安装了syslog-ng统一管理服务器日志,安装方法是网上找的,现在有些问题需要解决;
1. 日志服务器可以同步日志,但由于要自定义管理想要的日志文件,这部分日志一直不能同步到服务器。现在贴出配置文档,希望可以交流学习。
安装syslog-ng
service 端安装:
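# Build eventlog (dependency) and syslog-ng 3.3.5 from source on the log server.
# Run as root. The install prefixes match the init script and the config file used below.
set -e   # abort on the first failed step instead of installing a half-built tree

# Quoted on purpose: an unquoted gcc* is a shell glob and would be expanded
# against files in the current directory before yum sees it.
yum install 'gcc*'

cd /usr/src
# NOTE(review): plain-http downloads with no integrity check. Verify each archive
# against the vendor-published checksum/signature before building, e.g.
#   sha256sum eventlog_0.2.12.tar.gz   # compare with <EXPECTED_SHA256_FROM_VENDOR>
wget http://www.balabit.com/downloads/files/syslog-ng/sources/3.2.4/source/eventlog_0.2.12.tar.gz
wget http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.3.5/source/syslog-ng_3.3.5.tar.gz

# eventlog first: syslog-ng's configure locates it through pkg-config.
tar xvf eventlog_0.2.12.tar.gz
cd eventlog-0.2.12
./configure --prefix=/usr/local/eventlog
make
make install

cd /usr/src
tar xvf syslog-ng_3.3.5.tar.gz
cd syslog-ng-3.3.5
# Point pkg-config at the eventlog just installed under /usr/local/eventlog.
export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig
./configure --prefix=/usr/local/syslog-ng
make
make install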
将 syslog-ng 添加为系统服务:
vim /etc/init.d/syslog-ng #内容如下
#!/bin/bash
#
# chkconfig: - 60 27
# description: syslog-ng SysV script.
. /etc/rc.d/init.d/functions
# Locally built syslog-ng (prefix /usr/local/syslog-ng) and its runtime state files.
syslog_ng="/usr/local/syslog-ng/sbin/syslog-ng"
prog="syslog-ng"
pidfile="/usr/local/syslog-ng/var/syslog-ng.pid"
lockfile="/usr/local/syslog-ng/var/syslog-ng.lock"
# Exit status handed back to the service manager; each action below updates it.
RETVAL=0
# Seconds 'stop' waits for the daemon; may be overridden from the environment.
STOP_TIMEOUT="${STOP_TIMEOUT-10}"
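#######################################
# Start the daemon through the init-functions 'daemon' helper.
# Globals: prog, pidfile, syslog_ng, lockfile (read); RETVAL (written); OPTIONS (read)
# Returns: the daemon helper's exit status
#######################################
start() {
  echo -n $"Starting $prog: "
  # $OPTIONS is deliberately unquoted: it may hold several space-separated flags.
  # shellcheck disable=SC2086
  daemon --pidfile="$pidfile" "$syslog_ng" $OPTIONS
  RETVAL=$?
  echo
  # The lock file is the SysV "service is running" marker; only create it on success.
  [ "$RETVAL" = 0 ] && touch "$lockfile"
  return "$RETVAL"
}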
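#######################################
# Stop the daemon through the init-functions 'killproc' helper.
# Globals: prog, pidfile, STOP_TIMEOUT, syslog_ng, lockfile (read); RETVAL (written)
# Returns: killproc's exit status (start() returns its status too; keep them consistent)
#######################################
stop() {
  echo -n $"Stopping $prog: "
  # -d: seconds killproc waits after TERM before escalating (per the RHEL init functions).
  killproc -p "$pidfile" -d "$STOP_TIMEOUT" "$syslog_ng"
  RETVAL=$?
  echo
  # Clear the running marker and stale pid file only if the daemon really stopped.
  [ "$RETVAL" = 0 ] && rm -f -- "$lockfile" "$pidfile"
  return "$RETVAL"
}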
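# Dispatch on the SysV action; the script's exit status is whatever the action set in RETVAL.
case "${1:-}" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status -p "$pidfile" "$syslog_ng"
    RETVAL=$?
    ;;
  restart)
    # stop's status is intentionally ignored: a stale/absent pid file must not block the start.
    stop
    start
    ;;
  *)
    # Usage errors are diagnostics, so they go to stderr; 2 is the conventional usage status.
    echo $"Usage: $prog {start|stop|restart|status}" >&2
    RETVAL=2
    ;;
esac
exit "$RETVAL"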
------------------------------------------------------------
# Register the init script as a boot service, then hand /dev/log over to syslog-ng.
chmod a+x -- /etc/init.d/syslog-ng
chkconfig --add syslog-ng
chkconfig syslog-ng on
# Stop the running stock syslogd so the socket is free.
# NOTE(review): this only kills the running process; the stock service stays enabled
# for the next boot unless it is also disabled with chkconfig (service name varies by distro).
killall syslogd
service syslog-ng start
配置文件/usr/local/syslog-ng/etc/syslog-ng.conf
#下文为完整的服务器端配置文件:
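@version:3.3.5
@include "scl.conf"

# Global options.
# NOTE(review): this instance also receives logs from the network (s_remote below).
# keep_hostname(yes) makes $HOST whatever hostname the *sender* wrote into the
# message, and every r_* destination path below contains $HOST, so a remote client
# decides which per-host directory it writes into. use_dns(yes) additionally does a
# resolver lookup per sender; slow or failing DNS can stall the receiver. For a
# collector that faces not-fully-trusted clients, consider keep_hostname(no) and
# use_dns(no) (paths are then keyed by the sender's address).
options {
  #long_hostnames(off);
  log_msg_size(8192);
  flush_lines(1);
  log_fifo_size(20480);
  time_reopen(10);
  use_dns(yes);
  dns_cache(yes);
  use_fqdn(yes);
  keep_hostname(yes);
  chain_hostnames(no);
  #chain_hostnames(off);
  perm(0644);
  stats_freq(43200);
};

# syslog-ng's own diagnostics go to a dedicated file.
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };

# Messages generated on this host.
source s_local {
  unix-dgram("/dev/log");
  file("/proc/kmsg" program_override("kernel:"));
};

# Filters, shared by the local and the remote log paths.
# f_messages matches every priority from info upward, so anything not stopped by an
# earlier flags(final) statement is also written to the messages file.
filter f_messages { level(info..emerg); };
filter f_secure { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_emerg { level(emerg); };
filter f_spooler { level(crit..emerg) and facility(uucp, news); };
filter f_local7 { facility(local7); };
filter f_local4 { facility(local4); };

# Where each category is stored for this host's own messages.
destination d_messages { file("/var/log/messages"); };
destination d_secure { file("/var/log/secure"); };
destination d_maillog { file("/var/log/maillog"); };
destination d_cron { file("/var/log/cron"); };
destination d_console { usertty("root"); };
destination d_spooler { file("/var/log/spooler"); };
destination d_bootlog { file("/var/log/dmesg"); };
destination d_usercmd { file("/var/log/usercmd.log"); };

log { source(s_local); filter(f_emerg); destination(d_console); };
# flags(final) stops processing for matched messages so secure/mail/cron entries are
# not duplicated into messages by the f_messages statement further down.
log { source(s_local); filter(f_secure); destination(d_secure); flags(final); };
log { source(s_local); filter(f_mail); destination(d_maillog); flags(final); };
log { source(s_local); filter(f_cron); destination(d_cron); flags(final); };
log { source(s_local); filter(f_spooler); destination(d_spooler); };
log { source(s_local); filter(f_local7); destination(d_bootlog); };
log { source(s_local); filter(f_messages); destination(d_messages); };
log { source(s_local); filter(f_local4); destination(d_usercmd); };

# Listeners for remote clients.
# NOTE(review): both listeners are unauthenticated plaintext on all interfaces; any
# host that can reach port 514 can inject entries, and UDP senders are trivially
# spoofable. Restrict the allowed peers at the firewall and prefer the TCP listener
# (optionally with TLS) where the clients support it.
source s_remote {
  tcp(ip(0.0.0.0) port(514));
  udp(ip(0.0.0.0) port(514));
};

# Per-day, per-client storage for remote logs: root-owned, readable by group only,
# directories created on demand. $HOST comes from the sender (see keep_hostname above).
destination r_console { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_secure { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_cron { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_spooler { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_bootlog { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_messages { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_usercmd { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/usercmd" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_maillog { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/maillog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };

# Remote log paths, in the same order as the local ones. Order matters: flags(final)
# only stops statements that come *after* it, so the final-flagged categories must
# precede the catch-all f_messages statement.
log { source(s_remote); filter(f_emerg); destination(r_console); };
log { source(s_remote); filter(f_secure); destination(r_secure); flags(final); };
# Fixed: remote mail logs were routed to r_usercmd (r_maillog was never used and mail
# entries were mixed into the custom usercmd file); now mirrors the local d_maillog path.
log { source(s_remote); filter(f_mail); destination(r_maillog); flags(final); };
log { source(s_remote); filter(f_cron); destination(r_cron); flags(final); };
log { source(s_remote); filter(f_spooler); destination(r_spooler); };
log { source(s_remote); filter(f_local7); destination(r_bootlog); };
log { source(s_remote); filter(f_messages); destination(r_messages); };
log { source(s_remote); filter(f_local4); destination(r_usercmd); };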
##############################################
注:如果要新增需要监控的服务日志,需要在几个地方添加配置(上文标红的部分):
在client 端加入
local4.* /var/log/usercmd.log
# /usr/local/syslog-ng/sbin/syslog-ng -e -F -d -v
用上面的命令在前台以调试模式运行,测试 syslog-ng 配置文件是否正确(只做语法检查可以用 syslog-ng -s)。
Client 端 我们使用rsyslog系统自带收集log服务
vi /etc/rsyslog.conf
在文件末尾加入一行(`@` 表示通过 UDP 转发,`@@` 为 TCP;服务器端两者都在监听):
*.info @10.0.11.53
vi /etc/syslog.conf
添加如下(未使用 rsyslog、仍使用旧版 syslog.conf 的客户端):
*.info;mail.none;news.none;authpriv.none;cron.none @<服务器IP>