Update History
April 25, 2014: draft written
Introduction
With automated deployment (AutoYaST) and automated monitoring (BMC Patrol) in place, log collection, management and analysis is the next problem we need to address. Most of our business systems run on SLES 11 SP1 or SP2. After comparing rsyslog and syslog-ng, syslog-ng OSE (Open Source Edition) was chosen as the subject of this study. For explanations of the parameters used below, refer to the official documentation. Writing logs to Oracle will be added later; if that turns out not to be workable, MySQL will be considered.
# Check the version
rpm -qa | grep syslog-ng
syslog-ng-2.0.9-27.32.1
Server Configuration
# Create the log directory
mkdir /var/log/syslog-ng
# Edit the configuration file
vi /etc/syslog-ng/syslog-ng.conf
# ---------------------------- Code --------------------- start
# Global options (apply to every destination unless overridden there)
options {
    sync(0);
    flush_lines(0);
    time_reopen(10);
    use_dns(no);
    use_fqdn(no);
    chain_hostnames(off);
    keep_hostname(off);
    create_dirs(yes);
    owner(root);
    group(root);
    perm(0640);
    dir_perm(0750);
};
source src {
    # messages generated by syslog-ng itself
    # internal();
    # standard Linux log source (the default place the syslog() function sends to)
    # unix-stream("/dev/log");
    # messages from the kernel
    # pipe("/proc/kmsg");
    # remote clients: listen on all interfaces, TCP port 514
    tcp(ip(0.0.0.0) port(514));
    # udp(ip(0.0.0.0) port(514));
};
# Define log filter rules
# filter f_filter1 { level(info); };
# Define a template for writing logs
# template t_filetemplate { template("${ISODATE} ${HOST} ${MSG}\n"); template_escape(no); };
template t_filetemplate { template("${MSG}\n"); template_escape(no); };
# Define the format, location and permissions of client logs stored on the server.
# Note: perm(0777) on the destination overrides the global perm(0640) and makes
# the collected log files world-writable; drop it to inherit 0640 from the options block.
destination d_mesg { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages" perm(0777) template(t_filetemplate)); };
# Write messages to the custom path
log { source(src); destination(d_mesg); };
# log { source(src); filter(f_filter1); destination(d_mesg); };
#-----------------------------------------------------------
# Splunk listens on port 1999
destination d_splunk { tcp("127.0.0.1" port(1999) localport(999)); };
log { source(src); destination(d_splunk); };
# ---------------------------- Code --------------------- end
Client Configuration
# Configure the client
# (with the classic syslogd the equivalent would be in /etc/syslog.conf: "*.* @loghost")
# vi /etc/syslog.conf
# *.* @loghost
vi /etc/syslog-ng/syslog-ng.conf
# Add the following:
source s_tail { file("/monitor/auditlog/export udit.txt" follow_freq(1) flags(no-parse)); };
destination d_loghost { tcp("198.15.0.205" port(514)); };
# filter f_info { level(info); };
log { source(s_tail); destination(d_loghost); };
# Stop AppArmor, then restart syslog. Stopping AppArmor removes its confinement of every
# profiled daemon; allowing the audit file path in the syslog-ng profile is the narrower fix.
rcapparmor stop
rcsyslog restart
# Start the server
rcsyslog restart
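The following is an added example, not syslog-ng code and not from the page's author: a small Python stand-in for the client-to-server path configured above, so the effect of the settings can be checked offline before touching a real host. The client side reads a file line by line and sends each line unchanged over TCP (the role of source s_tail with flags(no-parse) and destination d_loghost); the server side accepts the stream (source src) and appends each line under <base>/$YEAR$MONTH$DAY/$HOST/messages with the "${MSG}\n" template (destination d_mesg with create_dirs(yes)). Because use_dns(no) is set, the peer's IP address stands in for $HOST. The file is created with the global perm(0640) and dir_perm(0750) rather than the page's perm(0777). The base directory, loopback port, and the three sample audit lines are constructed placeholders; decode_pri shows what the server can and cannot tell about a line that was forwarded without parsing.

```python
import datetime
import os
import socket
import stat
import tempfile
import threading


def decode_pri(line):
    """Split an RFC 3164 '<PRI>' prefix into (facility, severity, rest).

    Lines without a valid PRI return (None, None, line): that is all the
    server can see when the tailed file has no syslog header and the client
    forwards it with flags(no-parse).
    """
    if line.startswith("<"):
        end = line.find(">")
        if 1 < end <= 4 and line[1:end].isdigit():
            pri = int(line[1:end])
            if pri <= 191:  # 24 facilities * 8 severities
                return pri // 8, pri % 8, line[end + 1:]
    return None, None, line


class LogServer:
    """Accept one TCP connection and append its lines to a per-host file."""

    def __init__(self, base_dir, perm=0o640, dir_perm=0o750):
        self.base_dir, self.perm, self.dir_perm = base_dir, perm, dir_perm
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.received = []

    def dest_path(self, host, day=None):
        """Mirror "$YEAR$MONTH$DAY/$HOST/messages" below base_dir."""
        day = day or datetime.date.today()
        return os.path.join(self.base_dir, day.strftime("%Y%m%d"), host, "messages")

    def serve_once(self):
        conn, (peer_ip, _) = self.sock.accept()
        path = self.dest_path(peer_ip)  # use_dns(no): IP address as $HOST
        os.makedirs(os.path.dirname(path), exist_ok=True)  # create_dirs(yes)
        for d in (os.path.dirname(os.path.dirname(path)), os.path.dirname(path)):
            os.chmod(d, self.dir_perm)  # dir_perm(0750)
        with conn, conn.makefile("r") as stream, open(path, "a") as out:
            os.chmod(path, self.perm)  # perm(0640), not the page's 0777
            for line in stream:
                msg = line.rstrip("\n")
                out.write(msg + "\n")  # template("${MSG}\n")
                self.received.append(msg)
        self.sock.close()
        return path


def forward_file(path, host, port):
    """Client side: send every line of `path` unchanged (flags(no-parse))."""
    with open(path) as src, socket.create_connection((host, port)) as conn:
        for line in src:
            conn.sendall(line.encode())


def run_demo():
    base = tempfile.mkdtemp()
    audit = os.path.join(base, "audit.txt")  # stands in for the tailed file
    sample = [  # constructed audit lines: two with a syslog header, one without
        "<13>Apr 25 10:00:01 app01 sshd[4711]: Accepted publickey for ops",
        "<11>Apr 25 10:00:02 app01 su: FAILED SU (to root) on /dev/pts/0",
        "plain line without a syslog header",
    ]
    with open(audit, "w") as f:
        f.write("\n".join(sample) + "\n")

    server = LogServer(os.path.join(base, "syslog-ng"))
    result = {}
    t = threading.Thread(target=lambda: result.update(path=server.serve_once()))
    t.start()
    forward_file(audit, "127.0.0.1", server.port)
    t.join(timeout=5)

    path = result["path"]
    return {
        "path": path,
        "lines": server.received,
        "file_mode": stat.S_IMODE(os.stat(path).st_mode),
        "dir_mode": stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode),
        "decoded": [decode_pri(m)[:2] for m in server.received],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

Running the script prints the destination path, the three stored lines, the resulting file and directory modes, and the decoded (facility, severity) pairs; the third line decodes to (None, None) because no-parse forwarding keeps whatever was in the file, so a level(info) filter on the server would not match it.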
Integrate Splunk
To add syslog data, follow these steps:
In Splunk, go to Admin > Data Inputs > Network Ports and click New Input. Select TCP, enter port 1999, set Source type to "From list" and choose "syslog"; Splunk then receives what syslog-ng forwards to that port.
To modify syslog-ng, follow these steps:
See the server configuration above (destination d_splunk and its log statement). Without a paid license Splunk enforces indexing restrictions; the author asks for help getting past that limit.
# References
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.5-guides/en/syslog-ng-ose-v3.5-guide-admin/html-single/index.html
http://www.splunk.com/download?r=header