日志管理实验
日志管理实验

日志管理实验

利用 MySQL 存储日志信息

#环境设置
两台主机
一台:rsyslog日志服务器,IP:10.0.0.156
一台:mysql数据库服务器,IP:10.0.0.153

#在rsyslog服务器上安装连接mysql模块相关的程序包
[root@rocky8 ~]#yum -y install rsyslog-mysql
[root@rocky8 ~]#rpm -ql rsyslog-mysql
/usr/lib/.build-id
/usr/lib/.build-id/93
/usr/lib/.build-id/93/cf1f270513a39c1f67625e850c11cf4c56c038
/usr/lib64/rsyslog/ommysql.so
/usr/share/doc/rsyslog/mysql-createDB.sql


#查看脚本
[root@rocky8 ~]#cat /usr/share/doc/rsyslog/mysql-createDB.sql 
-- Creates the database that the ommysql action later in this lab writes to.
-- Not idempotent (no IF NOT EXISTS): running the script a second time fails here.
CREATE DATABASE Syslog;
USE Syslog;
-- Table that rsyslog's ommysql module writes one row per log record into.
-- The logger test row at the end of the lab shows which columns ommysql
-- actually fills: ReceivedAt, DeviceReportedTime, Facility, Priority,
-- FromHost, Message, InfoUnitID and SysLogTag; everything else stays NULL.
-- NOTE(review): FromHost, Message and SysLogTag come straight from the log
-- record, i.e. from whatever the sending process or host emitted
-- (`logger "..."` above writes arbitrary text), so treat them as untrusted
-- input wherever they are rendered or used to build further queries.
CREATE TABLE SystemEvents
(
        -- surrogate key; the only column that is never NULL
        ID int unsigned not null auto_increment primary key,
        CustomerID bigint,
        -- populated in the test row (2022-09-05 20:49:51); presumably the
        -- arrival time at the log server -- confirm against the ommysql template
        ReceivedAt datetime NULL,
        -- populated in the test row with the same value as ReceivedAt;
        -- presumably the timestamp carried in the record itself -- confirm
        DeviceReportedTime datetime NULL,
        -- numeric syslog facility (1 in the logger test row)
        Facility smallint NULL,
        -- numeric syslog priority value (5 in the logger test row)
        Priority smallint NULL,
        -- sender name as it appears in the record ('rocky8' in the test row)
        FromHost varchar(60) NULL,
        -- free-text message body; unbounded, so account for it in retention planning
        Message text,
        -- the columns from here to MaxUsage are NULL in the ommysql test row;
        -- presumably reserved for other log sources/templates -- verify before relying on them
        NTSeverity int NULL,
        Importance int NULL,
        EventSource varchar(60),
        EventUser varchar(60) NULL,
        EventCategory int NULL,
        EventID int NULL,
        EventBinaryData text NULL,
        MaxAvailable int NULL,
        CurrUsage int NULL,
        MinUsage int NULL,
        MaxUsage int NULL,
        -- 1 in the test row; its meaning is not shown on this page
        InfoUnitID int NULL ,
        -- syslog tag of the record ('root[2141]:' in the test row)
        SysLogTag varchar(60),
        -- NULL in the test row
        EventLogType varchar(60),
        GenericFileName VarChar(60),
        SystemID int NULL
);

-- Key/value side table; SystemEventID presumably points at SystemEvents.ID,
-- but no FOREIGN KEY is declared and nothing in this lab writes to it
-- (the test only shows rows in SystemEvents) -- verify before depending on it.
CREATE TABLE SystemEventsProperties
(
        ID int unsigned not null auto_increment primary key,
        -- no referential constraint: orphan rows are not prevented by the schema
        SystemEventID int NULL ,
        ParamName varchar(255) NULL ,
        ParamValue text NULL
);


#数据库服务器执行脚本创建数据库和表,创建用户
[root@node1 data]#mysql < mysql-createDB.sql 
mysql> CREATE USER 'rsyslog'@'10.0.0.%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.01 sec)

mysql> GRANT ALL ON Syslog.* TO 'rsyslog'@'10.0.0.%' ;
Query OK, 0 rows affected (0.00 sec)


#配置日志服务器将日志发送至指定数据库
[root@rocky8 ~]#vim /etc/rsyslog.conf
# add under the module-loading section
module(load="ommysql")
# add under the RULES block
# Legacy action syntax: :ommysql:<server>,<database>,<user>,<password>.
# The database password is stored in clear text on this line, so keep the
# file readable by root only (NOTE(review): check the mode of
# /etc/rsyslog.conf on this host) or move the action into a separate
# root-only file under /etc/rsyslog.d. The account only inserts rows, so the
# `GRANT ALL ON Syslog.*` given above is wider than needed -- presumably
# INSERT on Syslog.SystemEvents is enough for the default template; verify.
*.info                                                  :ommysql:10.0.0.153,Syslog,rsyslog,123456
[root@rocky8 ~]#systemctl restart rsyslog.service 

#Ubuntu 自动生成以下配置文件,只需要按环境修改
[root@ubuntu2004 ~]#cat /etc/rsyslog.d/mysql.conf
### Configuration file for rsyslog-mysql
### Changes are preserved
module (load="ommysql")   
# server= must point at this lab's database host (10.0.0.153 in the
# environment section); db/uid/pwd match the account created there.
# Unlike the *.info rule used on Rocky above, *.* ships every priority
# (debug included) to the database. The password is in clear text here,
# so keep this file readable by root only.
*.* action(type="ommysql" server="10.0.0.18" db="Syslog" uid="rsyslog" pwd="123456")

#测试
[root@rocky8 ~]#logger "this is a test log"

*************************** 15. row ***************************
                ID: 15
        CustomerID: NULL
        ReceivedAt: 2022-09-05 20:49:51
DeviceReportedTime: 2022-09-05 20:49:51
          Facility: 1
          Priority: 5
          FromHost: rocky8
           Message: this is a test log
        NTSeverity: NULL
        Importance: NULL
       EventSource: NULL
         EventUser: NULL
     EventCategory: NULL
           EventID: NULL
   EventBinaryData: NULL
      MaxAvailable: NULL
         CurrUsage: NULL
          MinUsage: NULL
          MaxUsage: NULL
        InfoUnitID: 1
         SysLogTag: root[2141]:
      EventLogType: NULL
   GenericFileName: NULL
          SystemID: NULL
15 rows in set (0.00 sec)
mysql> SELECT * FROM SystemEvents\G;

rsyslog启用网络日志服务

#所有节点开启网络服务模块TCP/UDP
[root@rocky8 ~]#vim /etc/rsyslog.conf 
# Receivers: load each input module once, then open the listeners.
# No address= parameter is given, so the listeners presumably bind on
# every interface (rsyslog's default -- verify). Restrict 514/udp and
# 514/tcp with the host firewall to the sending nodes (the 10.0.0.x hosts
# above): the UDP input in particular accepts unauthenticated records from
# any source, and the TCP path can additionally be wrapped in TLS.
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

#推送节点配置推送日志信息
[root@rocky8 ~]#vim /etc/rsyslog.conf 
# Forwarders: @@ = TCP, @ = UDP. Both rules ship everything at info and
# above except the mail, authpriv and cron facilities, so authentication
# events are not forwarded by these lines; drop authpriv.none if they should
# be centralised as well. The two rules target different receivers
# (10.0.0.153 over TCP, 10.0.0.154 over UDP) -- presumably intentional,
# verify against the environment section at the top of this lab.
*.info;mail.none;authpriv.none;cron.none                @@10.0.0.153:514 #TCP
*.info;mail.none;authpriv.none;cron.none                @10.0.0.154:514 #UDP
[root@rocky8 ~]#systemctl restart rsyslog.service 

Logrotate 日志转储

#实现博客网站nginx访问日志转储
[root@shuzihan ~]# vim  /etc/logrotate.d/nginx
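# Rotation of the blog site's nginx access log. Installed as
# /etc/logrotate.d/nginx, it is picked up by `include /etc/logrotate.d`
# in /etc/logrotate.conf. NOTE(review): when run directly as
# `logrotate /etc/logrotate.d/nginx` (see below), only this file is read,
# so the global settings of /etc/logrotate.conf do not apply to that run.
/www/wwwlogs/access.log {
    # rotate every day
    daily
    # keep 100 rotated copies (100 days at daily rotation)
    rotate 100
    # a missing log is not an error; continue with the next file
    missingok
    # compress rotated logs, but only from the second rotation on, so the
    # most recent rotated file stays plain text one extra cycle
    compress
    delaycompress
    # do not rotate an empty file
    notifempty
    # new log owned by www:www. NOTE(review): 644 leaves client IPs and
    # request URLs readable by every local account; 640 is enough if only
    # the www user needs to read it
    create 644 www www
    # postrotate and endscript must each stand on a line of their own.
    # Ask nginx to reopen its log files after the rename; the pid must be
    # read with command substitution, otherwise kill receives the word "cat".
    postrotate
        if [ -f /www/server/nginx/logs/nginx.pid ]; then
            kill -USR1 "$(cat /www/server/nginx/logs/nginx.pid)"
        fi
    endscript
}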

#手动执行
[root@shuzihan ~]# logrotate /etc/logrotate.d/nginx 

#系统默认配置
[root@shuzihan ~]# cat /etc/logrotate.conf 
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
# (the /etc/logrotate.d/nginx stanza above is picked up here; the settings
# declared before this line act as defaults for included files, so the
# nginx log gets dateext while its own daily / rotate 100 override the
# weekly / rotate 4 above -- NOTE(review): confirm with `logrotate -d`)
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    # recreated 0664 root:utmp, i.e. world-readable -- presumably so that
    # unprivileged login-history tools can read it; note the shipped file
    # mixes a tab and spaces for indentation below
    create 0664 root utmp
	minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    # unlike wtmp, recreated 0600: NOTE(review) btmp holds failed-login
    # records, which frequently contain mistyped passwords, so keep it root-only
    create 0600 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.