1) Huawei firewall, model USG5120
2) A PC acting as the log server, a Tsinghua Tongfang machine with a 1 TB hard disk
Note: with CentOS 7 32-bit, some of the software cannot be installed with yum, because CentOS 7 no longer supports these 32-bit packages.
PC:
1) Operating system: CentOS 7 64-bit
2) rsyslog 8.24
3) loganalyzer-4.1.6.tar
4) MariaDB 5.5.56
5) LAMP environment
Using the USB PE image prepared earlier, plug it into the PC's USB port, boot into PE, choose to install CentOS 7 and follow the prompts step by step.
[root@localhost ~]# date
Tue Mar 20 19:42:22 CST 2018
[root@localhost ~]# timedatectl
      Local time: Tue 2018-03-20 19:42:47 CST
  Universal time: Tue 2018-03-20 11:42:47 UTC
        RTC time: Tue 2018-03-20 11:42:47
       Time zone: Asia/Shanghai (CST, +0800)
     NTP enabled: no
NTP synchronized: no
 RTC in local TZ: no
      DST active: n/a
Asia/Shanghai (CST, +0800) was selected during installation, but the date command shows a Local time that is 8 hours ahead of the actual current time. That would cause serious problems in the logs later, so the time has to be corrected.
Solution:
1) First check the system's time zone information
2) Delete the current time zone link
3) Create a symbolic link from /usr/share/zoneinfo/ to replace the current time zone, choosing Universal directly
4) Check with timedatectl; problem solved.
[root@localhost ~]# ls /usr/share/zoneinfo/
Africa Australia Cuba Etc GMT-0 Indian Kwajalein Navajo posix ROK UTC
America Brazil EET Europe GMT+0 Iran Libya NZ posixrules Singapore WET
Antarctica Canada Egypt GB Greenwich iso3166.tab MET NZ-CHAT PRC Turkey W-SU
Arctic CET Eire GB-Eire Hongkong Israel Mexico Pacific PST8PDT UCT zone.tab
Asia Chile EST GMT HST Jamaica MST Poland right Universal Zulu
Atlantic CST6CDT EST5EDT GMT0 Iceland Japan MST7MDT Portugal ROC US
[root@localhost ~]# rm /etc/localtime
rm: remove symbolic link ‘/etc/localtime’?
[root@localhost ~]# rm /etc/localtime
rm: remove symbolic link ‘/etc/localtime’? y
[root@localhost ~]# ln -s /usr/share/zoneinfo/Universal /etc/localtime
[root@localhost ~]# timedatectl
      Local time: Tue 2018-03-20 11:48:29 UTC
  Universal time: Tue 2018-03-20 11:48:29 UTC
        RTC time: Tue 2018-03-20 11:48:28
       Time zone: Universal (UTC, +0000)
     NTP enabled: yes
NTP synchronized: no
 RTC in local TZ: no
      DST active: n/a
[root@localhost ~]# date
Tue Mar 20 11:48:36 UTC 2018
1. Install the ntpdate tool
# yum -y install ntp ntpdate
2. Synchronize the system time with network time
# ntpdate cn.pool.ntp.org
Go to /etc/sysconfig/network-scripts/. This machine has no eth0; the default interface file is ifcfg-enp4s0, so edit it with vi ifcfg-enp4s0 and configure it as follows:
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eth0
UUID=8a67b4da-3bb2-40df-9006-9c3fd9ec7b95
DEVICE=enp4s0
ONBOOT=yes
HWADDR=34:97:F6:9A:5E:94
IPADDR=192.168.1.15
PREFIX=24
GATEWAY=192.168.1.10
DNS1=114.114.114.114
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no
[root@localhost ~]# ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.443 ms
[root@localhost ~]# ping www.baidu.com
ping: www.baidu.com: Name or service not known
Solution:
Set the /etc/resolv.conf file to:
search localdomain
nameserver 114.114.114.114
[root@rsyslog ~]# yum install httpd -y
[root@rsyslog ~]# systemctl start httpd   # start the service
[root@rsyslog ~]# systemctl enable httpd  # start at boot
If the firewall is running on the system, 192.168.1.15/phpmyadmin cannot be reached from outside.
[root@mycentos ~]# systemctl stop firewalld.service      # stop the firewall service
[root@localhost ~]# systemctl disable firewalld.service  # keep the firewall from starting at boot
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost loganalyzer]# cat /etc/httpd/conf/httpd.conf
#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default. To use the
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset UTF-8
Since the default CentOS 7 repositories no longer carry the MySQL database, MariaDB has to be installed instead.
[root@localhost conf.d]# yum -y install mariadb-server mariadb
[root@rsyslog ~]# yum install mysql mysql-server -y
[root@rsyslog ~]# systemctl start mariadb
[root@rsyslog ~]# systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[root@rsyslog ~]# mysqladmin -u root password '2991421'
Note: on CentOS 7, installing mysql by default gives you MariaDB, the open-source fork of MySQL.
If the service cannot be started after installation:
[root@localhost html]# systemctl start mariadb
Failed to start mariadb.service: Unit not found
install the full set of MariaDB packages:
yum install -y mariadb*
1) File /etc/my.cnf
vi /etc/my.cnf
Add under the [mysqld] section:
init_connect='SET collation_connection = utf8_unicode_ci'
init_connect='SET NAMES utf8'
character-set-server=utf8
collation-server=utf8_unicode_ci
skip-character-set-client-handshake
2) File /etc/my.cnf.d/client.cnf
vi /etc/my.cnf.d/client.cnf
Add under [client]:
default-character-set=utf8
3) File /etc/my.cnf.d/mysql-clients.cnf
vi /etc/my.cnf.d/mysql-clients.cnf
Add under [mysql]:
default-character-set=utf8
4) With everything configured, restart MariaDB
systemctl restart mariadb
Then log in to MariaDB and check the character set:
mysql> show variables like "%character%"; show variables like "%collation%";
The output is:
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | utf8                       |
| character_set_connection | utf8                       |
| character_set_database   | utf8                       |
| character_set_filesystem | binary                     |
| character_set_results    | utf8                       |
| character_set_server     | utf8                       |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
8 rows in set (0.00 sec)
+----------------------+-----------------+
| Variable_name        | Value           |
+----------------------+-----------------+
| collation_connection | utf8_unicode_ci |
| collation_database   | utf8_unicode_ci |
| collation_server     | utf8_unicode_ci |
+----------------------+-----------------+
3 rows in set (0.00 sec)
The character set configuration is complete.
Because the log volume is large and the disk space under the default installation directory is limited, the data directory needs to be moved to the separate large disk partition set aside for it.
[root@localhost mysql]# df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/centos-root   50G  2.6G   48G   6% /
devtmpfs                 1.9G     0  1.9G   0% /dev
tmpfs                    1.9G     0  1.9G   0% /dev/shm
tmpfs                    1.9G  8.8M  1.9G   1% /run
tmpfs                    1.9G     0  1.9G   0% /sys/fs/cgroup
/dev/sda1               1014M  139M  876M  14% /boot
/dev/mapper/centos-home  877G   62M  877G   1% /home
tmpfs                    383M     0  383M   0% /run/user/0
The default data directory is /var/lib/mysql; after the change it is /home/data/mysql.
Mind the owner and permissions of the directory: chown -R mysql:mysql /home/data/
1) Create the directory
a) cd /home
b) mkdir data
2) Stop the database service
a) [root@localhost mysql]# systemctl stop mariadb
3) Copy the whole /var/lib/mysql directory to /home/data, preserving permissions
a) cp -arp /var/lib/mysql /home/data/
4) Edit the configuration file
a) [root@localhost ~]# vi /etc/my.cnf.d/server.cnf
b) Add under [mysqld]:
datadir=/home/data/mysql
socket=/var/lib/mysql/mysql.sock
character_set_server=utf8
slow_query_log=on
slow_query_log_file=/home/data/mysql/slow_query_log.log
long_query_time=2
5) Set up the slow query log file
a) touch /home/data/mysql/slow_query_log.log
b) chown mysql:mysql /home/data/mysql/slow_query_log.log
6) Disable SELinux
a) setenforce 0
7) Restart MySQL
a) systemctl restart mariadb
b) mysql -u root -p
c) Create a new database and check that it appears under the new directory
[root@rsyslog ~]# yum install php php-mysql php-gd -y
[root@rsyslog ~]# vi /var/www/html/test.php
<?php
phpinfo();
?>
Open a browser on a client and test access to http://192.168.1.15/test.php
If it cannot be reached, restart the Apache service:
systemctl stop httpd
systemctl start httpd
Note: Apache's default document root is /var/www/html/; create it if it does not exist. If PHP pages do not run correctly under Apache, make sure PHP support is enabled in httpd; check the loaded modules with:
httpd -M
The PHP that CentOS 7 installs by default with yum is version 5.4, but the latest phpMyAdmin does not support it and requires PHP 5.5 or later.
Before upgrading, check the current PHP version to avoid upgrading twice:
# php -v
Check the currently installed PHP packages:
# yum list installed | grep php
Remove the current PHP packages completely to avoid conflicts:
# yum remove php*
The default yum repositories cannot upgrade PHP, so a third-party repository has to be added; the webtatic repository is used here.
CentOS 7.x:
rpm -Uvh https://mirror.webtatic.com/yum/el7/epel-release.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
Install PHP 5.6:
yum install -y php56w.x86_64 php56w-cli.x86_64 php56w-common.x86_64 php56w-gd.x86_64 php56w-ldap.x86_64 php56w-mbstring.x86_64 php56w-mcrypt.x86_64 php56w-mysql.x86_64 php56w-pdo.x86_64 php56w-fpm
Or install PHP 7.1:
yum install -y php71w-fpm php71w-opcache php71w-cli php71w-gd php71w-imap php71w-mysqlnd php71w-mbstring php71w-mcrypt php71w-pdo php71w-pecl-apcu php71w-pecl-mongodb php71w-pecl-redis php71w-pgsql php71w-xml php71w-xmlrpc php71w-devel mod_php71w
Check the current PHP version:
php -v
[root@localhost ~]# yum install phpmyadmin
Sometimes this fails with "no package available"; in that case install the Remi repository:
# yum install epel-release
# rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
[root@localhost ~]# yum install phpmyadmin
Yum installs it under /usr/share/phpMyAdmin by default.
[root@localhost conf.d]# vi /etc/httpd/conf.d/phpMyAdmin.conf
Only the lines marked "changed" need editing; the Directory and IfModule container lines are those of the stock EPEL phpMyAdmin.conf:
# phpMyAdmin - Web based MySQL browser written in php
#
# Allows only localhost by default
#
# But allowing phpMyAdmin to anyone other than localhost should be considered
# dangerous unless properly secured by SSL
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin/>
   AddDefaultCharset UTF-8
   <IfModule mod_authz_core.c>
     # Apache 2.4
     #Require ip 127.0.0.1
     #Require ip ::1
     # changed: allow access from any host
     Require all granted
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order Deny,Allow
     Deny from All
     #Allow from 127.0.0.1
     #Allow from ::1
     # changed: allow access from any host
     Allow from All
   </IfModule>
</Directory>
<Directory /usr/share/phpMyAdmin/setup/>
   <IfModule mod_authz_core.c>
     # Apache 2.4
     <RequireAny>
       Require ip 127.0.0.1
       Require ip ::1
     </RequireAny>
   </IfModule>
   <IfModule !mod_authz_core.c>
     # Apache 2.2
     Order Deny,Allow
     Deny from All
     Allow from 127.0.0.1
     Allow from ::1
   </IfModule>
</Directory>
# These directories do not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
#
<Directory /usr/share/phpMyAdmin/libraries/>
    Order Deny,Allow
    Deny from All
    Allow from None
</Directory>
<Directory /usr/share/phpMyAdmin/setup/lib/>
    Order Deny,Allow
    Deny from All
    Allow from None
</Directory>
<Directory /usr/share/phpMyAdmin/setup/frames/>
    Order Deny,Allow
    Deny from All
    Allow from None
</Directory>
# This configuration prevents mod_security at phpMyAdmin directories from
# filtering SQL etc. This may break your mod_security implementation.
#
#<IfModule mod_security.c>
#    <Directory /usr/share/phpMyAdmin/>
#        SecRuleInheritance Off
#    </Directory>
#</IfModule>
Restart the httpd service:
[root@localhost conf.d]# systemctl restart httpd
Then open http://192.168.1.15/phpmyadmin/index.php in a browser.
[root@localhost ~]# yum install rsyslog-* --skip-broken -y
[root@localhost ~]# systemctl enable rsyslog
The rsyslog database creation script is /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql; simply import this script into MariaDB.
# mysql -uroot -p < /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
Check in the database that the new database exists:
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Syslog             |
| mysql              |
| performance_schema |
| test               |
+--------------------+
5 rows in set (0.00 sec)
Look at the tables in Syslog:
MariaDB [Syslog]> show tables;
+------------------------+
| Tables_in_Syslog       |
+------------------------+
| SystemEvents           |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)
MariaDB [Syslog]> GRANT ALL ON Syslog.* TO syslog@localhost IDENTIFIED BY 'syslog';
This adds a user named syslog with the password syslog to the Syslog database; the quoted string is the password.
MariaDB [Syslog]> flush privileges;
MariaDB [Syslog]> exit
[root@localhost rsyslog-8.24.0]# mysql -usyslog -p
Enter password:
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Syslog             |
| test               |
+--------------------+
3 rows in set (0.00 sec)
[root@localhost rsyslog-8.24.0]# vi /etc/rsyslog.conf
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
# Write every message to the Syslog database (host,database,user,password)
$ModLoad ommysql
*.* :ommysql:localhost,Syslog,syslog,syslog
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
#authpriv.* /var/log/secure
# Log all the mail messages in one place.
#mail.* -/var/log/maillog
# Log cron stuff
#cron.* /var/log/cron
Restart the rsyslog service:
[root@localhost loganalyzer]# systemctl stop rsyslog
[root@localhost loganalyzer]# systemctl start rsyslog
Latest download address: http://loganalyzer.adiscon.com/downloads/
Find the latest version, click download, take the download URL from the 360 download manager and paste it into SecureCRT:
[root@localhost loganalyzer]# wget -c http://download.adiscon.com/loganalyzer/loganalyzer-4.1.6.tar.gz
[root@rsyslog ~]# tar zxvf loganalyzer-4.1.6.tar.gz
Copy the files into the web root:
[root@rsyslog ~]# cp -r loganalyzer-4.1.6/src/ /var/www/html/loganalyzer
[root@rsyslog ~]# cp -r loganalyzer-4.1.6/contrib/* /var/www/html/loganalyzer/
Go into the loganalyzer directory and make the following scripts executable:
[root@rsyslog ~]# cd /var/www/html/loganalyzer/
[root@rsyslog loganalyzer]# chmod +x configure.sh secure.sh
Run configure.sh, which creates an empty config.php configuration file:
[root@rsyslog loganalyzer]# ./configure.sh
Open a browser and visit http://192.168.1.15/loganalyzer/
Click "here" to start the installation.
Run setenforce 0 first to disable SELinux.
Otherwise the installer reports "At least one file or directory (or more) is not writeable, please check the file permissions (chmod 666)!", meaning config.php is not writable.
In the backend database the newly created user tables can be seen:
MariaDB [Syslog]> show tables;
+------------------------+
| Tables_in_Syslog       |
+------------------------+
| SystemEvents           |
| SystemEventsProperties |
| logcon_charts          |
| logcon_config          |
| logcon_dbmappings      |
| logcon_fields          |
| logcon_groupmembers    |
| logcon_groups          |
| logcon_savedreports    |
| logcon_searches        |
| logcon_sources         |
| logcon_users           |
| logcon_views           |
+------------------------+
13 rows in set (0.00 sec)
To check how much space a table takes (data and index size in MB), query information_schema; first the generic form, then the query for the SystemEvents table:
select concat(round(sum(data_length/1024/1024),2),'MB') as data_length_MB, concat(round(sum(index_length/1024/1024),2),'MB') as index_length_MB from information_schema.tables where table_schema='dbname' and table_name='tablename';
select concat(round(sum(data_length/1024/1024),2),'MB') as data_length_MB, concat(round(sum(index_length/1024/1024),2),'MB') as index_length_MB from information_schema.tables where table_schema='Syslog' and table_name='SystemEvents';
The default LogAnalyzer table only has a FromHost field; add a FromIP field to record the source IP address.
mysql> use Syslog;
mysql> alter table SystemEvents add FromIP varchar(60) default null after FromHost;
By default rsyslog's insert statement has no FromIP field, so modify the insert SQL statement to add the FromIP field. Add the following to rsyslog.conf; the $template line must come before the action line that references it (here it is placed above $ModLoad ommysql), and the database user and password are the syslog account granted above:
$template insertpl,"insert into SystemEvents (Message, Facility, FromHost, FromIP, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', '%fromhost-ip%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL
$ModLoad ommysql
*.* :ommysql:localhost,Syslog,syslog,syslog;insertpl
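To see what the insertpl template actually produces, here is an added Python example (not part of the original page or of rsyslog) that parses one constructed RFC 3164 line the way rsyslog fills the template properties and renders the resulting INSERT, including the quote escaping that the trailing SQL option performs. The hostname, tag, message and peer address in the sample are made up.

```python
import re
from datetime import datetime

# Constructed sample input (not from the page): one RFC 3164 line as a firewall
# might send to UDP/514, and the peer address rsyslog exposes as %fromhost-ip%.
# PRI 190 = facility 23 (local7), severity 6 (info); hostname/tag are made up.
SAMPLE = ("<190>Mar 20 19:42:22 usg5120 %%01SHELL/6/CMD(l): "
          "user admin ran 'display version'")
SAMPLE_PEER_IP = "192.168.1.1"
RECEIVED_AT = datetime(2018, 3, 20, 19, 42, 23)  # stands in for %timegenerated%
# Column order of the page's custom "insertpl" template
COLUMNS = ("Message", "Facility", "FromHost", "FromIP", "Priority",
           "DeviceReportedTime", "ReceivedAt", "InfoUnitID", "SysLogTag")
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^ :\[]+(?:\[\d+\])?:?) ?(?P<msg>.*)$")

def sql_escape(value):
    # What the trailing ",SQL" option of $template does: backslash-escape
    # backslashes and quotes so a quote in the message cannot break the INSERT.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def parse_row(line, peer_ip, received_at, year=2018):
    # Map one syslog line onto the SystemEvents columns the template fills.
    m = RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    reported = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return {
        "Message": m["msg"],                                 # %msg%
        "Facility": pri // 8,                                # %syslogfacility%
        "FromHost": m["host"],                               # %HOSTNAME%
        "FromIP": peer_ip,                                   # %fromhost-ip%
        "Priority": pri % 8,                                 # %syslogpriority%
        "DeviceReportedTime": reported.strftime("%Y-%m-%d %H:%M:%S"),  # date-mysql
        "ReceivedAt": received_at.strftime("%Y-%m-%d %H:%M:%S"),
        "InfoUnitID": 1,                                     # %iut%, 1 = syslog
        "SysLogTag": m["tag"],                               # %syslogtag%
    }

def build_insert(row):
    # Render the row as the INSERT statement ommysql would send to MariaDB.
    vals = [str(row[c]) if isinstance(row[c], int) else "'%s'" % sql_escape(row[c])
            for c in COLUMNS]
    return "insert into SystemEvents (%s) values (%s)" % (", ".join(COLUMNS), ", ".join(vals))

def demo():
    row = parse_row(SAMPLE, SAMPLE_PEER_IP, RECEIVED_AT)
    return row, build_insert(row)
```

Running demo() shows the apostrophes in the message arriving as \' in the statement, which is why the template must keep its SQL option.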
Log in with the administrator account.
Go to Admin Center.
Note: in DBMappings, case matters; the column names after => are all lower case and must be exact, as follows:
uID => id, Date => devicereportedtime, Host => fromhost, Messagetype => infounitid, Message => message, Facility => facility, Severity => priority, Syslogtag => syslogtag, ProcessID => processid, Event ID => eventid, Eventlog Type => eventlogtype, Event Source => eventsource, Event Category => eventcategory, Event User => eventuser, SystemID => systemid, Checksum => checksum
Change the source's Table type from MonitorWare to NewSyslog, i.e. the NewSyslog DB mapping just added above.
Change the log view: Select View => NewSyslog.