Deploying a log analysis system with Rsyslog, LogAnalyzer and LogCheck

#### Part 1. Preparing the software packages

Rsyslog 5.8.9

```
wget http://www.rsyslog.com/files/download/rsyslog/rsyslog-5.8.9.tar.gz
```

LogAnalyzer 3.4.1

```
wget http://download.adiscon.com/loganalyzer/loganalyzer-3.4.1.tar.gz
```

LogCheck 1.1.2

```
wget http://sourceforge.net/projects/logcheck/files/latest/download?source=files
```

EvtSys 4.4.3 (Eventlog to Syslog, for the Windows clients)

```
wget http://eventlog-to-syslog.googlecode.com/files/EvtSys_4.4.3_32-Bit-LP.zip
```

#### Part 2. Server-side installation and configuration

1. LAMP stack deployment

   Omitted.

2. Installing Rsyslog

   ```
   cd /usr/local/src/
   tar zxvf rsyslog-5.8.9.tar.gz && cd rsyslog-5.8.9
   ./configure --enable-mysql
   make && make install
   ln -s /usr/local/sbin/rsyslogd /sbin/rsyslogd
   cp rsyslog.conf /etc
   ```

   Edit rsyslog.conf:

   ```
   vim /etc/rsyslog.conf
   ```

   ```
   $ModLoad immark
   $ModLoad imuxsock
   $ModLoad imklog
   $ModLoad ommysql
   # write every message to the Syslog database; replace uid and password with the
   # MySQL account created for rsyslog (the file holds this password in clear text,
   # so keep it readable by root only)
   *.*       :ommysql:localhost,Syslog,uid,password
   local7.*                                            /var/log/boot.log
   *.*                                                 /data/logs/messages
   # receive client logs on UDP port 514 (plain syslog, no authentication,
   # so expose it only to the client networks)
   $ModLoad imudp.so
   $UDPServerRun 514
   ```

   Make sure port 514 is reachable, or that iptables is turned off (opening 514/udp only to the client hosts is the safer of the two).

   Create the rsyslog init script:

   ```
   cp -rp /etc/init.d/syslog /etc/init.d/rsyslog
   sed -i 's/syslog/rsyslog/g' /etc/init.d/rsyslog
   ```

   Import the database schema:

   ```
   cd /usr/local/src/rsyslog-5.8.9/plugins/ommysql
   mysql -u root -p < createDB.sql
   ```

   Stop syslog:

   ```
   service syslog stop
   ```

   Start rsyslog:

   ```
   service rsyslog start
   ```

   Check the SystemEvents table; if it contains rows, the setup succeeded.

3. Installing LogAnalyzer

   ```
   mkdir /data/www/wwwroot/loganalyzer
   cd /usr/local/src/
   tar zxvf loganalyzer-3.4.1.tar.gz && cd /usr/local/src/loganalyzer-3.4.1/src
   cp -r * /data/www/wwwroot/loganalyzer
   cd ../contrib
   cp * /data/www/wwwroot/loganalyzer
   cd /data/www/wwwroot/loganalyzer
   chmod 755 *.sh
   ./configure.sh
   ./secure.sh
   # config.php must be writable by the browser-based installer; tighten it
   # again (secure.sh sets it back to 644) once the setup in the browser is done
   chmod 666 config.php
   chown -R www.www /data/www/wwwroot/loganalyzer
   ```

   Open the LogAnalyzer server address in a browser to continue the installation. Pay attention to upper/lower case during the installation!

4. Installing LogCheck

   ```
   mkdir -p /usr/local/logcheck/bin /usr/local/logcheck/etc /usr/local/logcheck/tmp
   cd /usr/local/src/
   tar zvxf logcheck-1.1.2.tar.gz && cd logcheck-1.1.2
   sed -i 's/local/local\/logcheck/g' Makefile
   make linux
   ```

   Edit logcheck.sh:

   ```
   sed -i 's/\=\/usr\/local/\=\/usr\/local\/logcheck/g' logcheck.sh
   vim logcheck.sh
   ```

   ```
   # administrator mailboxes that receive the report
   SYSADMIN=root,admin@test.com
   # comment out the following three lines
   #$LOGTAIL /var/log/messages > $TMPDIR/check.$$
   #$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
   #$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
   # and add this line instead
   $LOGTAIL /www/messages > $TMPDIR/check.$$
   ```

   Add a cron job:

   ```
   crontab -e
   ```

   ```
   0 0 * * * /usr/local/logcheck/etc/logcheck.sh > /dev/null 2>&1
   ```

   Log cleanup script:

   ```
   #!/bin/bash
   # delete old syslog data: database rows reported one week ago (matched on
   # month-day) and flat-file lines dated 30 days ago
   MesDate=$(date -d '30 days ago' +%Y-%m-%d)
   SqlDate=$(date -d "-1 week" +%m-%d)
   Mes=/www/messages
   # the MySQL root password is passed on the command line here, where other
   # local users can read it from the process list; a [client] section in
   # ~/.my.cnf keeps it out of sight
   mysql -uroot -proot -e "delete from Syslog.SystemEvents where DATE_FORMAT(DeviceReportedTime,'%m-%d') like '%${SqlDate}%';"
   sed -i "/${MesDate}/d" ${Mes}
   ```

   Make sure sendmail is running:

   ```
   service sendmail start
   chkconfig --add sendmail
   chkconfig sendmail on
   ```
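What the nightly cron job actually mails depends on two things in logcheck.sh: `$LOGTAIL` only reads the lines appended since the previous run (it remembers a byte offset), and everything matching the ignore patterns is dropped. The following bash script is an added example, not logcheck's own code, that models one such run offline; the log path, the offset file, the ignore rules and the four log lines are all constructed for the example, and it also handles the case where the file shrank (for instance after the cleanup script's `sed -i` removed old lines).

```shell
#!/bin/bash
# Offline model of one logcheck.sh run: $LOGTAIL reads only the lines appended
# since the previous cron run, lines matching the ignore patterns are dropped,
# and whatever remains is what logcheck would mail to $SYSADMIN.
set -eu

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/messages"            # stands in for /www/messages (constructed)
OFFSET="$WORK/messages.offset"  # logtail's bookmark: byte offset of the last run
IGNORE="$WORK/logcheck.ignore"  # patterns for routine lines not worth reporting

# Constructed sample lines in rsyslog's default RFC 3164 timestamp format.
cat > "$LOG" <<'EOF'
Mar  1 10:00:01 web01 crond[1234]: (root) CMD (run-parts /etc/cron.hourly)
Mar  1 10:00:05 web01 sshd[2345]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Mar  1 10:00:09 web01 sshd[2346]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Mar  1 10:00:10 web01 su: pam_unix(su:session): session opened for user root by deploy(uid=1000)
EOF

# Constructed ignore rules: extended regexes, one per line, as in logcheck's ignore files.
cat > "$IGNORE" <<'EOF'
crond\[[0-9]+\]: \(root\) CMD
sshd\[[0-9]+\]: Accepted publickey for
EOF

# logtail: print the lines added since the saved offset, then save the new offset.
logtail() {
    file=$1 offset_file=$2 start=0
    [ -f "$offset_file" ] && start=$(cat "$offset_file")
    size=$(($(wc -c < "$file")))
    # A smaller file means it was truncated or rewritten (e.g. by the cleanup
    # script's sed -i), so restart from the beginning instead of skipping lines.
    [ "$size" -lt "$start" ] && start=0
    tail -c +"$((start + 1))" "$file"
    echo "$size" > "$offset_file"
}

# One logcheck pass: new lines minus anything matched by an ignore pattern.
logcheck_run() {
    logtail "$LOG" "$OFFSET" | grep -Ev -f "$IGNORE" || true
}

logcheck_run   # first run reports the failed login and the su to root
logcheck_run   # second run prints nothing: no new lines since the offset was saved
```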

#### Part 3. Client-side installation and configuration

5. Linux client

   Edit /etc/syslog.conf so that all messages are forwarded to the rsyslog server (replace rsyslog_server_ip with the server's address):

   ```
   echo "*.* @rsyslog_server_ip" >> /etc/syslog.conf
   ```

6. Windows client

   * Download the client software:

     ```
     wget http://eventlog-to-syslog.googlecode.com/files/EvtSys_4.4.3_32-Bit-LP.zip
     ```

   * Unzip it and copy evtsys.dll and evtsys.exe to c:\windows\system32.
   * Install evtsys:

     ```
     C:\>evtsys -i -h rsyslog_server_ip
     ```

     -i installs evtsys as a system service; -h specifies the log server's IP address.
   * Start the service:

     ```
     C:\>net start evtsys
     ```

   * Uninstall evtsys:

     ```
     C:\>net stop evtsys
     C:\>evtsys -u
     ```
