Environment:
Log collection server: syslog-ng V3.3.7
Tomcat client: syslog + tomcat
Interfering components:
1. For ease of debugging, stop the firewall and SELinux.
# service iptables stop          // stop the firewall
# chkconfig iptables off         // do not start it at boot
# service iptables status        // check the firewall state
The firewall is now stopped.
2. Change SELINUX=enforcing to SELINUX=disabled
# vi /etc/selinux/config
# setenforce 0                   // disable it temporarily (until reboot)
# /usr/sbin/sestatus -v          // check the SELinux state
It is now disabled.
3. rsyslog is installed by default and will conflict on port 514; either uninstall it or disable it. Here it is disabled.
# chkconfig rsyslog off          /// do not start at boot
# service rsyslog stop           /// stop rsyslog
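Before starting syslog-ng it is worth confirming that port 514 is really free on both transports the server will listen on, since a still-running rsyslog (or anything else holding the port) makes the later service start fail. The following is an added Python pre-flight check, not part of the original post and not syslog-ng code; the port, address and protocol names are its own parameters. It distinguishes "in use" from "not permitted" so that running it as a non-root user (ports below 1024 need root to bind) does not silently report a wrong answer.

```python
"""Added example (not part of the original post): check whether the syslog
listener port is free before syslog-ng is started."""
import errno
import socket


def port_is_free(port, proto="udp", address="0.0.0.0"):
    """Return True if we can bind `port`, False if another process holds it.

    EADDRINUSE means something (for example rsyslog) is still listening.
    Any other OSError, notably EACCES when a non-root user tries a port
    below 1024, is re-raised rather than turned into a misleading False."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    sock = socket.socket(socket.AF_INET, kind)
    try:
        sock.bind((address, port))
        return True
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return False
        raise
    finally:
        sock.close()


def syslog_port_status(port=514, address="0.0.0.0"):
    """Status of both transports the s_src source listens on (udp and tcp)."""
    return {proto: port_is_free(port, proto, address) for proto in ("udp", "tcp")}


if __name__ == "__main__":
    for proto, free in syslog_port_status().items():
        state = "free" if free else "IN USE (is rsyslog still running?)"
        print("%s/514: %s" % (proto, state))
```

Run it as root right after stopping rsyslog; both lines should read "free". If one reads "IN USE", find the holder with "netstat -lnp | grep 514" before continuing.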
Installing syslog-ng:
Method 1: install directly with yum
# yum install -y syslog-ng
The global configuration is then in /etc/syslog-ng/syslog-ng.conf.
Method 1 is not recommended for newcomers, because you learn nothing about the process.
Method 2: manual install (the following steps must be performed in this order; there are dependencies)
Install the build environment
# yum install -y gcc gcc-c++ pcre libcurl libcurl-devel gmodule gthread glib2-devel
1. Install eventlog
# tar -zxvf eventlog_0.2.12.tar.gz
# cd eventlog-0.2.12
# ./configure --prefix=/usr/local/eventlog
# make && make install
2. Install libol
# tar -zxvf libol-0.3.18.tar.gz
# cd libol-0.3.18
# ./configure --prefix=/usr/local/libol
# make && make install
3. Install syslog-ng
# vi /etc/profile                // set the environment variable so configure can find eventlog's pkg-config file
export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig/
# source /etc/profile            // apply it to the current shell before running configure
// start the install
# tar -zxvf syslog-ng_3.3.7.tar.gz
# cd syslog-ng-3.3.7
# ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol/
# make && make install
4. Configure syslog-ng
Explanation: a log message is processed roughly as follows:
first the "log source: source s_name { ... };"
then the "filter rule: filter f_name { ... };"
then the "log path (the part that executes): log { source(s_name); filter(f_name); destination(d_name); };"
and finally the "destination action: destination d_name { ... };"
That is the order in which the steps happen, but in the configuration file the "destination" is declared before the "log path", just like declarations in programming: a name must be declared before it is used.
The global configuration is in /usr/local/syslog-ng/etc/syslog-ng.conf
@version:3.3.5
options {
    # maximum size of a log message (bytes)
    log_msg_size(8192);
    # how many lines to send to a destination at once; 0 sends each message as soon as it arrives
    flush_lines(1);
    # number of lines in the output queue
    log_fifo_size(20480);
    # seconds to wait before reconnecting a dead connection
    time_reopen(10);
    # enable DNS lookups
    use_dns(yes);
    # enable the DNS cache
    dns_cache(yes);
    # use fully qualified domain names
    use_fqdn(yes);
    # keep the host name carried in the log message
    keep_hostname(yes);
    # hostname chaining; useful when logs are relayed across several network segments
    chain_hostnames(no);
    # create the target directory when it does not exist
    create_dirs(yes);
    # file permissions, again in octal notation
    perm(0644);
    # interval in seconds between the two STATS messages (statistics about dropped messages); 0 disables them
    stats_freq(43200);
};

# messages generated by syslog-ng itself
source s_internal { internal(); };
source s_local {
    unix-stream("/dev/log" max-connections(50));
    file("/proc/kmsg" program_override("kernel: "));
};
# log source: the local machine's UDP and TCP port 514
source s_src {
    tcp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(514));
};

filter f_cron { facility(cron); };
filter f_console { facility(kern); };
filter f_bootlog { facility(local7); };
filter f_messages { level(info) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_secure { facility(authpriv); };
filter f_spooler { facility(uucp) or (facility(news) and level(crit)); };
filter f_local6 { facility(mail); };
filter f_local4 { facility(local4); };
filter f_catalina { facility(local5); };

destination d_syslognglog { file("/var/log/syslog-ng.log"); };
destination d_loc_messages { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/loc_messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination d_messages { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination d_local7 { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/local7" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination d_localhost_access_log { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/tomcat-access" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination d_local6 { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/local6" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination d_console { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination d_secure { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination d_cron { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination d_spooler { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination d_bootlog { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination d_syslog { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/syslog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination d_catalina { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/catalina.out" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination d_local4 { file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/localhost.log" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };

log { source(s_internal); destination(d_syslognglog); };
log { source(s_local); destination(d_loc_messages); };
log { source(s_src); filter(f_messages); destination(d_messages); };
log { source(s_src); filter(f_console); destination(d_console); };
log { source(s_src); filter(f_secure); destination(d_secure); };
log { source(s_src); filter(f_cron); destination(d_cron); };
log { source(s_src); filter(f_spooler); destination(d_spooler); };
log { source(s_src); filter(f_bootlog); destination(d_bootlog); };
log { source(s_src); filter(f_bootlog); destination(d_local7); };
log { source(s_src); filter(f_local6); destination(d_local6); };
# no filter here: every message received on s_src is also written to tomcat-access
log { source(s_src); destination(d_localhost_access_log); };
log { source(s_src); filter(f_catalina); destination(d_catalina); };
log { source(s_src); filter(f_local4); destination(d_local4); };
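To make the source / filter / log / destination flow described above and the filters in this configuration concrete, here is an added Python model (not part of the original post and not syslog-ng code). It builds an RFC 3164 line the way a syslog client on the Tomcat host would send a local5.info message, decodes the PRI field back into facility and severity, evaluates the same filter predicates and s_src log statements as the configuration, expands the $YEAR$MONTH$DAY/$HOST file template, and finally pushes the line over UDP to a loopback receiver to show the transport the s_src source listens on. Two details are modelled on purpose: in syslog-ng, level(info) matches only the info level (a range would be written level(info..emerg)), and with keep_hostname(yes) the $HOST directory name is taken from the message header rather than from the sender's address, so the model refuses a hostname that cannot safely be a directory component. That allow-list, the sample hostnames, the fixed date and the message text are the example's own assumptions.

```python
"""Added example (not part of the original post): a small model of how the
configuration above routes one message. A client encodes facility and
severity into PRI; syslog-ng decodes it, evaluates the filters, and expands
the file template of every matching log statement."""
import datetime
import re
import socket

# RFC 3164 codes: PRI = facility * 8 + severity
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}

LOG_ROOT = "/var/log/syslog-ng"
# With keep_hostname(yes) $HOST is whatever the message header says, and it
# becomes a directory name. This allow-list is the example's own precaution,
# not something syslog-ng applies.
SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")
PRI_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

# The configuration's filters. syslog-ng's level(x) matches exactly level x.
FILTERS = {
    "f_messages": lambda m: m["severity"] == SEVERITIES["info"]
                  and m["facility"] not in ("mail", "authpriv", "cron"),
    "f_console":  lambda m: m["facility"] == "kern",
    "f_secure":   lambda m: m["facility"] == "authpriv",
    "f_cron":     lambda m: m["facility"] == "cron",
    "f_spooler":  lambda m: m["facility"] == "uucp"
                  or (m["facility"] == "news" and m["severity"] == SEVERITIES["crit"]),
    "f_bootlog":  lambda m: m["facility"] == "local7",
    "f_local6":   lambda m: m["facility"] == "mail",
    "f_catalina": lambda m: m["facility"] == "local5",
    "f_local4":   lambda m: m["facility"] == "local4",
}
# The log statements reading from s_src, in configuration order:
# (filter name or None when unfiltered, file name under $YEAR$MONTH$DAY/$HOST/)
LOG_PATHS = [("f_messages", "messages"), ("f_console", "console"),
             ("f_secure", "secure"), ("f_cron", "cron"),
             ("f_spooler", "spooler"), ("f_bootlog", "bootlog"),
             ("f_bootlog", "local7"), ("f_local6", "local6"),
             (None, "tomcat-access"),  # unfiltered: every message lands here too
             ("f_catalina", "catalina.out"), ("f_local4", "localhost.log")]


def encode_pri(facility, severity):
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, host, tag, text, when=None):
    """Format an RFC 3164 line as a syslog client would (constructed sample)."""
    when = when or datetime.datetime(2014, 1, 15, 10, 30, 0)
    stamp = when.strftime("%b %d %H:%M:%S")
    return "<%d>%s %s %s: %s" % (encode_pri(facility, severity), stamp, host, tag, text)


def parse_message(line):
    """Decode PRI, host and text from an RFC 3164 line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    pri = int(m.group(1))
    return {"facility": FACILITY_NAMES.get(pri // 8, "unknown"),
            "severity": pri % 8, "host": m.group(3), "msg": m.group(4)}


def route(line, day=datetime.date(2014, 1, 15)):
    """Files the configuration above would append this line to.

    `day` stands in for the message timestamp that feeds $YEAR$MONTH$DAY
    (an RFC 3164 header carries no year, so it is passed explicitly)."""
    msg = parse_message(line)
    if not SAFE_HOST.match(msg["host"]):
        raise ValueError("refusing hostname %r as a path component" % msg["host"])
    prefix = "%s/%s/%s" % (LOG_ROOT, day.strftime("%Y%m%d"), msg["host"])
    return [prefix + "/" + name for flt, name in LOG_PATHS
            if flt is None or FILTERS[flt](msg)]


def loopback_roundtrip(line):
    """Send `line` over UDP as the client reaches s_src on port 514, here to a
    throwaway loopback receiver, and return what arrived."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(5)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(line.encode("utf-8"), rx.getsockname())
        data, _ = rx.recvfrom(8192)
        return data.decode("utf-8")
    finally:
        tx.close()
        rx.close()


if __name__ == "__main__":
    line = build_message("local5", "info", "tomcat01", "tomcat", "Server startup in 1234 ms")
    print(loopback_roundtrip(line))
    for path in route(line):
        print("  ->", path)
```

For the local5.info sample the model reports three files: messages (f_messages accepts any info-level message outside mail/authpriv/cron), tomcat-access (the unfiltered log statement) and catalina.out (f_catalina). If Tomcat output is meant to go only to catalina.out, the unfiltered log statement for d_localhost_access_log needs a filter of its own.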
5. Add it as a system service
# vim /etc/init.d/syslog-ng      # create the syslog-ng file with the following contents

#!/bin/bash
#
# chkconfig: - 60 27
# description: syslog-ng SysV script.

. /etc/rc.d/init.d/functions

syslog_ng=/usr/local/syslog-ng/sbin/syslog-ng
prog=syslog-ng
pidfile=/usr/local/syslog-ng/var/syslog-ng.pid
lockfile=/usr/local/syslog-ng/var/syslog-ng.lock
# make the daemon write the same pid file this script reads, so stop/status find it
OPTIONS="--pidfile=$pidfile"
RETVAL=0
STOP_TIMEOUT=${STOP_TIMEOUT-10}

start() {
    echo -n $"Starting $prog: "
    daemon --pidfile=$pidfile $syslog_ng $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc -p $pidfile -d $STOP_TIMEOUT $syslog_ng
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f $lockfile $pidfile
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status -p $pidfile $syslog_ng
        RETVAL=$?
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|status}"
        RETVAL=2
        ;;
esac
exit $RETVAL
Add it to the boot sequence:
# chmod a+x /etc/init.d/syslog-ng    // make the syslog-ng script executable
# killall syslogd                    // stop any running syslogd
# chkconfig --add syslog-ng
# chkconfig syslog-ng on
# service syslog-ng start            // start syslog-ng
References: