RemiZOffAlex Создано: 2017-08-07 15:13:42.023749 Обновлено: 2017-08-07 15:13:42.023749 |
---|
УстановкаFreeBSD# portmaster sysutils/rsyslog8 ┌───────────────────────────── rsyslog8-8.4.2_1 ───────────────────────────────┐ │ ┌──────────────────────────────────────────────────────────────────────────┐ │ │ │ [ ] DBI LibDBI output module for rsyslog │ │ │ │ [x] DOCS Build and/or install documentation │ │ │ │ [ ] GNUTLS GNUTLS module for rsyslog │ │ │ │ [ ] GSSAPI GSS API input/output module for rsyslog │ │ │ │ [x] MYSQL MySQL output module for rsyslog │ │ │ │ [ ] PGSQL PostgreSQL output module for rsyslog │ │ │ │ [ ] RELP RELP input/output module for rsyslog │ │ │ │ [ ] RFC3195 RFC3195 input support for rsyslog │ │ │ │ [ ] SNMP SNMP trap sender for rsyslog │ │ │ └──────────────────────────────────────────────────────────────────────────┘ │ ├──────────────────────────────────────────────────────────────────────────────┤ │ < OK > <Cancel> │ └──────────────────────────────────────────────────────────────────────────────┘ =================================================================== To start using rsyslogd(8), stop syslogd(8) if it's running and add the following lines to rc.conf(5): syslogd_enable="NO" rsyslogd_enable="YES" It's recommended to copy syslog.conf(5) to /usr/local/etc/rsyslog.conf and edit it there. Otherwise add this: rsyslogd_config="/etc/syslog.conf" Add the following (3) lines to the beginning of the config file, for basic functionality: $ModLoad immark.so # provides --MARK-- message capability $ModLoad imuxsock.so # provides support for local system logging $ModLoad imklog.so # kernel logging newsyslog(8) has the path of syslogd's pid file hardcoded. 
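To make it work seamlessly with rsyslog, add this:
  rsyslogd_pidfile="/var/run/syslog.pid"
===================================================================

Настройка

MySQL/MariaDB

Создаём базу данных

```sql
CREATE TABLE SystemEvents (
    ID int unsigned not null auto_increment primary key,
    CustomerID bigint,
    ReceivedAt datetime NULL,
    DeviceReportedTime datetime NULL,
    Facility smallint NULL,
    Priority smallint NULL,
    FromHost varchar(60) NULL,
    Message text,
    NTSeverity int NULL,
    Importance int NULL,
    EventSource varchar(60),
    EventUser varchar(60) NULL,
    EventCategory int NULL,
    EventID int NULL,
    EventBinaryData text NULL,
    MaxAvailable int NULL,
    CurrUsage int NULL,
    MinUsage int NULL,
    MaxUsage int NULL,
    InfoUnitID int NULL,
    SysLogTag varchar(60),
    EventLogType varchar(60),
    GenericFileName VarChar(60),
    SystemID int NULL
);

CREATE TABLE SystemEventsProperties (
    ID int unsigned not null auto_increment primary key,
    SystemEventID int NULL,
    ParamName varchar(255) NULL,
    ParamValue text NULL
);
```

Файл rsyslog.conf

```
# The trailing SQL option makes rsyslog escape single quotes and backslashes
# in every property before it is placed into the statement; keep it.
# This file holds the database password: make it readable by root only and
# give the database account no more than INSERT on SystemEvents.
$template sqltmpl,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%fromhost-ip%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', '%iut%', '%syslogtag%')",SQL
module(load="ommysql")
*.* :ommysql:IPorHOSTNAME,DBNAME,DNUSER,DBPASSWORD;sqltmpl
```

Процедура

Данная процедура предназначена для занесения логов в таблицу, которая создаётся индивидуально для каждого логируемого IP

```sql
DELIMITER $$

DROP PROCEDURE IF EXISTS `rsyslogproc`$$

-- Stores one syslog record in the per-host table `host_<varFromHost>`,
-- creating that table on first use.
--
-- Parameters follow the column order used by the rsyslog template:
--   varMessage, varFacility, varFromHost, varPriority,
--   varDeviceReportedTime, varReceivedAt, varInfoUnitID, varSysLogTag
--
-- Raises SQLSTATE '45000' when varFromHost is NULL or contains a character
-- outside the allowlist below.
--
-- Every value arriving here originates from a syslog message and must be
-- treated as untrusted. Values are therefore bound with placeholders rather
-- than concatenated into the statement text: a quote character inside the
-- message or the tag would otherwise become part of the SQL that is executed.
-- Binding also lets NULL arguments through; CONCAT() with a NULL argument
-- yields NULL, which left nothing to prepare.
CREATE PROCEDURE `rsyslogproc` (
    IN varMessage            TEXT,
    IN varFacility           SMALLINT,
    IN varFromHost           VARCHAR(60),
    IN varPriority           SMALLINT,
    IN varDeviceReportedTime DATETIME,
    IN varReceivedAt         DATETIME,
    IN varInfoUnitID         INT,
    IN varSysLogTag          VARCHAR(60)
)
BEGIN
    -- varFromHost becomes part of a table name. Identifiers cannot be bound
    -- as parameters, so only letters, digits and the characters _ . : - are
    -- accepted (enough for IPv4/IPv6 addresses and host names).
    IF varFromHost IS NULL
       OR varFromHost NOT REGEXP '^[0-9A-Za-z_.:-]+$' THEN
        SIGNAL SQLSTATE '45000'
            SET MESSAGE_TEXT = 'rsyslogproc: varFromHost contains characters not allowed in a table name';
    END IF;

    SET @createTab = CONCAT(
        'CREATE TABLE IF NOT EXISTS `host_', varFromHost, '`',
        ' (',
        ' ID int unsigned not null auto_increment primary key,',
        ' CustomerID bigint,',
        ' ReceivedAt datetime NULL,',
        ' DeviceReportedTime datetime NULL,',
        ' Facility smallint NULL,',
        ' Priority smallint NULL,',
        ' FromHost varchar(60) NULL,',
        ' Message text,',
        ' NTSeverity int NULL,',
        ' Importance int NULL,',
        ' EventSource varchar(60),',
        ' EventUser varchar(60) NULL,',
        ' EventCategory int NULL,',
        ' EventID int NULL,',
        ' EventBinaryData text NULL,',
        ' MaxAvailable int NULL,',
        ' CurrUsage int NULL,',
        ' MinUsage int NULL,',
        ' MaxUsage int NULL,',
        ' InfoUnitID int NULL ,',
        ' SysLogTag varchar(60),',
        ' EventLogType varchar(60),',
        ' GenericFileName VarChar(60),',
        ' SystemID int NULL',
        ' )');

    -- Only the validated table name is concatenated; all values are "?".
    SET @insertTab = CONCAT(
        'INSERT INTO `host_', varFromHost, '`',
        ' (',
        ' Message,',
        ' Facility,',
        ' FromHost,',
        ' Priority,',
        ' DeviceReportedTime,',
        ' ReceivedAt,',
        ' InfoUnitID,',
        ' SysLogTag',
        ' ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)');

    -- User variables are the form of EXECUTE ... USING arguments that both
    -- MySQL and MariaDB accept. They are session-scoped, hence the prefix.
    SET @rsyslogproc_message  = varMessage;
    SET @rsyslogproc_facility = varFacility;
    SET @rsyslogproc_fromhost = varFromHost;
    SET @rsyslogproc_priority = varPriority;
    SET @rsyslogproc_reported = varDeviceReportedTime;
    SET @rsyslogproc_received = varReceivedAt;
    SET @rsyslogproc_infounit = varInfoUnitID;
    SET @rsyslogproc_tag      = varSysLogTag;

    PREPARE createSQL FROM @createTab;
    EXECUTE createSQL;
    DEALLOCATE PREPARE createSQL;

    PREPARE insertSQL FROM @insertTab;
    EXECUTE insertSQL USING
        @rsyslogproc_message,
        @rsyslogproc_facility,
        @rsyslogproc_fromhost,
        @rsyslogproc_priority,
        @rsyslogproc_reported,
        @rsyslogproc_received,
        @rsyslogproc_infounit,
        @rsyslogproc_tag;
    DEALLOCATE PREPARE insertSQL;
END$$

DELIMITER ;
```

Проверка работоспособности

```shell
# Arguments are given in the order of the procedure's parameter list:
# message, facility, host, priority, reported time, received time, info unit, tag.
mysql -uUSERNAME -p rsysdb -e "CALL rsyslogproc ('My test log', 0, '1.2.3.4', 6, '2014-12-13 00:52:10', '2014-12-13 00:52:10', NULL, 'host');"
```

Файл rsyslog.conf

```
module(load="ommysql")
# %msg% is passed without the json option: the procedure binds it as a
# parameter, so the stored text is the message itself. Keep the SQL option.
# The procedure runs with its definer's privileges (SQL SECURITY DEFINER is
# the default), so the account used here needs only EXECUTE on rsyslogproc.
$template sqltmpl,"CALL rsyslogproc ('%msg%', %syslogfacility%, '%fromhost-ip%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', '%iut%', '%syslogtag%')",SQL
*.* :ommysql:IPorHOSTNAME,DBNAME,DNUSER,DBPASSWORD;sqltmpl
```

Сервер

Файл rsyslog.conf

```
# Provides UDP syslog reception
# UDP syslog is neither authenticated nor encrypted: every host that can
# reach port 514 can add records. Limit senders with a firewall rule or
# with $AllowedSender.
$ModLoad imudp
$UDPServerRun 514
```

Клиент

Добавить в файл /etc/rsyslog.conf строку

```
*.* @IPorHOSTNAME.SERVER.DOMAIN:514
```

И перезагрузить сервис

```shell
service rsyslog restart
```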