Setting up and configuring a syslog-ng log collection and analysis service:
1. Download the three packages eventlog_0.2.12.tar.gz, libol-0.3.18.tar.gz and syslog-ng_3.3.5.tar.gz;
2. Extract and install the server:
[[email protected] tools]# tar xf eventlog_0.2.12.tar.gz
[[email protected] tools]# cd eventlog-0.2.12/
[[email protected] eventlog-0.2.12]# yum -y install gcc*
[[email protected] eventlog-0.2.12]# ./configure --prefix=/usr/local/eventlog
[[email protected] eventlog-0.2.12]# make && make install
[[email protected] tools]# tar xf libol-0.3.18.tar.gz
[[email protected] tools]# cd libol-0.3.18
[[email protected] libol-0.3.18]# ./configure --prefix=/usr/local/libol
[[email protected] libol-0.3.18]# make && make install
[[email protected] tools]# tar xf syslog-ng_3.3.5.tar.gz
[[email protected] tools]# cd syslog-ng-3.3.5/
[[email protected] syslog-ng-3.3.5]# export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig   ## set this environment variable, otherwise the build fails to find eventlog;
[[email protected] syslog-ng-3.3.5]# yum -y install glib*   ## the glib dependency packages may be needed;
[[email protected] syslog-ng-3.3.5]# ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol/
[[email protected] syslog-ng-3.3.5]# make && make install
[[email protected] syslog-ng-3.3.5]# cp contrib/init.d.RedHat /etc/init.d/syslog-ng   ## copy the init script;
[[email protected] syslog-ng-3.3.5]# chmod +x /etc/init.d/syslog-ng   ## make it executable;
[[email protected] etc]# vim /etc/init.d/syslog-ng   ## edit the init script and change the following three lines;
INIT_PROG="/usr/local/syslog-ng/sbin/syslog-ng"
INIT_OPTS="-f /usr/local/syslog-ng/etc/syslog-ng.conf"
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/syslog-ng/bin:/usr/local/syslog-ng/sbin
[[email protected] syslog-ng-3.3.5]# cd /usr/local/syslog-ng/etc/
[[email protected] etc]# cp syslog-ng.conf syslog-ng.conf.bak   ## back up the configuration file first;
[[email protected] etc]# vim syslog-ng.conf

#############################################################################
## Default syslog-ng.conf file which collects all local logs into a
## single file called /var/log/messages.
@version: 3.3
@include "scl.conf"

source s_local {
    system();
    internal();
};

options {
    flush_lines(10);
    flush-timeout(5000);
    log-fifo-size(100000);
    chain-hostnames(no);
    use-dns(persist_only);
    use-fqdn(no);
    create-dirs(yes);
    keep-timestamp(yes);
};

## listens on tcp/514 and udp/514 on every interface, with no transport encryption or sender authentication;
source s_network {
    tcp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(514));
};

## the conditions of one filter form a single expression joined with "and";
## separating them with ";" is a syntax error in syslog-ng;
filter f_111 {
    level(info..emerg)
    and host("x.x.x.x")                             ## address of the log source to filter on;
    and message("dept=222") and message("task");    ## content the log message must contain;
};

destination d_file {
    file("/data/log/syslog-ng/222/$YEAR$MONTH$DAY$HOUR$MIN/222-task.log" create_dirs(yes));
};

log { source(s_network); filter(f_111); destination(d_file); };
3. Install the client:
The installation steps are the same as above; only the configuration file differs:
[[email protected] etc]# vim syslog-ng.conf   ## client configuration file;

@version: 3.3

options {
    log_msg_size(16384);
    flush_lines(1);
    log_fifo_size(1000000);
    time_reopen(10);
    use_dns(no);
    dns_cache(yes);
    use_fqdn(yes);
    keep_hostname(yes);
    check_hostname(yes);
    create_dirs(yes);
    dir_perm(0755);
    perm(0644);
    stats_freq(1800);
};

source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };

source game_local {
    file("/data/log/act.log" follow_freq(1) flags(no-parse));   ## the log file on the client to read from;
};

#destination d_game_local {file("/data/log/$YEAR$MONTH$DAY/act.log" perm(0644) dir_perm(0755) create_dirs(yes));};
destination d_game_remote {tcp("x.x.x.x" port(514));};   ## the server's IP address and port;

##log {source(s_game_local);destination(d_game_local);};
log {source(game_local);destination(d_game_remote);};   ## one log path combining the source and destination names defined above, which does the forwarding;

[[email protected] etc]# /etc/init.d/syslog-ng restart
Stopping Kernel Logger: [ OK ]
Starting Kernel Logger: [ OK ]
4. Test:
To test, bring a file act1.log from another machine onto the client and feed its contents into act.log, the file the client source reads:
[[email protected] log]# cat act1.log >>act.log

Check on the server:
[[email protected] ~]# ls /data/log/
syslog-ng
[[email protected] ~]# ls /data/log/syslog-ng/
222
[[email protected] ~]# ls /data/log/syslog-ng/game2/
20170214
[[email protected] ~]# ls /data/log/syslog-ng/game2/20170214/
222-task.log
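To check what the server side of this setup does with each line the client forwards, here is an added Python model (not code from this page or from syslog-ng) of the f_111 filter and the d_file template: it parses the BSD-syslog frame the client emits on tcp/514, applies level(info..emerg), host() and the two message() conditions, and expands $YEAR$MONTH$DAY$HOUR$MIN from the message timestamp. It assumes the server keeps syslog-ng's default keep-hostname(no), so HOST is the sender's address, and it treats host()/message() arguments as regular expressions as syslog-ng does, which is why an unescaped "x.x.x.x" matches more addresses than intended; the IP 10.0.0.5 and the log lines are constructed samples.

```python
import re

SEV_EMERG, SEV_INFO = 0, 6  # level(info..emerg) keeps severities 0..6, drops debug (7)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# '<PRI>Mon DD HH:MM:SS HOST MSG': the BSD-syslog frame the client sends on tcp/514.
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}) ([ \d]\d) (\d\d):(\d\d):\d\d (\S+) (.*)$", re.S)


def parse_bsd_syslog(line, sender_ip):
    """Parse one received line into the fields the filter and template use.
    Assumed default keep-hostname(no): the server replaces the HOST field with
    the sender's address (use-dns(persist_only) only consults /etc/hosts)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"severity": pri % 8, "host": sender_ip, "msg": m.group(7),
            "month": MONTHS[m.group(2)], "day": int(m.group(3)),
            "hour": int(m.group(4)), "minute": int(m.group(5))}


def filter_f_111(rec, host_pattern):
    """level(info..emerg) and host(...) and message("dept=222") and message("task").
    syslog-ng treats the host()/message() arguments as regular expressions."""
    return (SEV_EMERG <= rec["severity"] <= SEV_INFO
            and re.search(host_pattern, rec["host"]) is not None
            and re.search("dept=222", rec["msg"]) is not None
            and re.search("task", rec["msg"]) is not None)


def d_file_path(rec, year):
    """Expand $YEAR$MONTH$DAY$HOUR$MIN of destination d_file from the message
    timestamp (keep-timestamp(yes)); the BSD header has no year, syslog-ng adds it."""
    return ("/data/log/syslog-ng/222/%04d%02d%02d%02d%02d/222-task.log"
            % (year, rec["month"], rec["day"], rec["hour"], rec["minute"]))


def route(line, sender_ip, host_pattern, year=2017):
    """Return the file the message is written to, or None when f_111 drops it."""
    rec = parse_bsd_syslog(line, sender_ip)
    if rec is None or not filter_f_111(rec, host_pattern):
        return None
    return d_file_path(rec, year)


if __name__ == "__main__":
    # Constructed sample: PRI 14 = user.info, one act.log line stamped by the client.
    line = "<14>Feb 14 10:05:33 gameclient dept=222 task=login uid=42"
    print(route(line, "10.0.0.5", r"10\.0\.0\.5"))  # kept, 201702141005 directory
    print(route(line, "10.0.0.9", r"10\.0\.0\.5"))  # other sender: None
    print(route(line, "10x0x0x5", "10.0.0.5"))      # unescaped dots still match
```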
Time: 2024-08-26 02:03:36