日志服务器搭建

i目录1,系统要求..............................................................................................ii2,需要的源码包软件..............................................................................ii3,rsyslog安装配置..................................................................................ii3.1，修改apache配置......................................................................ii3.2，修改mysql配置........................................................................ii3.3，rsyslog安装..............................................................................iii3.4，rsyslog配置..............................................................................iii3.5，数据库导入及测试....................................................................iv4，安装loganalyzer并修改.....................................................................v5，客户端设置..........................................................................................v5.1，windows客户端设置.................................................................v5.2，linux客户端配置.......................................................................vi5.3，网络设备设置..........................................................................viiii1,系统要求Lamp(httpd-2.2.21,mysql-5.1.44,php-5.3.8)2,需要的源码包软件Rsyslog-5.9.5.tar.gzLoganalyzer-3.5.0.tar.gz3,rsyslog安装配置3.1，修改apache配置Vim/nybackup/syslog/server/apache/conf/httpd.confAddDefaultCharsetoff#关掉默认字符设置3.2，修改mysql配置Vim/etc/my.cnf在[client][mysqld][mysql]三个字段中添加Default-character-set=latin1#将字符集改为latin1Mysql-uroot-pSetnamesutf8GrantinsertonSyslog.*towrite_user@localhostidentifiedby'writesyslog';#增加一个只写的账号，用于rsyslog往mysql里面写日志iiiGrantallonSyslog.*toread_user@localhostidentifiedby'readsyslog';#增加一个用于loganalyzer读取操作数据库的用户3.3，rsyslog安装cd/nybackup/syslog/server/Tarzxvf/nybackup/syslog/install/rsyslog-5.9.5.tar.gzCdrsyslog-5.9.5./configure--prefix=/nybackup/syslog/server/rsyslog--enable-mysqlMake&&makeinstallServicesyslogstop#关闭自带syslogChkconfigsyslogoff3.4，rsyslog配置Cp/etc/init.d/{syslog,rsyslog}#由于rsyslog没有启动脚本，所以修改syslog启动脚本并修改Sed-i's/syslog/rsyslog/g'/etc/init.d/rsyslogChmod700/etc/init.d/rsyslogChkconfig--addrsyslogChkconfigrsyslogonLn-sv/nybackup/syslog/server/rsyslog/sbin/rsyslogd/sbin/rsyslogd#创建服务链接ivVim/etc/rsyslog.conf$ModLoadommysql#加载模块,添加此句$ModLoadimudp.so#取消两句注释，监听UDP的514端口$MDPserverRun514$templatedbFormat,insertintoSystemEvents(Message,Facility,FromHost,Priority,DeviceReportedTime,ReceivedAt,InfoUnitID,SysLogTag)values('%msg%',%syslogfacility%,'%fromhost-ip%',%syslogpriority%,'%timereported:::date-mysql%','%timegenerated:::date-mysql%',%iut%,'%syslogtag%'),sql#自定义数据模板dbFormat*.*:ommysql:localhost,Syslog,write_user,write_syslog;dbFormat#传送数据到mysql数据库Servicersyslogrestart#启动rsyslog服务3.5，数据库导入及测试Cd/nybackup/syslog/server/rsyslog-5.9.5Mysql-uroot-p./plugins/ommysql/creatDB.sql#导入数据库Mysql-uroot-p#进入mysqlUseSyslog;Select*fromSystemEvents;#查看是否有数据v4，安装loganalyzer并修改Cd/nybackup/syslog/server/Tarzxvf../install/loganalyzer-3.5.0.tar.gzCdloganalyzer-3.5.0Cp-rsrc/*/nybackup/syslog/server/apache/htdocs/#复制loganalyzer文件到apache默认目录Cp-rcontrib/*/nybackup/syslog/server/apache/htdocsCd/nybackup/syslog/server/apache/htdocsBash./configure.sh#生成config.php文件Bash./secure.shChmod666config.php#修改config.php权限重启apache服务serviceapacherestart浏览，客户端设置5.1，windows客户端设置安装软件evtsys此软件分为32位和64位:Evtsys_4.4.3_32-bit.zipEvtsys_4.4.3_64-bit.zip安装之前先进行windows时间同步设置vi本地时间服务器地址：172.16.30.10解压evtsys.rar复制evtsys.exe和evtsys.dll到c:\windows\system32\下cmd进入dosEvtsys-i-h172.16.20.3#安装evtsys日志转发Netstartevtsys#启动evtsys服务5.2，linux客户端配置步骤一：ntp时间同步先进行时间同步ntpdate-u172.16.30.10把时间同步写入日计划任务Vim/etc/crontab304***/usr/sbin/ntpdate-u172.16.30.10;/sbin/hwclock-w重启计划任务服务Servicecrondrestart步骤二：客户端日志配置Vim/etc/syslog.conf*.*@172.16.20.3#添加此句，把本机所有各等级日志转发到172.16.20.3vii重启日志服务Servicesyslogrestart5.3，网络设备设置1.在配置模式下，定义日志记录时间戳(config)#servicetimestampslogdatetimemsec2.在配置模式下，指定日志服务器(config)#logging172.16.20.3附录：本例中日志服务器地址172.16.20.3本次操作所涉及到的源码包和安装程序，均存于ftp服务器/nybackup/backup/rsyslog中。注意：开启windows下面的安全本地安全策略里面的审核策略，否则服务器默认不记录日志