Centralized collection of MySQL audit logs with rsyslog on Ubuntu
Server
1. Install the latest version of rsyslog
sudo apt-get install software-properties-common python-software-properties
sudo add-apt-repository ppa:adiscon/v8-stable
sudo apt-get update
sudo apt-get install rsyslog
2. Configure the directory that stores the MySQL audit logs
vim /etc/rsyslog.f
# add: define logfiles
$template Mysql-audit,"/var/log/remote_log/%app-name%/%hostname%_%fromhost-ip%_log_%app-name%_%$YEAR%-%$MONTH%-%$DAY%.log"
$template Remote,"/var/log/remote_log/%hostname%_%fromhost-ip%/log_%app-name%_%$YEAR%-%$MONTH%-%$DAY%.log"
# Log all messages to the dynamically formed file.
:app-name,isequal,"mysql-audit" ?Mysql-audit
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
& stop
3. Install MySQL and the rsyslog-mysql module
apt-get install rsyslog-mysql mysql-server -y # the tables are created automatically during installation
4. Configure /etc/rsyslog.f so that one copy of the MySQL audit log is kept locally and one copy is written to the MySQL database
vim /etc/rsyslog.f
$ModLoad ommysql # load the ommysql module, which writes logs to MySQL
$template Remote,"/var/log/remote_log/%hostname%_%fromhost-ip%/log_%app-name%_%$YEAR%-%$MONTH%-%$DAY%.log"
$template Mysql-audit,"/var/log/remote_log/%app-name%/%hostname%_%fromhost-ip%_log_%app-name%_%$YEAR%-%$MONTH%-%$DAY%.log"
:app-name,isequal,"mysql-audit" ?Mysql-audit
& :ommysql:localhost,Syslog,rsyslog,123 # after the match action on the previous line, also insert the log into MySQL
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
& stop # stop processing the messages matched above, including the mysql-audit matches
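The rule order in step 4, modelled as an added Python example (not part of the original page and not rsyslog code): it shows which actions fire for a message and that `& stop` shares the fromhost-ip filter, so a remote mysql-audit message is written under both templates and to MySQL before processing ends. The sample host names, the 10.0.0.5 address and the date are constructed.

```python
import re
from datetime import date

# Templates copied from the server configuration on this page.
TEMPLATES = {
    "Mysql-audit": "/var/log/remote_log/%app-name%/%hostname%_%fromhost-ip%_log_%app-name%_%$YEAR%-%$MONTH%-%$DAY%.log",
    "Remote": "/var/log/remote_log/%hostname%_%fromhost-ip%/log_%app-name%_%$YEAR%-%$MONTH%-%$DAY%.log",
}

def expand(template, msg, today):
    """Substitute %property% placeholders; $YEAR/$MONTH/$DAY come from the server clock."""
    props = dict(msg)
    props.update({"$YEAR": f"{today:%Y}", "$MONTH": f"{today:%m}", "$DAY": f"{today:%d}"})
    return re.sub(r"%([^%]+)%", lambda m: props[m.group(1)], template)

def route(msg, today):
    """Return (actions, stopped) for one message under the step 4 rule order."""
    actions = []
    # :app-name,isequal,"mysql-audit" ?Mysql-audit   followed by   & :ommysql:...
    if msg["app-name"] == "mysql-audit":
        actions.append(("file", expand(TEMPLATES["Mysql-audit"], msg, today)))
        actions.append(("ommysql", "localhost/Syslog"))
    # :fromhost-ip, !isequal, "127.0.0.1" ?Remote   followed by   & stop
    if msg["fromhost-ip"] != "127.0.0.1":
        actions.append(("file", expand(TEMPLATES["Remote"], msg, today)))
        return actions, True   # "& stop" shares this filter: later rules never see the message
    return actions, False      # locally generated messages fall through to the remaining rules

# Constructed sample messages (host names and the 10.0.0.5 address are made up).
SAMPLES = [
    {"app-name": "mysql-audit", "hostname": "db01", "fromhost-ip": "10.0.0.5"},
    {"app-name": "sshd", "hostname": "db01", "fromhost-ip": "10.0.0.5"},
    {"app-name": "mysql-audit", "hostname": "logsrv", "fromhost-ip": "127.0.0.1"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        acts, stopped = route(m, date(2024, 1, 15))
        print(m["app-name"], m["fromhost-ip"], "stopped" if stopped else "continues")
        for kind, target in acts:
            print("   ", kind, target)
```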
Client
1. Install the latest version of rsyslog
sudo apt-get install software-properties-common python-software-properties
sudo add-apt-repository ppa:adiscon/v8-stable
sudo apt-get update
sudo apt-get install rsyslog
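2. rsyslog configuration (note: after upgrading to 8.30.0 the state file setting is no longer needed)
Create the configuration file /etc/rsyslog.f
#mysql-audit.log
module(load="imfile" PollingInterval="10") # load the module
input(type="imfile" File="/data/mysqldata/mysql_audit.log" # location of the file to read
Tag="mysql-audit" # tag the messages
#StateFile="/var/spool/rsyslog/mysql-audit.state" # inotify state
Severity="error" # log severity
Facility="local7") # rsyslog facility
local7.* @10.25.109.64:514 # forward to the log server (a single @ means UDP)
#end
3. Modify the syslog rule to filter out the MySQL logs so that they are not recorded in the local syslog
:app-name,isequal,"mysql-audit" stop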
*.*;          -/var/log/syslog
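4. Restart rsyslog and set the file permissions
touch /var/spool/rsyslog/mysql-audit.state
chown syslog:adm /var/spool/rsyslog/mysql-audit.state
usermod -aG mysql syslog # -a appends; plain -G would replace the syslog user's other supplementary groups
/etc/init.d/rsyslog restart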
