Use syslog-ng to build a centralized log server on RHEL5

Source: Internet
Author: User

In a production environment, it is a good idea to have a log server dedicated to recording the logs of other servers. The syslog daemon built into Red Hat is simple to configure, but it has no way to separate logs: by default, everything piles up in the /var/log/messages file, which is what you get if you use it to build a log server. The following describes how to build a log server with syslog-ng, which also supports importing logs into a database and publishing them through a web page. It sounds quite powerful, so let's take a good look.

Environment Introduction
Log server IP address: 192.168.90.20; client IP address: 192.168.90.10
System: RHEL 5.4
Purpose: automatically store client logs in the corresponding directory on the server, and save the logs separately based on the date, IP address, and log type.
Note: Because this was done in a virtual machine environment, the clocks of the server and the client are not synchronized, so the recorded log times will be inconsistent.

[root@server2 ~]# cd /usr/local/src/tarbag/
[root@server2 tarbag]# wget http://www.linuxidc.com/system/systembak/syslogfile/eventlog/0.2/eventlog_0.2.9.tar.gz
[root@server2 tarbag]# tar -zxvf eventlog_0.2.9.tar.gz -C ../software/
[root@server2 tarbag]# cd ../software/eventlog-0.2.9/
[root@server2 eventlog-0.2.9]# ./configure --prefix=/usr/local/eventlog && make install
[root@server2 eventlog-0.2.9]# ls /usr/local/eventlog/
include  lib

[root@server2 syslog-ng-3.0.5]# cd -
/usr/local/src/tarbag
[root@server2 tarbag]# wget http://www.linuxidc.com/system/systembak/syslogfile/libol/0.3/libol-0.3.9.tar.gz
[root@server2 tarbag]# tar -zxvf libol-0.3.9.tar.gz -C ../software/
[root@server2 tarbag]# cd ../software/libol-0.3.9/
[root@server2 libol-0.3.9]# ./configure --prefix=/usr/local/libol && make install
[root@server2 libol-0.3.9]# ls /usr/local/libol/
bin  include  lib

[root@server2 tarbag]# wget http://www.linuxidc.com/system/systembak/syslogfile/syslog-ng/syslog-ng_3.0.5.tar.gz
[root@server2 tarbag]# tar -zxvf syslog-ng_3.0.5.tar.gz -C ../software/
[root@server2 tarbag]# cd ../software/syslog-ng-3.0.5/
[root@server2 syslog-ng-3.0.5]# export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig
[root@server2 syslog-ng-3.0.5]# ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol && make install
configure: error: Cannot find eventlog version >=0.2: is pkg-config in path? (If this error occurs, it is basically because the PKG_CONFIG_PATH variable above was not set.)
[root@server2 syslog-ng-3.0.5]# ls /usr/local/syslog-ng/
bin  libexec  sbin  share
[root@server2 syslog-ng-3.0.5]# mkdir /usr/local/syslog-ng/etc
[root@server2 syslog-ng-3.0.5]# mkdir /usr/local/syslog-ng/var
[root@server2 syslog-ng-3.0.5]# cp contrib/syslog-ng.conf.RedHat /usr/local/syslog-ng/etc/
[root@server2 syslog-ng-3.0.5]# cp contrib/init.d.RedHat /etc/init.d/syslog-ng

[root@server2 syslog-ng-3.0.5]# cd /usr/local/syslog-ng/etc/
[root@server2 etc]# mv syslog-ng.conf.RedHat syslog-ng.conf
[root@server2 etc]# cat syslog-ng.conf
@version: 3.0
options {
    long_hostnames(off);
    log_msg_size(8192);
    flush_lines(1);
    log_fifo_size(20480);
    time_reopen(10);
    use_dns(yes);
    dns_cache(yes);
    use_fqdn(yes);
    keep_hostname(yes);
    chain_hostnames(no);
    perm(0644);
    stats_freq(43200);
};
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };

source s_local {
    unix-dgram("/dev/log");
    file("/proc/kmsg" program_override("kernel: "));
};

# Defines 7 log types
filter f_messages { level(info..emerg); };
filter f_secure { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_emerg { level(emerg); };
filter f_spooler { level(crit..emerg) and facility(uucp, news); };
filter f_local7 { facility(local7); };
# Defines the location of the seven types of logs on the client
destination d_messages { file("/var/log/messages"); };
destination d_secure { file("/var/log/secure"); };
destination d_maillog { file("/var/log/maillog"); };
destination d_cron { file("/var/log/cron"); };
destination d_console { usertty("root"); };
destination d_spooler { file("/var/log/spooler"); };
destination d_bootlog { file("/var/log/dmesg"); };
log { source(s_local); filter(f_emerg); destination(d_console); };
log { source(s_local); filter(f_secure); destination(d_secure); flags(final); };
log { source(s_local); filter(f_mail); destination(d_maillog); flags(final); };
log { source(s_local); filter(f_cron); destination(d_cron); flags(final); };
log { source(s_local); filter(f_spooler); destination(d_spooler); };
log { source(s_local); filter(f_local7); destination(d_bootlog); };
log { source(s_local); filter(f_messages); destination(d_messages); };

# Remote logging: define the listening port
source s_remote {
    tcp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(514));
};
# Define the format, location, and permissions of client logs stored on the server
destination r_console { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_secure { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_cron { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_spooler { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_bootlog { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_messages { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
log { source(s_remote); filter(f_emerg); destination(r_console); };
log { source(s_remote); filter(f_secure); destination(r_secure); flags(final); };
log { source(s_remote); filter(f_cron); destination(r_cron); flags(final); };
log { source(s_remote); filter(f_spooler); destination(r_spooler); };
log { source(s_remote); filter(f_local7); destination(r_bootlog); };
log { source(s_remote); filter(f_messages); destination(r_messages); };
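
A server-side check for the directory layout defined above, added here as an example (not part of the original article). Because the configuration sets keep_hostname(yes), the $HOST path component is taken from the hostname field of the received message, so the script flags host directories that are not in an expected-client list and files whose mode differs from perm(0640). The function names, the allowlist argument and the sample tree are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example: audit the <root>/<YYYYMMDD>/<HOST>/<file> tree created by the
# r_* destinations. Names below are illustrative, not part of syslog-ng.

# audit_log_tree ROOT "host1 host2 ..."
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_log_tree() {
    local root=$1 allowed=" $2 " rc=0 day host name bad
    for day in "$root"/*/; do
        [ -d "$day" ] || continue
        for host in "$day"*/; do
            [ -d "$host" ] || continue
            name=$(basename "$host")
            # $HOST is sender-supplied under keep_hostname(yes): compare it
            # against the clients that are supposed to log to this server.
            case "$allowed" in
                *" $name "*) ;;
                *) echo "UNKNOWN_HOST $(basename "$day")/$name"; rc=1 ;;
            esac
            # Files should carry the perm(0640) set in the r_* destinations.
            bad=$(find "$host" -type f ! -perm 640 | sed 's/^/BAD_PERM /')
            [ -z "$bad" ] || { echo "$bad"; rc=1; }
        done
    done
    return $rc
}

# Builds a small constructed tree in a temp dir and prints its path:
# one expected client with one over-permissive file, one unexpected host.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/20240101/client.example.com" "$root/20240101/db-master"
    : > "$root/20240101/client.example.com/messages"
    : > "$root/20240101/client.example.com/secure"
    : > "$root/20240101/db-master/secure"
    chmod 640 "$root"/20240101/*/*
    chmod 644 "$root/20240101/client.example.com/secure"
    echo "$root"
}

# Usage on the log server (host list is a placeholder for your own clients):
#   audit_log_tree /var/log/syslog-ng "client.example.com"
```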

[root@server2 etc]# chmod +x /etc/init.d/syslog-ng
[root@server2 etc]# chkconfig --add syslog-ng
service syslog-ng does not support chkconfig (if this error occurs, modify the first four lines of the script as follows)
[root@server2 etc]# head -4 /etc/init.d/syslog-ng
#!/bin/bash
# chkconifg: --add syslog-ng
# chkconfig: 2345 12 88
# description: syslog-ng
