrow from the Gentoo Handbook, since it applies to both distributions:

7.a. Timezone
You first need to select your timezone so that your system knows where it is located. Look for your timezone in /usr/share/zoneinfo, then copy it to /etc/localtime. Please avoid the /usr/share/zoneinfo/Etc/GMT* timezones as their names do not indicate the expected zones. For instance, GMT-8 is in fact GMT+8.

Assuming you are in the Eastern time zone:

~# cp /usr/share/zoneinfo/EST5EDT /etc/localtime

Time

If you are going to compile all your logs in one place, it also becomes very important that every host involved agrees on the correct time: with skewed clocks, events from different machines land in the central database in the wrong order and correlating them becomes guesswork. To keep the clocks in step you can use an NTP client.

Ubuntu 10.04 LTS

Using your favorite text editor, create the file /etc/cron.daily/ntpdate and put the following in it (the shebang line is needed because run-parts executes the file directly):

#!/bin/sh
ntpdate ntp.ubuntu.com

Save the file, then make it executable:

~# chmod 755 /etc/cron.daily/ntpdate

Now run it to correct our time:

~# /etc/cron.daily/ntpdate

Finally, verify...

~# date
You should see your current time here.

Gentoo

On Gentoo this is handled by net-misc/ntp. ntp-client sets the clock once at boot and ntpd keeps it in sync afterwards, so both go into the default runlevel:

~ # emerge -a ntp
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild  N    ] net-misc/ntp-4.2.4_p7-r1 
      USE="ssl -caps -debug -ipv6 -openntpd 
           -parse-clocks (-selinux) -vim-syntax -zeroconf"

Would you like to merge these packages? [Yes/No] y

~ # cp /usr/share/ntp/ntp.conf /etc/ntp.conf 
~ # rc-update add ntp-client default
 * ntp-client added to runlevel default
~ # rc-update add ntpd default
 * ntpd added to runlevel default
~ # /etc/init.d/ntp-client start
 * Caching service dependencies ...                [ ok ]
 * Setting clock via the NTP client 'ntpdate' ...  [ ok ]
~ # /etc/init.d/ntpd start
 * Starting ntpd ...                               [ ok ]
~ # date
You should see your current time here.

Logging

Now that our clocks are in sync, let's move on to the point of this article. A few prerequisite packages need to be set up here: Apache, MySQL, PHP... aka the LAMP stack. I won't go into those in detail, but I do want to point out a few things:

  • On Gentoo, I recommend adding the following to /etc/portage/package.keywords. If you are not on a 64-bit system, replace ~amd64 with ~x86.
    • dev-db/mysql ~amd64
    • virtual/mysql ~amd64
    • dev-lang/php ~amd64
  • I also recommend setting the mysql and php USE flags in /etc/make.conf.
  • On Ubuntu, just run tasksel and pick LAMP from there.

    [Screenshot: tasksel selecting LAMP]

  • Once the LAMP stack is installed, don't forget to restart Apache manually.
  • On both distributions I recommend setting up phpMyAdmin to simplify MySQL administration. If you do, keep it reachable only from trusted networks; it is a frequent target.

Rsyslog on Gentoo

Gentoo probably won't have rsyslog set up initially, so let's get it running. Before emerging it, though, you need to enable the relp USE flag (in /etc/portage/package.use); mysql should already be on from make.conf. Note in the output below that the gnutls flag is off, so rsyslog's TLS support is not built in and everything in this article travels over the wire in the clear.

~ # emerge -a rsyslog
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild  N    ] dev-libs/librelp-0.1.1  USE="-debug" 
[ebuild  N    ] app-admin/rsyslog-3.22.0 
      USE="mysql relp zlib -dbi -debug -gnutls -kerberos -postgres -snmp"

Would you like to merge these packages? [Yes/No] y

After installing rsyslog, run the createDB.sql script that ships with its ommysql output module to create the database and tables in MySQL:
~ # mysql 

Verify it with these commands:

~ # mysql -p -e "show databases;"

You should see a database named Syslog.

~ # mysql -p -e "show tables;" Syslog

You should see two tables in it: SystemEvents and SystemEventsProperties.
Now create a user that rsyslog can use to write to the Syslog database:

~ # mysql -p -e "grant all on Syslog.* to rsyslog@'localhost' identified by 'password';"

Replace 'password' with a real one. GRANT ALL is also more than rsyslog needs: the ommysql output only inserts rows, so INSERT on Syslog.* is enough, and a tighter grant limits what someone who reads the password out of the config file can do with it.

We now need to make a couple of tweaks to /etc/rsyslog.conf. Add this just below the comments at the top:

# Logging to MySQL stuff
$ModLoad ommysql
*.*       :ommysql:localhost,Syslog,rsyslog,password

Because that line carries the database password, keep /etc/rsyslog.conf readable by root only (chmod 600; rsyslogd runs as root here). Near the bottom, change what is there to look like this:

# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
$ModLoad imtcp.so  # load module
$InputTCPServerRun 514 # start a TCP syslog server at standard port 514

# UDP Syslog Server:
$ModLoad imudp.so  # provides UDP syslog reception
$UDPServerRun 514 # start a UDP syslog server at standard port 514

Now let's fire up our new logger and stop the old one.

~ # rc-update del syslog-ng    # or whatever logger you used
 * 'syslog-ng' removed from the following runlevels: default
~ # rc-update add rsyslog default
 * rsyslog added to runlevel default
~ # /etc/init.d/rsyslog start 
 * Starting rsyslogd ...                                             [ ok ]

It is a little rough to read if your terminal is not wide enough, but you can verify that logs are going to the database with:

~# mysql -p -e "SELECT * FROM Syslog.SystemEvents;"

Now that rsyslog is running we can get rid of the old logger...

~ # emerge -aC syslog-ng

Rsyslog on Ubuntu 10.04 LTS

Ubuntu now comes with rsyslog as its de facto logger, but we need to add a little functionality to it. Namely, MySQL output support and the Reliable Event Logging Protocol (RELP):

~# apt-get install rsyslog-mysql rsyslog-relp
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  dbconfig-common librelp0
The following NEW packages will be installed:
  dbconfig-common librelp0 rsyslog-mysql rsyslog-relp
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 677kB of archives.
After this operation, 2,335kB of additional disk space will be used.
Do you want to continue [Y/n]? y

During the install you will be prompted to create the tables needed in MySQL:

[Screenshot: rsyslog MySQL configuration on Ubuntu]
Do so. You will then be asked for your MySQL root password, followed by a password for rsyslog to use. This is the password that ends up in rsyslog's config files.

Now, just like on Gentoo, we need to make a couple of tweaks to rsyslog's config files. The biggest difference here is that Ubuntu takes advantage of the fact that rsyslog can merge multiple config files into one "config." You still have /etc/rsyslog.conf, but you also have a directory named /etc/rsyslog.d/ that holds additional configs. In there you will now find one named mysql.conf containing what is needed to dump our logs into the database, the database password included, so check that it is readable by root only. To start accepting remote logs, though, we still have to uncomment a couple of lines in /etc/rsyslog.conf:

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Now, let's apply our changes:

~# service rsyslog restart

As I mentioned in the Gentoo section, it is a little rough to read if your terminal is not wide enough, but you can verify that the logs are going to the database with

~# mysql -p -e "SELECT * FROM Syslog.SystemEvents;"

RELP: Reliable Event Logging Protocol

At this point we have configured our servers to accept messages over TCP and UDP on the standard port 514, which is what you need to be compatible with the majority of network devices that can ship logs to a central server. Now let's take it a step further and add support for a third protocol: RELP, implemented via librelp. Plain TCP syslog has no application-level acknowledgment: once a message is in the sender's socket buffer it counts as sent, and whatever is still in flight when the connection breaks is silently lost. RELP adds a per-message acknowledgment on top of TCP, so the sender knows exactly what arrived and can resend what did not. More about the unreliability of plain TCP syslog and the creation of RELP can be found on the developer's blog. Rsyslog supports it natively via the imrelp and omrelp modules.

Now, on Gentoo, edit /etc/rsyslog.conf again and add the following to the bottom of the file:

# RELP Syslog Server:
$ModLoad imrelp.so # provide RELP syslog reception
$InputRELPServerRun 20514 # start a RELP syslog server at port 20514

And on Ubuntu, use your favorite editor to create /etc/rsyslog.d/relp.conf with the following in it:

$ModLoad imrelp
$InputRELPServerRun 20514

Adding reliability to your logging system

One of the many helpful articles at rsyslog.com explains how to log massive amounts of syslog data to a database by setting up queueing on your server, so that messages are less likely to be lost when a system or link is under very high load or the database is briefly unavailable. To do this you first need a working directory where rsyslog can store queue (spool) files if needed.

~ # mkdir -p /var/rsyslog/work

Now add the following to /etc/rsyslog.conf (Gentoo) or /etc/rsyslog.d/mysql.conf (Ubuntu). Placement matters: the $ActionQueue* and $ActionResumeRetryCount directives apply to the next action line that follows them and are reset once it is read, so they must go immediately before the *.* :ommysql:... line. Appended at the end of the file they bind to nothing, and rsyslog will not complain.

# Buffering stuff:
$WorkDirectory /var/rsyslog/work # default location for work (spool) files
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName dbq    # set file name, also enables disk mode
$ActionResumeRetryCount -1  # infinite retries on insert failure

And now we need to restart rsyslog:

Gentoo:

~ # /etc/init.d/rsyslog restart

Ubuntu:

~ # service rsyslog restart
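The queue directives above and the listener blocks in the two Rsyslog sections are easy to get wrong silently: rsyslog accepts a config in which the queue settings bind to the wrong action, or to none. The following checker is an added example (not part of the article and not an rsyslog tool) that parses the legacy $Directive syntax used here, reports which ports the server would listen on, and flags the placement mistakes. The two sample configs are constructed from the snippets in this article: one with the buffering block appended at the end of the file, one with it placed directly before the database action.

```python
"""Lint a legacy-syntax rsyslog.conf for the placement pitfalls discussed above.

Added example, not from the article or from rsyslog itself. It understands the
"$Directive value" and "selector action" lines used by rsyslog 3.x/4.x.
"""
import re

DIRECTIVE_RE = re.compile(r'^\$(\w+)\s*(.*)$')
# These apply to the NEXT action line only and are reset once it has been read.
PER_ACTION_PREFIXES = ('ActionQueue', 'ActionResumeRetryCount')
LISTENERS = {'UDPServerRun': 'udp', 'InputTCPServerRun': 'tcp',
             'InputRELPServerRun': 'relp'}


def strip_comment(raw):
    """rsyslog treats everything after '#' as a comment, trailing ones included."""
    return raw.split('#', 1)[0].strip()


def lint_rsyslog_conf(text):
    """Return (listeners, issues): the (protocol, port) pairs the server would
    bind, and human-readable problems found in the config text."""
    listeners, issues, pending = [], [], []
    has_workdir = wants_disk_queue = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if name in LISTENERS:
                listeners.append((LISTENERS[name], int(value)))
            elif name == 'WorkDirectory':
                has_workdir = True
            elif name.startswith(PER_ACTION_PREFIXES):
                pending.append(lineno)
                wants_disk_queue |= name == 'ActionQueueFileName'
            continue
        # Anything else is a "selector action" line, e.g. "*.* :ommysql:..."
        if ':ommysql:' in line:
            # legacy ommysql syntax: :ommysql:dbhost,dbname,dbuser,dbpassword
            fields = line.split(':ommysql:', 1)[1].split(',')
            if len(fields) >= 4 and fields[3].strip():
                issues.append(f'line {lineno}: database password is stored in the '
                              'config; keep the file root-only (mode 0600)')
            if not pending:
                issues.append(f'line {lineno}: database action has no queue settings; '
                              'a slow or down MySQL stalls all log processing')
        elif pending:
            issues.append(f'line {lineno}: queue settings from line(s) {pending} bind '
                          f'to this action ({line!r}), not to the database output')
        pending = []
    if pending:
        issues.append(f'queue settings on line(s) {pending} come after the last '
                      'action and bind to nothing')
    if wants_disk_queue and not has_workdir:
        issues.append('$ActionQueueFileName set without $WorkDirectory')
    return listeners, issues


# Constructed from the article's snippets, buffering block appended at the END
# (the natural reading of "add the following to /etc/rsyslog.conf").
CONF_QUEUE_AT_END = """\
# Logging to MySQL stuff
$ModLoad ommysql
*.*       :ommysql:localhost,Syslog,rsyslog,password

$ModLoad imtcp.so  # load module
$InputTCPServerRun 514 # start a TCP syslog server at standard port 514
$ModLoad imudp.so  # provides UDP syslog reception
$UDPServerRun 514 # start a UDP syslog server at standard port 514
$ModLoad imrelp.so # provide RELP syslog reception
$InputRELPServerRun 20514 # start a RELP syslog server at port 20514

# Buffering stuff:
$WorkDirectory /var/rsyslog/work # default location for work (spool) files
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName dbq    # set file name, also enables disk mode
$ActionResumeRetryCount -1  # infinite retries on insert failure
"""

# Same directives, buffering block moved in front of the action it protects.
CONF_QUEUE_BEFORE_ACTION = """\
$WorkDirectory /var/rsyslog/work
$ModLoad ommysql
$ActionQueueType LinkedList
$ActionQueueFileName dbq
$ActionResumeRetryCount -1
*.*       :ommysql:localhost,Syslog,rsyslog,password
$ModLoad imtcp.so
$InputTCPServerRun 514
$ModLoad imudp.so
$UDPServerRun 514
$ModLoad imrelp.so
$InputRELPServerRun 20514
"""

if __name__ == '__main__':
    for label, conf in (('queue at end', CONF_QUEUE_AT_END),
                        ('queue before action', CONF_QUEUE_BEFORE_ACTION)):
        listeners, issues = lint_rsyslog_conf(conf)
        print(f'{label}: listens on {listeners}')
        for issue in issues:
            print('  -', issue)
```

Run against the first config it reports the dangling queue block and the unqueued database action; against the second only the embedded-password reminder remains, which is the reason for the chmod 600 advice above.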

The Viewing

To view the data we are now dumping into MySQL via the web we need to set up LogAnalyzer. Step one is to download the software from http://loganalyzer.adiscon.com/downloads. As of this writing, the newest version is v3.0.1.

~ # wget http://download.adiscon.com/loganalyzer/loganalyzer-3.0.1.tar.gz
~ # tar -xzf loganalyzer-*.*.*.tar.gz
~ # cd loganalyzer-3.0.1
~/loganalyzer-3.0.1# mkdir /var/www/logs
~/loganalyzer-3.0.1# cp -R src/* /var/www/logs/
~/loganalyzer-3.0.1# cp contrib/* /var/www/logs/
~/loganalyzer-3.0.1# cd /var/www/logs/
/var/www/logs# chmod +x configure.sh secure.sh
/var/www/logs# ./configure.sh

To enable LogAnalyzer's authentication we need an empty database in which to store its users, and a user with privileges on it:

/var/www/logs# mysql -p
mysql> create database LogAnalyzerUsers;
mysql> show databases;
mysql> grant all on LogAnalyzerUsers.* to LAUser@'localhost' identified by 'password';
mysql> quit

*** Parts of the following section are direct quotes from http://loganalyzer.adiscon.com/doc/install.html:
Now go to http://yourlogserver/logs/ and you will be redirected to the installation script, which guides you through the process of setting up LogAnalyzer.

Basic Configuration

You can set several basic options here.

  • Number of syslog messages per page = 50 (default)
  • This is the number of syslog messages shown per page. You can increase it (making LogAnalyzer slower) or decrease it (making it faster).
  • Message character limit for the main view = 80 (default)
  • Sets how many characters of a message are shown in the last column of the main view. The full message can be seen by hovering the mouse over it.
    • Many people like the setting "0", which means the full message is shown.
  • Show message details popup (default "yes") = yes (default). Note that many people find the popups intrusive and prefer to disable them; use "no" in that case.
  • During setup you will also be asked to enable the user database. Do so and enter the information requested.
  • A few pages later you will be asked to enter the main (admin) user.
  • The defaults on step 7 show that LogAnalyzer can be used without a database backend, but we need to change them to match our setup:
    • Give the source a logical name, since it will be the combined logs from all your servers.
    • Source Type = MYSQL Native
    • Select View = Syslog Fields
    • Table type = MonitorWare
    • Database Host = localhost
    • Database Name = Syslog
    • Database Tablename = SystemEvents
    • Database User = rsyslog (with the password you gave that account)
    • Enable Row Counting = No

Two things before you log in. First, run ./secure.sh in /var/www/logs (we copied it from contrib/ earlier): configure.sh left config.php world-writable so the installer could fill it in, and secure.sh takes that write permission away again. Second, LogAnalyzer only ever reads from the Syslog database, so a dedicated account with just SELECT on Syslog.* is a better choice for step 7 than reusing the rsyslog account, which can also insert and delete; a compromised web front end should not be able to rewrite your logs. Once finished, log in to your new site and take a look at what has been logged on the server so far.

Your other hosts

Linux and Solaris

Setting up your other hosts is quite simple. For this example, assume the server you set up is named myserv. If you do not want to edit hosts files, use the FQDN or IP address instead of myserv. If you are willing to run rsyslog on them, you just need to install librelp (rsyslog built with RELP support) and add the following to your rsyslog configuration file:

$ModLoad omrelp
# forward messages to the remote server "myserv" on
# port 20514
*.* :omrelp:myserv:20514;RSYSLOG_ForwardFormat

See the omrelp page for details. (Hosts running rsyslog without RELP support can forward over plain TCP with *.* @@myserv instead.) If you are running a traditional syslog you will be sending messages over UDP, with no delivery guarantee at all. For that, add the following to your syslog.conf:

*.* @myserv

This works for most Linux hosts as well as Solaris. Just remember to restart your logger so it picks up the change to the configuration file.
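The RELP exchange described in the RELP section and the forwarding rule above, as an added example that is not part of the article or of librelp: both ends of a session on port 20514, with the sender keeping every frame until the receiver's rsp for that TXNR comes back. The frame layout follows the RELP specification; the offers in the open command, the host names and the log lines are constructed here, and the link failure is simulated in memory rather than over a socket.

```python
"""A RELP session between a forwarding host and the central server's port 20514.

Added example, not code from the article or from librelp. Frame layout per the
RELP specification: "TXNR SP COMMAND SP DATALEN [SP DATA] LF". The open offers,
host names and messages below are constructed.
"""


def relp_frame(txnr, command, data=b''):
    """Encode one frame. DATALEN is the byte length of DATA (which may itself
    contain newlines); a single LF trailer follows the data."""
    head = f'{txnr} {command} {len(data)}'.encode('ascii')
    return head + (b' ' + data if data else b'') + b'\n'


def parse_relp_frame(buf):
    """Parse the frame at the front of buf -> (txnr, command, data, remainder),
    or None if buf does not yet hold a complete frame."""
    seps, hdr_end = 0, -1
    for i, c in enumerate(buf):
        if c in (0x20, 0x0A):        # SP (or LF when DATALEN is 0) ends a header field
            seps += 1
            if seps == 3:
                hdr_end = i
                break
    if hdr_end < 0:
        return None
    txnr, command, datalen = buf[:hdr_end].split(b' ')
    datalen = int(datalen)
    if buf[hdr_end] == 0x0A:         # "TXNR CMD 0\n": no data part at all
        if datalen:
            raise ValueError('DATALEN > 0 but frame has no data part')
        return int(txnr), command.decode('ascii'), b'', buf[hdr_end + 1:]
    start, end = hdr_end + 1, hdr_end + 1 + datalen
    if len(buf) < end + 1:
        return None                  # data or trailer not fully received yet
    if buf[end] != 0x0A:
        raise ValueError('missing LF trailer after DATA')
    return int(txnr), command.decode('ascii'), buf[start:end], buf[end + 1:]


def rfc3164(facility, severity, host, tag, msg, timestamp='Oct  1 12:00:00'):
    """The classic syslog line that "*.*" forwarding carries: PRI = facility*8 + severity."""
    return f'<{facility * 8 + severity}>{timestamp} {host} {tag}: {msg}'.encode()


class RelpReceiver:
    """The imrelp side: parse each frame, keep syslog payloads, answer every TXNR."""

    def __init__(self):
        self.received = []
        self.session_open = False

    def handle(self, frame):
        txnr, command, data, _ = parse_relp_frame(frame)
        if command == 'open':
            self.session_open = True
            return relp_frame(txnr, 'rsp', b'200 OK\nrelp_version=0\ncommands=syslog')
        if command == 'syslog' and self.session_open:
            self.received.append(data)
            return relp_frame(txnr, 'rsp', b'200 OK')
        if command == 'close':
            self.session_open = False
            return relp_frame(txnr, 'rsp', b'200 OK')
        return relp_frame(txnr, 'rsp', b'500 command not accepted')


class RelpSender:
    """The omrelp side: number every frame and keep it until its rsp arrives."""

    def __init__(self):
        self.txnr = 0
        self.unacked = {}            # txnr -> frame still awaiting a response

    def next_frame(self, command, data=b''):
        self.txnr += 1
        self.unacked[self.txnr] = relp_frame(self.txnr, command, data)
        return self.unacked[self.txnr]

    def on_response(self, rsp):
        txnr, command, data, _ = parse_relp_frame(rsp)
        if command == 'rsp' and data.startswith(b'200'):
            self.unacked.pop(txnr, None)
        return data


OPEN_OFFERS = b'relp_version=0\ncommands=syslog'   # constructed, not librelp's exact offers


def simulate(payloads, link_dies_after):
    """Forward payloads over one session whose link dies after `link_dies_after`
    frames were delivered and acknowledged. The rest sit in the sender's socket
    buffer and never arrive; with plain TCP syslog they would simply be gone.
    Returns (stored_before_reconnect, txnrs_resent, stored_after)."""
    client, server = RelpSender(), RelpReceiver()
    client.on_response(server.handle(client.next_frame('open', OPEN_OFFERS)))
    for i, payload in enumerate(payloads, 1):
        frame = client.next_frame('syslog', payload)
        if i <= link_dies_after:
            client.on_response(server.handle(frame))
    server.session_open = False      # the broken connection is gone on both sides
    stored_before = len(server.received)
    # Reconnect and replay everything still unacknowledged, with its original TXNR.
    client.on_response(server.handle(client.next_frame('open', OPEN_OFFERS)))
    resent = sorted(client.unacked)
    for txnr in resent:
        client.on_response(server.handle(client.unacked[txnr]))
    return stored_before, resent, len(server.received)


if __name__ == '__main__':
    msgs = [rfc3164(4, 5, 'web01', 'sshd[1234]', f'Accepted publickey for user{i}')
            for i in range(5)]
    print(simulate(msgs, link_dies_after=3))
```

With five messages and a link that drops after three, the sender still holds TXNRs 5 and 6 when it reconnects, replays them, and the server ends up with all five. With *.* @myserv (UDP) or *.* @@myserv (plain TCP) nothing on the sending side records which messages the receiver actually processed, which is the gap RELP closes.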

Network devices

If you want to point your network devices at this server, remember that it is listening for TCP and UDP connections on port 514.

OS X

OS X already runs syslog, so this is basically the same as configuring Linux... just add the following to /etc/syslog.conf:

*.* @myserv

Now restart syslog with:

launchctl stop com.apple.syslogd 
launchctl start com.apple.syslogd

Windows

If you want your Windows 2000 through Server 2008 machines to send logs to your new central log server, look at eventlog-to-syslog. Just download it, unzip it, copy evtsys.exe to C:\Windows\system32\ and run:

C:\Windows\system32>evtsys.exe -i -h ip.address.of.myserv

I tested the x64 build in a Windows 7 Enterprise virtual machine and it worked fine.

More sources

You can also send logs from Apache, IIS, ISA, Squid proxy servers, Lotus Notes, Exchange and other servers to your central log server. Look at the Snare Agents from Intersect Alliance. They are available from their website and from SourceForge.

Happy logging :)
