syslog-ng构建集中型日志服务器
2013-04-04 14:15
环境介绍日志服务器IP:199.0.3.100;客户端IP:199.0.3.110
系统:RHEL5.5
实现目标:将客户端的日志自动保存在服务器端的相应目录,并根据日期,IP地址和日志类型进行分开保存(注意系统时间同步)
安装包:eventlog libol
syslog-ng 的源码包
安装步骤:
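# Build and install the three components from source, in dependency order
# (eventlog -> libol -> syslog-ng). The ../software/ paths are the layout used
# in the original post; run these from the directory that holds the tarballs.
# Each cd is chained with && so a missing directory does not run configure in
# the wrong place.
tar -zxvf eventlog_0.2.9.tar.gz
cd ../software/eventlog-0.2.9/ && ./configure --prefix=/usr/local/eventlog && make && make install

tar -zxvf libol-0.3.9.tar.gz
# NOTE(review): this prefix is /usr/local/eventlog, but syslog-ng is configured
# with --with-libol=/usr/local/libol below — confirm which prefix is intended.
cd ../software/libol-0.3.9 && ./configure --prefix=/usr/local/eventlog && make && make install

tar -zxvf syslog-ng_3.0.5.tar.gz
cd ../software/syslog-ng-3.0.5/ && ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol && make && make install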
此时配置会出现错误(Cannot find eventlog version >= 0.2: is pkg-config in path?)
可做如下修改:
a 在/etc/ld.so.conf里添加glib和eventlog的path如:
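# Register the glib and eventlog library directories with the dynamic loader
# (run ldconfig afterwards, as the next step says). The original appended
# "/usr/local/glib/" and a misspelled "/usr/local/enventlog", both wrapped in
# curly quotes that would have been written literally; ld.so.conf needs the
# plain lib directories, i.e. the same ones LD_LIBRARY_PATH and PKG_CONFIG_PATH
# point at below.
printf '%s\n' "/usr/local/glib/lib" >>/etc/ld.so.conf
printf '%s\n' "/usr/local/eventlog/lib" >>/etc/ld.so.conf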
执行ldconfig /etc/ld.so.conf加载
b 设置变量
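# Let the configure run of syslog-ng find glib at run time and the eventlog
# .pc file at build time. Keyword and assignment must be on one line: a bare
# "export" only lists the environment, and the assignment on the next line
# would then stay a shell-local variable.
export LD_LIBRARY_PATH=/usr/local/glib/lib/
export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig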
创建syslog-ng 的目录
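# Create the config and state directories under the install prefix and seed
# them with the RedHat samples shipped in the syslog-ng source tree (the
# contrib/ paths are relative to that tree, so run this from inside it).
# mkdir -p keeps the step re-runnable if the directories already exist.
mkdir -p /usr/local/syslog-ng/etc /usr/local/syslog-ng/var
cp contrib/syslog-ng.conf.RedHat /usr/local/syslog-ng/etc/
cp contrib/init.d.RedHat /etc/init.d/syslog-ng
# The cd is deliberate: later steps on this page assume this working directory.
cd /usr/local/syslog-ng/etc/ && mv syslog-ng.conf.RedHat syslog-ng.conf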
将以下内容粘贴到 syslog-ng.conf
@version:3.0
# Global defaults for every source and destination below.
# NOTE(review): perm(0644) is inherited by each file() destination that does
# not set its own perm(). The local d_* destinations do not, so
# /var/log/secure, /var/log/messages etc. are created world-readable; the
# remote r_* destinations override it with perm(0640).
options {
long_hostnames(off);
log_msg_size(8192);
flush_lines(1);
log_fifo_size(20480);
time_reopen(10);
# use_dns/use_fqdn: sender addresses are resolved, so $HOST depends on reverse
# DNS being reachable (the example paths at the end of this page show the raw
# IP 199.0.3.110 being used instead of a name).
use_dns(yes);
dns_cache(yes);
use_fqdn(yes);
# NOTE(review): keep_hostname(yes) keeps whatever hostname the client wrote
# into the message header, so a client chooses the $HOST directory the r_*
# destinations write into; keep_hostname(no) always uses the resolved peer
# address — confirm which behaviour is wanted.
keep_hostname(yes);
chain_hostnames(no);
perm(0644);
stats_freq(43200);
};
# syslog-ng's own internal messages go to a separate file — the first place
# to look when remote logs stop arriving.
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };
# Local sources: the syslog socket and the kernel ring buffer.
source s_local {
unix-dgram("/dev/log");
file("/proc/kmsg"
program_override("kernel:"));
};
# Filters — the seven log types; shared by the local and remote paths below.
filter f_messages { level(info..emerg); }; # any facility, info and above
filter f_secure { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_emerg { level(emerg); };
filter f_spooler { level(crit..emerg) and facility(uucp, news); };
filter f_local7 { facility(local7); };
# Local destinations — where the seven types land on the client / local host
# (same layout as the RedHat sample config).
destination d_messages { file("/var/log/messages"); };
destination d_secure { file("/var/log/secure"); };
destination d_maillog { file("/var/log/maillog"); };
destination d_cron { file("/var/log/cron"); };
destination d_console { usertty("root"); };
destination d_spooler { file("/var/log/spooler"); };
destination d_bootlog { file("/var/log/dmesg"); };
# Local log paths. flags(final) stops a matched message from also reaching
# the later statements (f_messages would otherwise copy it to d_messages),
# so the order of these statements matters.
log { source(s_local); filter(f_emerg); destination(d_console); };
log { source(s_local); filter(f_secure); destination(d_secure); flags(final);
};
log { source(s_local); filter(f_mail); destination(d_maillog); flags(final); };
log { source(s_local); filter(f_cron); destination(d_cron); flags(final); };
log { source(s_local); filter(f_spooler); destination(d_spooler); };
log { source(s_local); filter(f_local7); destination(d_bootlog); };
log { source(s_local); filter(f_messages); destination(d_messages); };
# Remote logging — the listening ports.
# NOTE(review): ip(0.0.0.0) binds every interface and no tls() is configured,
# so any host that can reach 514/tcp or 514/udp can write into the files
# below. Bind to the collector address (ip(199.0.3.100)) and/or firewall the
# port to the known clients.
source s_remote {
tcp(ip(0.0.0.0)
port(514));
udp(ip(0.0.0.0) port(514));
};
# Remote destinations: one tree per day and per sender host, root-owned and
# not world-readable (perm 0640 / dir_perm 0750), directories created on
# demand.
destination r_console
{file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console"
owner("root") group("root") perm(0640) dir_perm(0750)
create_dirs(yes));};
destination r_secure
{file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure" owner("root")
group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_cron
{file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron"
owner("root") group("root") perm(0640) dir_perm(0750)
create_dirs(yes));};
destination r_spooler {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler"
owner("root") group("root") perm(0640) dir_perm(0750)
create_dirs(yes));};
destination r_bootlog
{file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog"
owner("root") group("root") perm(0640) dir_perm(0750)
create_dirs(yes));};
destination r_messages
{file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages"
owner("root") group("root") perm(0640) dir_perm(0750)
create_dirs(yes));};
# Remote log paths, same ordering rule as the local ones.
# NOTE(review): there is no f_mail statement here (unlike the local block),
# so remote mail-facility messages fall through to r_messages.
log { source(s_remote); filter(f_emerg); destination(r_console); };
log { source(s_remote); filter(f_secure); destination(r_secure); flags(final);
};
log { source(s_remote); filter(f_cron); destination(r_cron); flags(final); };
log { source(s_remote); filter(f_spooler); destination(r_spooler); };
log { source(s_remote); filter(f_local7); destination(r_bootlog); };
log { source(s_remote); filter(f_messages); destination(r_messages); };
修改/etc/init.d/syslog-ng 将syslog-ng 设置为开机启动
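# Make the init script executable and register it with the runlevels
# (chkconfig reads the "# chkconfig:" header line of the script).
chmod +x /etc/init.d/syslog-ng
chkconfig --add syslog-ng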
service syslog-ng does not support chkconfig (若出现该错误,请修改该脚本前四行如下)
vim /etc/init.d/syslog-ng
#!/bin/bash
#chkconifg: --add syslog-ng
#chkconfig: 2345 12 88
#Description: syslog-ng
该脚本还需要修改下面的三个位置
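# The three settings to change in /etc/init.d/syslog-ng: the daemon lives
# under /usr/local/syslog-ng, not on the default PATH, and reads the config
# copied there earlier. Keep each assignment on one line — a quoted value
# broken across lines would embed a newline in INIT_OPTS.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/syslog-ng/bin:/usr/local/syslog-ng/sbin
INIT_PROG="/usr/local/syslog-ng/sbin/syslog-ng"              # Full path to daemon
INIT_OPTS="-f /usr/local/syslog-ng/etc/syslog-ng.conf"       # options passed to daemon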
service syslog-ng start // 注意cd /usr/local/syslog-ng/etc/
Starting syslog-ng: /usr/local/syslog-ng/sbin/syslog-ng: error while loading shared libraries: libevtlog.so.0: cannot open shared object file: No such file or directory
Starting Kernel Logger: 出现此错误是因为共享库链接没做好
# Symlink every eventlog library into /lib so the daemon can find libevtlog.so.0.
# NOTE(review): the ld.so.conf + ldconfig step in section "a" above achieves
# the same without putting foreign files into /lib; prefer that if it was not
# already done.
ln -s /usr/local/eventlog/lib/* /lib/
出现下面的问题是因为主配置文件中缺少@version:3.0这行
Starting syslog-ng: Configuration file has no version number, assuming syslog-ng 2.1 format. Please add @version: maj.min to the beginning of the file;
service syslog-ng start
Starting Kernel
Logger:
[ OK ]
客户端配置:[root@client ~]# tail -1 /etc/syslog.conf
*.* @199.0.3.100    注意要重启服务:service syslog restart
测试:
客户端# logger -i just one test
# tail -1 /var/log/messages
Jan 27 22:12:02 client root[2861]: just one test
服务器端:
# cat /var/log/syslog-ng/20130310/199.0.3.110/messages
# cat /var/log/syslog-ng/20130310/199.0.3.110/secure
参考网站:http://blog.sina.com.cn/s/blog_4a071ed80100cssu.html
系统:RHEL5.5
实现目标:将客户端的日志自动保存在服务器端的相应目录,并根据日期,IP地址和日志类型进行分开保存(注意系统时间同步)
安装包:eventlog libol
syslog-ng 的源码包
安装步骤:
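# Build and install the three components from source, in dependency order
# (eventlog -> libol -> syslog-ng). The ../software/ paths are the layout used
# in the original post; run these from the directory that holds the tarballs.
# Each cd is chained with && so a missing directory does not run configure in
# the wrong place.
tar -zxvf eventlog_0.2.9.tar.gz
cd ../software/eventlog-0.2.9/ && ./configure --prefix=/usr/local/eventlog && make && make install

tar -zxvf libol-0.3.9.tar.gz
# NOTE(review): this prefix is /usr/local/eventlog, but syslog-ng is configured
# with --with-libol=/usr/local/libol below — confirm which prefix is intended.
cd ../software/libol-0.3.9 && ./configure --prefix=/usr/local/eventlog && make && make install

tar -zxvf syslog-ng_3.0.5.tar.gz
cd ../software/syslog-ng-3.0.5/ && ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol && make && make install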
此时配置会出现错误(Cannot find eventlog version >= 0.2: is pkg-config in path?)
可做如下修改:
a 在/etc/ld.so.conf里添加glib和eventlog的path如:
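# Register the glib and eventlog library directories with the dynamic loader
# (run ldconfig afterwards, as the next step says). The original appended
# "/usr/local/glib/" and a misspelled "/usr/local/enventlog", both wrapped in
# curly quotes that would have been written literally; ld.so.conf needs the
# plain lib directories, i.e. the same ones LD_LIBRARY_PATH and PKG_CONFIG_PATH
# point at below.
printf '%s\n' "/usr/local/glib/lib" >>/etc/ld.so.conf
printf '%s\n' "/usr/local/eventlog/lib" >>/etc/ld.so.conf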
执行ldconfig /etc/ld.so.conf加载
b 设置变量
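# Let the configure run of syslog-ng find glib at run time and the eventlog
# .pc file at build time. Keyword and assignment must be on one line: a bare
# "export" only lists the environment, and the assignment on the next line
# would then stay a shell-local variable.
export LD_LIBRARY_PATH=/usr/local/glib/lib/
export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig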
创建syslog-ng 的目录
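# Create the config and state directories under the install prefix and seed
# them with the RedHat samples shipped in the syslog-ng source tree (the
# contrib/ paths are relative to that tree, so run this from inside it).
# mkdir -p keeps the step re-runnable if the directories already exist.
mkdir -p /usr/local/syslog-ng/etc /usr/local/syslog-ng/var
cp contrib/syslog-ng.conf.RedHat /usr/local/syslog-ng/etc/
cp contrib/init.d.RedHat /etc/init.d/syslog-ng
# The cd is deliberate: later steps on this page assume this working directory.
cd /usr/local/syslog-ng/etc/ && mv syslog-ng.conf.RedHat syslog-ng.conf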
将以下内容粘贴到 syslog-ng.conf
@version:3.0
# Global defaults for every source and destination below.
# NOTE(review): perm(0644) is inherited by each file() destination that does
# not set its own perm(). The local d_* destinations do not, so
# /var/log/secure, /var/log/messages etc. are created world-readable; the
# remote r_* destinations override it with perm(0640).
options {
long_hostnames(off);
log_msg_size(8192);
flush_lines(1);
log_fifo_size(20480);
time_reopen(10);
# use_dns/use_fqdn: sender addresses are resolved, so $HOST depends on reverse
# DNS being reachable (the example paths at the end of this page show the raw
# IP 199.0.3.110 being used instead of a name).
use_dns(yes);
dns_cache(yes);
use_fqdn(yes);
# NOTE(review): keep_hostname(yes) keeps whatever hostname the client wrote
# into the message header, so a client chooses the $HOST directory the r_*
# destinations write into; keep_hostname(no) always uses the resolved peer
# address — confirm which behaviour is wanted.
keep_hostname(yes);
chain_hostnames(no);
perm(0644);
stats_freq(43200);
};
# syslog-ng's own internal messages go to a separate file — the first place
# to look when remote logs stop arriving.
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };
# Local sources: the syslog socket and the kernel ring buffer.
source s_local {
unix-dgram("/dev/log");
file("/proc/kmsg"
program_override("kernel:"));
};
# Filters — the seven log types; shared by the local and remote paths below.
filter f_messages { level(info..emerg); }; # any facility, info and above
filter f_secure { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_emerg { level(emerg); };
filter f_spooler { level(crit..emerg) and facility(uucp, news); };
filter f_local7 { facility(local7); };
# Local destinations — where the seven types land on the client / local host
# (same layout as the RedHat sample config).
destination d_messages { file("/var/log/messages"); };
destination d_secure { file("/var/log/secure"); };
destination d_maillog { file("/var/log/maillog"); };
destination d_cron { file("/var/log/cron"); };
destination d_console { usertty("root"); };
destination d_spooler { file("/var/log/spooler"); };
destination d_bootlog { file("/var/log/dmesg"); };
# Local log paths. flags(final) stops a matched message from also reaching
# the later statements (f_messages would otherwise copy it to d_messages),
# so the order of these statements matters.
log { source(s_local); filter(f_emerg); destination(d_console); };
log { source(s_local); filter(f_secure); destination(d_secure); flags(final);
};
log { source(s_local); filter(f_mail); destination(d_maillog); flags(final); };
log { source(s_local); filter(f_cron); destination(d_cron); flags(final); };
log { source(s_local); filter(f_spooler); destination(d_spooler); };
log { source(s_local); filter(f_local7); destination(d_bootlog); };
log { source(s_local); filter(f_messages); destination(d_messages); };
# Remote logging — the listening ports.
# NOTE(review): ip(0.0.0.0) binds every interface and no tls() is configured,
# so any host that can reach 514/tcp or 514/udp can write into the files
# below. Bind to the collector address (ip(199.0.3.100)) and/or firewall the
# port to the known clients.
source s_remote {
tcp(ip(0.0.0.0)
port(514));
udp(ip(0.0.0.0) port(514));
};
# Remote destinations: one tree per day and per sender host, root-owned and
# not world-readable (perm 0640 / dir_perm 0750), directories created on
# demand.
destination r_console
{file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console"
owner("root") group("root") perm(0640) dir_perm(0750)
create_dirs(yes));};
destination r_secure
{file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure" owner("root")
group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_cron
{file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron"
owner("root") group("root") perm(0640) dir_perm(0750)
create_dirs(yes));};
destination r_spooler {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler"
owner("root") group("root") perm(0640) dir_perm(0750)
create_dirs(yes));};
destination r_bootlog
{file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog"
owner("root") group("root") perm(0640) dir_perm(0750)
create_dirs(yes));};
destination r_messages
{file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages"
owner("root") group("root") perm(0640) dir_perm(0750)
create_dirs(yes));};
# Remote log paths, same ordering rule as the local ones.
# NOTE(review): there is no f_mail statement here (unlike the local block),
# so remote mail-facility messages fall through to r_messages.
log { source(s_remote); filter(f_emerg); destination(r_console); };
log { source(s_remote); filter(f_secure); destination(r_secure); flags(final);
};
log { source(s_remote); filter(f_cron); destination(r_cron); flags(final); };
log { source(s_remote); filter(f_spooler); destination(r_spooler); };
log { source(s_remote); filter(f_local7); destination(r_bootlog); };
log { source(s_remote); filter(f_messages); destination(r_messages); };
修改/etc/init.d/syslog-ng 将syslog-ng 设置为开机启动
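# Make the init script executable and register it with the runlevels
# (chkconfig reads the "# chkconfig:" header line of the script).
chmod +x /etc/init.d/syslog-ng
chkconfig --add syslog-ng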
service syslog-ng does not support chkconfig (若出现该错误,请修改该脚本前四行如下)
vim /etc/init.d/syslog-ng
#!/bin/bash
#chkconifg: --add syslog-ng
#chkconfig: 2345 12 88
#Description: syslog-ng
该脚本还需要修改下面的三个位置
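# The three settings to change in /etc/init.d/syslog-ng: the daemon lives
# under /usr/local/syslog-ng, not on the default PATH, and reads the config
# copied there earlier. Keep each assignment on one line — a quoted value
# broken across lines would embed a newline in INIT_OPTS.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/syslog-ng/bin:/usr/local/syslog-ng/sbin
INIT_PROG="/usr/local/syslog-ng/sbin/syslog-ng"              # Full path to daemon
INIT_OPTS="-f /usr/local/syslog-ng/etc/syslog-ng.conf"       # options passed to daemon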
service syslog-ng start // 注意cd /usr/local/syslog-ng/etc/
Starting syslog-ng: /usr/local/syslog-ng/sbin/syslog-ng: error while loading shared libraries: libevtlog.so.0: cannot open shared object file: No such file or directory
Starting Kernel Logger: 出现此错误是因为共享库链接没做好
# Symlink every eventlog library into /lib so the daemon can find libevtlog.so.0.
# NOTE(review): the ld.so.conf + ldconfig step in section "a" above achieves
# the same without putting foreign files into /lib; prefer that if it was not
# already done.
ln -s /usr/local/eventlog/lib/* /lib/
出现下面的问题是因为主配置文件中缺少@version:3.0这行
Starting syslog-ng: Configuration file has no version number, assuming syslog-ng 2.1 format. Please add @version: maj.min to the beginning of the file;
service syslog-ng start
Starting Kernel
Logger:
[ OK ]
客户端配置:[root@client ~]# tail -1 /etc/syslog.conf
*.* @199.0.3.100    注意要重启服务:service syslog restart
测试:
客户端# logger -i just one test
# tail -1 /var/log/messages
Jan 27 22:12:02 client root[2861]: just one test
服务器端:
# cat /var/log/syslog-ng/20130310/199.0.3.110/messages
# cat /var/log/syslog-ng/20130310/199.0.3.110/secure
参考网站:http://blog.sina.com.cn/s/blog_4a071ed80100cssu.html