Building a centralized log server with syslog-ng on RHEL5

In a production environment it is a good idea to have a dedicated log server that records the log messages of the other servers. The syslog that ships with Red Hat is simple to configure, but it cannot separate the logs: by default everything is piled into the /var/log/messages file, which is very unpleasant to work with. This article describes building a log server with syslog-ng instead. syslog-ng also supports importing logs into a database and publishing them through a web page, which sounds quite powerful, so it is worth studying properly.

Environment

Log server IP: 0; client IP: 0
System: RHEL5.4

Goal: the clients' logs are saved automatically into the corresponding directories on the server, split by date, IP address and log type.

Note: this was done in a virtual-machine environment and the clocks of the server and client were not synchronized, so the timestamps recorded in the logs will not agree.

Build and install eventlog, libol and syslog-ng from source:

[root@server2 ~]# cd /usr/local/src/tarbag/
[root@server2 tarbag]# wget http://www.balabit.com/downloads/files/eventlog/0.2/eventlog_0.2.9.tar.gz
[root@server2 tarbag]# tar -zxvf eventlog_0.2.9.tar.gz -C ./software/
[root@server2 tarbag]# cd ./software/eventlog-0.2.9/
[root@server2 eventlog-0.2.9]# ./configure --prefix=/usr/local/eventlog && make && make install
[root@server2 eventlog-0.2.9]# ls /usr/local/eventlog/
include  lib
[root@server2 syslog-ng-3.0.5]# cd -
/usr/local/src/tarbag
[root@server2 tarbag]# wget http://www.balabit.com/downloads/files/libol/0.3/libol-0.3.9.tar.gz
[root@server2 tarbag]# tar -zxvf libol-0.3.9.tar.gz -C ./software/
[root@server2 tarbag]# cd ./software/libol-0.3.9/
[root@server2 libol-0.3.9]# ./configure --prefix=/usr/local/libol && make && make install
[root@server2 libol-0.3.9]# ls /usr/local/libol/
bin  include  lib
[root@server2 tarbag]# wget http://www.balabit.com/downloads/files/syslog-ng/sources/3.0.5/source/syslog-ng_3.0.5.tar.gz
[root@server2 tarbag]# tar -zxvf syslog-ng_3.0.5.tar.gz -C ./software/
[root@server2 tarbag]# cd ./software/syslog-ng-3.0.5/
[root@server2 syslog-ng-3.0.5]# export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig
[root@server2 syslog-ng-3.0.5]# ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol && make && make install

If configure stops with

configure: error: Cannot find eventlog version >= 0.2: is pkg-config in path?

the PKG_CONFIG_PATH variable was not set correctly (see the export above).

[root@server2 syslog-ng-3.0.5]# ls /usr/local/syslog-ng/
bin  libexec  sbin  share
[root@server2 syslog-ng-3.0.5]# mkdir /usr/local/syslog-ng/etc
[root@server2 syslog-ng-3.0.5]# mkdir /usr/local/syslog-ng/var
[root@server2 syslog-ng-3.0.5]# cp contrib/syslog-ng.conf.RedHat /usr/local/syslog-ng/etc/
[root@server2 syslog-ng-3.0.5]# cp contrib/init.d.RedHat /etc/init.d/syslog-ng
[root@server2 syslog-ng-3.0.5]# cd /usr/local/syslog-ng/etc/
[root@server2 etc]# mv syslog-ng.conf.RedHat syslog-ng.conf
[root@server2 etc]# cat syslog-ng.conf

@version: 3.0

options {
    long_hostnames(off);
    log_msg_size(8192);
    flush_lines(1);
    log_fifo_size(20480);
    time_reopen(10);
    use_dns(yes);
    dns_cache(yes);
    use_fqdn(yes);
    keep_hostname(yes);
    chain_hostnames(no);
    perm(0644);
    stats_freq(43200);
};

source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };

source s_local {
    unix-dgram("/dev/log");
    file("/proc/kmsg" program_override("kernel:"));
};

# define the 7 log types
filter f_messages { level(info..emerg); };
filter f_secure   { facility(authpriv); };
filter f_mail     { facility(mail); };
filter f_cron     { facility(cron); };
filter f_emerg    { level(emerg); };
filter f_spooler  { level(crit..emerg) and facility(uucp, news); };
filter f_local7   { facility(local7); };

# define where the 7 types of log are stored on the client
destination d_messages { file("/var/log/messages"); };
destination d_secure   { file("/var/log/secure"); };
destination d_maillog  { file("/var/log/maillog"); };
destination d_cron     { file("/var/log/cron"); };
destination d_console  { usertty("root"); };
destination d_spooler  { file("/var/log/spooler"); };
destination d_bootlog  { file("/var/log/dmesg"); };

log { source(s_local); filter(f_emerg);    destination(d_console); };
log { source(s_local); filter(f_secure);   destination(d_secure);  flags(final); };
log { source(s_local); filter(f_mail);     destination(d_maillog); flags(final); };
log { source(s_local); filter(f_cron);     destination(d_cron);    flags(final); };
log { source(s_local); filter(f_spooler);  destination(d_spooler); };
log { source(s_local); filter(f_local7);   destination(d_bootlog); };
log { source(s_local); filter(f_messages); destination(d_messages); };

# Remote logging
# define the ports to listen on
source s_remote {
    tcp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(514));
};

# define the format, location and permissions of the client logs kept on the server
destination r_console  { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console"  owner(root) group(root) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_secure   { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure"   owner(root) group(root) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_cron     { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron"     owner(root) group(root) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_spooler  { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler"  owner(root) group(root) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_bootlog  { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog"  owner(root) group(root) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_messages { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages" owner(root) group(root) perm(0640) dir_perm(0750) create_dirs(yes)); };

log { source(s_remote); filter(f_emerg);    destination(r_console); };
log { source(s_remote); filter(f_secure);   destination(r_secure);  flags(final); };
log { source(s_remote); filter(f_cron);     destination(r_cron);    flags(final); };
log { source(s_remote); filter(f_spooler);  destination(r_spooler); };
log { source(s_remote); filter(f_local7);   destination(r_bootlog); };
log { source(s_remote); filter(f_messages); destination(r_messages); };

Make the init script executable and register it with chkconfig:

[root@server2 etc]# chmod +x /etc/init.d/syslog-ng
[root@server2 etc]# chkconfig --add syslog-ng
service syslog-ng does not support chkconfig

(If this error appears, modify the first four lines of the script as shown below. Note: the service script lives under /etc, not under the etc directory of /usr.)

[root@server2 etc]# head -4 /etc/init.d/syslog-ng
#!/bin/bash
#chkconifg: --add syslog-ng
#chkconfig: 2345 12 88
#Description: syslog-ng

The script also needs changes in the following three places:

[root@server2 etc]# grep PATH /etc/init.d/syslog-ng
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/syslog-ng/bin:/usr/local/syslog-ng/sbin
[root@server2 etc]# grep INIT /etc/init.d/syslog-ng | head -2
INIT_PROG="/usr/local/syslog-ng/sbin/syslog-ng"         # Full path to daemon
INIT_OPTS="-f /usr/local/syslog-ng/etc/syslog-ng.conf"  # options passed to daemon (note: cd /usr/local/syslog-ng/etc/)

[root@server2 etc]# service syslog-ng start
Starting syslog-ng: /usr/local/syslog-ng/sbin/syslog-ng: error while loading shared libraries: libevtlog.so.0: cannot open shared object file: No such file or directory
Starting Kernel Logger:

This error occurs because the shared libraries have not been linked into the loader's search path:

[root@server2 etc]# ln -s /usr/local/eventlog/lib/* /lib/

The following problem occurs because the main configuration file lacks the "@version: 3.0" line:

Starting syslog-ng: Configuration file has no version number, assuming syslog-ng 2.1 format. Please add @version: maj.min to the beginning of the file;

[root@server2 ~]# service syslog-ng start
Starting Kernel Logger:                                    [  OK  ]
[root@server2 etc]# cat /var/log/syslog-ng.log
Jan 28 03:59:07 syslog-ng[20225]: syslog-ng starting up; version='3.0.5'
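To make the filter and flags(final) logic of the configuration above concrete, here is an added example (it is not code from the original article or from syslog-ng): a Python script that decodes the <PRI> value of incoming RFC 3164 lines into facility and severity, applies the same filters and s_remote log statements in file order, and returns the per-host files each message would land in under /var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/. It assumes the HOSTNAME field is present in the line, and the YYYYMMDD date part is passed in explicitly rather than derived from the timestamp. It is a quick check that authpriv and cron messages stop at their own file (flags(final)) while emerg messages reach both console and messages, and that debug-level traffic never reaches the messages file.

```python
import re

# Facility and severity tables from RFC 3164 (PRI = facility * 8 + severity).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def level_range(low, high):
    """syslog-ng level(low..high): every severity from `low` up to `high`
    (so info..emerg is everything except debug)."""
    return set(range(SEVERITIES.index(high), SEVERITIES.index(low) + 1))


# The filters from the article's configuration as predicates on (facility, severity).
FILTERS = {
    "f_messages": lambda fac, sev: sev in level_range("info", "emerg"),
    "f_secure":   lambda fac, sev: fac == "authpriv",
    "f_cron":     lambda fac, sev: fac == "cron",
    "f_emerg":    lambda fac, sev: sev == 0,
    "f_spooler":  lambda fac, sev: sev in level_range("crit", "emerg") and fac in ("uucp", "news"),
    "f_local7":   lambda fac, sev: fac == "local7",
}

# The s_remote log statements in file order:
# (filter, file under the per-host directory, whether the statement has flags(final)).
REMOTE_LOG_PATHS = [
    ("f_emerg",    "console",  False),
    ("f_secure",   "secure",   True),
    ("f_cron",     "cron",     True),
    ("f_spooler",  "spooler",  False),
    ("f_local7",   "bootlog",  False),
    ("f_messages", "messages", False),
]

# <PRI>, an optional RFC 3164 timestamp, then the HOSTNAME field.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d )?(?P<host>\S+) "
)


def decode_pri(pri):
    """Split a PRI value into (facility name, severity number); reject values > 191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return FACILITIES[pri // 8], pri % 8


def route(line, day):
    """Return the server-side files a received line is written to.

    `day` is the YYYYMMDD string that $YEAR$MONTH$DAY expands to; this example
    takes it as a parameter instead of reading it from the message timestamp.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("line does not start with a <PRI> header")
    fac, sev = decode_pri(int(m["pri"]))
    base = f"/var/log/syslog-ng/{day}/{m['host']}"
    files = []
    for filt, fname, final in REMOTE_LOG_PATHS:
        if FILTERS[filt](fac, sev):
            files.append(f"{base}/{fname}")
            if final:  # flags(final): the remaining log statements are skipped
                break
    return files


if __name__ == "__main__":
    # Constructed sample lines modelled on the article's client test.
    for sample in [
        "<13>Jan 28 04:24:32 192.168.90.10 root[2861]: just one test",
        "<86>Jan 28 04:01:04 192.168.90.10 sshd[2832]: Accepted publickey for root",
        "<0>Jan 28 04:05:00 192.168.90.10 kernel: Kernel panic",
        "<191>Jan 28 04:06:00 192.168.90.10 boot: local7.debug message",
    ]:
        print(sample.split(" ", 1)[0], "->", route(sample, "20100128"))
```

Running it shows that the `logger` test line (user.notice, PRI 13) only reaches messages, while an sshd line (authpriv.info, PRI 86) reaches secure and nothing else.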

Client configuration:

[root@client ~]# tail -1 /etc/syslog.conf
*.*	@0
[root@client ~]# logger -i just one test
[root@client ~]# tail -1 /var/log/messages
Jan 27 22:12:02 client root[2861]: just one test
[root@server2 ~]# cat /var/log/syslog-ng/20100128/0/messages
Jan 28 04:24:32 192.168.90.10 root[2861]: just one test
[root@server2 ~]# cat /var/log/syslog-ng/20100128/0/secure
Jan 28 04:01:04 0 sshd[2832]: Accepted publickey for root from port 48834 ssh2
Jan 28 04:01:04 0 sshd[2832]: pam_unix(sshd:session): session opened for user root by (uid=0)

Reference: .en/s/blog_4a071ed80100cssu.html

With syslog-ng configured as above, here is a brief outline of how to store the system logs in MySQL.

1: Link the MySQL header files and libraries under /usr/local

[root@server2 ~]# ln -s /usr/local/mysql/lib/mysql /usr/local/lib/mysql
[root@server2 ~]# ln -s /usr/local/mysql/include/mysql/ /usr/local/include
[root@server2 ~]# cd /usr/local/src/software/sqlsyslogd

2: Download the sqlsyslogd source package. Because the whole directory is fetched recursively, index files named index.html* are downloaded as well and have to be removed.

[root@server2 software]# wget -d -r -np
[root@server2 software]# cd
[root@server2 sqlsyslogd]# rm -rf index.html*
[root@server2 sqlsyslogd]# cd contrib/
[root@server2 contrib]# rm -rf index.html*
[root@server2 contrib]# cd
[root@server2 ~]# mv /usr/local/src/software/ /usr/local/src/software/

3: Run make and copy the sqlsyslogd binary to /usr/local/sbin

[root@server2 ~]# cd /usr/local/src/software/sqlsyslogd/
[root@server2 sqlsyslogd]# make
cc -O6 -Wall -pipe -I/usr/local/include -DCONF=/usr/local/etc/sqlsyslogd.conf -L/usr/local/lib/mysql -lmysqlclient sqlsyslogd.c -o sqlsyslogd
[root@server2 sqlsyslogd]# cp sqlsyslogd /usr/local/sbin/

4: Run the sqlsyslogd program; if the following usage line appears, the installation succeeded

[root@server2 sqlsyslogd]# sqlsyslogd
usage: sqlsyslogd -h hostname -u username -p database

5: Edit /etc/ld.so.conf and make it take effect; this file maintains the locations of the dynamic libraries the loader searches

[root@server2 sqlsyslogd]# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/lib/mysql
[root@server2 sqlsyslogd]# ldconfig

6: Create the database and table

[root@server2 sqlsyslogd]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 158
Server version: 5.1.36-log Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database syslog;
Query OK, 1 row affected (0.00 sec)

mysql> use syslog
Database changed
mysql> create table logs (Id int(10) NOT NULL auto_increment, Timestamp varchar(16), Host varchar(50), Prog varchar(50), Mesg text, PRIMARY KEY (id));
Query OK, 0 rows affected (0.01 sec)

mysql> exit
Bye

7: This file defines the password used to connect to the database

[root@server2 sqlsyslogd]# cat /usr/loca
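The table above is the point where log text meets SQL, and log text is untrusted: as the client test shows, any local user can put arbitrary text into the stream with `logger`. As an added example (not part of the article and not sqlsyslogd's own code), here is a Python script that splits lines in the format of the server's per-host files into the table's four columns and inserts them with bound parameters, so quotes and comment markers in a message are stored literally instead of being interpreted. sqlite3 from the standard library stands in for MySQL so that it runs offline; the column names and widths are the article's, everything else (regex, function names, the constructed sample lines) is this example's. It also checks the VARCHAR widths explicitly, because Timestamp varchar(16) holds the 15-character RFC 3164 stamp but would be silently truncated by MySQL in non-strict mode if a longer ISO 8601 stamp were ever inserted.

```python
import re
import sqlite3

# The article's table with the same column names and widths. sqlite3 does not
# enforce VARCHAR widths, so check_lengths() below does it explicitly.
CREATE_LOGS = """
CREATE TABLE logs (
    Id        INTEGER PRIMARY KEY AUTOINCREMENT,
    Timestamp VARCHAR(16),
    Host      VARCHAR(50),
    Prog      VARCHAR(50),
    Mesg      TEXT
)"""
COLUMN_NAMES = ("Timestamp", "Host", "Prog", "Mesg")
COLUMN_LIMITS = {"Timestamp": 16, "Host": 50, "Prog": 50}

# "Jan 28 04:24:32 192.168.90.10 root[2861]: just one test" -> four columns;
# the optional [pid] is dropped so that Prog holds just the program name.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_line(line):
    """Split one stored line into (Timestamp, Host, Prog, Mesg), or None."""
    m = LINE_RE.match(line)
    return (m["ts"], m["host"], m["prog"], m["msg"]) if m else None


def check_lengths(row):
    """Names of the VARCHAR columns this row would overflow."""
    return [n for n, v in zip(COLUMN_NAMES, row)
            if n in COLUMN_LIMITS and len(v) > COLUMN_LIMITS[n]]


def open_db():
    """In-memory stand-in for the article's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_LOGS)
    return conn


def store(conn, lines):
    """Insert every parseable, schema-fitting line; return the number stored.

    The values are bound parameters: message text is never formatted into
    the SQL string, so nothing a sender writes can change the statement.
    """
    rows = [r for r in map(parse_line, lines) if r and not check_lengths(r)]
    conn.executemany(
        "INSERT INTO logs (Timestamp, Host, Prog, Mesg) VALUES (?, ?, ?, ?)", rows
    )
    conn.commit()
    return len(rows)


def messages_from(conn, prog):
    """All (Host, Mesg) rows for one program, oldest first."""
    return conn.execute(
        "SELECT Host, Mesg FROM logs WHERE Prog = ? ORDER BY Id", (prog,)
    ).fetchall()


# Constructed sample lines in the format of the article's per-host files.
SAMPLE_LINES = [
    "Jan 28 04:24:32 192.168.90.10 root[2861]: just one test",
    "Jan 28 04:01:04 192.168.90.10 sshd[2832]: Accepted publickey for root from 192.168.90.10 port 48834 ssh2",
    "Jan 28 04:01:04 192.168.90.10 sshd[2832]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Jan 28 04:05:11 192.168.90.10 logger[2900]: O'Brien's test; -- quotes and comment markers stay literal",
    "not a syslog line at all",
]

if __name__ == "__main__":
    db = open_db()
    print(store(db, SAMPLE_LINES), "rows stored")
    for host, mesg in messages_from(db, "sshd"):
        print(host, mesg)
```

The unparseable fifth sample is skipped rather than stored half-filled; in a real feed you would want to count such lines, since a burst of them usually means a sender is emitting a format the parser does not expect.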
