Building a Centralized Log Server with syslog-ng on RHEL5

In a production environment it is a good idea to have one log server dedicated to recording the logs of the other servers. The syslog that ships with Red Hat is simple to configure, but it cannot separate the logs: by default everything piles up in /var/log/messages, which is very unpleasant to work with. The following describes how to build a log server with syslog-ng, which also supports importing logs into a database and publishing them through a web page. That sounds quite powerful and is worth studying closely.

Environment

Log server IP: 0; client IP: 0
System: RHEL5.4
Goal: automatically save the clients' logs in the corresponding directories on the server, stored separately by date, IP address and log type.
Note: because this was done in a virtual machine environment, the server and client clocks were not synchronized, so the recorded log times are inconsistent.

    [root@server2 ~]# cd /usr/local/src/tarbag/
    [root@server2 tarbag]# wget http://www.balabit.com/downloads/files/eventlog/0.2/eventlog_0.2.9.tar.gz
    [root@server2 tarbag]# tar -zxvf eventlog_0.2.9.tar.gz -C ./software/
    [root@server2 tarbag]# cd ./software/eventlog-0.2.9/
    [root@server2 eventlog-0.2.9]# ./configure --prefix=/usr/local/eventlog && make && make install
    [root@server2 eventlog-0.2.9]# ls /usr/local/eventlog/
    include  lib
    [root@server2 syslog-ng-3.0.5]# cd -
    /usr/local/src/tarbag
    [root@server2 tarbag]# wget http://www.balabit.com/downloads/files/libol/0.3/libol-0.3.9.tar.gz
    [root@server2 tarbag]# tar -zxvf libol-0.3.9.tar.gz -C ./software/
    [root@server2 tarbag]# cd ./software/libol-0.3.9/
    [root@server2 libol-0.3.9]# ./configure --prefix=/usr/local/libol && make && make install
    [root@server2 libol-0.3.9]# ls /usr/local/libol/
    bin  include  lib
    [root@server2 tarbag]# wget http://www.balabit.com/downloads/files/syslog-ng/sources/3.0.5/source/syslog-ng_3.0.5.tar.gz
    [root@server2 tarbag]# tar -zxvf syslog-ng_3.0.5.tar.gz -C ./software/
    [root@server2 tarbag]# cd ./software/syslog-ng-3.0.5/
    [root@server2 syslog-ng-3.0.5]# export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig
    [root@server2 syslog-ng-3.0.5]# ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol && make && make install

If configure stops with the following error, the PKG_CONFIG_PATH variable was not set correctly:

    configure: error: Cannot find eventlog version >= 0.2: is pkg-config in path?

    [root@server2 syslog-ng-3.0.5]# ls /usr/local/syslog-ng/
    bin  libexec  sbin  share
    [root@server2 syslog-ng-3.0.5]# mkdir /usr/local/syslog-ng/etc
    [root@server2 syslog-ng-3.0.5]# mkdir /usr/local/syslog-ng/var
    [root@server2 syslog-ng-3.0.5]# cp contrib/syslog-ng.conf.RedHat /usr/local/syslog-ng/etc/
    [root@server2 syslog-ng-3.0.5]# cp contrib/init.d.RedHat /etc/init.d/syslog-ng
    [root@server2 syslog-ng-3.0.5]# cd /usr/local/syslog-ng/etc/
    [root@server2 etc]# mv syslog-ng.conf.RedHat syslog-ng.conf
    [root@server2 etc]# cat syslog-ng.conf
    @version: 3.0

    options {
        long_hostnames(off);
        log_msg_size(8192);
        flush_lines(1);
        log_fifo_size(20480);
        time_reopen(10);
        use_dns(yes);
        dns_cache(yes);
        use_fqdn(yes);
        keep_hostname(yes);
        chain_hostnames(no);
        perm(0644);
        stats_freq(43200);
    };

    source s_internal { internal(); };
    destination d_syslognglog { file("/var/log/syslog-ng.log"); };
    log { source(s_internal); destination(d_syslognglog); };

    source s_local {
        unix-dgram("/dev/log");
        file("/proc/kmsg" program_override("kernel:"));
    };

    # Define the 7 log types
    filter f_messages { level(info..emerg); };
    filter f_secure { facility(authpriv); };
    filter f_mail { facility(mail); };
    filter f_cron { facility(cron); };
    filter f_emerg { level(emerg); };
    filter f_spooler { level(crit..emerg) and facility(uucp, news); };
    filter f_local7 { facility(local7); };

    # Define where the 7 log types are stored on the client
    destination d_messages { file("/var/log/messages"); };
    destination d_secure { file("/var/log/secure"); };
    destination d_maillog { file("/var/log/maillog"); };
    destination d_cron { file("/var/log/cron"); };
    destination d_console { usertty("root"); };
    destination d_spooler { file("/var/log/spooler"); };
    destination d_bootlog { file("/var/log/dmesg"); };

    log { source(s_local); filter(f_emerg); destination(d_console); };
    log { source(s_local); filter(f_secure); destination(d_secure); flags(final); };
    log { source(s_local); filter(f_mail); destination(d_maillog); flags(final); };
    log { source(s_local); filter(f_cron); destination(d_cron); flags(final); };
    log { source(s_local); filter(f_spooler); destination(d_spooler); };
    log { source(s_local); filter(f_local7); destination(d_bootlog); };
    log { source(s_local); filter(f_messages); destination(d_messages); };

    # Remote logging
    # Define the listening ports
    source s_remote {
        tcp(ip(0.0.0.0) port(514));
        udp(ip(0.0.0.0) port(514));
    };

    # Define the format, location, permissions, etc. of the client logs stored on the server
    destination r_console { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
    destination r_secure { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
    destination r_cron { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
    destination r_spooler { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
    destination r_bootlog { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
    destination r_messages { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };

    log { source(s_remote); filter(f_emerg); destination(r_console); };
    log { source(s_remote); filter(f_secure); destination(r_secure); flags(final); };
    log { source(s_remote); filter(f_cron); destination(r_cron); flags(final); };
    log { source(s_remote); filter(f_spooler); destination(r_spooler); };
    log { source(s_remote); filter(f_local7); destination(r_bootlog); };
    log { source(s_remote); filter(f_messages); destination(r_messages); };

Add the service (note: this is not the etc under usr):

    [root@server2 etc]# chmod +x /etc/init.d/syslog-ng
    [root@server2 etc]# chkconfig --add syslog-ng
    service syslog-ng does not support chkconfig

If this error appears, change the first four lines of the script as follows:

    [root@server2 etc]# head -4 /etc/init.d/syslog-ng
    #!/bin/bash
    #chkconifg: --add syslog-ng
    #chkconfig: 2345 12 88
    #Description: syslog-ng

The script also needs to be changed in the following three places (note: cd /usr/local/syslog-ng/etc/):

    [root@server2 etc]# grep PATH /etc/init.d/syslog-ng
    PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/syslog-ng/bin:/usr/local/syslog-ng/sbin
    [root@server2 etc]# grep INIT /etc/init.d/syslog-ng | head -2
    INIT_PROG="/usr/local/syslog-ng/sbin/syslog-ng"    # Full path to daemon
    INIT_OPTS="-f /usr/local/syslog-ng/etc/syslog-ng.conf"    # options passed to daemon

    [root@server2 etc]# service syslog-ng start
    Starting syslog-ng: /usr/local/syslog-ng/sbin/syslog-ng: error while loading shared libraries: libevtlog.so.0: cannot open shared object file: No such file or directory
    Starting Kernel Logger:

This error occurs because the shared library links have not been set up:

    [root@server2 etc]# ln -s /usr/local/eventlog/lib/* /lib/

The following problem occurs because the main configuration file is missing the line "@version: 3.0":

    Starting syslog-ng: Configuration file has no version number, assuming syslog-ng 2.1 format. Please add @version: maj.min to the beginning of the file;

    [root@server2 ~]# service syslog-ng start
    Starting Kernel Logger: [ OK ]
    [root@server2 etc]# cat /var/log/syslog-ng.log
    Jan 28 03:59:07 syslog-ng[20225]: syslog-ng starting up; version='3.0.5'

Client configuration:

    [root@client ~]# tail -1 /etc/syslog.conf
    *.*0
    [root@client ~]# logger -i just one test
    [root@client ~]# tail -1 /var/log/messages
    Jan 27 22:12:02 client root[2861]: just one test
    [root@server2 ~]# cat /var/log/syslog-ng/20100128/0/messages
    Jan 28 04:24:32 192.168.90.10 root[2861]: just one test
    [root@server2 ~]# cat /var/log/syslog-ng/20100128/0/secure
    Jan 28 04:01:04 0 sshd[2832]: Accepted publickey for root from port 48834 ssh2
    Jan 28 04:01:04 0 sshd[2832]: pam_unix(sshd:session): session opened for user root by (uid=0)

Reference site: .en/s/blog_4a071ed80100cssu.html

With syslog-ng configured, the following briefly outlines how to store the system logs in MySQL.

1: Link the MySQL header files and library files under /usr/local

    [root@server2 ~]# ln -s /usr/local/mysql/lib/mysql /usr/local/lib/mysql
    [root@server2 ~]# ln -s /usr/local/mysql/include/mysql/ /usr/local/include
    [root@server2 ~]# cd /usr/local/src/software/sqlsyslogd

2: Download the sqlsyslogd source package. Because the whole directory is downloaded, index files whose names begin with index.html are downloaded as well.

    [root@server2 software]# wget -d -r -np
    [root@server2 software]# cd
    [root@server2 sqlsyslogd]# rm -rf index.html*
    [root@server2 sqlsyslogd]# cd contrib/
    [root@server2 contrib]# rm -rf index.html*
    [root@server2 contrib]# cd
    [root@server2 ~]# mv /usr/local/src/software/ /usr/local/src/software/

3: Run make and copy the sqlsyslogd binary to the /usr/local/sbin directory

    [root@server2 ~]# cd /usr/local/src/software/sqlsyslogd/
    [root@server2 sqlsyslogd]# make
    cc -O6 -Wall -pipe -I/usr/local/include -DCONF=/usr/local/etc/sqlsyslogd.conf -L/usr/local/lib/mysql -lmysqlclient sqlsyslogd.c -o sqlsyslogd
    [root@server2 sqlsyslogd]# cp sqlsyslogd /usr/local/sbin/

4: Run the sqlsyslogd program; if the following command options appear, the installation succeeded

    [root@server2 sqlsyslogd]# sqlsyslogd
    usage: sqlsyslogd -h hostname -u username -p database

5: Edit the /etc/ld.so.conf file and make the change take effect; this file maintains the locations of the compiled dynamic link libraries

    [root@server2 sqlsyslogd]# cat /etc/ld.so.conf
    include ld.so.conf.d/*.conf
    /usr/local/lib/mysql
    [root@server2 sqlsyslogd]# ldconfig

6: Create the corresponding database and table

    [root@server2 sqlsyslogd]# mysql
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 158
    Server version: 5.1.36-log Source distribution
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    mysql> create database syslog;
    Query OK, 1 row affected (0.00 sec)
    mysql> use syslog
    Database changed
    mysql> create table logs (Id int(10) NOT NULL auto_increment,Timestamp varchar(16),Host varchar(50),Prog varchar(50),Mesg text,PRIMARY KEY (id));
    Query OK, 0 rows affected (0.01 sec)
    mysql> exit
    Bye

7: This file defines the password used to connect to the database

    [root@server2 sqlsyslogd]# cat /usr/loca
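To make the effect of the remote log statements and flags(final) in the syslog-ng.conf above concrete, here is an added example (not part of the original document). It models the six s_remote log paths in Python and returns the server-side files that one message is written to; the names route, FILTERS and REMOTE_PATHS and the sample host are hypothetical.

```python
# Added illustration, not from the original page: models the s_remote log paths
# of the syslog-ng.conf above to show which files one message ends up in.
from datetime import date

FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
            6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
            **{16 + i: f"local{i}" for i in range(8)}}
EMERG, CRIT, INFO = 0, 2, 6   # syslog severities: lower number = more severe

# Filters from the config, as predicates over (facility name, severity number).
FILTERS = {
    "f_messages": lambda fac, sev: sev <= INFO,             # level(info..emerg)
    "f_secure":   lambda fac, sev: fac == "authpriv",
    "f_cron":     lambda fac, sev: fac == "cron",
    "f_emerg":    lambda fac, sev: sev == EMERG,
    "f_spooler":  lambda fac, sev: sev <= CRIT and fac in ("uucp", "news"),
    "f_local7":   lambda fac, sev: fac == "local7",
}

# Remote log statements in file order: (filter, destination file, flags(final)?)
REMOTE_PATHS = [
    ("f_emerg", "console", False),
    ("f_secure", "secure", True),
    ("f_cron", "cron", True),
    ("f_spooler", "spooler", False),
    ("f_local7", "bootlog", False),
    ("f_messages", "messages", False),
]

def route(pri, host, day):
    """Return the server-side files a message with this <PRI> is written to."""
    fac, sev = FACILITY.get(pri >> 3, "unknown"), pri & 7   # PRI = facility*8 + severity
    base = f"/var/log/syslog-ng/{day:%Y%m%d}/{host}"        # $YEAR$MONTH$DAY/$HOST
    files = []
    for flt, name, final in REMOTE_PATHS:
        if FILTERS[flt](fac, sev):
            files.append(f"{base}/{name}")
            if final:             # flags(final): later log statements never see it
                break
    return files

if __name__ == "__main__":
    day = date(2010, 1, 28)       # constructed sample date and host
    for pri in (86, 78, 22, 0, 80, 66, 15):
        print(pri, route(pri, "client.example", day))
```

Two things become visible this way: debug-level messages from clients match no filter and are stored nowhere, and because there is no remote mail log path, client mail messages at info or above land in the per-host messages file.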
