syslog-ng日志收集分析服务搭建及配置:
2、网上下载eventlog_0.2.12.tar.gz、libol-0.3.18.tar.gz、syslog-ng_3.3.5.tar.gz三个软件(下载后先核对官方提供的校验和或签名,再解压编译);
2、解压及安装服务端:
[root@localhost tools]# tar xf eventlog_0.2.12.tar.gz
[root@localhost tools]# cd eventlog-0.2.12/
[root@localhost eventlog-0.2.12]# yum -y install gcc*
[root@localhost eventlog-0.2.12]# ./configure --prefix=/usr/local/eventlog
[root@localhost eventlog-0.2.12]# make &&make install
[root@localhost tools]# tar xf libol-0.3.18.tar.gz
[root@localhost tools]# cd libol-0.3.18
[root@localhost libol-0.3.18]# ./configure --prefix=/usr/local/libol
[root@localhost libol-0.3.18]# make &&make install
[root@localhost tools]# tar xf syslog-ng_3.3.5.tar.gz
[root@localhost tools]# cd syslog-ng-3.3.5/
[root@localhost syslog-ng-3.3.5]# export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig ##设置环境变量,不然安装不成功;
[root@localhost syslog-ng-3.3.5]# yum -y install glib* ##可能会需要安装glib依赖包;
[root@localhost syslog-ng-3.3.5]# ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol/
[root@localhost syslog-ng-3.3.5]# make &&make install
[root@localhost syslog-ng-3.3.5]# cp contrib/init.d.RedHat /etc/init.d/syslog-ng ##拷贝启动的文件;
[root@localhost syslog-ng-3.3.5]# chmod +x /etc/init.d/syslog-ng
[root@localhost etc]# vim /etc/init.d/syslog-ng ##编辑启动文件,修改下面三行;
INIT_PROG="/usr/local/syslog-ng/sbin/syslog-ng"
INIT_OPTS="-f /usr/local/syslog-ng/etc/syslog-ng.conf"
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/syslog-ng/bin:/usr/local/syslog-ng/sbin ##把 syslog-ng 的 bin、sbin 目录加入 PATH(执行权限由上面的 chmod +x 给予);
[root@localhost syslog-ng-3.3.5]# cd /usr/local/syslog-ng/etc/
[root@localhost etc]# cp syslog-ng.conf syslog-ng.conf.bak ##把配置文件做个备份;
[root@localhost etc]# vim syslog-ng.conf
#############################################################################
## Default syslog-ng.conf file which collects all local logs into a
## single file called /var/log/messages.
## (Server side. The stock header above is left over; this file has been
## edited to receive logs over the network and write them under
## /data/log/syslog-ng.)
@version: 3.3
@include "scl.conf"
# Local sources: this host's own logs plus syslog-ng's internal messages.
# NOTE(review): s_local is defined but no log{} statement in this file uses
# it, so local and internal messages are not written anywhere by this config.
source s_local {
system();
internal();
};
options {
flush_lines(10);
flush-timeout(5000);
log-fifo-size(100000);
chain-hostnames(no);
# persist_only: names are resolved only from the local persistent source
# (/etc/hosts), no live DNS lookups per message.
use-dns(persist_only);
use-fqdn(no);
create-dirs(yes);
# The timestamp carried in the message is kept instead of the receive time;
# the date macros used in d_file below therefore come from the sender.
keep-timestamp(yes);
};
# Listener on every interface, TCP and UDP 514, clear text, no sender
# restriction: any host that can reach this port can submit messages.
# Limit exposure with a host firewall or a specific ip(), and consider a
# tls()-wrapped tcp() source when the logs cross an untrusted network.
source s_network {
tcp(ip(0.0.0.0) port(514));
udp(ip(0.0.0.0) port(514));
};
filter f_111 {
level(info..emerg);
# host() matches the HOST field of the message. Whether that is the
# sender's address or the hostname the client wrote into the message depends
# on keep-hostname() (not set here) — TODO confirm before relying on this
# filter as an authorization check.
host("x.x.x.x"); ## address of the log source to filter on
# Both patterns must match in the message body.
message("dept=222") and message("task"); ## message content to filter on
};
destination d_file {
# One directory per minute, created on demand. With keep-timestamp(yes)
# above, $YEAR..$MIN are taken from the message's own timestamp; the
# R_YEAR..R_MIN macros give the receive time instead — TODO confirm which
# is wanted.
file("/data/log/syslog-ng/222/$YEAR$MONTH$DAY$HOUR$MIN/222-task.log" create_dirs(yes));
};
# Network messages that pass f_111 are written to d_file.
log {
source(s_network);
filter(f_111);
destination(d_file);
};
3、安装客户端:
安装方法和上面的一样,就是配置文件不一样;
[root@localhost etc]# vim syslog-ng.conf ##客户端配置文件;
@version:3.3
options {
# Longest message accepted, in bytes.
log_msg_size(16384);
# Write each message immediately (no batching), at the cost of more I/O.
flush_lines(1);
log_fifo_size(1000000);
# Seconds to wait before reconnecting a dropped destination (the server).
time_reopen(10);
use_dns(no);
dns_cache(yes);
use_fqdn(yes);
# A hostname already present in a message is kept as-is.
keep_hostname(yes);
check_hostname(yes);
create_dirs(yes);
dir_perm(0755);
perm(0644);
# Emit internal statistics every 1800 s.
stats_freq(1800);
};
# syslog-ng's own messages go to a local file.
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };
# The application log to ship. no-parse stores each line verbatim as the
# message body (no syslog header parsing); the file is polled every second.
source game_local {
file("/data/log/act.log" follow_freq(1) flags(no-parse)); ## path of the log source on the client side
};
#destination d_game_local {file("/data/log/$YEAR$MONTH$DAY/act.log" perm(0644) dir_perm(0755) create_dirs(yes));};
# Plain TCP to the server on 514: log contents cross the network
# unencrypted and unauthenticated; prefer tcp(... tls(...)) on both ends
# if that matters. While the server is unreachable, messages queue in the
# log_fifo_size buffer and reconnection is retried every time_reopen seconds.
destination d_game_remote {tcp("x.x.x.x" port(514));}; ## server IP address and port
# NOTE(review): the disabled log path below names s_game_local, which does
# not exist; the source above is game_local.
##log {source(s_game_local);destination(d_game_local);};
log {source(game_local);destination(d_game_remote);}; ## the one active log path: the source and destination defined above, shipped to the server
[root@localhost etc]# /etc/init.d/syslog-ng restart
Stopping Kernel Logger: [ OK ]
Starting Kernel Logger: [ OK ]
4、测试:
从别的地方导入一份文件act1.log到客户端,改名为act.log测试:
[root@localhost log]# cat act1.log >>act.log
服务端查看:
[root@localhost ~]# ls /data/log/
syslog-ng
[root@localhost ~]# ls /data/log/syslog-ng/
222
[root@localhost ~]# ls /data/log/syslog-ng/game2/
20170214
[root@localhost ~]# ls /data/log/syslog-ng/game2/20170214/
222-task.log