使用syslog-ng搭建日志服务器
一、环境 Gentoo-2007.0_amd64
二、安装:为了简便,我用了系统自带的syslog-ng
三、服务器配置: #cat /etc/syslog-ng/syslog-ng.conf
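#
# configuration file for syslog-ng, customized for remote logging
#
# Layout note: on the original page this file was collapsed onto a few long
# lines, which put "options { ... }" and "source s_remote { ... }" on the same
# line as a "#" comment; as shown there the remote source would never be
# parsed.  The statements below are the same ones, one per line.
#
options {
    use_fqdn(yes);
    chain_hostnames(off);
    # keep_hostname(off): the HOST field carried inside an incoming message is
    # replaced by the name syslog-ng itself resolves for the sender.  This is
    # what keeps $HOST in the remote destination paths below tied to the
    # sender rather than to whatever text a client puts in its message.
    keep_hostname(off);
    sync(0);
    # The default action of syslog-ng 1.6.0 is to log a STATS line
    # to the file every 10 minutes.  That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats(43200);
    create_dirs(yes);
};

# syslog-ng's own messages go to a dedicated file (they also appear in s_sys
# below, so they reach the normal destinations as well).
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };

# Local messages: kernel ring buffer, the /dev/log socket, syslog-ng internals.
source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
};

# Local destinations.  d_rsync is defined but not referenced by any log
# statement in this file.
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_rsync { file("/var/log/rsync"); };
destination d_mlal { usertty("*"); };

# Filters shared by the local and remote log statements.
# NOTE(review): a bare level(info) in syslog-ng may match only the info
# priority rather than "info and above"; if the intent is the syslogd-style
# "*.info", verify for this version and use level(info..emerg) instead.
filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };
filter f_filter9 { facility(daemon); };
filter f_filter10 { facility(local6); };

# Local routing (kernel -> console is left disabled, as in the original).
#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };

# Remote logging
# Listens on 514/udp on every interface.  UDP syslog carries no
# authentication and the sender address is trivially spoofable, so the
# sender-derived $HOST below is a label, not proof of origin.  Bind ip() to
# the management address or restrict 514/udp with a host firewall so only
# the intended clients can reach it.
source s_remote { udp(ip(0.0.0.0) port(514)); };

# Remote destinations: one tree per year/month/sender, root-only readable.
# With keep_hostname(off) and use_fqdn(yes) the $HOST directory is the
# sender's resolved name (or its IP when it does not resolve).
# NOTE(review): that still depends on reverse DNS for each message; if DNS is
# slow, unavailable, or not under your control, consider use_dns(no) so the
# directory is keyed on the sender IP instead — verify for this version.
destination r_mesg { file("/var/log/syslog-ng/$YEAR/$MONTH/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_auth { file("/var/log/syslog-ng/$YEAR/$MONTH/$HOST/secure" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_mail { file("/var/log/syslog-ng/$YEAR/$MONTH/$HOST/maillog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_spol { file("/var/log/syslog-ng/$YEAR/$MONTH/$HOST/spooler" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_boot { file("/var/log/syslog-ng/$YEAR/$MONTH/$HOST/boot.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_cron { file("/var/log/syslog-ng/$YEAR/$MONTH/$HOST/cron" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_daemon { file("/var/log/syslog-ng/$YEAR/$MONTH/$HOST/daemon" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
# local6 from every sender is merged into a single file (no $HOST in the
# path); presumably this facility is reserved for network devices — confirm.
destination r_local6 { file("/var/log/syslog-ng/$YEAR/$MONTH/network/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };

# Earlier per-host layout, kept disabled as in the original.
#destination d_separatedbyhosts {
#    file("/var/log/syslog-ng/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
#};
#log { source(s_remote); destination(d_separatedbyhosts); };

# Remote routing.  Note that nothing routes facility(kern) or level(emerg)
# from remote senders; such messages are dropped unless another filter
# matches them.
log { source(s_remote); filter(f_filter2); destination(r_mesg); };
log { source(s_remote); filter(f_filter3); destination(r_auth); };
log { source(s_remote); filter(f_filter4); destination(r_mail); };
log { source(s_remote); filter(f_filter6); destination(r_spol); };
log { source(s_remote); filter(f_filter7); destination(r_boot); };
log { source(s_remote); filter(f_filter8); destination(r_cron); };
log { source(s_remote); filter(f_filter9); destination(r_daemon); };
log { source(s_remote); filter(f_filter10); destination(r_local6); };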
四、客户端配置 linux使用的syslog守护进程主要有两种,syslog和syslog-ng 1、syslog #vi /etc/syslog.conf *.* @loghost
loghost为日志服务器的IP或者主机名,主机名必须能正确解析到日志服务器IP。 然后重新启动syslog服务: #/etc/init.d/syslog restart
2、syslog-ng 在配置文件syslog-ng.conf中加入两行: destination d_udp { udp("loghost" port(514)); }; log { source(src); destination(d_udp); }; (其中src为客户端syslog-ng.conf中已定义的本地source名称) 重新启动syslog-ng服务 #/etc/init.d/syslog-ng restart
Windows服务器的配置 因为Windows服务器本身不支持syslog协议,因此需要安装一个转换软件: 下载地址为:https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/ 根据系统的版本下载32位或64位的程序。 解压后是两个文件evtsys.dll和evtsys.exe, 把这两个文件拷贝到 c:\windows\system32目录下。 打开Windows命令提示符(开始->运行 输入CMD) C:\>evtsys -i -h 192.168.10.100 #(日志服务器的IP地址) -i 表示安装成系统服务 -h 指定log服务器的IP地址 如果要卸载evtsys,则: net stop evtsys evtsys -u 启动该服务: C:\>net start evtsys
配置完成:)