SuSE (SLES) install and configure the syslog-ng log server to integrate the splunk

Source: Internet
Author: User

Update History

April 25, 2014-draft written

Introduction

After the automated deployment of AutoYast and automated monitoring of BMC Patrol have taken shape, log collection, management, and analysis have become a problem we need to consider. Combined with the characteristics of our own business system platform, most systems are based on sles_11_sp1 or sp2. After comparing rsyslog and syslog-ng, syslog-ng ose (open source edition) is selected as the research object. For parameter explanations in the following content, refer to the official documentation. The Oracle log writing method will be added later. If the strength is insufficient, consider MySQL.

# Check the version

Rpm-qa | grep syslog-ng
Syslog-ng-2.0.9-27.32.1

Server Configuration

# Creating folders
Mkdir/var/log/syslog-ng

# Editing the configuration file
Vi/etc/syslog-ng/syslog-ng.conf

# ---------------------------- Code --------------------- start

# Global variables
Options {
Sync (0 );
Flush_lines (0 );
Time_reopen (10 );
Use_dns (no );
Use_fqdn (no );
Chain_hostnames (off );
Keep_hostname (off );
Create_dirs (yes );
Owner (root );
Group (root );
Perm (0640 );
Dir_perm (0750 );
};

Source src
{
# Message generated by Syslog-NG
# Internal ();
# Standard Linux log source (this is the default place for the syslog ()
# Function to send logs)
# Unix-stream ("/dev/log ");
# Messages from the kernel
# Pipe ("/proc/kmsg ");
# Remote port
TCP/IP (ip (0.0.0.0) port (514 ));
# Udp (ip (0.0.0.0) port (514 ));
};

# Define LOG filter rules
# Filter f_filter1 {level (info )};

# Define a log writing Template
# Template t_filetemplate {template ("$ {ISODATE }$ {HOST }$ {MSG} \ n"); template_escape (no );};
Template t_filetemplate {template ("$ {MSG} \ n"); template_escape (no );};

# Define the format, location, and permissions of client logs stored on the server
Destination d_mesg {file ("/var/log/syslog-ng/$ YEAR $ MONTH $ DAY/$ HOST/messages", perm (0777 ), template (t_filetemplate ));};

# Output custom message path
Log {source (src); destination (d_mesg );};
# Log {source (src); filter (f_filter1); destination (d_mesg );};

#-----------------------------------------------------------

# Splunk use 1999 port
Destination d_splunk {tcp ("127.0.0.1" port (1999) localport (999 ));};
Log {source (src); destination (d_splunk );};

# ---------------------------- Code --------------------- end

Client Configuration

# Configure the client
# Vi/etc/syslog. conf

# *. * @ Loghost

Vi/etc/syslog-ng/syslog-ng.conf
# Add as follows:

Source s_tail {file ("/monitor/auditlog/export udit.txt" follow_freq (1) flags (no-parse ));};

Destination d_loghost {tcp ("198.15.0.205" port (514 ));};

# Filter f_info {level (info );};

Log {source (s_tail); destination (d_loghost );};


-- Disable service restart syslog
Rcapparmor stop

Rcsyslog restart


# Start the server
Rcsyslog restart

Integrate splunk

 

To add syslog data, follow these steps:

Click New Input on Admin> Data Inputs> Network Ports. select TCP 1999 port, Set Source Type to Form List, and Source Type to Syslog, so that Syslog-ng can be uploaded.

To modify syslog-ng, follow these steps:

As shown in the above code, if it is not a paying user, there are m index restrictions, please help Crack


# References

Http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.5-guides/en/syslog-ng-ose-v3.5-guide-admin/html-single/index.html

Http://www.splunk.com/download? R = header

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.