syslog-ng: installation and usage notes

1. Installation

On Ubuntu:

sudo apt-get install syslog-ng

At this point the install fails:

The following packages have unmet dependencies:
 syslog-ng : Depends: syslog-ng-core (>= 3.5.3)
             Depends: syslog-ng-mod-sql
             Depends: syslog-ng-mod-mongodb
             Depends: syslog-ng-mod-json
             Recommends: syslog-ng-mod-smtp
             Recommends: syslog-ng-mod-amqp
             Recommends: syslog-ng-mod-geoip
             Recommends: syslog-ng-mod-redis
             Recommends: syslog-ng-mod-stomp
E: Unable to correct problems, you have held broken packages.

It reports unmet dependencies; installing the required packages listed above with apt fixes it.
After they have been installed, installing syslog-ng again succeeds.

2. Usage

Official documentation:
https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/so-contents.html
Read the documentation carefully.
Read the documentation carefully.
Read the documentation carefully.
Important things get said three times!!
Starting the service:

service syslog-ng start

OK, on to the main part. I am not going to go into detail here, just a stripped-down version:

@version: 3.5
@include "scl.conf"
@include "`scl-root`/system/tty10.conf"

# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.

# First, set some global options.
options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
      owner("root"); group("adm"); perm(0640); stats_freq(0);
      bad_hostname("^gconfd$");
};

########################
# Sources
########################
# Read the local file and also listen on UDP 514 on every interface.
# The udp() source accepts unauthenticated datagrams from any host that can
# reach it, so bind ip() to a specific address or firewall the port if this
# machine is not meant to be a collector.
#
source s_src {
       file ("/etc/syslog-ng/log0.txt" follow-freq(1));
       udp(ip(0.0.0.0) port(514));
};


destination d_test { file("/etc/syslog-ng/log1.txt"  owner("root") group("adm") perm(0600) dir_perm(0700) create_dirs(yes));  };


log { source(s_src); destination(d_test); };
# All messages send to a remote site
#
#log { source(s_src); destination(d_net); };

###
# Include all config files in /etc/syslog-ng/conf.d/
###
@include "/etc/syslog-ng/conf.d/*.conf"

Simply put, syslog-ng is like a process that listens in real time, and how it works is configured through syslog-ng.conf.
In other words, the configuration is what matters:

/etc/syslog-ng/syslog-ng.conf

options configures global variables and global settings.
SOURCE configures where your messages come from, i.e. where syslog-ng listens: a TCP port, a UDP port, a file, and so on.
DESTINATIONS configures where the log is written once a message has been received.
FILTERS select messages, so that you pick out the ones you need from a flood of data; regular-expression matching can be used here.
LOG ties the three above together (SOURCE, DESTINATIONS, FILTERS):
it sets which messages to listen for, which filter to pass them through, and where to write the log.
That is the basic usage. Here is a basic script that writes to the file.

import time
import random

def random_ip():
    # Constructed random IPv4 address for the sample log lines
    return '%d.%d.%d.%d' % tuple(random.randint(0, 255) for _ in range(4))

def write_interl(fp):
    logtype = ['status_log', 'attack_log', 'FlowLog']
    statuslog = {'read': '1', 'write': '0',
                 'code': '%d' % random.randint(0, 1200),
                 'ip': random_ip(),
                 'date': str(time.time())}
    attacklog = {'ip': random_ip(),
                 'attack_type': '%d' % random.randint(0, 9),
                 'date': '%9d' % time.time()}
    # flowlog = {'max': '1M', 'low': '10'}   # FlowLog records are not generated yet
    i = random.randint(0, 1)                  # pick status_log or attack_log at random
    fp.write(logtype[i])
    fp.write(',')
    record = statuslog if i == 0 else attacklog
    for j in record:                          # comma separated key=value pairs
        fp.write(j); fp.write('='); fp.write(record[j]); fp.write(',')
    fp.write('\n')

fp = open('log0.txt', 'w+')
while True:
    for k in range(10):
        write_interl(fp)
    fp.flush()       # push the batch to disk so syslog-ng's file source (follow-freq(1)) sees it
    time.sleep(6)

Run it in that directory and it writes straight into the file.
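The FILTERS and LOG statements described above decide which messages reach a destination, and the generator writes comma-separated key=value records. As an added example (not code from the original post), here is a small Python 3 consumer that parses those records and applies the same kind of filter in code, so a match rule can be checked on sample data before it goes into a syslog-ng filter {} block. The optional "Mmm dd hh:mm:ss host " header prefix is an assumption about what a file destination may prepend; the sample lines are constructed.

```python
# Added example: parse the generator's key=value lines and filter them the
# way syslog-ng's filter {} + log {} statements would.
import re
from collections import Counter

# Assumed shape of a header a file destination may prepend; lines without it
# are handled too.
HEADER_RE = re.compile(r'^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ ')


def parse_line(line):
    """Return (logtype, fields) for one generated line, or None if malformed."""
    line = HEADER_RE.sub('', line.rstrip('\n'))
    parts = [p for p in line.split(',') if p]   # drop the empty field left by the trailing comma
    if not parts or '=' in parts[0]:
        return None
    logtype, kv = parts[0], parts[1:]
    if not kv:                                  # a type with no fields is not a record
        return None
    fields = {}
    for item in kv:
        if '=' not in item:
            return None
        k, v = item.split('=', 1)
        fields[k] = v
    return logtype, fields


def make_filter(logtype=None, message_re=None):
    """Build a predicate like a filter {} block: match on the record type
    and/or a regular expression over the raw message text."""
    rx = re.compile(message_re) if message_re else None

    def pred(line):
        parsed = parse_line(line)
        if parsed is None:
            return False
        if logtype and parsed[0] != logtype:
            return False
        if rx and not rx.search(line):
            return False
        return True
    return pred


def route(lines, pred):
    """The log {} statement: source -> filter -> destination (a list here instead of a file)."""
    return [l for l in lines if pred(l)]


def attacks_per_ip(lines):
    """Count attack_log records per source ip, as a destination feeding a dashboard would."""
    counts = Counter()
    for l in route(lines, make_filter(logtype='attack_log')):
        counts[parse_line(l)[1]['ip']] += 1
    return counts


# Constructed sample lines in the generator's format (not real log data)
SAMPLE = [
    'status_log,read=1,write=0,code=200,ip=10.1.2.3,date=1326881713.5,',
    'attack_log,ip=198.51.100.7,attack_type=3,date=1326881714,',
    'Jan 18 18:15:13 myhost attack_log,ip=198.51.100.7,attack_type=9,date=1326881715,',
    'attack_log,ip=203.0.113.9,attack_type=0,date=1326881716,',
    'garbage line with no structure',
]

if __name__ == '__main__':
    for line in route(SAMPLE, make_filter(message_re=r'attack_type=[89]')):
        print('high attack_type:', parse_line(line))
    print('attacks per ip:', dict(attacks_per_ip(SAMPLE)))
```

Malformed lines are dropped rather than raising, which is the behaviour you want from anything that sits behind a log source: one bad line must not stop the consumer.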
In addition, here is a UDP script reposted from elsewhere.
Source: http://genggeng.iteye.com/blog/1359887

#!/usr/bin/env python
#coding:utf-8
#filename:socket_log.py

'''
author: gavingeng
date:   2012-01-18 18:15:13
'''
import socket
import sys
import traceback

def sendMsg(msg):
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.connect(('127.0.0.1', 514))      # syslog-ng's udp() source on the local machine
        sock.sendall(msg.encode('utf-8'))     # the UDP payload must be bytes
        sock.close()
    except Exception:
        traceback.print_exc()

if __name__ == '__main__':
    if len(sys.argv) < 2:
        print("please input message")
        sys.exit(1)                           # do not fall through to sys.argv[1]
    sendMsg(sys.argv[1])
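The reposted script sends the bare text, which syslog-ng accepts but then has to guess a facility and priority for. As an added example (not from the original post or the reposted script), here is a Python 3 sender that frames the datagram in the BSD syslog format (RFC 3164) the udp() source expects, with PRI = facility * 8 + severity, plus a parser to check what syslog-ng will see on the wire. The host, port, tag and hostname defaults are assumptions.

```python
#!/usr/bin/env python3
# Added example: send an RFC 3164 framed datagram to the udp() source.
import socket
import time

FACILITIES = {'kern': 0, 'user': 1, 'mail': 2, 'daemon': 3, 'auth': 4,
              'syslog': 5, 'lpr': 6, 'news': 7, 'uucp': 8, 'cron': 9,
              'authpriv': 10, 'ftp': 11, 'local0': 16, 'local1': 17,
              'local2': 18, 'local3': 19, 'local4': 20, 'local5': 21,
              'local6': 22, 'local7': 23}
SEVERITIES = {'emerg': 0, 'alert': 1, 'crit': 2, 'err': 3,
              'warning': 4, 'notice': 5, 'info': 6, 'debug': 7}


def pri(facility, severity):
    """PRI value as defined by RFC 3164: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def rfc3164_timestamp(t=None):
    """'Mmm dd hh:mm:ss' with a space-padded day, as the RFC requires."""
    lt = time.localtime(t)
    return '%s %2d %s' % (time.strftime('%b', lt), lt.tm_mday,
                          time.strftime('%H:%M:%S', lt))


def build_message(msg, tag='logtest', hostname='localhost',
                  facility='local0', severity='info', t=None):
    """Return the framed datagram as bytes: <PRI>TIMESTAMP HOST TAG: MSG."""
    header = '<%d>%s %s %s: ' % (pri(facility, severity),
                                 rfc3164_timestamp(t), hostname, tag)
    return (header + msg).encode('utf-8')


def parse_pri(datagram):
    """Split a framed datagram into (facility, severity, rest), i.e. what
    syslog-ng will derive from the PRI field."""
    text = datagram.decode('utf-8')
    if not text.startswith('<') or '>' not in text:
        raise ValueError('no PRI field')
    value, rest = text[1:].split('>', 1)
    value = int(value)
    fac_names = {v: k for k, v in FACILITIES.items()}
    sev_names = {v: k for k, v in SEVERITIES.items()}
    fac = fac_names.get(value // 8, 'facility%d' % (value // 8))
    return fac, sev_names[value % 8], rest


def send_msg(msg, host='127.0.0.1', port=514, **kw):
    """Send one framed datagram. UDP is fire-and-forget: nothing confirms
    that the collector received it, so do not rely on it for audit trails."""
    datagram = build_message(msg, **kw)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.sendto(datagram, (host, port))
    finally:
        sock.close()
    return datagram


if __name__ == '__main__':
    # Constructed message in the generator's format
    sent = send_msg('attack_log,ip=198.51.100.7,attack_type=3,',
                    facility='local0', severity='warning')
    print(sent.decode('utf-8'))
    print(parse_pri(sent)[:2])
```

Because UDP carries no sender authentication, the hostname in the header is whatever the sender put there; a collector that needs to trust the origin should use the TCP or TLS sources described in the documentation instead.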
