Syslog-NG日志服务器安装与配置
此安装配置可与Cacti服务器结合,用Syslog插件功能实现web浏览
一.服务器端安装及配置
1.从syslog-ng的官方网站上下载针对RHEL编译好的rpm包。
我把需要的rpm打了个包放在这里。注意：不管是从官网还是从别处下载，安装前都应该先导入发布者的GPG公钥并用 rpm --checksig 校验签名（下面安装时出现的 NOKEY 警告就是没有导入对应公钥的结果），否则无法确认包在传输途中没有被篡改。
2.安装(服务器跟客户端安装都一样,这里指的是linux客户端,windows客户端需要另外的软件)
[root@Kevin syslog]# ls
libdbi8-0.8.2bb2-3.rhel5.i386.rpm libdbi8-dev-0.8.2bb2-3.rhel5.i386.rpm libevtlog0-0.2.8-1.i386.rpm syslog-ng-2.1.3-1.i386.rpm
安装libevt
[root@Kevin syslog]# rpm -ivh libevtlog0-0.2.8-1.i386.rpm 
Preparing... ########################################### [100%]
1:libevtlog0 ########################################### [100%]
安装syslog-ng
[root@Kevin syslog]# rpm -vih libdbi8-0.8.2bb2-3.rhel5.i386.rpm libdbi8-dev-0.8.2bb2-3.rhel5.i386.rpm syslog-ng-2.1.3-1.i386.rpm 
warning: libdbi8-0.8.2bb2-3.rhel5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 2aa28252
Preparing... ########################################### [100%]
1:libdbi8 ########################################### [ 33%]
2:libdbi8-dev ########################################### [ 67%]
3:syslog-ng ########################################### [100%]
Shutting down kernel logger: [  OK  ]
Shutting down system logger: [ OK ]
Starting syslog-ng: [ OK ]
注意上面的 NOKEY 警告：它表示 rpm 在本机找不到签名这个包所用的公钥（key ID 2aa28252），所以签名根本没有被验证，rpm 只是照样装了下去。正确的做法是先 rpm --import 发布者的公钥，再用 rpm --checksig *.rpm 确认每个包的签名都有效，然后才安装。另外可以看到 syslog-ng 包在安装时会自动停掉原来的 syslogd/klogd 并启动 syslog-ng。
3.服务器端配置
[root@Kevin syslog]# cd /etc/syslog-ng
[root@Kevin syslog-ng]# cp syslog-ng.conf syslog-ng.conf.bak
[root@Kevin syslog-ng]# vim syslog-ng.conf  ---之前的一篇文章里已经有单独说到这个了
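# syslog-ng configuration file -- central log server.
#
# This should behave pretty much like the original syslog on RedHat for
# the local logs, plus two additions for the log-server role: a network
# source that receives messages from the clients, and a destination that
# feeds every message into MySQL through a named pipe (read by the loader
# used with the Cacti syslog plugin; the loader itself is not part of
# this file).
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# 20090105
#

options {
    sync(0);
    time_reopen(10);
    log_fifo_size(1024);
    long_hostnames(off);
    # No DNS lookups on the server: cheaper, and it keeps whoever controls
    # reverse DNS for a client address from writing arbitrary names into
    # the logs.
    use_dns(no);
    use_fqdn(no);
    create_dirs(yes);
    # keep_hostname(yes) stores the hostname exactly as the client put it
    # into the message. Over UDP that field is as unauthenticated as the
    # rest of the message, so treat $HOST as a claim, not as proof of
    # origin; when attributing an event, check it against the peer
    # address as well.
    keep_hostname(yes);
};

# Local sources: kernel ring buffer, /dev/log, and syslog-ng's own messages.
source s_sys { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };

# Local destinations, mirroring the stock RedHat layout.
destination d_cons   { file("/dev/console"); };
destination d_mesg   { file("/var/log/messages"); };
destination d_auth   { file("/var/log/secure"); };
destination d_mail   { file("/var/log/maillog"); };
destination d_spol   { file("/var/log/spooler"); };
destination d_boot   { file("/var/log/boot.log"); };
destination d_cron   { file("/var/log/cron"); };
destination d_mlal   { usertty("*"); };
destination d_kernel { file("/var/log/kern"); };

# Filters. In syslog-ng, level(info) matches ONLY priority info, unlike
# "*.info" in syslog.conf which means info and above. The range
# level(info..emerg) is what reproduces the RedHat behaviour; with the
# single level, warning/err/crit messages would never reach
# /var/log/messages or /var/log/kern.
filter f_filter1 { facility(kern); };
filter f_filter2 { level(info..emerg) and
                   not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)
                        or program("kernel")); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or
                   (facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };
filter f_kernel  { level(info..emerg) and program("kernel"); };

#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };
log { source(s_sys); filter(f_kernel); destination(d_kernel); };

# Network source for the clients. A bare udp() listens on every interface;
# bind it to the address the clients in this article send to
# (172.16.16.18) and use the firewall to limit which hosts may reach
# port 514. UDP syslog is unauthenticated and unencrypted: any host that
# can reach the port can inject messages or forge another client's
# address, and datagrams may be silently lost. Prefer tcp() where the
# clients support it (the stock RHEL syslogd client only speaks UDP).
source net {
    udp(ip("172.16.16.18") port(514));
    # tcp(ip("172.16.16.18") port(514));
};

# Feed messages into MySQL through a named pipe read by an external
# loader (not shown here). template-escape(yes) is what protects the
# INSERT statement against quotes inside $MSG -- message text comes from
# untrusted clients, so never turn it off. Caveat on the path: /tmp is
# world-writable, so if the FIFO does not exist yet (e.g. after /tmp is
# cleaned at boot) a local user can create a file or symlink under this
# name first and capture or divert the log stream. Moving the pipe into a
# root-owned directory such as /var/lib/syslog-ng/ (and pointing the
# loader at the same path) avoids that.
destination d_mysql {
    pipe("/tmp/mysql.pipe"
        template("INSERT INTO syslog_incoming (host, facility, priority, date, time, message) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$MSG' );\n")
        template-escape(yes)
    );
};

# Everything received from the network, and everything local, goes to
# MySQL. Messages from the network are not written to any file here, so
# if the pipe reader or the database is unavailable they may be dropped
# once the output queue (log_fifo_size) fills. For an incident record
# that survives a database problem, consider adding a file() destination
# for source(net) as well, e.g. under /var/log/remote/.
log { source(net); destination(d_mysql); };
log { source(s_sys); destination(d_mysql); };

# vim: syntax=syslog-ng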
[root@Kevin syslog-ng]# service syslog-ng restart
Restarting syslog-ng: 
Shutting down syslog-ng: [ OK ]
Starting syslog-ng: [ OK ]
（服务名是 syslog-ng，不是 syslog-net。修改配置后建议先用 syslog-ng -s 检查语法再重启，避免因配置错误导致日志服务起不来、这段时间的日志全部丢失。）
二.客户端安装及配置
1.linux服务器客户端安装及配置
安装跟服务器端一样的,这里就不多说了.
配置
在/etc/syslog-ng/syslog-ng.conf里只需要加三行就可以了，把其它的全部都注释掉（注意是 syslog-ng.conf，不是 syslog.conf）
内容如下:
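# Client: ship everything (kernel ring buffer, /dev/log, and syslog-ng's
# own messages) to the log server. One log statement is enough; a second
# identical one would deliver every message twice. udp() to port 514 is
# unauthenticated and unencrypted and may drop messages under load or on
# a lossy network; prefer tcp() if the server enables it, and keep a local
# copy as well (see the note below).
source s_local { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };
destination d_udp { udp("172.16.16.18" port(514)); };
log { source(s_local); destination(d_udp); };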
然后再重启syslog-ng服务就可以了.
注意:
上面的配置会导致本地没有任何日志信息了，因为全部都发送到了日志服务器上面。这对排查问题很不利：一旦网络或日志服务器出问题，这台机器上就什么都查不到了，而且 UDP 本身也不保证送达。所以建议在本地保留一份日志，在 syslog-ng.conf 里再加入下面的内容（s_local 上面已经定义过，不需要重复声明）
内容如下:
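# Keep a local copy as well: a host whose only log copy is on a remote
# server has nothing left to investigate if the network or the server is
# down, and UDP forwarding gives no delivery guarantee. s_local is already
# defined above; reuse it instead of declaring it a second time.
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_local); destination(d_syslognglog); };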
这样本地也就有一份日志信息了,保存在/var/log/syslog-ng.log里面.
2.使用默认的syslog做为syslog-ng的客户端,这样可以避免在太多客户端的情况下需要安装syslog-ng软件,而且配置更容易.
[root@Kevin ~]# vim /etc/syslog.conf 
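# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher, both locally and
# to the central log server. "@host" forwards over plain UDP/514: there
# is no delivery guarantee and no encryption, so the local copy stays in
# place for anything that may be needed in an investigation.
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
*.info;mail.none;authpriv.none;cron.none                @172.16.16.18

# The authpriv file has restricted access. Keep the local copy and also
# forward it: login, su/sudo and sshd events are exactly the records a
# central server is most useful for, and the *.info line above excludes
# them (authpriv.none).
authpriv.*                                              /var/log/secure
authpriv.*                                              @172.16.16.18

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff, locally and to the log server.
cron.*                                                  /var/log/cron
cron.*                                                  @172.16.16.18

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log, and to the log server.
local7.*                                                /var/log/boot.log
local7.*                                                @172.16.16.18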
其中有@标识的就是把日志发送到日志服务器的,例如:
cron.*                                                  @172.16.16.18
这一行表示把cron的日志发送到日志服务器172.16.16.18上面去.
原来本地写文件的配置基本没有改动（注意上面把写 /var/log/messages 的那行注释掉了，如果想本地也保留一份 messages，应把它留着），这样日志仍然会写入本地，方便查看。还有一点要注意：*.info 那行带着 authpriv.none，也就是登录、su/sudo、sshd 这类认证日志默认不会被发到日志服务器，而这恰恰是集中保存最有价值的部分，建议再加一行 authpriv.* @172.16.16.18。另外 @ 方式走的是明文 UDP，既没有加密也没有送达保证，所以本地副本一定要保留。
完成配置后重启syslog服务
[root@Kevin syslog-ng]# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
3.windows服务器客户端配置
A.安装syslog-ng代理软件:SnareSetup-3.1.3-MultiArch.exe,为什么用这个呢,这个配置简单易用.
这个软件在之前的一篇文章里就已经有了,请到那里下载.谢谢~~~
安装很简单,双击exe文件,下一步,下一步.其中有一步是问需要不需要密码,是用默认的snare做为用户跟密码还是用本地系统的用户,还是创建一个帐号做为认证,这个就取决于个人了.点击安装完成.
B.配置snare
点击开始--程序--选择InterSect Alliance--snare for windows，之后打开的是一个 web 形式的管理界面（原文此处的地址没有保留下来）。
默认是不需要密码的，可以配置为需要用户名跟密码来认证。因为这个 web 界面可以修改日志的转发目标和审计策略，强烈建议启用密码认证，并且只允许本机或管理网段访问；否则任何能访问到这个端口的人都可以关掉或篡改这台机器的审计配置。
首先我们配置日志服务器这一部分,也是最主要的部分,如果这一部分配置不正确的话,那日志服务器上也就不会有这台机器的日志信息了.
点击左边的: 如下所示
SNARE Network Configuration 
The following network configuration parameters of the SNARE unit is set to the following values:
| Override detected DNS Name with: | |
| Destination Snare Server address | |
| Destination Port | |
| Perform a scan of ALL objectives, and display the maximum criticality? | |
| Allow SNARE to automatically set audit configuration? | |
| Allow SNARE to automatically set file audit configuration? | |
| Export Snare Log data to a file? | |
| Enable active USB auditing? (This option requires the service to be fully restarted) | |
| Enable SYSLOG Header? | |
| SYSLOG Facility | |
| SYSLOG Priority | 
Destination Snare Server address ---这个就是日志服务器的IP地址了。一般直接填IP不用域名，怕解析不到；而且填IP也避免了有人通过篡改DNS把日志引到别的机器上。
Destination Port --- 这个就是日志服务器的端口了 一般默认是514
| Destination Snare Server address | |
| Destination Port | 
| Allow SNARE to automatically set audit configuration? | |
| Allow SNARE to automatically set file audit configuration? | 
| Enable SYSLOG Header? | |
| SYSLOG Facility | |
| SYSLOG Priority | 
Enable Syslog Header一般把勾打上，这样发出去的消息带有标准的 syslog 头，服务器端才能按 facility 和级别正确过滤和归类。下面两个（SYSLOG Facility / Priority）就根据你的需要来设置了。
设置完成后再点下面的 Change Configureation 应用配置
还有一个重要的配置,那就是决定把什么样的日志发送到日志服务器呢?
再点左边的:,如下所示: 
The following filtering objectives of the SNARE unit are active:
Select this button to add a new objective.
SNARE Filtering Objectives Configuration
The following filtering objectives of the SNARE unit are active:
| Action Required | Criticality | Event ID Include/Exclude | Event ID Match | User Include/Exclude | User Match | General Match | Return | Event Src | 
| Information | Include | Logon_Logoff | Include | * | * | Success Failure Error Information Warning | Security | |
| Clear | Include | Process_Events | Include | * | cmd.exe | Success Failure Error Information Warning | Security | |
| Warning | Include | User_Group_Management_Events | Include | * | * | Success Failure Error Information Warning | Security | |
| Information | Include | Reboot_Events | Include | * | Success Failure | Security | ||
| Priority | Include | Security_Policy_Events | Include | * | Success Failure Error Information Warning | Security | ||
| Information | Include | * | Include | * | Success Failure Error Information Warning | System Application | 
Select this button to add a new objective.
这个修改就要看个人的需求是什么样的了,我这里就不多说了.
全部完成后记得点左边的: 来应用所有的配置!
当然Snare还有其它的功能,比如远程操控这个代理软件,自己多摸索吧 呵呵 .
三、防火墙配置
在日志服务器上要让iptables允许514端口通过,不然服务器无法接收到客户端的日志信息。
加两条规则,如下:
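# Log server: accept syslog on port 514. Only the UDP rule is needed for
# the "source net { udp(); }" above and for the stock syslogd clients;
# the TCP rule is only needed if tcp() is enabled in syslog-ng.conf.
# Restrict both to the networks the clients live in by adding
# "-s <client-subnet>" before --dport: as written, any host that can reach
# this port can inject or spoof log messages (UDP source addresses are
# trivially forged).
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT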
一般一条就够了，那就是第二条（UDP），因为服务器端 syslog-ng.conf 里只启用了 udp()，默认的 syslogd 客户端也只会用 UDP 发送；只有在服务器端启用了 tcp() 时才需要第一条。但要清楚 UDP 的代价：没有送达保证（网络或日志服务器繁忙时会悄悄丢日志），源地址也很容易伪造，所以最好在规则里加上 -s 限制只允许客户端所在的网段访问 514 端口，不要对所有来源开放。
