rsyslog+loganalyzer日志服务器搭建

1、下载rsyslog+loganalyzer
2、前期环境部署lamp
 yum -y install mysql-devel  这个不安装的话，在编译rsyslog时会出错的。
3、安装rsyslog
./configure --enable-mysql
make && make install
cp rsyslog.conf /etc


4、vim /etc/rsyslog.conf

# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.

$ModLoad immark   # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # kernel logging (formerly provided by rklogd)
=================新增下面2行================
$ModLoad ommysql
*.*       :ommysql:localhost,Syslog,root,123
============================================    主要是加载mysql数据库。


# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                -/var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  -/var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          -/var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /rsyslog/spool # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514


# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
#$ModLoad imtcp.so  # load module
#$InputTCPServerRun 514 # start up TCP listener at port 514

# UDP Syslog Server:
=====去掉下面2行的注释，主要是接收客户的日志====
$ModLoad imudp.so  # provides UDP syslog reception
$UDPServerRun 514 # start a UDP syslog server at standard port 514

保存退出，开启防火墙的UDP 514端口，重启防火墙。

5、建立rsyslog启动脚本。
cp -rp /etc/init.d/syslog /etc/init.d/rsyslog
sed -i 's/syslog/rsyslog/g' /etc/init.d/rsyslog
ln -s /usr/local/sbin/rsyslogd /sbin/rsyslogd

=====停止自带的syslog日志服务====
service syslog stop

6、导入数据库。
cd /root/syslog/rsyslog-5.8.1/plugins/ommysql
mysql -uroot -p <createDB.sql
密码：

启动rsyslog
service rsyslog start

检查数据库是否有相应数据

mysql -uroot -p
use Syslog;
select * from SystemEvents;
如果有数据，则表示成功。

7、安装loganalyzer-3.0.4
tar xvzf loganalyzer-3.0.4.tar.gz
cd loganalyzer-3.0.4
mv src/* /usr/local/apache/htdocs/syslog/
mv contrib/* /usr/local/apache/htdocs/syslog/
chmod u+x /usr/local/apache/htdocs/syslog/*.sh
./configure.sh
./secure.sh
chmod 666 config.php
chown -R daemon.daemon *

8、登录web安装。
http://ip地址/syslog

具体按步骤一步一步点下去，基本就安装完了。

这里说2个注意点，在这里我可是耗了好长时间：
在按步骤一步步点下去的时候，一定要主要Syslog数据库的表名称为：SystemEvents,在这里我刚开始没注意到，所以走了很多弯路。


9、linux客户端部署：
客户端部署比较简单：
vim /etc/syslog.conf
在最后面添加：*.*   @192.168.2.211
保存退出，重启syslog服务。
service syslog restart

此时在服务器上就可以看到相关服务器的日志信息了。

到此基本就安装完成。至于思科华为交换路由，大家可以测试测试，windows的需要第三方软件，如果有兴趣也可以测试下。

下面是的我的服务器贴图，大家可以看下：