my syslog-ng.conf

# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett

options {
    chain_hostnames(off);
    sync(0);
    # The default action of syslog-ng 1.6.0 is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

# mcelog
filter mcelog { program("mcelog"); };
destination mcelog { file("/var/log/mcelog"); };
log { source(src); filter(mcelog); destination(mcelog); };

# dhcpd
filter dhcpd { program("dhcpd"); };
destination dhcpd { file("/var/log/dhcpd"); };
log { source(src); filter(dhcpd); destination(dhcpd); };

# postfix
#filter postfix { facility(mail) or match("postfix"); };
filter mail { facility(mail); };
destination mail { file("/var/log/maillog"); };
log { source(src); filter(mail); destination(mail); };

# cron
filter cron { facility(cron); };
destination cron { file("/var/log/cron"); };
log { source(src); filter(cron); destination(cron); };

# sshd, su
#filter secure { facility(auth,authpriv) or program("sshd"); };
filter secure { facility(auth,authpriv); };
destination secure { file("/var/log/secure"); };
log { source(src); filter(secure); destination(secure); };

# syslog-ng
filter syslog { facility(syslog); };
destination syslog { file("/var/log/syslog"); };
log { source(src); filter(syslog); destination(syslog); };

# message log
filter messages {
    not filter(cron) and not filter(mail) and not filter(dhcpd)
    and not filter(secure) and not filter(syslog);
};
destination messages { file("/var/log/messages"); };
log { source(src); filter(messages); destination(messages); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };
log { source(src); destination(console_all); };
syslog-ng howto
syslog-ng log server installation notes

What makes syslog-ng special

Regularly checking system events is an important detail of system administration that is easily neglected, because most of what system logs carry is unimportant and drowns out the warnings that matter.

As its name suggests, syslog-ng is the next-generation replacement for syslogd. The original syslog can only classify messages by priority and facility; syslog-ng can classify by log content using regular expressions and define custom handling for each class, supports sending logs to a remote server over tcp/udp, can notify administrators who are logged in in real time, and can even feed log lines to a program's standard input so the logs are processed and analysed directly.

syslog-ng applications and examples

Every syslog-ng message path is edited in syslog-ng.conf. A message path can combine several sources, several filter rules and several destinations, all processed in parallel. Generally, apart from its classification features, the main reason to adopt syslog-ng is its networking: as mentioned, syslog-ng can send logs over tcp or udp to a remote server for centralised monitoring.

Let us assume a scenario: we want to collect the logs of several servers providing network services on one server. Logs carrying a specific facility code or priority should be kept locally, and every collected log should be sent to the log server for classification and storage. The original syslog cannot do all of this, so we must install syslog-ng on every server, each sending over tcp to the log server, whose syslog-ng.conf follows the server.conf example below. The full set of syslog-ng config parameters is of course much larger; when designing a real system, read the reference manual on the official site (http://www.balabit.hu/static/syslog-ng/ ... book1.html).
server.conf

# Set options; syntax: options { S1 ; S2 ; S3 … };
# options are the settings shared by the whole configuration
options {
    use_fqdn(yes); keep_hostname(yes); use_dns(yes); long_hostnames(off);
    sync(3); log_fifo_size(300);
};

# Set input sources; syntax: source source_name { S1 ; S2 ; … };
# internal() represents the logs generated on the local host (syslog-ng's own messages)
# unix-stream("/dev/log") is the local log socket; this host is Linux, on BSD use
# unix-dgram instead. It opens an AF_UNIX socket and reads messages from that file.
# Collect local logs plus the logs arriving on 192.168.0.100 port 514. Note that ip()
# in a tcp() source is the address this log server listens on, so it must be one of
# its own reachable interface addresses, not a loopback address.
# keep-alive(yes/no) decides whether connections stay open until a SIGHUP is received
source src { unix-stream("/dev/log"); internal(); };
source remote { tcp(ip("192.168.0.100") port(514) keep-alive(yes)); };

# Set output destinations; syntax: destination destination_name { S1 ; S2 ; … };
# file("path"): store as a file on the local host
# usertty("user_name"): notify a specific logged-in user in real time
destination lpr { file("/var/log/lpr.log"); };
destination mail { file("/var/log/mail.log"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };

# Set filter conditions: filter filter_name { expression; }; the expression joins
# individual conditions with and, or and not
# facility(string1,string2): select logs whose facility is string1 or string2
# level(S1..S2..S3) or priority(S1..S2..S3): select logs at one of these levels
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_messages { level(info..emerg) and not facility(mail,lpr); };
filter f_emergency { level(emerg); };

###############################################################
# Combine the configured sources, filters and destinations as required
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
###############################################################
# Store every received log in a directory per host and a file per facility code,
# and set the owner, group, file permission and directory permission
destination hosts {
    file("/var/log/HOSTS/$HOST/$FACILITY" owner(root) group(root) perm(0600)
         dir_perm(0700) create_dirs(yes));
};
log { source(remote); destination(hosts); };
###############################################################
In addition, we must replace /etc/logrotate.d/syslog with the following syslog-ng entry:

/var/log/lpr.log {
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd-ng.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
/var/log/mail.log {
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd-ng.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
/var/log/messages {
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd-ng.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
/var/log/lastlog {
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd-ng.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
Finally, start syslog-ng!
#/etc/rc.d/init.d/syslog-ng start

Integrating with a database

(1) If we want to store logs in a database, we must first set up the database server (here we choose mysql) and write a syslog.sql that creates the database and table:
CREATE DATABASE syslog;
USE syslog;
CREATE TABLE logs (
    host varchar(32) default NULL,
    facility varchar(10) default NULL,
    priority varchar(10) default NULL,
    level varchar(10) default NULL,
    tag varchar(10) default NULL,
    date date default NULL,
    time time default NULL,
    program varchar(15) default NULL,
    msg text,
    seq int(10) unsigned NOT NULL auto_increment,
    PRIMARY KEY (seq),
    KEY host (host),
    KEY seq (seq),
    KEY program (program),
    KEY time (time),
    KEY date (date),
    KEY priority (priority),
    KEY facility (facility)
) ENGINE=MyISAM;  -- the older TYPE=MyISAM spelling is no longer accepted by MySQL 5.5 and later
Then run mysql -u root -p < syslog.sql.

(1) Run mkfifo /tmp/mysql.pipe
(2) Run mysql -u root --password=passwd syslog < /tmp/mysql.pipe
(3) Finally, we must add the following to syslog-ng.conf:
destination d_mysql {
    pipe("/tmp/mysql.pipe"
         template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
         template-escape(yes));
};
# feed both the local and the remote source defined above into the database
log { source(src); source(remote); destination(d_mysql); };
(4) Restart syslog-ng
/etc/init.d/syslog-ng stop # Stop syslog-ng
/etc/init.d/syslog-ng start # Start syslog-ng
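To see what template-escape(yes) in the d_mysql destination protects against, here is an added Python model (not syslog-ng's own code) of the template expansion above: it renders the INSERT with and without the escaping syslog-ng applies, then reads the quoted literals back out the way the SQL server would, on a constructed sshd message whose text contains an apostrophe.

```python
import re

# The d_mysql template from the configuration above (trailing "\n" omitted).
TEMPLATE = ("INSERT INTO logs (host, facility, priority, level, tag, date, time, "
            "program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', "
            "'$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );")

def template_escape(value):
    """What template-escape(yes) does to each macro value: prefix \\, ' and " with \\."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def render(msg, escape=True):
    """Expand every $MACRO in TEMPLATE from the dict msg, escaped or not."""
    def sub(m):
        value = msg[m.group(1)]
        return template_escape(value) if escape else value
    return re.sub(r"\$([A-Z]+)", sub, TEMPLATE)

def parse_literals(sql):
    """Read the single-quoted literals back out of the statement the way an SQL
    parser would, honouring backslash escapes; returns the list of values."""
    values, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] == "'":
            i += 1
            buf = []
            while i < n and sql[i] != "'":
                if sql[i] == "\\" and i + 1 < n:
                    i += 1            # take the escaped character literally
                buf.append(sql[i])
                i += 1
            values.append("".join(buf))
        i += 1
    return values

# Constructed sample message; the apostrophe in $MSG is the interesting part.
SAMPLE = {"HOST": "web1", "FACILITY": "auth", "PRIORITY": "notice", "LEVEL": "notice",
          "TAG": "25", "YEAR": "2005", "MONTH": "03", "DAY": "14", "HOUR": "10",
          "MIN": "02", "SEC": "33", "PROGRAM": "sshd",
          "MSG": "Accepted password for user o'brien from 192.0.2.7 port 51022"}

if __name__ == "__main__":
    for esc in (True, False):
        vals = parse_literals(render(SAMPLE, escape=esc))
        print(f"escape={esc}: {len(vals)} literals, last={vals[-1]!r}")
```

With escaping the statement yields the nine values the table expects and the message survives intact; without it the apostrophe ends the msg literal early and the rest of the line is read as SQL text.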
syslog(d) howto
syslog Overview
The standard UNIX syslog facilities are
kern – kernel
user – application or user processes (this is the default if the application sending a message does not specify the facility)
mail/news/UUCP/cron – electronic mail/NNTP/UUCP/cron subsystems
daemon – system daemons
auth – authentication and authorization related commands
lpr – line printer spooling subsystem
mark – inserts timestamp into log data at regular intervals
local0-local7 – 8 facilities for customized auditing
syslog – internal messages generated by syslog itself
authpriv – non-system authorization messages
* – on most versions of UNIX, refers to all facilities except mark
syslog levels are nominally defined as:
emerg – system is or will be unusable if situation is not resolved
alert – immediate action required
crit – critical situations
warning – recoverable errors
notice – unusual situation that merits investigation; a significant event that is typically part of normal day-to-day operation
info – informational messages
debug – verbose data for debugging
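As an added example (not from the original post), the following Python decodes the PRI prefix of raw syslog lines into the facility and level names listed above and then applies the f_lpr, f_mail, f_messages and f_emergency filters from server.conf to show where each constructed message would be routed. The numeric codes follow RFC 3164, so the table also includes "err", which the level list above omits.

```python
import re

# Facility codes 0-23 per RFC 3164; the list above names 0-10 and 16-23,
# slots 11-15 are the RFC's ftp, ntp, log audit, log alert and clock daemon.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "log-audit", "log-alert",
              "clock"] + [f"local{i}" for i in range(8)]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")

def decode_pri(line):
    """Return (facility, level, rest) for a '<PRI>...' line; PRI = facility*8 + level."""
    m = PRI_RE.match(line.rstrip("\n"))
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    pri = int(m.group(1))
    return FACILITIES[pri // 8], LEVELS[pri % 8], m.group(2)

def level_in_range(level, a, b):
    """syslog-ng level(a..b): every level between the two bounds, inclusive."""
    lo, hi = sorted((LEVELS.index(a), LEVELS.index(b)))
    return lo <= LEVELS.index(level) <= hi

def route(line):
    """Apply server.conf's filters; return the destinations the line reaches."""
    fac, lvl, _ = decode_pri(line)
    dests = []
    if fac == "lpr":                                          # filter f_lpr
        dests.append("lpr")
    if fac == "mail":                                         # filter f_mail
        dests.append("mail")
    if level_in_range(lvl, "info", "emerg") and fac not in ("mail", "lpr"):
        dests.append("messages")                              # filter f_messages
    if lvl == "emerg":                                        # filter f_emergency
        dests.append("console")
    return dests

# Constructed sample lines (PRI = facility*8 + level):
SAMPLES = [
    "<34>Mar 14 10:02:33 web1 su: pam_unix(su:auth): authentication failure",  # auth.crit
    "<22>Mar 14 10:02:34 web1 postfix/smtpd[811]: connect from mx.example",   # mail.info
    "<0>Mar 14 10:02:35 web1 kernel: Kernel panic - not syncing",             # kern.emerg
    "<55>Mar 14 10:02:36 web1 lpd[920]: printer lp0 offline",                 # lpr.debug
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(decode_pri(s)[:2], "->", route(s))
```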