Centos6.5部署Rsyslog+LogAnalyzer收集網絡及系統日志

本文轉載自查看原文 2018-04-21 15:53 1772 Linux

1. 介紹

Rsyslog是比syslog功能更強大的日志記錄系統,可以將日志輸出到文件,數據庫和其它程序.可以使用rsyslog替換系統自帶的syslog。

LogAnalyzer 是一個 syslog 和其他網絡事件數據的 Web 前端工具,提供簡單易用的日志瀏覽、搜索和基本分析以及圖表顯示。數據可以從數據庫或一般的syslog文本文件中獲取，所以LogAnalyzer不需要改變現有的記錄架構。基於當前的日志數據，它可以處理syslog日志消息，Windows事件日志記錄，支持故障排除，使用戶能夠快速查找日志數據中看出問題的解決方案。LogAnalyzer 獲取客戶端日志會有兩種保存模式，一種是直接讀取客戶端/var/log/目錄下的日志並保存到服務端該目錄下，一種是讀取后保存到日志服務器數據庫中，推薦使用后者。

LogAnalyzer 采用php開發，所以日志服務器需要php的運行環境。

2. 系統環境

本文環境為CENTOS 6.5平台部署Rsyslog+LogAnalyzer+LAMP。

rsyslog版本：rsyslog-5.8.10-8.el6.x86_64

loganalyzer版本：loganalyzer-3.6.5，目前最新版本為4.1.6

SELINUX=disabled

iptables開啟，放行80,TCP/UDP 514端口

3. 安裝環境

安裝LAMP以及依賴的環境，我這里選擇yum方式，也可以選擇源代碼編譯安裝。

[root@log ~]# yum install mysql-server mysql-devel libcurl-devel net-snmp-devel php php-gd php-xml php-mysql httpd -y

設置開機啟動

[root@log ~]# /etc/init.d/httpd start

[root@log ~]# /etc/init.d/mysqld start

[root@log ~]# chkconfig mysqld on

[root@log ~]# chkconfig httpd on

[root@log ~]# chkconfig rsyslog on

設置數據庫密碼

[root@log ~]# mysqladmin -uroot password '123456'

測試PHP

[root@log ~]# cd /var/www/html/

[root@log html]# cat > index.php << EOF

> <?php

> phpinfo();

> ?>

> EOF

LAMP環境配置完畢。

4. 配置服務器端

4.1. 檢查並安裝服務器端軟件

[root@log ~]# rpm -qa |grep rsyslog

rsyslog-5.8.10-8.el6.x86_64

[root@log ~]# yum install rsyslog-mysql -y

4.2. 導入rsyslog-MySQL數據庫文件

[root@log ~]# cd /usr/share/doc/rsyslog-mysql-5.8.10/

[root@log rsyslog-mysql-5.8.10]# mysql -uroot -p123456 < createDB.sql

mysql更改密碼時如果有!，那么要加“\”，在shell腳本當中如果出現此問題，加上“\”反轉意符號

[root@rsyslog ~]# mysqladmin -uroot -pzhang.coM@!@# password zhang123
-bash: !@#: event not found
[root@rsyslog ~]# mysqladmin -uroot -pzhang.coM@\!@# password zhang123
[root@rsyslog ~]# mysql -uroot -p #登錄測試

查看操作是否生效

[root@log ~]# mysql -uroot -p

Enter password:

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 5

Server version: 5.1.73 Source distribution

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

導入數據庫操作創建了Syslog 庫並在該庫中創建了兩張空表SystemEvents 和SystemEventsProperties。

mysql> show databases;

+--------------------+

| Database |

+--------------------+

| information_schema |

| Syslog |

| mysql |

| test |

+--------------------+

4 rows in set (0.00 sec)

mysql> use Syslog

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;

+------------------------+

| Tables_in_Syslog |

+------------------------+

| SystemEvents |

| SystemEventsProperties |

+------------------------+

2 rows in set (0.00 sec)

創建rsyslog 用戶在mysql下的相關權限

mysql> grant all on Syslog.* to rsyslog@localhost identified by '123456';

Query OK, 0 rows affected (0.00 sec)

刷新

mysql> flush privileges;

Query OK, 0 rows affected (0.00 sec)

mysql> exit

Bye

4.3. 設置rsylog.conf

[root@log ~]# vim /etc/rsyslog.conf

配置服務端支持rsyslog-mysql 模塊，並開啟UDP服務端口獲取網內其他LINUX系統日志

（1）在#### MODULES ####上面一行添加

$ModLoad ommysql

*.* :ommysql:localhost,Syslog,rsyslog,123456

注：localhost 表示本地主機，Syslog 為數據庫名，rsyslog 為數據庫的用戶，123456為該用戶密碼。

（2）開啟相關日志模塊

支持標記日志

$ModLoad immark

#允許514端口接收使用UDP和TCP協議轉發過來的日志

支持udp日志

$ModLoad imudp

$UDPServerRun 514

$ModLoad imtcp

$InputTCPServerRun 514

重啟服務

[root@log ~]# /etc/init.d/rsyslog restart

Shutting down system logger: [ OK ]

Starting system logger: [ OK ]

4.4. 放行端口

[root@log ~]# /sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT

[root@log ~]#/sbin/iptables -I INPUT -p tcp --dport 514 -j ACCEPT

[root@log ~]#/sbin/iptables -I INPUT -p udp --dport 514 -j ACCEPT

最好是放在配置文件中，要不然系統或者防火牆重啟后會失效

# vim /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

# /etc/init.d/iptables restart

5. 客戶端

5.1. Linux主機

[root@pstation ~]# ping 192.168.1.1

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.

64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.58 ms

64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.351 ms

--- 192.168.1.1 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1357ms

rtt min/avg/max/mdev = 0.351/0.967/1.583/0.616 ms

[root@pstation ~]# rpm -qa | grep rsyslog

rsyslog-5.8.10-10.el6_6.x86_64

編輯配置文件，shift+G到最后一行，按小o，添加如下內容

將系統日志發送到日志服務器。注意@前有空格

[root@pstation ~]# vim /etc/rsyslog.conf

#send syslog to LogServer

*.* @192.168.1.1

[root@pstation ~]# /etc/init.d/rsyslog restart

Shutting down system logger: [ OK ]

Starting system logger: [ OK ]

編輯/etc/bashrc，客戶端執行的所有命令寫入系統日志/var/log/messages中。

shift+G到最后一行，添加如下內容

[root@pstation ~]# vim /etc/bashrc

export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; });logger "[euid=$(whoami)]":$(who am i):[`pwd`]"$msg"; }'

使之生效

[root@pstation ~]# source /etc/bashrc

5.2. 測試是否服務正常

客戶端

[root@pstation ~]# ll

total 40

-rw-------. 1 root root 1001 Jan 17 07:17 anaconda-ks.cfg

-rw-r--r--. 1 root root 22430 Jan 17 07:17 install.log

-rw-r--r--. 1 root root 5890 Jan 17 07:15 install.log.syslog

[root@pstation ~]# mkdir /zhang

[root@pstation ~]# cd /zhang/

[root@pstation zhang]# touch test.txt

[root@pstation zhang]# ll

total 0

-rw-r--r--. 1 root root 0 Apr 20 13:05 test.txt

服務端查看

[root@log ~]# tailf /var/log/messages（實時查看）

或

[root@log ~]# tail -10 /var/log/messages

Apr 20 12:21:31 log rsyslogd: -- MARK --

Apr 20 12:41:31 log rsyslogd: -- MARK --

Apr 20 13:01:06 pstation kernel: imklog 5.8.10, log source = /proc/kmsg started.

Apr 20 13:01:06 pstation rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="26902" x-info="http://www.rsyslog.com"] start

Apr 20 13:05:16 pstation root: [euid=root]:root pts/0 Apr 20 12:56 (192.168.1.197):[/root]source /etc/bashrc

Apr 20 13:05:34 pstation root: [euid=root]:root pts/0 Apr 20 12:56 (192.168.1.197):[/root]ll

Apr 20 13:05:47 pstation root: [euid=root]:root pts/0 Apr 20 12:56 (192.168.1.197):[/root]mkdir /zhang

Apr 20 13:05:49 pstation root: [euid=root]:root pts/0 Apr 20 12:56 (192.168.1.197):[/zhang]cd /zhang/

Apr 20 13:05:56 pstation root: [euid=root]:root pts/0 Apr 20 12:56 (192.168.1.197):[/zhang]touch test.txt

Apr 20 13:06:00 pstation root: [euid=root]:root pts/0 Apr 20 12:56 (192.168.1.197):[/zhang]ll

5.3. 網絡設備

配置NE40/NE80路由器的日志發送功能

默認情況下，NE40/NE80路由器上記錄、發送日志的功能是關閉的，要想使日志采集器能夠收集到NE40/NE80路由器的日志，必須配置NE40/NE80，將日志發往日志采集器。

前提條件

NE40路由器的時區和時間都必須和eSight服務器保持一致。

操作步驟

配置Syslog日志發送功能。

進入系統視圖。

<NE40/NE80> system-view

開啟信息中心。

[NE40/NE80] info-center enable

配置允許輸出所有模塊、嚴重級別為informational的日志信息。

[NE40/NE80] info-center source default channel 2 log level informational

配置發送日志信息的源接口。

[NE40/NE80] info-center loghost source { interface-type interface-number }

配置日志采集器的IP地址，使NE40/NE80路由器將Syslog日志發送到指定的日志主機。

[NE40/NE80] info-center loghost host-ip-address facility local2 language english

配置會話日志發送功能。

說明：

NAT板、主控板不能往外發送NAT日志，需要通過其他板轉發，請在其他板轉發日志的端口連上網線，配置IP地址。

進入系統視圖。

<NE40/NE80> system-view

啟用NAT日志的記錄功能。

[NE40/NE80] ip userlog nat export slot slot-id [ host host 9002 | source source-address ] *

該操作將指定槽位號的NAT日志發送到主機。eSight將日志以IP報文格式實時發送到日志服務器的相應端口，並可以指定日志的源地址。要使日志正確地送到日志主機，需要有到日志主機的可達的路由，並且在日志主機上做相應配置。

source-address指定了發送日志報文的源地址，通常使用本地的Loopback接口的地址。

NAT板上的以太網接口是專門用於NAT日志發送的接口，不能配置其他業務。NAT日志也可以通過其他的業務接口發送。

說明：

NE40/NE80的NAT日志以二進制日志形式發送，9002為日志采集器接收二進制日志所用的端口，請不要修改。

保存配置。

[NE40/NE80] quit

<NE40/NE80> save

舉例

<huawei>sys

Enter system view, return user view with Ctrl+Z.

[huawei]info-ce

[huawei]info-center en

[huawei]info-center enable

Info: Information center is enabled.

控制台（ Console ）、日志緩沖區（logbuf ）、日志主機（ loghost ）、監視終端（ monitor ）SNMP六個方向的日志輸出、告警緩沖區（trapbuf）。

[huawei]info-center source default channel ?

INTEGER<0-9> Information channel number

channel6 6 channel's name is channel6

channel7 7 channel's name is channel7

channel8 8 channel's name is channel8

channel9 9 channel's name is channel9

console 0 channel's name is console

logbuffer 4 channel's name is logbuffer

loghost 2 channel's name is loghost

monitor 1 channel's name is monitor

snmpagent 5 channel's name is snmpagent

trapbuffer 3 channel's name is trapbuffer

日志級別即日志的level: local0～local7 16～23保留為本地使用

[huawei]info-center source default channel 2 log level ?

alert Immediate action needed (severity=1) 必須馬上采取行動來糾正的事件

critical Critical conditions (severity=2) 關鍵的事件，大多為關鍵錯誤

debugging Debugging messages (severity=7) 調試信息

emergencies System is unusable (severity=0) 系統不可用，極其緊急

error Error conditions (severity=3) 錯誤事件，需要但不需要太多關注

informational Informational messages (severity=6) 一般的信息，大多為有用的信息

notification Normal but significant conditions (severity=5) 需要注意的信息

warning Warning conditions (severity=4) 警告事件，可能存在某種差錯

[huawei]info-center source default channel 2 log level informational

從哪個接口出去

[huawei]info-center loghost source ?

Eth-Trunk Ethernet-Trunk interface

Ethernet Ethernet interface

GigabitEthernet GigabitEthernet interface

LoopBack LoopBack interface

NULL NULL interface

Vlanif Vlan interface

XGigabitEthernet XGigabitEthernet interface

[huawei]info-center loghost source Vlanif 111

目前，系統對每個輸出方向缺省分配一個信息通道

輸出方向信息通道號缺省的信息通道名

控制台 0 console

監視終端 1 monitor

日志主機 2 loghost

告警緩沖區 3 trapbuffer

日志緩沖區 4 logbuffer

snmp 5 snmpagent

[huawei]info-center loghost 192.168.1.1 facility local?

local0 local1

local2 local3

local4 local5

local6 local7

[huawei]info-center loghost 192.168.1.1 facility local2 language English

Warning: There is security risk as this operation enables a non secure syslog protocol.

[huawei]

配置文件

Quitway:

info-center enable 
info-center source default channel 2 log level informational 
info-center loghost source  GigabitEthernet 2/0/0
info-center loghost 192.168.1.1 local-time facility local2 language  English 
################################################################

################################################################
H3C
info-center enable 
info-center source default channel loghost log level informational state on
info-center loghost source  Ethernet4/0/0
info-center loghost 192.168.1.1  facility local2

服務端

這個地方有點問題，就是華為的設備默認是發送utc時間的，所以日主主機收到的時間是北京時間-08:00個小時：Apr 27 08:12:14 huawei；

若華為設備發送local-time的話，日志主機解析時會在包前增加一個時間戳，由於loganalyzer默認取第二個字段為主機名，這時候就會出現用Apr為主機名的現象：

Apr 27 16:12:44 Apr 27 2018 16:12:44+08:00 huawei

[root@log ~]# tail -10 /var/log/messages

Apr 20 13:05:16 pstation root: [euid=root]:root pts/0 Apr 20 12:56 (192.168.1.197):[/root]source /etc/bashrc

Apr 20 13:05:34 pstation root: [euid=root]:root pts/0 Apr 20 12:56 (192.168.1.197):[/root]ll

Apr 20 13:05:47 pstation root: [euid=root]:root pts/0 Apr 20 12:56 (192.168.1.197):[/root]mkdir /zhang

Apr 20 13:05:49 pstation root: [euid=root]:root pts/0 Apr 20 12:56 (192.168.1.197):[/zhang]cd /zhang/

Apr 20 13:05:56 pstation root: [euid=root]:root pts/0 Apr 20 12:56 (192.168.1.197):[/zhang]touch test.txt

Apr 20 13:06:00 pstation root: [euid=root]:root pts/0 Apr 20 12:56 (192.168.1.197):[/zhang]ll

Apr 20 05:18:21 huawei %%01SHELL/5/CMDRECORD(s)[0]: Recorded command information. (Task=VT0, Ip=192.168.1.197, VpnName=, User=petrochina, AuthenticationMethod="Local-user", Command="info-center loghost 192.168.1.1 facility local2 language English")

Apr 20 05:18:28 huawei DS/4/DATASYNC_CFGCHANGE: OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 176, the change loop count is 0, and the maximum number of records is 4095.

Apr 20 05:18:41 huawei %%01SECE/4/ARPMISS(l)[1]: Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=GigabitEthernet2/1/0/18, SourceIP=192.168.15.242, AttackPackets=54 packets per second)

Apr 20 05:18:41 huawei SECE/4/ARPMISS_SIP_SPEEDLIMIT_ALARM: OID 1.3.6.1.4.1.2011.5.25.165.2.2.2.12 The arp-miss packet speed with source ip 192.168.15.242 exceed the speed-limit value configed 30.

[root@log ~]# tail -10 /var/log/messages

Apr 20 05:18:41 huawei SECE/4/ARPMISS_SIP_SPEEDLIMIT_ALARM: OID 1.3.6.1.4.1.2011.5.25.165.2.2.2.12 The arp-miss packet speed with source ip 192.168.15.242 exceed the speed-limit value configed 30.

Apr 20 05:19:06 huawei ARP/4/ARP_IPCONFLICT_TRAP: OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=192.168.13.223, Local interface=Eth-Trunk11, Local MAC=f0de-f1b4-b74a, Local vlan=113, Local CE vlan=0, Receive interface=Eth-Trunk11, Receive MAC=a8b1-d4fb-7ad7, Receive vlan=113, Receive CE vlan=0, IP conflict type=Remote IP conflict).

Apr 20 05:19:06 huawei %%01ARP/4/ARP_LOG_DUPLICATE_IPADDR_DETECT(l)[2]: Detected an IP address collision. (IpAddress=192.168.13.223, LocalMacAddress=f0de-f1b4-b74a, LocalInterfaceName=Eth-Trunk11, LocalVlanId=113, ReceiveMacAddress=a8b1-d4fb-7ad7, ReceiveInterfaceName=Eth-Trunk11, ReceiveVlanId=113)

Apr 20 05:20:20 huawei %%01NTP/4/PEER_SELE(l)[3]: The peer selected by the system is 10.33.176.67.

Apr 20 05:20:26 huawei %%01SECE/6/PORT_ATTACK_END(l)[4]: Auto port-defend stop.(SourceAttackInterface=GigabitEthernet2/1/0/10, AttackProtocol=ARP-REQUEST)

Apr 20 05:20:50 huawei %%01MSTP/6/RECEIVE_MSTITC(l)[5]: MSTP received BPDU with TC, MSTP process 0 instance 0, port name is Eth-Trunk7.

Apr 20 05:20:59 huawei %%01SNMP/4/SNMP_FAIL(s)[6]: Failed to login through SNMP. (Ip=192.168.11.137, Times=6, Reason=the version was incorrect, VPN= )

Apr 20 05:22:23 huawei %%01INFO/4/SUPPRESS_LOG(l)[7]: Last message repeated 9 times.(InfoID=1082212355, ModuleName=SNMP, InfoAlias=SNMP_FAIL)

Apr 20 05:22:23 huawei %%01DEFD/6/CPCAR_DROP_LPU(l)[8]: Rate of packets to cpu exceeded the CPCAR limit on the LPU in slot 2/1. (Protocol=arp-reply, CIR/CBS=64/10000, ExceededPacketCount=65)

Apr 20 05:22:23 huawei %%01DEFD/6/CPCAR_DROP_LPU(l)[9]: Rate of packets to cpu exceeded the CPCAR limit on the LPU in slot 2/1. (Protocol=arp-miss, CIR/CBS=64/10000, ExceededPacketCount=141)

6.LogAnalyzer

6.1. 下載與安裝

如無法下載可以去http://loganalyzer.adiscon.com/downloads/下載。

[root@log app]wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.5.tar.gz

[root@log app]# tar zxvf loganalyzer-3.6.5.tar.gz

[root@log app]# cd loganalyzer-3.6.5

[root@log loganalyzer-3.6.5]# mkdir -p /var/www/html/loganalyzer

[root@log loganalyzer-3.6.5]# rsync -a src/* /var/www/html/loganalyzer/

[root@log loganalyzer-3.6.5]# cd /var/www/html/loganalyzer/

[root@log loganalyzer]# ll

total 256

drwxrwxr-x. 2 root root 4096 Oct 9 2013 BitstreamVeraFonts

drwxrwxr-x. 2 root root 4096 Oct 9 2013 admin

-rw-rw-r--. 1 root root 5509 Oct 9 2013 asktheoracle.php

-rw-rw-r--. 1 root root 18492 Oct 9 2013 chartgenerator.php

drwxrwxr-x. 6 root root 4096 Oct 9 2013 classes

-rw-rw-r--. 1 root root 9205 Oct 9 2013 convert.php

drwxrwxr-x. 2 root root 4096 Oct 9 2013 cron

drwxrwxr-x. 2 root root 4096 Oct 9 2013 css

-rw-rw-r--. 1 root root 16499 Oct 9 2013 details.php

drwxr-xr-x. 2 root root 4096 Oct 9 2013 doc

-rw-rw-r--. 1 root root 12748 Oct 9 2013 export.php

-rw-rw-r--. 1 root root 1150 Oct 9 2013 favicon.ico

drwxrwxr-x. 5 root root 4096 Oct 9 2013 images

drwxrwxr-x. 2 root root 4096 Oct 9 2013 include

-rw-rw-r--. 1 root root 38383 Oct 9 2013 index.php

-rw-rw-r--. 1 root root 41586 Oct 9 2013 install.php

drwxrwxr-x. 2 root root 4096 Oct 9 2013 js

drwxrwxr-x. 4 root root 4096 Oct 9 2013 lang

-rw-rw-r--. 1 root root 3395 Oct 9 2013 login.php

-rw-rw-r--. 1 root root 7164 Oct 9 2013 reportgenerator.php

-rw-rw-r--. 1 root root 4146 Oct 9 2013 reports.php

-rw-rw-r--. 1 root root 9438 Oct 9 2013 search.php

-rw-rw-r--. 1 root root 4878 Oct 9 2013 statistics.php

drwxrwxr-x. 3 root root 4096 Oct 9 2013 templates

drwxrwxr-x. 4 root root 4096 Oct 9 2013 themes

-rw-rw-r--. 1 root root 3383 Oct 9 2013 userchange.php

6.2. 配置

在瀏覽器中輸入http://x.x.x.x/loganalyzer

提示沒有配置文件，點擊 here 利用向導生成。

Step 1 - Prerequisites

Before you start installing LogAnalyzer, the Installer setup has to check a few things first.

You may have to correct some file permissions first.

Step 2 - Verify File Permissions

The following file permissions have been checked. Verify the results below!

You may use the configure.sh script from the contrib folder to set the permissions for you.

提示錯誤：config.php 文件不存在，並且權限要設置為666，可以使用contrib目錄下的configure.sh 腳本生成。

[root@log loganalyzer]# cd /zhang/app/loganalyzer-3.6.5

[root@log loganalyzer-3.6.5]# ll

total 104

-rw-rw-r--. 1 root root 35497 Oct 9 2013 COPYING

-rw-rw-r--. 1 root root 44027 Oct 9 2013 ChangeLog

-rw-rw-r--. 1 root root 8449 Oct 9 2013 INSTALL

drwxrwxr-x. 2 root root 4096 Oct 9 2013 contrib

drwxrwxr-x. 2 root root 4096 Oct 9 2013 doc

drwxrwxr-x. 14 root root 4096 Oct 9 2013 src

[root@log loganalyzer-3.6.5]# cd contrib/

[root@log contrib]# ll

total 8

-rw-rw-r--. 1 root root 49 Oct 9 2013 configure.sh

-rw-rw-r--. 1 root root 31 Oct 9 2013 secure.sh

查看configure.sh，提示說要創建config.php，並給666的權限。

[root@log contrib]# cat configure.sh

#!/bin/sh

touch config.php

chmod 666 config.php

[root@log contrib]# cd /var/www/html/loganalyzer/

[root@log loganalyzer]# touch config.php

[root@log loganalyzer]# chmod 666 config.php

[root@log loganalyzer]# vim /etc/rsyslog.conf

刷新web或下端的recheck

Step 3 - Basic Configuration

In this step, you configure the basic configurations for LogAnalyzer.

將User Database Options下Enable User Database ===>Yes

填寫下面三項

Database Name
Database User
Database Password

Step 4 - Create Tables

If you reached this step, the database connection has been successfully verified!

The next step will be to create the necessary database tables used by the LogAnalyzer User System. This might take a while!

WARNING, if you have an existing LogAnalyzer installation in this database with the same tableprefix, all your data will be OVERWRITTEN! Make sure you are using a fresh database, or you want to overwrite your old LogAnalyzer database.