。哈哈。已经搭建成功,本想自己写,不过这篇博文非常的不错,在此感谢作者无私的奉献精神,
五、安装前的准备工作
1. 关闭SELinux
查看SELinux的状态
getenforce
如果是开启状态,则
vi /etc/selinux/config
#SELINUX=enforcing #注释掉
#SELINUXTYPE=targeted #注释掉
SELINUX=disabled #增加
重启系统
reboot
2. 开启防火墙80和514端口
vi /etc/sysconfig/iptables
添加两条规则
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
3.安装LAMP和需要用到的额外软件包
yum -y install gcc gcc-c++ flex pcre pcre-devel glib2 glib2-devel openssl-devel php gd gd-devel php-gd mysql php-mysql mysql-server mysql-devel httpd
4.平台初始化
yum -y install libdbi* libnet
cpan Date::Calc Text::LevenshteinXS String::CRC32
cpan -i Digest::SHA1
cpan -i Net::MySQL
5.下载软件
cd /usr/local/src/
wget http://www.balabit.com/downloads/files/eventlog/0.2/eventlog_0.2.12.tar.gz
wget http://www.balabit.com/downloads/files/libol/0.3/libol-0.3.18.tar.gz
wget http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.3.5/source/syslog-ng_3.3.5.tar.gz
wget http://php-syslog-ng.googlecode.com/files/logzilla_v2.9.9o.tgz
六、syslog-ngt和logzilla的安装
1.安装eventlog
tar -zxvf eventlog_0.2.12.tar.gz
cd eventlog-0.2.12/
./configure --prefix=/usr/local/eventlog
make && make install
2.安装libol
tar -zxvf libol-0.3.18.tar.gz
cd libol-0.3.18
./configure --prefix=/usr/local/libol
make && make install
3.安装syslog-ng
# 设置环境变量
export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig/
tar -zxvf syslog-ng_3.3.5.tar.gz
cd syslog-ng-3.3.5/
./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol/
出现下图内容则表示OK
./configure出现的错误:
错误1:configure:error: Package requirements (glib-2.0 >= 2.10.1 gmodule-2.0 gthread-2.0) were not met:
解决办法:yum -y install glib2-devel
错误2:configure: error: OpenSSL is required when glib-2.0 << 2.16.0
configure: error: ./configure.gnu failed for modules/afmongodb/libmongo-client
解决办法:yum -y install openssl-devel
编译安装syslog-ng
make && make install
4.安装logzilla
tar -zxvf logzilla_v2.9.9o.tgz -C /var/www/html/
创建logzilla日志的存放目录
mkdir -p /var/log/logzilla
给php-syslog-ng目录apache用户的权限
chown -R apache:apache /var/www/html/php-syslog-ng/
七、配置syslog-ng和logzilla
1. mysql的初始化和配置
vi /etc/my.cnf
由于search_cache表采用的是MEMORY存储引擎,有大小的限制,修改一下/etc/my.cnf,添加以下内容:
tmp_table_size=1G
max_heap_table_size=1G
让mysql以服务的方式开机启动
chkconfig mysqld on
启动mysql
service mysqld start
设置mysql的root密码
cd /usr/bin/
mysqladmin -u root -h localhost password 'mysql123456'
登录mysql测试
mysql -u root -p
输入密码:mysql123456
Exit
2.修改syslog-ng配置
将syslog-ng初始配置文件备份,我们要重新创建配置文件
mv /usr/local/syslog-ng/etc/syslog-ng.conf /usr/local/syslog-ng/etc/syslog-ng.conf.bak
vi /usr/local/syslog-ng/etc/syslog-ng.conf
- #############################################################################
- # Default syslog-ng.conf file which collects all local logs into a
- # single file called /var/log/messages.
- #
- @version: 3.3
- @include "scl.conf"
- source s_local {
- system();
- internal();
- unix-stream("/dev/log");
- file("/proc/kmsg" program_override("kernel: "));
- };
- source s_network {
- udp(ip(0.0.0.0) port(514));
- };
- destination d_messages {
- file("/var/log/messages");
- };
- options {
- chain_hostnames(off);
- # doesn't actually help on Solaris, log(3) truncates at 1024 chars
- log_msg_size(8192);
- # buffer just a little for performance
- # sync(1); <- Deprecated - use flush_lines() instead
- flush_lines(1);
- # memory is cheap, buffer messages unable to write (like to loghost)
- log_fifo_size(16384);
- # Hosts we don't want syslog from
- #bad_hostname("^(ctld.|cmd|tmd|last)$");
- # The time to wait before a dead connection is reestablished (seconds)
- time_reopen(10);
- #Use DNS so that our good names are used, not hostnames
- use_dns(yes);
- dns_cache(yes);
- #Use the whole DNS name
- use_fqdn(yes);
- keep_hostname(yes);
- chain_hostnames(no);
- #Read permission for everyone
- perm(0644);
- # The default action of syslog-ng 1.6.0 is to log a STATS line
- # to the file every 10 minutes. That's pretty ugly after a while.
- # Change it to every 12 hours so you get a nice daily update of
- # # how many messages syslog-ng missed (0).
- # stats(43200);
- };
- destination d_logzilla {
- program("/var/www/html/php-syslog-ng/scripts/db_insert.pl"
- template("$HOST\t$FACILITY\t$PRIORITY\t$LEVEL\t$TAG\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n")
- template_escape(yes)
- );
- };
- log {
- source(s_local);
- # uncomment this line to open port 514 to receive messages
- source(s_network);
- destination(d_logzilla);
- };
3.修改apache的配置
vi /etc/httpd/conf/httpd.conf
找到以下行,将其修改为下面内容
- ServerName www.example.com:80
- DirectoryIndex index.html index.htm default.htm default.html index.php index.php3 index.jsp index.html.var
- <VirtualHost *:80>
- ServerAdmin [email protected]
- DocumentRoot /var/www/html/php-syslog-ng/html/
- ServerName syslog.com.cn
- ErrorLog logs/syslog.com.cn-error_log
- CustomLog logs/syslog.com.cn-access_log common
- Alias /logs "/var/www/html/php-syslog-ng/html/"
- <Directory "/var/www/html/php-syslog-ng/html/">
- Options Indexes MultiViews FollowSymLinks
- AllowOverride All
- Order allow,deny
- Allow from all
- </Directory>
- </VirtualHost>
4.修改php.ini
vi /etc/php.ini
- max_execution_time = 300 # 最大运行时间
- display_errors = On # 显示所有错误信息
- magic_quotes_gpc = On
让apache以服务的方式开机启动
chkconfig httpd on
启动apache
service httpd start
5.自动分隔logzilla日志
cp /var/www/html/php-syslog-ng/scripts/contrib/system_configs/logrotate.d /etc/logrotate.d/logzilla
添加自动运行作业
crontab -e
- @daily /usr/bin/php /var/www/html/php-syslog-ng/scripts/logrotate.php >> /var/log/logzilla/logrotate.log
- @daily /usr/bin/find /var/www/html/php-syslog-ng/html/jpcache/ -atime 1 -exec rm -f '{}' ';'
- */5 * * * * /usr/bin/php /var/www/html/php-syslog-ng/scripts/reloadcache.php >> /var/log/logzilla/reloadcache.log
给logrotate.php和reloadcache.php可执行权限
chmod +x logrotate.php
chmod +x reloadcache.php
6.修改db_insert.pl文件
vi /var/www/html/php-syslog-ng/scripts/db_insert.pl
找到所有包含
/var/www/php-syslog-ng/html/config/config.php
的行,改为
/var/www/html/php-syslog-ng/html/config/config.php
7.配置syslog-ng开机启动
vi /etc/rc.d/rc.local
加入下面行
/usr/local/syslog-ng/sbin/syslog-ng
启动syslog-ng
/usr/local/syslog-ng/sbin/syslog-ng
八、通过WEB方式安装logzilla
1.打开浏览器输入:http://192.168.0.231/logs
如果此时-GD support为Unavailable,解决方法如下:
yum -y install gd-devel php-gd
service httpd restart
ps -ef |grep syslog-ng
找到syslog-ng的进程, kill掉,然后启动syslog-ng
/usr/local/syslog-ng/sbin/syslog-ng
确认所有项都无误后,点击“Next>>”
Web登录的用户为:admin,密码为:password,点击“Install CEMDB”
注:如果点击install CEMDB没有反应的话,请使用Firefox进行安装。
2.替换脚本路径
cd php-syslog-ng/scripts/
./fixpaths.sh
Updating all files with a base path of /var/www/php-syslog-ng
Modifying ../scripts/lpdcache.php
Modifying ../scripts/db_insert.pl
Modifying ../scripts/logrotate.php
Modifying ../scripts/resetusers.sh
Modifying ../scripts/contrib/dbgen/dbgen.pl
Modifying ../scripts/contrib/system_configs/crontab
Modifying ../scripts/contrib/system_configs/syslog-ng.conf
Modifying ../scripts/contrib/system_configs/logzilla.apache
Modifying ../scripts/contrib/loggen/find_missing_sequences.pl
Modifying ../scripts/reloadcache.php
出现以上内容,则表示执行成功。
3.重启syslog-ng
ps -ef | grep syslog-ng
找到syslog-ng的进程,kill掉,启动syslog-ng
/usr/local/syslog-ng/sbin/syslog-ng
4.添加verdana.ttf字体
mkdir -p /usr/share/fonts/truetype/msttcorefonts/
上传windows机器的verdana.ttf字体到此目录下,否则点graph时会提示找不到此字体文件。
九、客户机配置
1.Linux客户机配置
vi /etc/syslog.conf
修改syslog的配置文件,添加以下内容:
- *.* @192.168.0.231
重启syslog服务
service syslog restart
2.windows客户机配置
windows日志不支持syslog格式,需要安装Evtsys_4.4.3_64-Bit.zip,下载地址为:http://code.google.com/p/eventlog-to-syslog/downloads/list
解压后是两个文件evtsys.dll和evtsys.exe
把这两个文件拷贝到 c:\windows\system32目录下。
打开Windows命令提示符(开始->运行 输入CMD)
evtsys –i –h 192.168.0.231 #(日志服务器的IP地址)
参数说明:
-i 表示安装成系统服务
-h 指定log服务器的IP地址
如果要卸载evtsys,则:
net stop evtsys
evtsys -u
启动该服务:
net start evtsys
附:不能显示日志当中带有"<"、">"的问题,如思科系统的日志
解决方法:
在tailresult.php和regularresult.php中查找
- if (CISCO_TAG_PARSE )
- {
- $row['msg'] = preg_replace('/\s:/', ':', $row['msg']);
- $row['msg'] = preg_replace('/.*(%.*?:.*)/', '$1', $row['msg']);
- }
添加如下内容
- $row['msg'] = preg_replace('/</', ' ', $row['msg']);
- $row['msg'] = preg_replace('/>/', ' ', $row['msg']);
对于服务器的一些优化,请参见我的另一篇博文:http://andyxu.blog.51cto.com/2050315/881169的附1、附3和附4内容。
参考文献:
http://blog.liuts.com/post/209/
http://bbs.chinaunix.net/thread-2042734-1-1.html
在此感谢以上两位作者,谢谢!
本文出自 “风中流浪” 博客