This article explains how to use syslog-ng to build a log server. The editor found it very practical, so it is shared here as a reference; follow along and have a look.
Environment introduction
Log server IP: 192.168.90.20; client IP: 192.168.90.10
System: RHEL5.4
Goal: automatically save the client's logs in the appropriate directory on the server side, stored separately by date, IP address and log type.
Note: because this was done in a virtual-machine environment, the server clock is not synchronized with the client clock, so the recorded timestamps differ between the two. For correlating events across hosts during an investigation, both machines should run NTP.
[root@server2 ~]# cd /usr/local/src/tarbag/
[root@server2 tarbag]# wget http://www.balabit.com/downloads/files/eventlog/0.2/eventlog_0.2.9.tar.gz
[root@server2 tarbag]# tar -zxvf eventlog_0.2.9.tar.gz -C ../software/
[root@server2 tarbag]# cd ../software/eventlog-0.2.9/
[root@server2 eventlog-0.2.9]# ./configure --prefix=/usr/local/eventlog && make && make install
[root@server2 eventlog-0.2.9]# ls /usr/local/eventlog/
include lib
[root@server2 syslog-ng-3.0.5]# cd -
/usr/local/src/tarbag
[root@server2 tarbag]# wget http://www.balabit.com/downloads/files/libol/0.3/libol-0.3.9.tar.gz
[root@server2 tarbag]# tar -zxvf libol-0.3.9.tar.gz -C ../software/
[root@server2 tarbag]# cd ../software/libol-0.3.9/
[root@server2 libol-0.3.9]# ./configure --prefix=/usr/local/libol && make && make install
[root@server2 libol-0.3.9]# ls /usr/local/libol/
bin include lib
[root@server2 tarbag]# wget http://www.balabit.com/downloads/files/syslog-ng/sources/3.0.5/source/syslog-ng_3.0.5.tar.gz
[root@server2 tarbag]# tar -zxvf syslog-ng_3.0.5.tar.gz -C ../software/
[root@server2 tarbag]# cd ../software/syslog-ng-3.0.5/
[root@server2 syslog-ng-3.0.5]# export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig
[root@server2 syslog-ng-3.0.5]# ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol && make && make install
configure: error: Cannot find eventlog version >= 0.2: is pkg-config in path? (if this error occurs, it is almost always because PKG_CONFIG_PATH was not set correctly in the previous step.)
[root@server2 syslog-ng-3.0.5]# ls /usr/local/syslog-ng/
bin libexec sbin share
[root@server2 syslog-ng-3.0.5]# mkdir /usr/local/syslog-ng/etc
[root@server2 syslog-ng-3.0.5]# mkdir /usr/local/syslog-ng/var
[root@server2 syslog-ng-3.0.5]# cp contrib/syslog-ng.conf.RedHat /usr/local/syslog-ng/etc/
[root@server2 syslog-ng-3.0.5]# cp contrib/init.d.RedHat /etc/init.d/syslog-ng
[root@server2 syslog-ng-3.0.5]# cd /usr/local/syslog-ng/etc/
[root@server2 etc]# mv syslog-ng.conf.RedHat syslog-ng.conf
[root@server2 etc]# cat syslog-ng.conf
@version: 3.0
options {
    long_hostnames(off);
    log_msg_size(8192);
    flush_lines(1);
    log_fifo_size(20480);
    time_reopen(10);
    use_dns(yes);
    dns_cache(yes);
    use_fqdn(yes);
    keep_hostname(yes);
    chain_hostnames(no);
    perm(0644);
    stats_freq(43200);
};
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };
source s_local {
    unix-dgram("/dev/log");
    file("/proc/kmsg" program_override("kernel:"));
};
filter f_messages { level(info..emerg); };   # defines the 7 log types
filter f_secure { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_emerg { level(emerg); };
filter f_spooler { level(crit..emerg) and facility(uucp, news); };
filter f_local7 { facility(local7); };
destination d_messages { file("/var/log/messages"); };   # defines where the seven kinds of local logs are written
destination d_secure { file("/var/log/secure"); };
destination d_maillog { file("/var/log/maillog"); };
destination d_cron { file("/var/log/cron"); };
destination d_console { usertty("root"); };
destination d_spooler { file("/var/log/spooler"); };
destination d_bootlog { file("/var/log/dmesg"); };
log { source(s_local); filter(f_emerg); destination(d_console); };
log { source(s_local); filter(f_secure); destination(d_secure); flags(final); };
log { source(s_local); filter(f_mail); destination(d_maillog); flags(final); };
log { source(s_local); filter(f_cron); destination(d_cron); flags(final); };
log { source(s_local); filter(f_spooler); destination(d_spooler); };
log { source(s_local); filter(f_local7); destination(d_bootlog); };
log { source(s_local); filter(f_messages); destination(d_messages); };
# Remote logging -- define the ports to listen on for remote clients
source s_remote {
    tcp(ip(0.0.0.0) port(<listen-port>));   # the port value is missing from the listing; syslog-ng's default for tcp()/udp() is 514
    udp(ip(0.0.0.0) port(<listen-port>));
};
# ip(0.0.0.0) accepts messages from any host that can reach the server, and plain UDP/TCP syslog is neither authenticated nor encrypted.
# Bind to the address of the log network instead and limit the port to the client subnet in the host firewall.
# define the format, location and permissions of the client logs saved on the server
# ($HOST is taken from the message header because keep_hostname(yes) is set above; with keep_hostname(no) it is derived from the sending address instead)
destination r_console { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_secure { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_cron { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_spooler { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_bootlog { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_messages { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
log { source(s_remote); filter(f_emerg); destination(r_console); };
log { source(s_remote); filter(f_secure); destination(r_secure); flags(final); };
log { source(s_remote); filter(f_cron); destination(r_cron); flags(final); };
log { source(s_remote); filter(f_spooler); destination(r_spooler); };
log { source(s_remote); filter(f_local7); destination(r_bootlog); };
log { source(s_remote); filter(f_messages); destination(r_messages); };
[root@server2 etc]# chmod +x /etc/init.d/syslog-ng
[root@server2 etc]# chkconfig --add syslog-ng
service syslog-ng does not support chkconfig (if this error occurs, change the first four lines of the script to the following)
[root@server2 etc]# head -4 /etc/init.d/syslog-ng
#!/bin/bash
# chkconifg:-- add syslog-ng
# chkconfig: 2345 12 88
# description: syslog-ng
The script also needs the following three places changed:
[root@server2 etc]# grep 'PATH' /etc/init.d/syslog-ng
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/syslog-ng/bin:/usr/local/syslog-ng/sbin
[root@server2 etc]# grep 'INIT' /etc/init.d/syslog-ng | head -2
INIT_PROG="/usr/local/syslog-ng/sbin/syslog-ng"   # Full path to daemon
INIT_OPTS="-f /usr/local/syslog-ng/etc/syslog-ng.conf"   # options passed to daemon
[root@server2 etc]# service syslog-ng start
Starting syslog-ng: /usr/local/syslog-ng/sbin/syslog-ng: error while loading shared libraries: libevtlog.so.0: cannot open shared object file: No such file or directory
Starting Kernel Logger: this error occurs because the shared-library path has not been set up.
[root@server2 etc]# ln -s /usr/local/eventlog/lib/* /lib/
(Symlinking into /lib works, but the cleaner fix is the one used for MySQL in step 5 below: add /usr/local/eventlog/lib to /etc/ld.so.conf and run ldconfig.)
The following problem occurs when the line @version: 3.0 is missing from the main configuration file:
Starting syslog-ng: Configuration file has no version number, assuming syslog-ng 2.1 format. Please add @version: maj.min to the beginning of the file
[root@server2 ~]# service syslog-ng start
Starting Kernel Logger: [OK]
[root@server2 etc]# cat /var/log/syslog-ng.log
Jan 28 03:59:07 server2.yang.com syslog-ng[20225]: syslog-ng starting up; version='3.0.5'
Client configuration:
[root@client]# tail -1 /etc/syslog.conf
*.*    @192.168.90.20
(The @ prefix in syslog.conf forwards over UDP, so delivery is best-effort and the traffic is unencrypted; keep it on a trusted management network.)
[root@client ~]# logger -i just one test
[root@client]# tail -1 /var/log/messages
Jan 27 22:12:02 client root[2861]: just one test
[root@server2 ~]# cat /var/log/syslog-ng/20100128/192.168.90.10/messages
Jan 28 04:24:32 192.168.90.10 root[2861]: just one test
[root@server2 ~]# cat /var/log/syslog-ng/20100128/192.168.90.10/secure
Jan 28 04:01:04 192.168.90.10 sshd[2832]: Accepted publickey for root from 192.168.90.1 port 48834 ssh3
Jan 28 04:01:04 192.168.90.10 sshd[2832]: pam_unix(sshd:session): session opened for user root by (uid=0)
Reference website: http://blog.sina.com.cn/s/blog_4a071ed80100cssu.html
Now that syslog-ng is configured, the following is a brief overview of how to store syslog messages in MySQL.
1: link the MySQL header and library directories into /usr/local
[root@server2]# ln -s /usr/local/mysql/lib/mysql /usr/local/lib/mysql
[root@server2]# ln -s /usr/local/mysql/include/mysql/ /usr/local/include
[root@server2 ~]# cd /usr/local/src/software/sqlsyslogd
2: download the sqlsyslogd source package. Because the whole directory is fetched recursively, the index.html files are downloaded as well and are removed afterwards.
[root@server2 software]# wget -d -r -np http://www.frasunek.com/sources/security/sqlsyslogd/
[root@server2 software]# cd www.frasunek.com/sources/security/sqlsyslogd/
[root@server2 sqlsyslogd]# rm -rf index.html*
[root@server2 sqlsyslogd]# cd contrib/
[root@server2 contrib]# rm -rf index.html*
[root@server2 contrib]# cd
[root@server2 ~]# mv /usr/local/src/software/www.frasunek.com/sources/security/sqlsyslogd/ /usr/local/src/software/
3: make, then copy the sqlsyslogd binary to /usr/local/sbin
[root@server2 ~]# cd /usr/local/src/software/sqlsyslogd/
[root@server2 sqlsyslogd]# make
cc -O6 -Wall -pipe -I/usr/local/include -DCONF=\"/usr/local/etc/sqlsyslogd.conf\" -L/usr/local/lib/mysql -lmysqlclient sqlsyslogd.c -o sqlsyslogd
[root@server2 sqlsyslogd]# cp sqlsyslogd /usr/local/sbin/
4: run the sqlsyslogd program; the usage line below shows that the installation succeeded
[root@server2 sqlsyslogd]# sqlsyslogd
Usage: sqlsyslogd [-h hostname] [-p] [database]
5: add the location of the compiled shared library to /etc/ld.so.conf and run ldconfig so the change takes effect
[root@server2 sqlsyslogd]# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/lib/mysql
[root@server2 sqlsyslogd]# ldconfig
6: create the database and table
[root@server2 sqlsyslogd]# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 158
Server version: 5.1.36-log Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database syslog;
Query OK, 1 row affected (0.00 sec)
mysql> use syslog
Database changed
mysql> create table logs (Id int(10) NOT NULL auto_increment, Timestamp varchar(16), Host varchar(50), Prog varchar(50), Mesg text, PRIMARY KEY (id));
Query OK, 0 rows affected (0.01 sec)
mysql> exit
Bye
7: this file holds the password used to connect to the database, in plaintext; make it readable only by the user syslog-ng runs as (root here), e.g. chmod 600 /usr/local/etc/sqlsyslogd.conf
[root@server2 sqlsyslogd]# cat /usr/local/etc/sqlsyslogd.conf
123456
8: add the following configuration to the syslog-ng main configuration file (the example connects as the MySQL root user; a dedicated account granted only INSERT on syslog.logs limits what a compromised log server can do to the database)
[root@server2 sqlsyslogd]# vi /usr/local/syslog-ng/etc/syslog-ng.conf
destination sqlsyslogd {
    program("/usr/local/sbin/sqlsyslogd -u root -t logs syslog -p");
};
log {
    source(s_remote);
    destination(sqlsyslogd);
};
9: restart the syslog-ng service
[root@server2 sqlsyslogd]# service syslog-ng restart
Stopping Kernel Logger: [OK]
Starting Kernel Logger: [OK]
10: client message test
[root@server2 sqlsyslogd]# tail -1 /var/log/syslog-ng/20100226/192.168.90.1/messages
Feb 26 14:25:47 192.168.90.1 root[6058]: just for fun
Thank you for reading! This is the end of the article on "how to use syslog-ng to build a log server". I hope the content above has been of some help; if you think the article is good, share it so more people can see it.