syslog-ng is installed to manage server logs centrally; the installation method was found online. A few problems still need to be solved:
1. The log server can collect the log files on a daily basis, but a log file you define yourself is not collected unless the configuration is extended for it, because it is a custom log file. I am posting the configuration files below in the hope that they are useful for reference.
Install syslog-ng
Service installation:
yum install gcc*
cd /usr/src
wget http://www.balabit.com/downloads/files/syslog-ng/sources/3.2.4/source/eventlog_0.2.12.tar.gz
wget http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.3.5/source/syslog-ng_3.3.5.tar.gz
tar xvf eventlog_0.2.12.tar.gz
cd eventlog-0.2.12
./configure --prefix=/usr/local/EventLog
make
make install
cd /usr/src
tar xvf syslog-ng_3.3.5.tar.gz
cd syslog-ng-3.3.5
export PKG_CONFIG_PATH=/usr/local/EventLog/lib/pkgconfig
./configure --prefix=/usr/local/syslog-ng
make
make install
Add syslog-ng as a system service:
vim /etc/init.d/syslog-ng   # with the following content:
#!/bin/bash
#
# chkconfig: - 60 27
# description: syslog-ng sysv script.
. /etc/rc.d/init.d/functions
syslog_ng=/usr/local/syslog-ng/sbin/syslog-ng
prog=syslog-ng
pidfile=/usr/local/syslog-ng/var/syslog-ng.pid
lockfile=/usr/local/syslog-ng/var/syslog-ng.lock
options=""                      # extra command-line options for syslog-ng, none by default
RETVAL=0
STOP_TIMEOUT=${STOP_TIMEOUT-10}  # seconds killproc waits before escalating
start() {
    echo -n $"Starting $prog: "
    daemon --pidfile=$pidfile $syslog_ng $options
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}
stop() {
    echo -n $"Stopping $prog: "
    killproc -p $pidfile -d $STOP_TIMEOUT $syslog_ng
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f $lockfile $pidfile
    return $RETVAL
}
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status -p $pidfile $syslog_ng
    RETVAL=$?
    ;;
  restart)
    stop
    start
    ;;
  *)
    echo $"Usage: $prog {start|stop|restart|status}"
    RETVAL=2
esac
exit $RETVAL
------------------------------------------------------------
chmod a+x /etc/init.d/syslog-ng
killall syslogd
chkconfig --add syslog-ng
chkconfig syslog-ng on
service syslog-ng start
Configuration file: /usr/local/syslog-ng/etc/syslog-ng.conf
# The complete configuration file is as follows:
@version: 3.3.5
@include "scl.conf"
options {
    # long_hostnames(off);
    log_msg_size(8192);
    flush_lines(1);
    log_fifo_size(20480);
    time_reopen(10);
    use_dns(yes);
    dns_cache(yes);
    use_fqdn(yes);
    keep_hostname(yes);
    chain_hostnames(no);
    # chain_hostnames(off);
    perm(0644);
    stats_freq(43200);
};
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };
source s_local {
    unix-dgram("/dev/log");
    file("/proc/kmsg" program_override("kernel:"));
};
# Define the log types (one filter per type)
filter f_messages { level(info..emerg); };
filter f_secure { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_emerg { level(emerg); };
filter f_spooler { level(crit..emerg) and facility(uucp, news); };
filter f_local7 { facility(local7); };
filter f_local4 { facility(local4); };
# Define where each type of log is written on the client
destination d_messages { file("/var/log/messages"); };
destination d_secure { file("/var/log/secure"); };
destination d_maillog { file("/var/log/maillog"); };
destination d_cron { file("/var/log/cron"); };
destination d_console { usertty("root"); };
destination d_spooler { file("/var/log/spooler"); };
destination d_bootlog { file("/var/log/dmesg"); };
destination d_usercmd { file("/var/log/usercmd.log"); };
log { source(s_local); filter(f_emerg); destination(d_console); };
log { source(s_local); filter(f_secure); destination(d_secure); flags(final); };
log { source(s_local); filter(f_mail); destination(d_maillog); flags(final); };
log { source(s_local); filter(f_cron); destination(d_cron); flags(final); };
log { source(s_local); filter(f_spooler); destination(d_spooler); };
log { source(s_local); filter(f_local7); destination(d_bootlog); };
log { source(s_local); filter(f_messages); destination(d_messages); };
log { source(s_local); filter(f_local4); destination(d_usercmd); };
# Define the listening ports
# Remote logging
source s_remote {
    tcp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(514));
};
# Define the format, location and permissions of the client logs stored on the server
destination r_console { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_secure { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_cron { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_spooler { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_bootlog { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_messages { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_usercmd { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/usercmd" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_maillog { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/maillog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
log { source(s_remote); filter(f_emerg); destination(r_console); };
log { source(s_remote); filter(f_secure); destination(r_secure); flags(final); };
log { source(s_remote); filter(f_cron); destination(r_cron); flags(final); };
log { source(s_remote); filter(f_spooler); destination(r_spooler); };
log { source(s_remote); filter(f_local7); destination(r_bootlog); };
log { source(s_remote); filter(f_messages); destination(r_messages); };
log { source(s_remote); filter(f_local4); destination(r_usercmd); };
# mail logs from clients go to their own maillog file rather than usercmd
log { source(s_remote); filter(f_mail); destination(r_maillog); };
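As an added example (not part of the original post and not syslog-ng code), the following Python script simulates how the server-side log statements above route one incoming RFC 3164 message: it decodes the PRI field into facility and level, applies the filters in the order of the s_remote log statements, honours flags(final), and expands the $YEAR$MONTH$DAY/$HOST path. The line format, the constructed sample lines and the hostname check are assumptions of the example, and it routes mail to a maillog destination of its own. Two things it makes visible: f_messages is not final, so a local4 message lands in both messages and usercmd; and with keep_hostname(yes) the per-host directory is named after whatever hostname the client put in the message, which is why the example checks that value before using it as a path component.

```python
"""Added example, not part of the original post: simulate how the server-side
log statements in the configuration above route one incoming RFC 3164
message. Assumptions of this example (not on the page): the '<PRI>TIMESTAMP
HOST MSG' line format, the hostname check before $HOST is used as a path
component, and mail going to its own r_maillog destination."""
import re
from datetime import date

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
            "solaris-cron"] + ["local%d" % i for i in range(8)]

LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")


def parse(line):
    """Decode PRI into the facility and level that syslog-ng's filters test."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI %d out of range" % pri)
    host = m.group(3)
    # keep_hostname(yes): the per-host directory is named after the hostname
    # the client wrote into the message, so the example insists that it at
    # least looks like a hostname before using it as a path component.
    if not HOST_RE.match(host):
        raise ValueError("refusing hostname %r as a path component" % host)
    return {"facility": FACILITY[pri // 8], "level": SEVERITY[pri % 8],
            "host": host, "msg": m.group(4)}


def level(lo, hi):
    """syslog-ng level(lo..hi): every level between the two, inclusive."""
    a, b = SEVERITY.index(lo), SEVERITY.index(hi)
    return lambda m: min(a, b) <= SEVERITY.index(m["level"]) <= max(a, b)


def facility(*names):
    return lambda m: m["facility"] in names


def both(f, g):
    return lambda m: f(m) and g(m)


# (filter, destination file, flags(final)) in the order of the s_remote log statements
ROUTES = [
    (level("emerg", "emerg"), "console", False),                           # f_emerg
    (facility("authpriv"), "secure", True),                                # f_secure, final
    (facility("cron"), "cron", True),                                      # f_cron, final
    (both(level("crit", "emerg"), facility("uucp", "news")), "spooler", False),
    (facility("local7"), "bootlog", False),
    (level("info", "emerg"), "messages", False),                           # f_messages
    (facility("local4"), "usercmd", False),
    (facility("mail"), "maillog", False),                                  # assumed r_maillog
]


def destinations(line, day=None):
    """Return the files one message is written to on the server.
    day is the YYYYMMDD string that $YEAR$MONTH$DAY expands to; default today."""
    m = parse(line)
    day = day or date.today().strftime("%Y%m%d")
    prefix = "/var/log/syslog-ng/%s/%s/" % (day, m["host"])
    out = []
    for matches, dest, final in ROUTES:
        if not matches(m):
            continue
        out.append(prefix + dest)
        if final:          # flags(final): no later log statement sees the message
            break
    return out


if __name__ == "__main__":
    # constructed sample lines, not real log data
    for s in ["<86>Mar  1 12:00:00 web01 sshd[123]: Accepted publickey for ops",   # authpriv.info
              "<166>Mar  1 12:00:01 web01 usercmd: ops ran 'id'",                 # local4.info
              "<0>Mar  1 12:00:02 db01 kernel: panic - not syncing",               # kern.emerg
              "<15>Mar  1 12:00:03 db01 app: verbose trace"]:                      # user.debug
        print(s[:s.index(">") + 1], destinations(s, "20240301"))
```

Run it directly to print the destinations of the four constructed sample lines; the user.debug line produces an empty list because no filter in the configuration accepts the debug level.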
------------------------------------------------------------
Note: to add a new service log to be monitored, you need to add entries in several places in the configuration file (the filter, the destination and the log statements for the new log type; these were highlighted in red in the original page), and on the client:
Add to the client's syslog configuration:
local4.*    /var/log/usercmd.log
# /usr/local/syslog-ng/sbin/syslog-ng -e -F -d -v
Run this to test whether the syslog-ng configuration file is correct (it starts syslog-ng in the foreground with verbose and debug messages on stderr).
On the client side, the rsyslog log collection service that comes with the system is used.
vi /etc/rsyslog.conf
Add a line at the bottom:
*.info @10.0.11.53
vi /etc/syslog.conf
Add the following:
*.info;mail.none;news.none;authpriv.none;cron.none @<server IP>
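As an added example (not from the original post), this Python snippet evaluates the two client selector lines above with the classic syslog.conf rules: a priority name means that level and anything more severe, "*" is a wildcard, and "none" excludes a facility that an earlier selector matched. It also reads the transport from the action, since in rsyslog a single "@" forwards over UDP and "@@" over TCP. The facility and severity tables are the standard ones; the selector semantics and the sample facilities are assumptions of the example. It shows that the one-line rsyslog rule forwards authpriv (login) messages as well, while the syslog.conf variant with the .none entries keeps them local.

```python
"""Added example, not part of the original post: evaluate the client-side
syslog.conf / rsyslog selector lines shown above to see which messages are
forwarded to the log server. The BSD selector semantics implemented here
(a priority means 'that level or more severe', '*' is a wildcard, 'none'
excludes) are assumptions of the example, not text from the page."""

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]


def parse_selector(line):
    """Split 'sel1;sel2;... action' into [(facilities, priority)] and the action."""
    selectors, action = line.split(None, 1)
    rules = []
    for part in selectors.split(";"):
        facs, pri = part.rsplit(".", 1)
        facs = FACILITY if facs == "*" else facs.split(",")
        rules.append((facs, pri.lower()))
    return rules, action.strip()


def selected(rules, facility, severity):
    """Later selectors override earlier ones for the facilities they name."""
    result = False
    for facs, pri in rules:
        if facility not in facs:
            continue
        if pri == "none":
            result = False
        elif pri == "*":
            result = True
        elif pri.startswith("="):          # '=info': exactly this level
            result = severity == pri[1:]
        else:                              # 'info': this level or more severe
            result = SEVERITY.index(severity) <= SEVERITY.index(pri)
    return result


def transport(action):
    """rsyslog action prefixes: '@@host' is TCP, '@host' is UDP, anything else is local."""
    if action.startswith("@@"):
        return "tcp"
    if action.startswith("@"):
        return "udp"
    return "local"


def forwarded(line, facility, severity):
    """Return the action a message triggers under this selector line, or None."""
    rules, action = parse_selector(line)
    return action if selected(rules, facility, severity) else None


if __name__ == "__main__":
    RSYSLOG_LINE = "*.info @10.0.11.53"
    SYSLOG_LINE = "*.info;mail.none;news.none;authpriv.none;cron.none @10.0.11.53"
    # constructed facility/severity pairs, not real log data
    for fac, sev in [("authpriv", "info"), ("local4", "info"), ("user", "debug")]:
        print("%s.%s -> rsyslog: %s, syslog.conf: %s" % (
            fac, sev, forwarded(RSYSLOG_LINE, fac, sev), forwarded(SYSLOG_LINE, fac, sev)))
    print("transport of '@10.0.11.53' is", transport("@10.0.11.53"))
```

Both lines on the page use a single "@", so the forwarded messages travel over plain UDP; the selector with the .none entries is the one to prefer if login records should not leave the host in that form.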