2011年2月13日 星期日

內建syslog置換成rsyslog並將log匯入資料庫

[root@snort darwin]# wget http://www.bitbull.ch/dl/rpm/rsyslog-mysql-4.4.1-el5.i386.rpm
[root@snort darwin]# wget http://www.bitbull.ch/dl/rpm/rsyslog-4.4.1-el5.i386.rpm


[root@snort darwin]# rpm -e sysklogd-1.4.1-39.2 --nodeps
[root@snort darwin]# rpm -ivh rsyslog-4.4.1-el5.i386.rpm
Preparing...                ########################################### [100%]
   1:rsyslog                ########################################### [100%]
[root@snort darwin]# rpm -ivh rsyslog-mysql-4.4.1-el5.i386.rpm
Preparing...                ########################################### [100%]
   1:rsyslog-mysql          ######################################### [100%]


[root@snort log]# mysql < /usr/share/doc/rsyslog-mysql-4.4.1/createDB.sql -p
Enter password:
[root@snort log]# mysql Syslog -e "ALTER TABLE SystemEvents ADD COLUMN ProcessID char(8) default NULL;" -p
Enter password:

[root@snort log]# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> grant ALL ON Syslog.* to rsyslog@localhost identified by 'gh8Q6prt';
Query OK, 0 rows affected (0.02 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql>quit;

編輯 /etc/sysconfig/rsyslog 檔案，將 rsyslogd 的啟動參數改成以下內容（-c4 為 rsyslog 4 的相容模式，-4 表示只使用 IPv4）
[root@snort ]# vi /etc/sysconfig/rsyslog
---
SYSLOGD_OPTIONS="-c4 -4"


設定 rsyslog 主設定檔（/etc/rsyslog.conf），加入以下內容。注意：`$UDPServerRun 514` 會從網路接收 UDP 514 的遠端 log，請用防火牆限制允許的來源；下方 `:ommysql:` 那行含有資料庫密碼明文，設定檔應限制只有 root 可讀。另外上面用 GRANT ALL 建立的 rsyslog 帳號，依這個模板只會執行 INSERT，通常只需要 INSERT 權限即可，可考慮收緊。
$ModLoad ommysql.so  mysql module
$ModLoad imudp.so
$UDPServerRun 514

$template OurDBLog,"INSERT INTO SystemEvents (Message, Facility, FromHost, Priority,DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, ProcessID) values ( '%msg%',%syslogfacility%,'%HOSTNAME%',%syslogpriority%,'%timereported:::date-mysql%','%timegenerated:::date-mysql%',%iut%,'%programname%','%procid:R,ERE,0,ZERO:[0-9]+--end%')",SQL
*.* :ommysql:localhost,Syslog,rsyslog,gh8Q6prt;OurDBLog

編輯 constants_logstream.php 檔案，將下列設定的註解取消（讓 phplogcon 對應到 EventUser 與前面新增的 ProcessID 欄位）
[root@snort ]# vi /var/www/html/phplogcon/include/constants_logstream.php
$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_EVENT_USER] = "EventUser";
$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_PROCESSID] = "ProcessID";


啟動 rsyslog 並重啟 MySQL（sysklogd 已在前面移除，因此 rsyslog 這裡是 start 而不是 restart）
[root@snort phplogcon]# service rsyslog start
Starting system logger:                                        [  OK  ]
[root@snort phplogcon]# service mysqld restart
Stopping MySQL:                                                [  OK  ]
Starting MySQL:                                                  [  OK  ]


下載 phplogcon，解壓到網頁目錄（本例為 /var/www/html/phplogcon）後，

打開瀏覽器執行安裝程式：
http://192.168.1.100/phplogcon/install.php
安裝完成後建議移除或限制存取 install.php。











編輯 config檔案  //可編輯或可忽略
[root@snort ]# vi /var/www/html/phplogcon/config.php
$CFG['PrependTitle'] = "";
$CFG['ViewUseTodayYesterday'] = 1;
$CFG['ViewMessageCharacterLimit'] = 150;
$CFG['ViewStringCharacterLimit'] = 30;
$CFG['ViewEntriesPerPage'] = 35;
$CFG['ViewEnableDetailPopups'] = 0;
$CFG['ViewDefaultTheme'] = "default";
$CFG['ViewDefaultLanguage'] = "en";
$CFG['ViewEnableAutoReloadSeconds'] = 120;
$CFG['SearchCustomButtonCaption'] = "I'd like to feel sad";
$CFG['SearchCustomButtonSearch'] = "severity:-=NOTICE severity:-=INFO severity:-=DEBUG severity:-=WARNING";
$CFG['EnableIPAddressResolve'] = 1;
$CFG['SuppressDuplicatedMessages'] = 0;
$CFG['TreatNotFoundFiltersAsTrue'] = 0;
$CFG['PopupMenuTimeout'] = 3000;
$CFG['PhplogconLogoUrl'] = "";

這樣就完成了!!
