Building a centralized log server with syslog-ng on RHEL5

In a production environment it is a good idea to have one log server whose only job is to record the logs of the other servers. The syslog that ships with Red Hat can do this and is simple to configure, but it cannot separate the logs: by default everything is piled into /var/log/messages, which is very unpleasant to work with. Below I describe building a log server with syslog-ng. It also supports importing logs into a database and publishing them through a web page, which sounds rather powerful, so it is worth digging into.

Environment
Log server IP: 0 ; client IP: 0
System: RHEL5.4

Goal
Client logs are saved automatically into the corresponding directories on the server, split by date, IP address and log type.

Note: this was done in a virtual machine environment and the clocks of the server and client were not synchronized, so the timestamps recorded in the logs do not match.

Server installation

[root@server2 ~]# cd /usr/local/src/tarbag/
[root@server2 tarbag]# wget http://www.balabit.com/downloads/files/eventlog/0.2/eventlog_0.2.9.tar.gz
[root@server2 tarbag]# tar -zxvf eventlog_0.2.9.tar.gz -C ./software/
[root@server2 tarbag]# cd ./software/eventlog-0.2.9/
[root@server2 eventlog-0.2.9]# ./configure --prefix=/usr/local/eventlog && make && make install
[root@server2 eventlog-0.2.9]# ls /usr/local/eventlog/
include  lib
[root@server2 syslog-ng-3.0.5]# cd -
/usr/local/src/tarbag
[root@server2 tarbag]# wget http://www.balabit.com/downloads/files/libol/0.3/libol-0.3.9.tar.gz
[root@server2 tarbag]# tar -zxvf libol-0.3.9.tar.gz -C ./software/
[root@server2 tarbag]# cd ./software/libol-0.3.9/
[root@server2 libol-0.3.9]# ./configure --prefix=/usr/local/libol && make && make install
[root@server2 libol-0.3.9]# ls /usr/local/libol/
bin  include  lib
[root@server2 tarbag]# wget http://www.balabit.com/downloads/files/syslog-ng/sources/3.0.5/source/syslog-ng_3.0.5.tar.gz
[root@server2 tarbag]# tar -zxvf syslog-ng_3.0.5.tar.gz -C ./software/
[root@server2 tarbag]# cd ./software/syslog-ng-3.0.5/
[root@server2 syslog-ng-3.0.5]# export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig
[root@server2 syslog-ng-3.0.5]# ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol && make && make install

If configure stops with

configure: error: Cannot find eventlog version >= 0.2: is pkg-config in path?

the PKG_CONFIG_PATH variable was not set correctly.

[root@server2 syslog-ng-3.0.5]# ls /usr/local/syslog-ng/
bin  libexec  sbin  share
[root@server2 syslog-ng-3.0.5]# mkdir /usr/local/syslog-ng/etc
[root@server2 syslog-ng-3.0.5]# mkdir /usr/local/syslog-ng/var
[root@server2 syslog-ng-3.0.5]# cp contrib/syslog-ng.conf.RedHat /usr/local/syslog-ng/etc/
[root@server2 syslog-ng-3.0.5]# cp contrib/init.d.RedHat /etc/init.d/syslog-ng
[root@server2 syslog-ng-3.0.5]# cd /usr/local/syslog-ng/etc/
[root@server2 etc]# mv syslog-ng.conf.RedHat syslog-ng.conf
[root@server2 etc]# cat syslog-ng.conf
@version: 3.0

options {
    long_hostnames(off);
    log_msg_size(8192);
    flush_lines(1);
    log_fifo_size(20480);
    time_reopen(10);
    use_dns(yes);
    dns_cache(yes);
    use_fqdn(yes);
    keep_hostname(yes);
    chain_hostnames(no);
    perm(0644);
    stats_freq(43200);
};

source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };

source s_local {
    unix-dgram("/dev/log");
    file("/proc/kmsg" program_override("kernel:"));
};

# Define the 7 log types
filter f_messages { level(info..emerg); };
filter f_secure   { facility(authpriv); };
filter f_mail     { facility(mail); };
filter f_cron     { facility(cron); };
filter f_emerg    { level(emerg); };
filter f_spooler  { level(crit..emerg) and facility(uucp, news); };
filter f_local7   { facility(local7); };

# Define where the 7 log types are stored on the client side
destination d_messages { file("/var/log/messages"); };
destination d_secure   { file("/var/log/secure"); };
destination d_maillog  { file("/var/log/maillog"); };
destination d_cron     { file("/var/log/cron"); };
destination d_console  { usertty("root"); };
destination d_spooler  { file("/var/log/spooler"); };
destination d_bootlog  { file("/var/log/dmesg"); };

log { source(s_local); filter(f_emerg);    destination(d_console); };
log { source(s_local); filter(f_secure);   destination(d_secure);   flags(final); };
log { source(s_local); filter(f_mail);     destination(d_maillog);  flags(final); };
log { source(s_local); filter(f_cron);     destination(d_cron);     flags(final); };
log { source(s_local); filter(f_spooler);  destination(d_spooler); };
log { source(s_local); filter(f_local7);   destination(d_bootlog); };
log { source(s_local); filter(f_messages); destination(d_messages); };

# Remote logging
# Define the ports to listen on
source s_remote {
    tcp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(514));
};

# Define the format, location and permissions of the client logs stored on the server
destination r_console  { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console"  owner(root) group(root) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_secure   { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure"   owner(root) group(root) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_cron     { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron"     owner(root) group(root) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_spooler  { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler"  owner(root) group(root) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_bootlog  { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog"  owner(root) group(root) perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_messages { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages" owner(root) group(root) perm(0640) dir_perm(0750) create_dirs(yes)); };

log { source(s_remote); filter(f_emerg);    destination(r_console); };
log { source(s_remote); filter(f_secure);   destination(r_secure);  flags(final); };
log { source(s_remote); filter(f_cron);     destination(r_cron);    flags(final); };
log { source(s_remote); filter(f_spooler);  destination(r_spooler); };
log { source(s_remote); filter(f_local7);   destination(r_bootlog); };
log { source(s_remote); filter(f_messages); destination(r_messages); };

Init script

[root@server2 etc]# chmod +x /etc/init.d/syslog-ng
[root@server2 etc]# chkconfig --add syslog-ng
service syslog-ng does not support chkconfig

If this error appears, change the first four lines of the script as follows (note: the service script is in /etc, not in the etc directory under /usr):

[root@server2 etc]# head -4 /etc/init.d/syslog-ng
#!/bin/bash
#chkconifg: -add syslog-ng
#chkconfig: 2345 12 88
#Description: syslog-ng

The script also needs changes in the following three places:

[root@server2 etc]# grep PATH /etc/init.d/syslog-ng
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/syslog-ng/bin:/usr/local/syslog-ng/sbin
[root@server2 etc]# grep INIT /etc/init.d/syslog-ng | head -2
INIT_PROG=/usr/local/syslog-ng/sbin/syslog-ng   # Full path to daemon
# options passed to daemon (note: the configuration file is in /usr/local/syslog-ng/etc/)
INIT_OPTS="-f /usr/local/syslog-ng/etc/syslog-ng.conf"

[root@server2 etc]# service syslog-ng start
Starting syslog-ng: /usr/local/syslog-ng/sbin/syslog-ng: error while loading shared libraries: libevtlog.so.0: cannot open shared object file: No such file or directory
Starting Kernel Logger:

This error appears because the shared library link has not been created:

[root@server2 etc]# ln -s /usr/local/eventlog/lib/* /lib/

The following problem appears because the main configuration file is missing the line @version: 3.0:

Starting syslog-ng: Configuration file has no version number, assuming syslog-ng 2.1 format. Please add @version: maj.min to the beginning of the file;

[root@server2 ~]# service syslog-ng start
Starting Kernel Logger:  [  OK  ]
[root@server2 etc]# cat /var/log/syslog-ng.log
Jan 28 03:59:07 syslog-ng[20225]: syslog-ng starting up; version='3.0.5'

Client configuration

[root@client ~]# tail -1 /etc/syslog.conf
*.*    @0
[root@client ~]# logger -i just one test
[root@client ~]# tail -1 /var/log/messages
Jan 27 22:12:02 client root[2861]: just one test
[root@server2 ~]# cat /var/log/syslog-ng/20100128/0/messages
Jan 28 04:24:32 192.168.90.10 root[2861]: just one test
[root@server2 ~]# cat /var/log/syslog-ng/20100128/0/secure
Jan 28 04:01:04 0 sshd[2832]: Accepted publickey for root from  port 48834 ssh2
Jan 28 04:01:04 0 sshd[2832]: pam_unix(sshd:session): session opened for user root by (uid=0)

Reference site: .en/s/blog_4a071ed80100cssu.html

Storing the logs in MySQL

With syslog-ng configured, here is a brief outline of how to store the system logs in MySQL.

1: Link the MySQL header files and libraries under /usr/local

[root@server2 ~]# ln -s /usr/local/mysql/lib/mysql /usr/local/lib/mysql
[root@server2 ~]# ln -s /usr/local/mysql/include/mysql/ /usr/local/include
[root@server2 ~]# cd /usr/local/src/software/sqlsyslogd

2: Download the sqlsyslogd source. Because the whole directory is fetched, index files named index.html* are downloaded as well and must be removed.

[root@server2 software]# wget -d -r -np 
[root@server2 software]# cd 
[root@server2 sqlsyslogd]# rm -rf index.html*
[root@server2 sqlsyslogd]# cd contrib/
[root@server2 contrib]# rm -rf index.html*
[root@server2 contrib]# cd
[root@server2 ~]# mv /usr/local/src/software/ /usr/local/src/software/

3: Run make and copy the sqlsyslogd binary to /usr/local/sbin

[root@server2 ~]# cd /usr/local/src/software/sqlsyslogd/
[root@server2 sqlsyslogd]# make
cc -O6 -Wall -pipe -I/usr/local/include -DCONF=/usr/local/etc/sqlsyslogd.conf -L/usr/local/lib/mysql -lmysqlclient sqlsyslogd.c -o sqlsyslogd
[root@server2 sqlsyslogd]# cp sqlsyslogd /usr/local/sbin/

4: Run sqlsyslogd; if the following usage text appears, the installation succeeded

[root@server2 sqlsyslogd]# sqlsyslogd
usage: sqlsyslogd -h hostname -u username -p database

5: Edit /etc/ld.so.conf and make it take effect; this file maintains the locations of the dynamic libraries used at link time

[root@server2 sqlsyslogd]# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/lib/mysql
[root@server2 sqlsyslogd]# ldconfig

6: Create the database and table

[root@server2 sqlsyslogd]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 158
Server version: 5.1.36-log Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database syslog;
Query OK, 1 row affected (0.00 sec)

mysql> use syslog
Database changed
mysql> create table logs (
    -> Id int(10) NOT NULL auto_increment,
    -> Timestamp varchar(16),
    -> Host varchar(50),
    -> Prog varchar(50),
    -> Mesg text,
    -> PRIMARY KEY (id));
Query OK, 0 rows affected (0.01 sec)

mysql> exit
Bye

7: This file defines the password used to connect to the database

[root@server2 sqlsyslogd]# cat /usr/loca
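The server-side filters and log statements above decide which file under /var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/ a remote message ends up in, and flags(final) decides whether later statements still see it. The following Python model is an added example, not part of the original tutorial or of syslog-ng: it re-implements those filters and the s_remote log statements in their configured order, renders the file template, and lets you check the routing of a message without a running daemon. The sample messages are constructed; the host 192.168.90.10 and the date 20100128 are taken from the tutorial's own output.

```python
"""Model of the s_remote routing in the syslog-ng.conf above (added example)."""
from dataclasses import dataclass
from datetime import datetime

# RFC 3164 severities; a lower index is more urgent.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def level_in(level, low, high):
    """syslog-ng level(low..high): inclusive range from the least urgent
    'low' up to the most urgent 'high'."""
    return LEVELS.index(high) <= LEVELS.index(level) <= LEVELS.index(low)


@dataclass
class Message:
    facility: str        # e.g. "authpriv"
    level: str           # e.g. "info"
    host: str            # what the $HOST macro expands to
    received: datetime   # drives $YEAR$MONTH$DAY


# The filter {} blocks of the configuration, one predicate each.
FILTERS = {
    "f_messages": lambda m: level_in(m.level, "info", "emerg"),
    "f_secure":   lambda m: m.facility == "authpriv",
    "f_mail":     lambda m: m.facility == "mail",
    "f_cron":     lambda m: m.facility == "cron",
    "f_emerg":    lambda m: m.level == "emerg",
    "f_spooler":  lambda m: level_in(m.level, "crit", "emerg")
                            and m.facility in ("uucp", "news"),
    "f_local7":   lambda m: m.facility == "local7",
}

# The log {} statements for source(s_remote), in configuration order:
# (filter name, destination file name, flags(final) present?)
REMOTE_LOG_STATEMENTS = [
    ("f_emerg",    "console",  False),
    ("f_secure",   "secure",   True),
    ("f_cron",     "cron",     True),
    ("f_spooler",  "spooler",  False),
    ("f_local7",   "bootlog",  False),
    ("f_messages", "messages", False),
]

BASE = "/var/log/syslog-ng"


def destination_file(m, name):
    """Render file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/<name>")."""
    return f"{BASE}/{m.received:%Y%m%d}/{m.host}/{name}"


def route(m):
    """Return the files a remote message is written to, in order.

    flags(final) on a matching statement stops evaluation, so a secure
    message goes only to .../secure, while an emerg message (no final)
    reaches .../console and then also .../messages."""
    files = []
    for filt, name, final in REMOTE_LOG_STATEMENTS:
        if FILTERS[filt](m):
            files.append(destination_file(m, name))
            if final:
                break
    return files


if __name__ == "__main__":
    # Constructed sample: the sshd line from the tutorial's secure file.
    when = datetime(2010, 1, 28, 4, 1, 4)
    for fac, lvl in [("authpriv", "info"), ("user", "notice"),
                     ("kern", "emerg"), ("mail", "info"), ("daemon", "debug")]:
        print(f"{fac}.{lvl:8s} -> {route(Message(fac, lvl, '192.168.90.10', when))}")
```

Two things the model makes visible that the configuration file does not say out loud: there is no mail statement for s_remote, so a client's mail logs land in its messages file, and debug-level records match no statement at all and are dropped. Also note that with keep_hostname(yes) the $HOST part of the path is whatever hostname the client wrote into the message (or, when a client's syslogd sends none, the sender address), so the directory name is client-supplied rather than verified.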
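The logs table created above has four payload columns (Timestamp, Host, Prog, Mesg), and the lines the server writes look like `Jan 28 04:24:32 192.168.90.10 root[2861]: just one test`. The following Python is an added example, not part of the tutorial and not the sqlsyslogd program: it parses lines of that shape into those four columns and stores them, using sqlite3 in place of MySQL so that it runs offline. The column definitions mirror the tutorial's CREATE TABLE (with sqlite's AUTOINCREMENT spelling for Id); the PID in brackets is dropped because the table has no column for it. All log lines in the block are constructed samples.

```python
"""Parse syslog lines into the tutorial's `logs` schema (added example)."""
import re
import sqlite3

# Constructed sample lines in the format written by the r_* destinations.
SAMPLE_LINES = [
    "Jan 28 04:24:32 192.168.90.10 root[2861]: just one test",
    "Jan 28 04:01:04 192.168.90.10 sshd[2832]: pam_unix(sshd:session): "
    "session opened for user root by (uid=0)",
    "Jan 28 04:05:17 192.168.90.10 kernel: eth0: link up",   # no PID
    "this line is not a syslog record",                       # rejected
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) "   # "Jan 28 04:24:32"
    r"(?P<host>\S+) "                                    # hostname or address
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "        # "root[2861]:" / "kernel:"
    r"(?P<msg>.*)$"
)

# Same columns as the tutorial's table; Id spelled the sqlite way.
SCHEMA = """
CREATE TABLE logs (
    Id        INTEGER PRIMARY KEY AUTOINCREMENT,
    Timestamp VARCHAR(16),
    Host      VARCHAR(50),
    Prog      VARCHAR(50),
    Mesg      TEXT
)"""


def parse_line(line):
    """Return (Timestamp, Host, Prog, Mesg) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m.group("ts"), m.group("host"), m.group("prog"), m.group("msg"))


def load(lines, conn):
    """Insert every parseable line with a parameterised statement.
    Returns (stored, rejected) counts; unparseable lines are never stored."""
    stored = rejected = 0
    for line in lines:
        row = parse_line(line)
        if row is None:
            rejected += 1
            continue
        conn.execute(
            "INSERT INTO logs (Timestamp, Host, Prog, Mesg) VALUES (?, ?, ?, ?)", row)
        stored += 1
    conn.commit()
    return stored, rejected


def programs_for_host(conn, host):
    """Distinct program names recorded for one host, in first-seen order."""
    cur = conn.execute("SELECT Prog FROM logs WHERE Host = ? ORDER BY Id", (host,))
    return list(dict.fromkeys(r[0] for r in cur))


def demo():
    """Load the samples into an in-memory database and summarise them."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    counts = load(SAMPLE_LINES, conn)
    progs = programs_for_host(conn, "192.168.90.10")
    conn.close()
    return counts, progs


if __name__ == "__main__":
    print(demo())
```

The parameterised INSERT matters here: the Mesg column holds text that arrives from other hosts, so it must never be spliced into the SQL string. Note also that the RFC 3164 timestamp carries no year, which is why the tutorial's directory layout uses the server's $YEAR$MONTH$DAY rather than anything from the message.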
