Linux CentOS Syslog-ng Installation and Configuration

散漫的老何
2022-07-02 / 0 comments / 0 likes / 1,516 reads / 2,348 words
Last updated 2023-03-08.


Chapter 1 Overview

Environment: CentOS Linux release 7.9.2009 (Core)

One of syslog-ng's design principles is finer-grained message filtering.
Another is simpler forwarding across firewall segments: it supports host chains, so the originating host and the whole relay path can be identified even after a message has been forwarded through many machines.
The last is to keep the configuration file both powerful and concise.
syslog-ng is a drop-in replacement for the classic syslog service and, through rules, offers much better filtering.
This article walks through deploying and configuring syslog-ng as a central log server.

Chapter 2 Installing syslog-ng

syslog-ng can be installed either from the yum repositories or offline from RPM packages.

1.1 Installing with yum

1.1.1 Installing the EPEL yum repository

1.1.1.1 Installing the EPEL repository offline

The Extra Packages for Enterprise Linux (EPEL) repository contains many useful packages that are not part of RHEL.

On EL7 it provides syslog-ng itself and several of its dependencies. You can enable it by downloading and installing the epel-release RPM; this host runs CentOS 7, so the EPEL 7 package is used (on EL8, replace 7 with 8).

  • Download the epel-release RPM
[root@linuxsyslogserver opt]# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
  • Install epel-release-latest-7.noarch.rpm
[root@linuxsyslogserver opt]# rpm -ivh epel-release-latest-7.noarch.rpm 
warning: epel-release-latest-7.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:epel-release-7-14                ################################# [100%]
[root@linuxsyslogserver opt]# 

The NOKEY warning means rpm could not verify the package signature, because the EPEL key (ID 352c64e5) is not yet in the rpm database; rpm -ivh installs the package anyway. On a host with network access the method in 1.1.1.2 is preferable, since there epel-release comes from the CentOS extras repository and is verified with the CentOS key the host already trusts. If you must use the downloaded RPM, import the EPEL 7 key first, compare its fingerprint with the one Fedora publishes (yum prints it in 1.1.2 below), and check the package with rpm -K before installing it.
  • Confirm that the EPEL repo files are present
[root@linuxsyslogserver yum.repos.d]# ll /etc/yum.repos.d/
total 52
-rw-r--r--. 1 root root 2523 May  4 12:58 CentOS-Base.repo
-rw-r--r--. 1 root root 1664 Apr  7  2020 CentOS-Base.repo.backup
-rw-r--r--. 1 root root 1309 Nov 23  2020 CentOS-CR.repo
-rw-r--r--. 1 root root  649 Nov 23  2020 CentOS-Debuginfo.repo
-rw-r--r--. 1 root root  314 Nov 23  2020 CentOS-fasttrack.repo
-rw-r--r--. 1 root root  630 Nov 23  2020 CentOS-Media.repo
-rw-r--r--. 1 root root 1331 Nov 23  2020 CentOS-Sources.repo
-rw-r--r--. 1 root root 8515 Nov 23  2020 CentOS-Vault.repo
-rw-r--r--. 1 root root  616 Nov 23  2020 CentOS-x86_64-kernel.repo
-rw-r--r--. 1 root root 1358 Sep  4  2021 epel.repo
-rw-r--r--. 1 root root 1457 Sep  4  2021 epel-testing.repo
[root@linuxsyslogserver yum.repos.d]# 
1.1.1.2 Installing the EPEL repository with yum
[root@linuxsyslogserver]# yum install -y epel-release

This pulls epel-release from the CentOS extras repository, where it is signed with the CentOS 7 key the host already trusts, so it is the preferable route whenever the host can reach the mirrors.

1.1.2 Installing syslog-ng with yum

Install syslog-ng with yum, which resolves its dependencies (eventlog, ivykis and libnet) at the same time.

[root@linuxsyslogserver yum.repos.d]# yum install syslog-ng -y
BDB2053 Freeing read locks for locker 0x191: 17758/140284236965696
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * epel: mirrors.bfsu.edu.cn
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
Resolving Dependencies
--> Running transaction check
---> Package syslog-ng.x86_64 0:3.5.6-3.el7 will be installed
--> Processing Dependency: ivykis >= 0.36.1 for package: syslog-ng-3.5.6-3.el7.x86_64
--> Processing Dependency: libivykis.so.0(IVYKIS_0.29)(64bit) for package: syslog-ng-3.5.6-3.el7.x86_64
--> Processing Dependency: libivykis.so.0(IVYKIS_0.30)(64bit) for package: syslog-ng-3.5.6-3.el7.x86_64
--> Processing Dependency: libevtlog.so.0()(64bit) for package: syslog-ng-3.5.6-3.el7.x86_64
--> Processing Dependency: libivykis.so.0()(64bit) for package: syslog-ng-3.5.6-3.el7.x86_64
--> Processing Dependency: libnet.so.1()(64bit) for package: syslog-ng-3.5.6-3.el7.x86_64
--> Running transaction check
---> Package eventlog.x86_64 0:0.2.13-4.el7 will be installed
---> Package ivykis.x86_64 0:0.36.2-2.el7 will be installed
---> Package libnet.x86_64 0:1.1.6-7.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================================================================================================
 Package                                                Arch                                                Version                                                   Repository                                         Size
===========================================================================================================================================================
Installing:
 syslog-ng                                              x86_64                                              3.5.6-3.el7                                               epel                                              453 k
Installing for dependencies:
 eventlog                                               x86_64                                              0.2.13-4.el7                                              epel                                               19 k
 ivykis                                                 x86_64                                              0.36.2-2.el7                                              epel                                               35 k
 libnet                                                 x86_64                                              1.1.6-7.el7                                               base                                               59 k

Transaction Summary
===========================================================================================================================================================
Install  1 Package (+3 Dependent packages)

Total download size: 567 k
Installed size: 1.8 M
Downloading packages:
warning: /var/cache/yum/x86_64/7/epel/packages/eventlog-0.2.13-4.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for eventlog-0.2.13-4.el7.x86_64.rpm is not installed
(1/4): eventlog-0.2.13-4.el7.x86_64.rpm                                                                                                                                                                |  19 kB  00:00:00     
(2/4): ivykis-0.36.2-2.el7.x86_64.rpm                                                                                                                                                                  |  35 kB  00:00:00     
(3/4): libnet-1.1.6-7.el7.x86_64.rpm                                                                                                                                                                   |  59 kB  00:00:00     
(4/4): syslog-ng-3.5.6-3.el7.x86_64.rpm                                                                                                                                                                | 453 kB  00:00:00     
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                         676 kB/s | 567 kB  00:00:00     
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
 Userid     : "Fedora EPEL (7) <epel@fedoraproject.org>"
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package    : epel-release-7-14.noarch (installed)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
json-c-0.13.1-0.4.el8.x86_64 is a duplicate with json-c-0.11-4.el7_0.x86_64
  Installing : ivykis-0.36.2-2.el7.x86_64                                                                                                              1/4 
  Installing : eventlog-0.2.13-4.el7.x86_64                                                                                                            2/4 
  Installing : libnet-1.1.6-7.el7.x86_64                                                                                                               3/4 
  Installing : syslog-ng-3.5.6-3.el7.x86_64                                                                                                            4/4 
  Verifying  : libnet-1.1.6-7.el7.x86_64                                                                                                               1/4 
  Verifying  : eventlog-0.2.13-4.el7.x86_64                                                                                                            2/4 
  Verifying  : ivykis-0.36.2-2.el7.x86_64                                                                                                              3/4 
  Verifying  : syslog-ng-3.5.6-3.el7.x86_64                                                                                                            4/4 

Installed:
  syslog-ng.x86_64 0:3.5.6-3.el7                  
Dependency Installed:
  eventlog.x86_64 0:0.2.13-4.el7                          ivykis.x86_64 0:0.36.2-2.el7                          libnet.x86_64 0:1.1.6-7.el7                 
Complete!
[root@linuxsyslogserver yum.repos.d]# 

syslog-ng is installed. Two things in the yum transcript deserve attention. First, yum imported the EPEL key 0x352C64E5 from /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7, a file that epel-release itself shipped; the fingerprint it printed (91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5) should be compared with the EPEL 7 key fingerprint Fedora publishes before packages from this repository are trusted. Second, "RPMDB altered outside of yum" together with the duplicate json-c-0.13.1-0.4.el8 entry means an EL8 package had been installed on this EL7 host outside yum; yum check lists such inconsistencies (see 1.3.1).

1.1.3 Starting the syslog-ng service

CentOS 7 ships rsyslog enabled, and both daemons read /dev/log, so run only one of them: stop and disable rsyslog (systemctl disable --now rsyslog) before starting syslog-ng, and make sure syslog-ng is enabled so it survives a reboot (the status output below shows it enabled already; otherwise run systemctl enable syslog-ng).

[root@linuxsyslogserver]# systemctl start syslog-ng   # start the syslog-ng service
[root@linuxsyslogserver]# systemctl status syslog-ng  # check the service state
● syslog-ng.service - System Logger Daemon
   Loaded: loaded (/usr/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2022-07-01 11:55:06 EDT; 6s ago
     Docs: man:syslog-ng(8)
 Main PID: 17845 (syslog-ng)
   CGroup: /system.slice/syslog-ng.service
           └─17845 /usr/sbin/syslog-ng -F -p /var/run/syslogd.pid

Jul 01 11:55:06 linuxsyslogserver systemd[1]: Starting System Logger Daemon...
Jul 01 11:55:06 linuxsyslogserver systemd[1]: Started System Logger Daemon.

1.2 Offline installation from RPM packages

1.2.1 Downloading the syslog-ng RPMs

Download syslog-ng and its three dependencies (eventlog, ivykis and libnet, the same versions yum resolved above) into /opt/syslog-ng on a machine with network access, then copy that directory to the target host:

[root@linuxsyslogserver]# mkdir -p /opt/syslog-ng && cd /opt/syslog-ng
[root@linuxsyslogserver syslog-ng]# wget https://mirror.lzu.edu.cn/epel/7/x86_64/Packages/s/syslog-ng-3.5.6-3.el7.x86_64.rpm
[root@linuxsyslogserver syslog-ng]# wget https://mirror.lzu.edu.cn/epel/7/x86_64/Packages/e/eventlog-0.2.13-4.el7.x86_64.rpm
[root@linuxsyslogserver syslog-ng]# wget https://mirror.lzu.edu.cn/epel/7/x86_64/Packages/i/ivykis-0.36.2-2.el7.x86_64.rpm
[root@linuxsyslogserver syslog-ng]# wget http://mirrors.163.com/centos/7.9.2009/os/x86_64/Packages/libnet-1.1.6-7.el7.x86_64.rpm

The original commands passed --no-check-certificate to wget. That switch disables TLS certificate verification, so anyone on the path to the mirror can hand you a substituted package; it is dropped here (fix the mirror or the CA bundle instead). The libnet package comes from a plain-http CentOS mirror. Neither transport is the real safeguard anyway: the RPMs are GPG-signed (EPEL key 352c64e5 for the first three, the CentOS 7 key for libnet), and those signatures must be verified before installation, because rpm -ivh only prints a warning for unsigned or unverifiable packages.

1.2.2 Installing syslog-ng

Verify the signatures first (rpm -K *.rpm after importing the EPEL 7 and CentOS 7 keys), then install the whole set in one transaction so rpm can resolve the dependencies among the four packages:

[root@linuxsyslogserver]# cd /opt/syslog-ng
[root@linuxsyslogserver syslog-ng]# rpm -ivh *.rpm

syslog-ng is installed.
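The following is an added example (not from the original post) of the verification that rpm -ivh skips: check the EPEL 7 key's fingerprint before importing it, require every RPM in the offline set to carry a signature that verifies, and only then install. The key file path, the package directory and the expected fingerprint are assumptions; the fingerprint is copied from the yum output in 1.1.2 above, and you should confirm it against the EPEL 7 key Fedora publishes before relying on it.

```shell
#!/bin/sh
# Added example: verify the offline RPM set before `rpm -ivh`.
# Assumptions (adjust for your host): key file path, package directory,
# and the expected EPEL 7 key fingerprint taken from this page's yum output.
set -eu

PKG_DIR="${PKG_DIR:-/opt/syslog-ng}"
EPEL_KEY="${EPEL_KEY:-/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7}"
# "Fedora EPEL (7)" key fingerprint as printed by yum on this page (assumed;
# confirm against Fedora's published key list).
EXPECTED_FPR="91E97D7C4A5E96F17F3E888F6A2FAEA2352C64E5"

# Strip whitespace and upper-case a fingerprint so that the spaced form yum
# prints ("91e9 7d7c ...") and the compact form compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Print the primary-key fingerprint of an ASCII-armoured key file.
keyfile_fpr() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Decide from one `rpm -K` output line whether the package carries a GPG
# signature that verified. An UNSIGNED package still prints "OK" for its
# digests alone (rpm 4.11: "foo.rpm: sha1 md5 OK"; rpm >= 4.14:
# "foo.rpm: digests OK"), which must not count as verified. A missing key
# prints "... NOT OK (MISSING KEYS: ...)".
rpm_k_line_is_signed_ok() {
    case "$1" in
        *"NOT OK"*|*NOKEY*|*"MISSING KEYS"*) return 1 ;;
    esac
    case "$1" in
        *[pP][gG][pP]*" OK") return 0 ;;   # rpm 4.11: "... pgp md5 OK"
        *" signatures OK")   return 0 ;;   # rpm >= 4.14: "digests signatures OK"
    esac
    return 1
}

verify_and_install() {
    # 1. Trust the EPEL 7 key only if its fingerprint is the expected one.
    actual="$(normalize_fpr "$(keyfile_fpr "$EPEL_KEY")")"
    if [ "$actual" != "$(normalize_fpr "$EXPECTED_FPR")" ]; then
        echo "refusing to import $EPEL_KEY: fingerprint '$actual' unexpected" >&2
        return 1
    fi
    rpm --import "$EPEL_KEY"

    # 2. Every RPM in the set must be signed by a key rpm now trusts.
    #    `rpm -K` exits non-zero on a failed check; the line parser catches
    #    the unsigned-but-digests-OK case that exits zero.
    for pkg in "$PKG_DIR"/*.rpm; do
        line="$(rpm -K "$pkg")" || { echo "signature check failed: $line" >&2; return 1; }
        rpm_k_line_is_signed_ok "$line" || { echo "unsigned package: $line" >&2; return 1; }
    done

    # 3. Only now install the whole set in one transaction.
    rpm -ivh "$PKG_DIR"/*.rpm
}

# Run the real installation only when explicitly asked, so the file can also
# be sourced for its helper functions.
if [ "${1:-}" = "install" ]; then
    verify_and_install
fi
```

Run it as sh verify-install.sh install on the target host. libnet is signed with the CentOS 7 key, so if rpm -q gpg-pubkey does not already list that key, import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 the same way (with its own fingerprint check) before step 2, or rpm -K will report MISSING KEYS for it.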

1.2.3 Starting the syslog-ng service

As in 1.1.3: stop and disable rsyslog first, then start syslog-ng and make sure it is enabled at boot.

[root@linuxsyslogserver]# systemctl start syslog-ng   # start the syslog-ng service
[root@linuxsyslogserver]# systemctl status syslog-ng  # check the service state

The status output is identical to the one shown in 1.1.3.

1.3 Common installation problems

1.3.1 Missing dependencies

libjson-c.so.4()(64bit)
libc.so.6(GLIBC_2.28)(64bit)
libivykis.so.0(IVYKIS_0.40)(64bit)

These three requirements do not come from the EPEL 7 package. In the transcript below yum is also offered syslog-ng-3.36.1-2.el8 from an enabled copr repository (copr:copr.fedorainfracloud.org:czanik:syslog-ng336), and that package is built for EL8: it needs glibc 2.28 (CentOS 7 has 2.17), json-c 0.13 (libjson-c.so.4; CentOS 7 ships 0.11) and ivykis 0.40 (EPEL 7 has 0.36.2). Those cannot be satisfied on CentOS 7 without replacing core libraries, and pulling in el8 RPMs by hand leaves the rpm database inconsistent, which is exactly what the "json-c-0.13.1-0.4.el8 is a duplicate with json-c-0.11-4.el7_0" warning in 1.1.2 shows. Disable or remove that copr repository and install the EPEL 7 build (3.5.6) as above, or use a repository whose packages are built for el7.

Package search sites, useful for finding which package provides a given library (check that the hit is built for el7):

RPM search: http://rpmfind.net/linux/rpm2html/search.php

CentOS RPM search: https://centos.pkgs.org/

[root@syslogserver ~]# yum install syslog-ng
Loaded plugins: fastestmirror
Determining fastest mirrors
epel/x86_64/metalink                                                                                                             | 7.8 kB  00:00:00     
 * base: mirrors.aliyun.com
 * epel: mirrors.bfsu.edu.cn
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base                                                                                                                             | 3.6 kB  00:00:00     
copr:copr.fedorainfracloud.org:czanik:syslog-ng336                                                                               | 3.3 kB  00:00:00     
epel                                                                                                                             | 4.7 kB  00:00:00     
extras                                                                                                                           | 2.9 kB  00:00:00     
updates                                                                                                                          | 2.9 kB  00:00:00     
(1/3): epel/x86_64/updateinfo                                                                                                    | 1.1 MB  00:00:01     
(2/3): updates/7/x86_64/primary_db                                                                                               |  16 MB  00:00:01     
(3/3): epel/x86_64/primary_db                                                                                                    | 7.0 MB  00:00:01     
Resolving Dependencies
--> Running transaction check
---> Package syslog-ng.x86_64 0:3.36.1-2.el8 will be installed
......
Error: Package: syslog-ng-3.36.1-2.el8.x86_64 (copr:copr.fedorainfracloud.org:czanik:syslog-ng336)
           Requires: libjson-c.so.4()(64bit)
Error: Package: syslog-ng-3.36.1-2.el8.x86_64 (copr:copr.fedorainfracloud.org:czanik:syslog-ng336)
           Requires: libc.so.6(GLIBC_2.28)(64bit)
Error: Package: syslog-ng-3.36.1-2.el8.x86_64 (copr:copr.fedorainfracloud.org:czanik:syslog-ng336)
           Requires: libivykis.so.0(IVYKIS_0.40)(64bit)
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

Chapter 3 Configuring syslog-ng

The main configuration file is /etc/syslog-ng/syslog-ng.conf. The stock file shipped by the Fedora/EPEL package ends with @include "/etc/syslog-ng/conf.d/*.conf" (check yours), so site-specific sources, destinations and log paths belong in a drop-in file there, for example /etc/syslog-ng/conf.d/remote.conf, with the stock file left untouched. Run syslog-ng -s (syntax check only) after every change and restart the service only when it passes.

The original configuration, with two slips corrected: the TCP source was named source_tcp_514 but listened on port 515, and the two destinations were identical, so one is enough.

# syslog reception
source source_udp_514 {
	udp(ip(0.0.0.0) port(514));
};

source source_tcp_514 {
	tcp(ip(0.0.0.0) port(514));
};

# where received messages are stored
destination d_dest {
	file( "/data/log/${HOST}/${SOURCEIP}/${YEAR}_${MONTH}_${DAY}.log" create-dirs(yes) dir-perm(0755) perm(0644) );
};

# log paths added by Ryo-Ohki
log { source(source_udp_514); destination(d_dest); };
log { source(source_tcp_514); destination(d_dest); };

As written this listens on every interface, accepts unauthenticated UDP (trivially spoofable) and clear-text TCP, and writes world-readable files (0644 in 0755 directories) whose path contains ${HOST}. syslog-ng derives ${HOST} from the peer address by default (keep-hostname(no)); with keep-hostname(yes) it becomes the hostname field the client put in the message, which untrusted senders can set to anything, so keep the default or key the path on ${SOURCEIP} alone. Restrict the listeners with the host firewall to the networks that actually send logs, and use TLS on 6514 for anything that crosses a network you do not control.
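A hardened version of the fragment above, written as an added example (not the post's own configuration) for /etc/syslog-ng/conf.d/remote.conf. It keeps the post's 514/UDP and 514/TCP listeners, adds a mutually authenticated TLS listener on 6514, and collapses the two destinations into one keyed on ${SOURCEIP}. The key, certificate and CA directory paths, the connection limit and the /data/log root are assumptions; the options used (keep-hostname, use-dns, max-connections, the syslog() driver with transport("tls"), tls() with key-file/cert-file/ca-dir/peer-verify, file() with create-dirs/dir-perm/perm) are documented syslog-ng OSE options available in the 3.5 series installed above.

```conf
# /etc/syslog-ng/conf.d/remote.conf  (added example; paths below are assumptions)

# Plain UDP/TCP on 514, as in the post, with two hardening options on each
# driver: keep-hostname(no) derives ${HOST} from the peer address instead of
# the client-supplied header field, and use-dns(no) avoids reverse lookups
# that can block the daemon or be spoofed. max-connections caps TCP clients.
source s_remote_plain {
    udp(ip("0.0.0.0") port(514) keep-hostname(no) use-dns(no));
    tcp(ip("0.0.0.0") port(514) keep-hostname(no) use-dns(no) max-connections(100));
};

# TLS reception on 6514 (IETF syslog framing). peer-verify(required-trusted)
# rejects any client whose certificate is not signed by a CA in ca-dir(),
# so a sender cannot inject logs without a CA-issued client certificate.
source s_remote_tls {
    syslog(ip("0.0.0.0") port(6514) transport("tls")
        keep-hostname(no) use-dns(no)
        tls(key-file("/etc/syslog-ng/key.d/server.key")
            cert-file("/etc/syslog-ng/cert.d/server.crt")
            ca-dir("/etc/syslog-ng/ca.d")
            peer-verify(required-trusted)));
};

# One destination for every remote source (the original defined the same
# file() twice). ${SOURCEIP} is the peer address, which a sender cannot forge
# over TCP/TLS (over UDP it can, one more reason to prefer TLS); ${HOST} is
# kept out of the path. 0750/0640 keep collected logs readable by root only.
destination d_remote {
    file("/data/log/${SOURCEIP}/${YEAR}_${MONTH}_${DAY}.log"
         create-dirs(yes) dir-perm(0750) perm(0640));
};

log { source(s_remote_plain); source(s_remote_tls); destination(d_remote); };
```

Validate with syslog-ng -s, then systemctl restart syslog-ng. ca-dir() expects the CA certificates alongside their hash-named symlinks (run c_rehash /etc/syslog-ng/ca.d after adding one). Open only the ports you use and restrict them to the sender networks, for example firewall-cmd --permanent --add-port=6514/tcp followed by firewall-cmd --reload. A quick end-to-end check from a client on the plain listener is logger -n <server> -P 514 -T "test from $(hostname)", after which the line should appear under /data/log/<client ip>/.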

References
https://support.oneidentity.com/zh-cn/technical-documents/syslog-ng-open-source-edition/3.36/administration-guide/11#TOPIC-1768522
https://www.syslog-ng.com/community/b/blog/posts/installing-latest-syslog-ng-on-rhel-and-other-rpm-distributions/
