CentOS 6

Rsyslog : Output Logs to a Database
2015/03/31
 
This section configures Rsyslog to write its log messages to a database.
[1] Several of the major database engines can be used as the backend; MySQL is used as the example here. Install and start the MySQL server first, following the linked page.
[2] Create the user and database that Rsyslog will use in MySQL.
[root@dlp ~]# yum -y install rsyslog-mysql
[root@dlp ~]# cat /usr/share/doc/rsyslog-mysql-*/createDB.sql | mysql -u root -p

Enter password:
[root@dlp ~]# mysql -u root -p

Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 12
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# create the rsyslog user and grant it privileges on the Syslog database that createDB.sql created above
# (replace 'password' with a password of your choice; rsyslog itself only needs INSERT on these tables)

mysql> grant all privileges on Syslog.* to rsyslog@'localhost' identified by 'password';

Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;

Query OK, 0 rows affected (0.00 sec)
mysql> exit

Bye
[3] Configure Rsyslog to write logs to the database.
[root@dlp ~]# vi /etc/rsyslog.conf
# add around line 20

$ModLoad ommysql
# as an example, send authpriv.* logs to the DB

# format ⇒ :ommysql:host,DB,DB user,DB password
# (the DB password is stored in clear text here, so keep /etc/rsyslog.conf readable by root only)

authpriv.*    :ommysql:localhost,Syslog,rsyslog,password
[root@dlp ~]# /etc/rc.d/init.d/rsyslog restart

Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[4] Looking at the DB, you can see that the logs are being recorded as shown below.
[root@dlp ~]# mysql -u rsyslog -p Syslog

Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show tables;

+------------------------+
| Tables_in_Syslog       |
+------------------------+
| SystemEvents           |
| SystemEventsProperties |
+------------------------+
2 rows in set (0.00 sec)

mysql> select ReceivedAt,Facility,Priority,FromHost,Message from SystemEvents;

+---------------------+----------+----------+----------+------------------------------------------------+
| ReceivedAt          | Facility | Priority | FromHost | Message                                        |
+---------------------+----------+----------+----------+------------------------------------------------+
| 2015-04-01 23:21:04 |       10 |        6 | node01   |  Accepted password for cent from 10.0.0.30 por |
| 2015-04-01 23:21:04 |       10 |        6 | node01   |  pam_unix(sshd:session): session opened for us |
| 2015-04-01 23:21:09 |       10 |        6 | node01   |  pam_unix(su-l:session): session opened for us |
| 2015-04-01 23:21:09 |       10 |        6 | node01   |  pam_unix(su-l:session): session closed for us |
| 2015-04-01 23:21:09 |       10 |        6 | node01   |  Received disconnect from 10.0.0.30: 11: disco |
| 2015-04-01 23:21:09 |       10 |        6 | node01   |  pam_unix(sshd:session): session closed for us |
| 2015-04-01 23:21:50 |       10 |        6 | dlp      |  pam_unix(su-l:session): session opened for us |
| 2015-04-01 23:22:16 |       10 |        6 | dlp      |  pam_unix(su-l:session): session closed for us |
| 2015-04-01 23:22:18 |       10 |        6 | dlp      |  pam_unix(su-l:session): session closed for us |
| 2015-04-01 23:22:20 |       10 |        6 | dlp      |  pam_unix(login:session): session closed for u |
| 2015-04-01 23:22:26 |       10 |        6 | dlp      |  pam_unix(login:session): session opened for u |
| 2015-04-01 23:22:26 |       10 |        6 | dlp      |  DIALUP AT ttyS0 BY cent                       |
| 2015-04-01 23:22:26 |       10 |        6 | dlp      |  LOGIN ON ttyS0 BY cent                        |
| 2015-04-01 23:22:32 |       10 |        6 | dlp      |  pam_unix(su-l:session): session opened for us |
+---------------------+----------+----------+----------+------------------------------------------------+
14 rows in set (0.00 sec)
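As an added example (not part of the original page), the following Python script runs the kind of queries a defender would issue against the SystemEvents table once Rsyslog populates it: decoding the numeric Facility/Priority columns, extracting accepted SSH logins and their source addresses, and counting su-to-root sessions per host. It assumes only the columns shown above; sqlite3 stands in for MySQL so it runs offline, and the rows are constructed to resemble the page's output (rsyslog's default template stores Message with a leading space, hence the TRIM).

```python
import re
import sqlite3

# Constructed sample rows shaped like the page's SystemEvents output
# (Facility 10 = authpriv, Priority 6 = info); messages keep rsyslog's leading space.
SAMPLE_EVENTS = [
    ("2015-04-01 23:21:04", 10, 6, "node01", " Accepted password for cent from 10.0.0.30 port 50122 ssh2"),
    ("2015-04-01 23:21:04", 10, 6, "node01", " pam_unix(sshd:session): session opened for user cent by (uid=0)"),
    ("2015-04-01 23:21:09", 10, 6, "node01", " pam_unix(su-l:session): session opened for user root by cent(uid=500)"),
    ("2015-04-01 23:21:50", 10, 6, "dlp", " pam_unix(su-l:session): session opened for user root by cent(uid=500)"),
    ("2015-04-01 23:22:26", 10, 6, "dlp", " LOGIN ON ttyS0 BY cent"),
    ("2015-04-01 23:22:32", 10, 6, "dlp", " pam_unix(su-l:session): session opened for user root by cent(uid=500)"),
]
# syslog facility/priority codes as rsyslog stores them in the Facility/Priority columns
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 9: "cron", 10: "authpriv"}
PRIORITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SSH_LOGIN = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")

def load_sample():
    """Create an in-memory SystemEvents table (page's columns only) holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SystemEvents (ReceivedAt TEXT, Facility INTEGER, "
                 "Priority INTEGER, FromHost TEXT, Message TEXT)")
    conn.executemany("INSERT INTO SystemEvents VALUES (?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    return conn

def describe(facility, priority):
    """Translate numeric Facility/Priority into the selector form used in rsyslog.conf, e.g. authpriv.info."""
    return f"{FACILITY.get(facility, f'facility{facility}')}.{PRIORITY[priority]}"

def ssh_logins(conn):
    """Return (host, auth method, user, source ip) for every accepted sshd login in authpriv."""
    rows = conn.execute("SELECT FromHost, Message FROM SystemEvents "
                        "WHERE Facility = 10 AND TRIM(Message) LIKE 'Accepted % for % from %'")
    found = []
    for host, msg in rows:
        m = SSH_LOGIN.search(msg)
        if m:
            found.append((host, m.group(1), m.group(2), m.group(3)))
    return found

def root_su_sessions(conn):
    """Count su-to-root sessions per reporting host; the same SQL runs unchanged against MySQL."""
    rows = conn.execute(
        "SELECT FromHost, COUNT(*) FROM SystemEvents WHERE Facility = 10 AND TRIM(Message) "
        "LIKE 'pam_unix(su-l:session): session opened for user root%' GROUP BY FromHost")
    return dict(rows.fetchall())

if __name__ == "__main__":
    db = load_sample()
    print(describe(10, 6), ssh_logins(db), root_su_sessions(db))
```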
 