ubuntu rsyslog mysql_Ubuntu下rsyslog集中收集mysql审计日志

服务端

1、安装最新版本rsyslog

sudo apt-get install software-properties-common python-software-properties

sudo add-apt-repository ppa:adiscon/v8-stable

sudo apt-get update

sudo apt-get install rsyslog

2、配置目录存储mysql审计日志

vim /etc/rsyslog.d/50-default.conf

# add: define logfiles

$template Mysql-audit,"/var/log/remote_log/%app-name%/%hostname%_%fromhost-ip%_log_%app-name%_%$YEAR%-%$MONTH%-%$DAY%.log"

$template Remote,"/var/log/remote_log/%hostname%_%fromhost-ip%/log_%app-name%_%$YEAR%-%$MONTH%-%$DAY%.log"

# Log all messages to the dynamically formed file.

:app-name,isequal,"mysql-audit" ?Mysql-audit

:fromhost-ip, !isequal, "127.0.0.1" ?Remote

& stop

3、安装MySQL以及rsyslog-mysql模块，

apt-get install rsyslog-mysql mysql-server -y #安装过程中会自动创建表

4、配置/etc/rsyslog.d/50-default.conf，以便将mysql的审计日志本地保留一份,mysql数据库里写一份

vim /etc/rsyslog.d/50-default.conf

$ModLoad ommysql #加载ommysql模块,将日志写入mysql

$template Remote,"/var/log/remote_log/%hostname%_%fromhost-ip%/log_%app-name%_%$YEAR%-%$MONTH%-%$DAY%.log"

$template Mysql-audit,"/var/log/remote_log/%app-name%/%hostname%_%fromhost-ip%_log_%app-name%_%$YEAR%-%$MONTH%-%$DAY%.log"

:app-name,isequal,"mysql-audit" ?Mysql-audit

& :ommysql:localhost,Syslog,rsyslog, #在前一行的日志匹配动作之后,继续将日志插入到mysql

:fromhost-ip, !isequal, "127.0.0.1" ?Remote

& stop #结束前面的匹配信息,包括mysql-audit的匹配.

客户端

1、安装最新版本syslog

sudo apt-get install software-properties-common python-software-properties

sudo add-apt-repository ppa:adiscon/v8-stable

sudo apt-get update

sudo apt-get install rsyslog

2、rsyslog配置(注意如果升级为8.30.0之后 不需要state文件配置)

创建配置文件 /etc/rsyslog.d/mysql-audit.conf

#mysql-audit.log

module(load="imfile" PollingInterval="10") #加载模块

input(type="imfile" File="/data/mysqldata/mysql_audit.log" #定义文件位置

Tag="mysql-audit" #打tag

#StateFile="/var/spool/rsyslog/mysql-audit.state" #inotify 状态

Severity="error" #log级别

Facility="local7") #rsyslog 级别

local7.* @10.25.109.64:514 #传送log服务器

#end

3、修改syslog的记录,过滤掉mysql日志,不记录本机syslog

:app-name,isequal,"mysql-audit" stop

*.*;auth,authpriv.none -/var/log/syslog

4、重启rsyslog以及设定文件权限

touch /var/spool/rsyslog/mysql-audit.state

chown syslog.adm /var/spool/rsyslog/mysql-audit.state

usermod -G mysql syslog

/etc/init.d/rsyslog restart

Ubuntu下rsyslog集中收集mysql审计日志

标签：rsyslog设定记录ocaforinstallfromcalever

本条技术文章来源于互联网，如果无意侵犯您的权益请点击此处反馈版权投诉

本文系统来源：/wclwcw/p/7815760.html