Syslog-NG Log Server Installation and Configuration

8109 reads, 2 comments, 2009-01-05, kevinadmin
Category: LINUX

This setup can be combined with a Cacti server, using the Syslog plugin to browse the logs in a web interface.
 
1. Server-side installation and configuration
1. Download the pre-built RPM packages for RHEL from the official syslog-ng website.
I have bundled the required RPMs here.
File: Syslog-NG.rar
Size: 859KB
2. Installation (the server and the client are installed the same way; this refers to Linux clients, Windows clients need separate software)
[root@Kevin syslog]# ls
libdbi8-0.8.2bb2-3.rhel5.i386.rpm  libdbi8-dev-0.8.2bb2-3.rhel5.i386.rpm  libevtlog0-0.2.8-1.i386.rpm  syslog-ng-2.1.3-1.i386.rpm
Install libevtlog
[root@Kevin syslog]# rpm -ivh libevtlog0-0.2.8-1.i386.rpm
Preparing...                ########################################### [100%]
   1:libevtlog0             ########################################### [100%]
Install syslog-ng
[root@Kevin syslog]# rpm -vih libdbi8-0.8.2bb2-3.rhel5.i386.rpm libdbi8-dev-0.8.2bb2-3.rhel5.i386.rpm syslog-ng-2.1.3-1.i386.rpm
warning: libdbi8-0.8.2bb2-3.rhel5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 2aa28252
Preparing...                ########################################### [100%]
   1:libdbi8                ########################################### [ 33%]
   2:libdbi8-dev            ########################################### [ 67%]
   3:syslog-ng              ########################################### [100%]
Shutting down kernel logger: [  OK  ]
Shutting down system logger: [  OK  ]
Starting syslog-ng: [  OK  ]
3. Server-side configuration
[root@Kevin syslog]# cd /etc/syslog-ng
[root@Kevin syslog-ng]# cp syslog-ng.conf syslog-ng.conf.bak
[root@Kevin syslog-ng]# vim syslog-ng.conf  ---this file was already covered separately in an earlier article
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# 20090105
#
#
options {
  sync(0);
  time_reopen(10);
  log_fifo_size(1024);
  long_hostnames(off);
  use_dns(no);
  use_fqdn(no);
  create_dirs(yes);
  keep_hostname(yes);
  };
source s_sys { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };
 
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };
destination d_kernel  { file("/var/log/kern"); };

filter f_filter1     { facility(kern); };
filter f_filter2     { level(info) and
                         not (facility(mail)
                             or facility(authpriv)
                             or facility(cron)
                             or program("kernel")); };
filter f_filter3     { facility(authpriv); };
filter f_filter4     { facility(mail); };
filter f_filter5     { level(emerg); };
filter f_filter6     { facility(uucp) or
                     (facility(news) and level(crit)); };
filter f_filter7     { facility(local7); };
filter f_filter8     { facility(cron); };
filter f_kernel      { level(info) and program("kernel"); };
#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };
log { source(s_sys); filter(f_kernel); destination(d_kernel); };
source net {
        udp();
#       tcp();
};
destination d_mysql {
        pipe("/tmp/mysql.pipe"
         template("INSERT INTO syslog_incoming (host, facility, priority, date, time, message) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$MSG' );\n")
         template-escape(yes)
        );
 };
log { source(net); destination(d_mysql); };
log { source(s_sys); destination(d_mysql); };
# vim: syntax=syslog-ng
 
[root@Kevin syslog-ng]# service syslog-ng restart
Restarting syslog-ng:
Shutting down syslog-ng:                                   [  OK  ]
Starting syslog-ng:                                        [  OK  ]
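The d_mysql destination above writes one INSERT statement per message into /tmp/mysql.pipe, and template-escape(yes) is what keeps quote characters inside $MSG from breaking that statement. The following Python is an added example (not part of the original post or of syslog-ng itself): it parses a constructed RFC 3164 UDP datagram, fills the same template, and shows the escaped and unescaped output side by side. The helper names, the fixed year (RFC 3164 timestamps carry none) and the sample datagram are assumptions made for this example.

```python
"""Added example: render the d_mysql template from the server config for a
syslog datagram, reproducing what template-escape(yes) does to quotes."""
import re
from datetime import datetime

# syslog-ng names for $FACILITY (index = PRI >> 3) and $PRIORITY (PRI & 7);
# names for facilities 12-15 vary between syslog-ng versions
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "security",
              "console", "solaris-cron"] + ["local%d" % i for i in range(8)]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd HH:MM:SS host rest-of-message  (BSD syslog, as sent over UDP/514)
RFC3164 = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def parse_rfc3164(datagram, year=2009):
    """Split a BSD-syslog datagram into the macro values the template uses.
    In syslog-ng 2.x $MSG still includes the program tag, so it is kept."""
    m = RFC3164.match(datagram)
    if not m:
        raise ValueError("not an RFC 3164 datagram")
    pri = int(m.group(1))
    stamp = " ".join(m.group(2).split())          # collapse "Jan  5" padding
    ts = datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")
    return {"HOST": m.group(3), "FACILITY": FACILITIES[pri >> 3],
            "PRIORITY": PRIORITIES[pri & 7], "TS": ts, "MSG": m.group(4)}


def template_escape(value):
    """template-escape(yes): backslash-escape ' " and \\ in every macro value."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def render_mysql_insert(fields, escape=True):
    """Fill the INSERT template of destination d_mysql; escape=False shows the
    statement a quote in an untrusted $MSG would produce without escaping."""
    esc = template_escape if escape else (lambda v: v)
    ts = fields["TS"]
    return ("INSERT INTO syslog_incoming (host, facility, priority, date, time, message) "
            "VALUES ( '%s', '%s', '%s', '%s', '%s', '%s' );" % (
                esc(fields["HOST"]), esc(fields["FACILITY"]), esc(fields["PRIORITY"]),
                ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S"), esc(fields["MSG"])))


if __name__ == "__main__":
    # constructed sample: PRI 38 = auth.info, message text contains a quote
    sample = "<38>Jan  5 10:20:30 web01 sshd[2201]: Accepted password for o'brien from 172.16.16.30"
    parsed = parse_rfc3164(sample)
    print(render_mysql_insert(parsed))                # quote becomes \'
    print(render_mysql_insert(parsed, escape=False))  # quote left as-is
```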
 
2. Client installation and configuration
1. Linux server client installation and configuration
The installation is the same as on the server side, so I will not repeat it here.
Configuration
In /etc/syslog-ng/syslog-ng.conf only three lines need to be added; comment out everything else.
The contents are as follows:
source s_local { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };
destination d_udp { udp("172.16.16.18" port(514)); };
log { source(s_local); destination(d_udp); };
Then restart the syslog-ng service.
Note:
The configuration above leaves no log messages on the local machine, because everything is sent to the log server. If you want to keep a local copy of the logs, add another three lines to the syslog-ng configuration,
as follows:
# s_local is the same source defined above; define it only once in the file
source s_local { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_local); destination(d_syslognglog); };
This way a local copy of the logs is kept as well, saved in /var/log/syslog-ng.log.
 
2. Use the default syslog as a client of syslog-ng. This avoids having to install the syslog-ng software when there are many clients, and the configuration is easier.
[root@Kevin ~]# vim /etc/syslog.conf

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#*.info;mail.none;authpriv.none;cron.none               /var/log/messages
*.info;mail.none;authpriv.none;cron.none                @172.16.16.18
 
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron
cron.*                                                  @172.16.16.18
 
# Everybody gets emergency messages
*.emerg                                                 *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
local7.*                                                @172.16.16.18
 
The lines marked with @ are the ones that send logs to the log server, for example:
cron.*                                                  @172.16.16.18
This line sends the cron logs to the log server at 172.16.16.18.
I did not change the original configuration, so the original logs are still written locally as before, which is convenient for viewing.
After finishing the configuration, restart the syslog service
[root@Kevin syslog-ng]# service syslog restart
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]
 
3. Windows server client configuration
A. Install the syslog-ng agent software: SnareSetup-3.1.3-MultiArch.exe. Why this one? Its configuration is simple and easy to use.
This software was already provided in an earlier article; please download it from there. Thanks~~~
Installation is simple: double-click the exe file, Next, Next. One step asks whether a password is required: use the default snare as both username and password, use a local system account, or create a new account for authentication; that is up to you. Click to finish the installation.
B. Configure Snare
Click Start -- Programs -- InterSect Alliance -- Snare for Windows; this opens a web interface at the address:
By default no password is required; it can be configured to require username and password authentication.
First we configure the log server part, which is also the most important part: if this part is not configured correctly, the log server will not receive any log messages from this machine.
Click on the left: as shown below

SNARE Network Configuration

The following network configuration parameters of the SNARE unit is set to the following values:

Override detected DNS Name with:
Destination Snare Server address
Destination Port
Perform a scan of ALL objectives, and display the maximum criticality?
Allow SNARE to automatically set audit configuration?
Allow SNARE to automatically set file audit configuration?
Export Snare Log data to a file?
Enable active USB auditing?
(This option requires the service to be fully restarted)
Enable SYSLOG Header?
SYSLOG Facility
SYSLOG Priority
 
Destination Snare Server address --- this is the IP address of the log server. Generally do not use a domain name, in case it cannot be resolved.
Destination Port --- this is the port of the log server; the default is usually 514
Allow SNARE to automatically set audit configuration?
Allow SNARE to automatically set file audit configuration?
These two are checked by default.
Enable SYSLOG Header?
SYSLOG Facility
SYSLOG Priority
Enable Syslog Header is generally checked. The two below it are set according to your needs.
After finishing the settings, click Change Configuration below to apply the configuration
 
There is one more important setting: deciding which logs are sent to the log server.
Click on the left again: , as shown below:

SNARE Filtering Objectives Configuration

The following filtering objectives of the SNARE unit are active:

Criticality | Event ID Include/Exclude | Event ID Match               | User Include/Exclude | User Match | General Match | Return                                    | Event Src
Information | Include                  | Logon_Logoff                 | Include              | *          | *             | Success Failure Error Information Warning | Security
Clear       | Include                  | Process_Events               | Include              | *          | cmd.exe       | Success Failure Error Information Warning | Security
Warning     | Include                  | User_Group_Management_Events | Include              | *          | *             | Success Failure Error Information Warning | Security
Information | Include                  | Reboot_Events                | Include              | *          |               | Success Failure                           | Security
Priority    | Include                  | Security_Policy_Events       | Include              | *          |               | Success Failure Error Information Warning | Security
Information | Include                  | *                            | Include              | *          |               | Success Failure Error Information Warning | System Application

 
These objectives depend on your own requirements, so I will not go into them here.
After everything is done, remember to click on the left: to apply all the configuration!
 
Of course Snare has other features too, such as remote control of the agent; explore them yourself, heh.
 
3. Firewall configuration
On the log server, iptables must allow port 514 through, otherwise the server cannot receive the clients' log messages.
Add two rules, as follows:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state -m udp --dport 514 --state NEW -j ACCEPT
 
Usually one rule is enough, namely the second one: log transport generally uses udp, which is somewhat more efficient.
 