使用syslog-ng 和stunnel 创建集中式安全日志服务器-阿里云开发者社区

UNIX 系统管理员非常熟悉 syslog 守护进程，但是除非有人报告问题，否则它收集的信息通常处于未处理状态。在具有多台计算机的任何站点上，没有人会花时间去每天甚至每个月记录和检查多个日志文件。编写可以使这些计算机之间的数据相关的自动脚本十分困难，因为它们必须分别访问每台计算机。为减轻自动和手动数据处理的负担，许多站点实现了为网络中的所有计算机（最好运行 NTP 以使时间/日期相关变得更容易）收集数据的中心日志服务器，其中包括 UNIX 服务器、Windows 和 Mac 台式机，甚至包括联网设备（如路由器和交换机）。对于大多数通常的 UNIX syslog 守护进程来说，集中式日志记录是十分琐碎的，而 syslogd 与早期版本相比几乎没有更改，因而具有一些缺点。

标准 UNIX syslog 守护进程通过 UDP 以明文形式传输消息，这意味着任何人都可以发现潜在的敏感数据。facility.level 模型也具有较大限制，大多数操作系统附带的缺省 /etc/syslog.conf 文件疏于记录管理员可能感兴趣的许多消息。解析日志以便可以供人们阅读或者用于自动数据挖掘十分重要。例如，UNIX syslog 守护进程不会轻易允许按主机拆分日志文件或者按正则表达式匹配日志消息。因此，大多数集中式日志服务器（这些服务器使用通常的 syslog 守护进程）最后都会产生巨大的日志文件，这些文件仅在 syslogd 进程关闭它们之后才得到处理。

因此，集中日志记录的大多数站点也都是最后将通常的 syslog 守护进程替换为更安全更灵活的守护进程（如 Metalog、msyslog）或类似的守护进程。一个非常流行的 syslog 替代项是名为 syslog-ng 的开放源程序。组织可以在每个 UNIX 主机或者就在 syslog 服务器上运行 syslog-ng。如果仅在日志主机上运行 syslog-ng，则客户机照常通过 UDP 端口 514 发送数据，但可以在服务器上更好地组织和处理日志。

在每个 UNIX 主机上运行 syslog-ng 的优点是，能够使用 IPSec 或实用程序 Stunnel 对日志记录通道进行加密，以便偶然出现的嗅探器 (sniffer) 无法读取数据。与 Stunnel 组合在一起作为传输机制时，组织可以安全地将来自所有必需 UNIX 主机的日志消息集中在一起以供进一步处理。对于 syslog-ng，Stunnel 的工作方式如下：接受本地端口上的日志连接，将它们包装在 SSL 会话中，然后将其重定向到远程日志主机上的安全端口。然后远程日志主机上的 stunnel 进程对 SSL 会话进行解密，并将信息再传回到标准端口上的 syslog 服务器。传到日志服务器上之后，将利用 syslog-ng 的灵活性进行日志文件的组织和解析。

下面我将介绍在运行 Solaris 8 操作系统（SPARC 平台版）的计算机上安装及配置 syslog-ng 和 Stunnel 的过程，但是该过程通常还适用于 SPARC 和 x86 平台上 Solaris 操作系统的早期版本和较新版本。下面讨论的每台参考计算机都安装有 OpenSSL、tcp wrapper、Solaris 8 /dev/urandom 修补程序、GNU 开发环境（gcc 等）和若干其他免费软件包。充当日志服务器的计算机也进行了全面强化，因为它将存储来自网络中所有计算机的敏感信息和与安全性相关的信息。这些引用计算机都驻留在子网 192.168.1 上，日志服务器的 IP 地址为 192.168.1.10。

安装 Stunnel

实现安全日志服务器的第一步是在服务器和每个客户机上安装 Stunnel。Stunnel 还可以用于通常的 syslog 守护进程（而不是将 syslog 替换为 syslog-ng），但那样就没有了我们所寻求的灵活性。在下面的说明中，我将配置和生成 stunnel 以便随其自身的用户和组运行，并将 chroot 目录设置到其自身的目录下。要执行此操作，应首先创建 stunnel 组和用户（随机选取的 UID 和 GID）：

/usr/sbin/groupadd -g 122 stunnel
/usr/sbin/useradd -c stunnel -d /nonexistent -m -g 122 -u 122 stunnel

现在，请提取 Stunnel 源代码，将其解压缩并进行配置。在这些特定的主机上，OpenSSL 证书保存在 /usr/local/etc/openssl/certs 中，我希望将 doc 目录连同本地安装的其他 doc 安装一起保存在 /usr/local 中。我还将 localstatedir 设置为 /var/run/stunnel，因为在重新引导后它无需继续存在，我希望它位于 chroot 目录中。

wget http://www.stunnel.org/download/stunnel/src/stunnel-4.05.tar.gz
tar zxf stunnel-4.05.tar.gz
cd stunnel-4.05

./configure --localstatedir=/var/run/stunnel /
--with-pem-dir=/usr/local/etc/openssl/certs --datadir=/usr/local

make
make install

通过 Stunnel 为 syslog-ng 创建证书文件

在 Stunnel 安装过程中会创建您可能会选择使用的自签名证书。由于我运行自己的专用证书颁发机构并仅对 syslog-ng 运行 Stunnel，因此我将生成并签署自己的 syslog-ng 专用证书。有关设置自己的 CA 和签名证书的详细信息，请查看 SSL certificates HOWTO（SSL 证书指导）。

假定已设置为您自己的 CA，或者向公认的 CA 发出证书请求，请为服务器创建 pem 文件：

openssl req -new -days 3650 -nodes -config stunnel.cnf -out serverreq.pem /
-keyout syslog-ng-server.pem

此外，为每个客户机创建相应的 pem 文件：

openssl req -new -days 3650 -nodes -config stunnel.cnf -out clientreq.pem /
-keyout syslog-ng-client.pem

用本地 CA 签名每个 pem 文件，或者让公共 CA 对它们进行签名。我使用 apache mod_ssl 分发附带的 sign.sh 脚本：

sign.sh /tmp/serverreq.pem
sign.sh /tmp/client1req.pem
sign.sh /tmp/client2req.pem
sign.sh /tmp/client3req.pem

生成的 crt 文件包括每个相应 pem 文件的证书。服务器需要服务器 pem 文件 syslog-ng-server.pem，其中包含服务器的私钥和证书（从 /tmp/serverreq.pem.crt 文件复制）：

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDSAJ0kULvKxIhFtz1ctXlDWY0CcTpIscEAXy90nAuwwvshji39
abZH5Z9PfTOoT/zO6ZyQ0lOJ2LzYcS/JQmR+4wLggf5yi8K3BrBIwaAHbfAya8C9
5g9oINTkjM5Y3zdkMhvPwmivMV+lBa07Qk0SZg8xYblUiafisQplGzjWvwIDAQAB
AoGAEqYzTlJNGwixAV/wdxc2maCOQTVE88e1WA8b68Mf1qa6HpS9yM9mfKQLrcd0
mvHfhZCBcur6uDcjLiV/FORsgB7/3wRF0a08ZJdwlMSn9844jeRlSDbEE1wqAcyj
pnHwcxnErzA0REDuD+EmH0xsh23/Rn/mv7gBpm5Am/UK86ECQQDs5RmiJzQOprsT
ArcTQq3VTmHLtfu7HAQ7+You7XDL+iOVOsbJZWgBKc0oTcNNBpJzkHPrvaOBbFpg
dQZKE3BLAkEA4vBLWsojb0tosXiZuFxzMBrcMhzanzzXerOt0v6BbeZKMTXMaJX+
/4wyVc6lanZc/793S4aHY0/VvCDMLp7y3QJBAKPnX3Tx6vK4KXddyY1p9RxAvylT
IHi1Sbif49DpAkIfL79wi1mM8AjeAzR/mUER6wJKT+orq5VAgsd6MH/QM0ECQHvw
YDclTlTqCjNiehGF7CLJiJiVyZBN2iDZIIWrGWS78KkPiKNVx/4owxS51v1dx0yl
dLF6t1Y1s7Ua9GhBxsECQD3+/khj/lzYUC9KaDIHItO7LHkO1IcxZUZJ0YNaukUB
v1Vh9B3IK5m2bSsOYtOYxbpjoHL8pZG1Bf1lLH32dqw=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICZDCCAc0CAQIwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCVVMxFjAUBgNV
BAgTDU1hc3NhY2h1c2V0dHMxEDAOBgNVBAcTB0JldmVybHkxFTATBgNVBAoTDE9j
ZWFud2F2ZSBDQTEhMB8GCSqGSIb3DQEJARYScm9vdEBvY2VhbndhdmUuY29tMB4X
DTA0MDcxOTEzNTExNVoXDTA1MDcxOTEzNTExNVowgYMxCzAJBgNVBAYTAlVTMRYw
FAYDVQQIEw1NYXNzYWNodXNldHRzMRAwDgYDVQQHEwdCZXZlcmx5MSMwIQYDVQQK
ExpPY2VhbndhdmUgQ29uc3VsdGluZywgSW5jLjElMCMGA1UEAxMcbG9naG9zdC5v
ZmZpcdaub2NlYW53YXZlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
0gCdJFC7ysSIRbc9XLV5Q1mNAnE6SLHBAF8vdJwLsML7IY4t/Wm2R+WfT30zqE/8
zumckNJTidi82HEvyUJkfuMC4IH+covCtwawSMGgB23wMmvAveYPaCDU5IzOWN83
ZDIbz8JorzFfpQWtO0JNEmYPMWG5VImn4rEKZRs41r8CAwEAATANBgkqhkiG9w0B
AQQFAAOBgQAvaaoVvP267QbxBOeBDBeP3CCpOskT5YJUHWQE2QmH5wR/5iwQqvrU
Fo8V2JbaaauN9sa5CQutthUK1D3Ub+nHuHgGPFfdkL0Ll+5+LVf1swKXy8H1Q8CA
Aiq0dK0EJQ+taQTw+KD7MBOzIJk0OF76uwdNxgaATQEVjxi6M0MG5g==
-----END CERTIFICATE-----

它还需要客户机 pem 文件 syslog-ng-client.pem，其中仅包含来自签名 CA 和每个客户机（此示例假定有三个 syslog-ng 客户机）的证书（来自 crt 文件）：

-----BEGIN CERTIFICATE-----
MIIDJzCCApCgAwIBAgIBADANBgkqhkiG9w0BAQQFADBxMQswCQYDVQQGEwJVUzEW
MBQGA1UECBMNTWFzc2FjaHVzZXR0czEQMA4GA1UEBxMHQmV2ZXJseTEVMBMGA1UE
ChMMT2NlYW53YXZlIENBMSEwHwYJKoZIhvcNAQkBFhJyb290QG9jZWFud2F2ZS5j
b20wHhcNMDIwNjIzMjIyODIxWhcNMTIwNjIwMjIyODIxWjBxMQswCQYDVQQGEwJV
UzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEQMA4GA1UEBxMHQmV2ZXJseTEVMBMG
A1UEChMMT2NlYW53YXZlIENBMSEwHwYJKoZIhvcNAQkBFhJyb290QG9jZWFud2F2
ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMSqIDhWZDLO2ptG9ebx
FUycmXoMNPCLWmsFgRBQKG5vgOQruX8jpXqHOFCxjhO4ZsSUWwd8eO4J/4A9kTao
VFzi4P63A8xyN92Gbh4BfvmFecDhLaoZ+5zMNclNOlom2Rda75Fj8iYhtSIrbOcq
Mc8KkRriG3+Hl6ptW0XibqznAgMBAAGjgc4wgcswHQYDVR0OBBYEFDlBMdhKkmEm
pQkan14xNA3a646MMIGbBgNVHSMEgZMwgZCAFDlBMdhKkmEmpQkan14xNA3a646M
oXWkczBxMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEQMA4G
A1UEBxMHQmV2ZXJseTEVMBMGA1UEChMMT2NlYW53YXZlIENBMSEwHwYJKoZIhvcN
AQkBFhJyb290QG9jZWFud2F2ZS5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG
9w0BAQQFAAOBgQB8Xzn/UioFZV2Osyt0oz8/3Eu1GmQx4Cpaw4o7GBKg52IQA0Sv
qfvUmeuFZ6sSDYEI6bC/u6MkyvRwV7pOtqzUoGbvtGDhnFIxdiyiEOfZosdvadBx
ilXHU/tYDXffxFBcBoeoFHkYyX1vAY4uFsPBEywF3NBUGuoP5Ed5+AS+rQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICZTCCAc4CAQMwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCVVMxFjAUBgNV
BAgTDU1hc3NhY2h1c2V0dHMxEDAOBgNVBAcTB0JldmVybHkxFTATBgNVBAoTDE9j
ZWFud2F2ZSBDQTEhMB8GCSqGSIb3DQEJARYScm9vdEBvY2VhbndhdmUuY29tMB4X
0510MDcxOTEzNTc0M1oXDTA1MDcxOTEzNTc0M1owgYQxCzAJBgNVBAYTAlVTMRYw
FAYDVQQIEw1NYXNzYWNodXNldHRzMRAwDgYDVQQHEwdCZXZlcmx5MSMwIQYDVQQK
ExpPY2VhbndhdmUgQ29uc3VsdGluZywgSW5jLjEmMCQGA1UEAxMdcmVhbHNvb24u
b2ZmaWNlLm9jZWFud2F2ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
AKKXR7OTQYKDWHvh0jCYSM2Y6gx+Lh2iE1hEVR4xE5UnGNv+/LzgGIYalmD86Vok
KkwdI+5cVp0JhF3gIUgL2+OoerE68AEQwv+tpzx4Px4Ze1pRjw9f6UW+17C3PICG
P4SpC6avMljj8lnv9Rmb300/Yz8ZzyAIzt8CjNu7lTCFAgMBAAEwDQYJKoZIhvcN
AQEEBQADgYEAleB5Xk0BnHu3g6ron5qcjBtDgnOnvzsX3v+KVaFGZiufdWtILCMn
58HrXCV2zoUlUcbnrqHgov47qvZBlh2HR7fT7MQYXFTKOFDXwCdSDfXHTUmmQHzq
cctX025yo45obGgI9LWDjip0/PW0k3r4IuVRtfOz+gHf1ZyEVjIuXkE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICZDCCAc0CAQQwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCVVMxFjAUBgNV
BAgTDU1hc3NhY2h1c2V0dHMxEDAOBgNVBAcTB0JldmVybHkxFTATBgNVBAoTDE9j
ZWFud2F2ZSBDQTEhMB8GCSqGSIb3DQEJARYScm9vdEBvY2VhbndhdmUuY29tMB4X
DTA0MDcxOTE0MTUwNloXDTA1MDcxOTE0MTUwNlowgYMxCzAJBgNVBAYTAlVTMRYw
FAYDVQQIEw1NYXNzYWNodXNldHRzMRAwDgYDVQQHEwdCZXZlcmx5MSMwIQYDVQQK
ExpPY2VhbndhdmUgQ29uc3VsdGluZywgSW5jLjElMCMGA1UEAxMcbGl6YXJkby5v
ZmZpY2Uub2NlYW53YXZlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
ogtXoF+49I/CoSP+CUZ4jX+pLMsIXvta/MqqKlTuvEgauRSw385Aict7rGIR6B3u
BUEBFN4Q+WzuYVJfbBMsUq/A6bilMpq/vbBrPAB9s/BkC5FAx2tMuMpgWn6ZXs/W
iRiEWULAHa4k7rgmonXk47r0bBuSVrozdgKd4u2iB6sCAwEAATANBgkqhkiG9w0B
AQQFAAOBgQBCCMhUdlfRk5owxpUIgtNLQ6/wfPgyUtIm7M4Mg0tHLD2ILCiaJLie
x+Di5+09nciadYxn7fZhFdvnSpsthDX0/P6/H/iLTZnyK3k0PegzYx8Mwo4mnS/X
Bt1cOuciRrd1tPHZ+st2Zqz/UO1jhbtEx7RNjtpxypChFQ2SB63wuA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICYzCCAcwCAQUwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCVVMxFjAUBgNV
BAgTDU1hc3NhY2h1c2V0dHMxEDAOBgNVBAcTB0JldmVybHkxFTATBgNVBAoTDE9j
ZWFud2F2ZSBDQTEhMB8GCSqGSIb3DQEJARYScm9vdEBvY2VhbndhdmUuY29tMB4X
DTA0MDcxOTE0MTUyMFoXDTA1MDcxOTE0MTUyMFowgYIxCzAJBgNVBAYTAlVTMRYw
FAYDVQQIEw1NYXNzYWNodXNldHRzMRAwDgYDVQQHEwdCZXZlcmx5MSMwIQYDVQQK
ExpPY2VhbndhdmUgQ29uc3VsdGluZywgSW5jLjEkMCIGA1UEAxMbc2Vrcml0Lm9m
ZmljZS5vY2VhbndhdmUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG
+OMOU6o3rCSyXMRRzwPKO/Yi9SjcT/5uwJh4x4a/iPlVNhbcG15PLpwmIiEvaKQe
PTwJNEWAMnDBWyT6bmdN9xa0X1pzCDiLGMKJ2PFzoL6b9VwQSx9zp9fTPinh+mVw
484Hf8nQOSs+HKVAltCvJWcFq04aqbauE817Og369wIDAQABMA0GCSqGSIb3DQEB
BAUAA4GBAJ6feAOv8bvGdk01QyupdIJVvp8IBv5ZJD1VLofoj/C4JYLsHWTV0IZI
rhw37hI9y9wAiiZVrbEM88N0FgFfHN2hoymvRmvg0Y7l7OuMQWz2vSMJYIyeI2Wb
uMWGN+klM77OxRXWseUOWaPp0RqW3MGqMV7+SU8sN9gVdEZdLxnj
-----END CERTIFICATE-----

每个客户机都需要 pem 文件 syslog-ng-client.pem 中其自身的证书和私钥：

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCil0ezk0GCg1h74dIwmEjNmOoMfi4dohNYRFUeMROVJxjb/vy8
4BiGGpZg/OlaJCpMHSPuXFadCYRd4CFIC9vjqHqxOvABEML/rac8eD8eGXtaUY8P
X+lFvtewtzyAhj+EqQumrzJY4/JZ7/UZm99NP2M/Gc8gCM7fAozbu5UwhQIDAQAB
AoGAGhMErqm44cNKl2NZn+1sD3ysXCCIKLxrOcaLl/Hq4AqLFAzKX0fY5viwkRE+
IvSVy+sIbhtk0H5MOfnNnI46TwCvgelMbb8FtRDpZrwA7AgH9+scnjfpuibVZdoW
9fR2HoOOevffDU9ZfFlthsOKJp+xb7PRFcsxlV3ihla9aKkCQQDNt3gcE9goGyBj
kWkgB1Ydmov155xC1ozGpeyEVm3fGtD+sfgIxYuaV1xFhQKZMR2QeEnX3v5mqP31
zf5dnj47AkEAylVB95ZGvG91H4uUXrSW53djD2a5GtVjXNoDWLs7Hp7sbUkbRexa
5cSZ7EFqbyXHYx1xKMgYwqgIhbV1CU2gPwJAZBnMtkzpt8pLXmfZcZ5gRxN223eS
T+u6oMcIafTsjc2suOK8wPfvUHEGE0X/169QpYYC2KpHvIiq2zsbdU6VFQJAYibZ
yXFs/xxShOsBHrAcREz2ERKT2SCLAw//b5vkIgaWSq2cPV9a+PtWb/WL3D9Hah1u
N4pZ+JPrDnHoRIsToQJBAJ4IG4AAgIPkmIVbROXXpt/2YBbP1WQI1suKzWy6r4V4
E0fiwYh1REik4+WRCRBabzjFA7GIDiD2QQGzTa8m0nQ=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICZTCCAc4CAQMwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCVVMxFjAUBgNV
BAgTDU1hc3NhY2h1c2V0dHMxEDAOBgNVBAcTB0JldmVybHkxFTATBgNVBAoTDE9j
ZWFud2F2ZSBDQTEhMB8GCSqGSIb3DQEJARYScm9vdEBvY2VhbndhdmUuY29tMB4X
0510MDcxOTEzNTc0M1oXDTA1MDcxOTEzNTc0M1owgYQxCzAJBgNVBAYTAlVTMRYw
FAYDVQQIEw1NYXNzYWNodXNldHRzMRAwDgYDVQQHEwdCZXZlcmx5MSMwIQYDVQQK
ExpPY2VhbndhdmUgQ29uc3VsdGluZywgSW5jLjEmMCQGA1UEAxMdcmVhbHNvb24u
b2ZmaWNlLm9jZWFud2F2ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
AKKXR7OTQYKDWHvh0jCYSM2Y6gx+Lh2iE1hEVR4xE5UnGNv+/LzgGIYalmD86Vok
KkwdI+5cVp0JhF3gIUgL2+OoerE68AEQwv+tpzx4Px4Ze1pRjw9f6UW+17C3PICG
P4SpC6avMljj8lnv9Rmb300/Yz8ZzyAIzt8CjNu7lTCFAgMBAAEwDQYJKoZIhvcN
AQEEBQADgYEAleB5Xk0BnHu3g6ron5qcjBtDgnOnvzsX3v+KVaFGZiufdWtILCMn
58HrXCV2zoUlUcbnrqHgov47qvZBlh2HR7fT7MQYXFTKOFDXwCdSDfXHTUmmQHzq
cctX025yo45obGgI9LWDjip0/PW0k3r4IuVRtfOz+gHf1ZyEVjIuXkE=
-----END CERTIFICATE-----

每个客户机还需要 pem 文件 syslog-ng-server.pem，其中仅包含来自服务器和签名 CA 的证书：

-----BEGIN CERTIFICATE-----
MIIDJzCCApCgAwIBAgIBADANBgkqhkiG9w0BAQQFADBxMQswCQYDVQQGEwJVUzEW
MBQGA1UECBMNTWFzc2FjaHVzZXR0czEQMA4GA1UEBxMHQmV2ZXJseTEVMBMGA1UE
ChMMT2NlYW53YXZlIENBMSEwHwYJKoZIhvcNAQkBFhJyb290QG9jZWFud2F2ZS5j
b20wHhcNMDIwNjIzMjIyODIxWhcNMTIwNjIwMjIyODIxWjBxMQswCQYDVQQGEwJV
UzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEQMA4GA1UEBxMHQmV2ZXJseTEVMBMG
A1UEChMMT2NlYW53YXZlIENBMSEwHwYJKoZIhvcNAQkBFhJyb290QG9jZWFud2F2
ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMSqIDhWZDLO2ptG9ebx
FUycmXoMNPCLWmsFgRBQKG5vgOQruX8jpXqHOFCxjhO4ZsSUWwd8eO4J/4A9kTao
VFzi4P63A8xyN92Gbh4BfvmFecDhLaoZ+5zMNclNOlom2Rda75Fj8iYhtSIrbOcq
Mc8KkRriG3+Hl6ptW0XibqznAgMBAAGjgc4wgcswHQYDVR0OBBYEFDlBMdhKkmEm
pQkan14xNA3a646MMIGbBgNVHSMEgZMwgZCAFDlBMdhKkmEmpQkan14xNA3a646M
oXWkczBxMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEQMA4G
A1UEBxMHQmV2ZXJseTEVMBMGA1UEChMMT2NlYW53YXZlIENBMSEwHwYJKoZIhvcN
AQkBFhJyb290QG9jZWFud2F2ZS5jb22CAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG
9w0BAQQFAAOBgQB8Xzn/UioFZV2Osyt0oz8/3Eu1GmQx4Cpaw4o7GBKg52IQA0Sv
qfvUmeuFZ6sSDYEI6bC/u6MkyvRwV7pOtqzUoGbvtGDhnFIxdiyiEOfZosdvadBx
ilXHU/tYDXffxFBcBoeoFHkYyX1vAY4uFsPBEywF3NBUGuoP5Ed5+AS+rQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICZDCCAc0CAQIwDQYJKoZIhvcNAQEEBQAwcTELMAkGA1UEBhMCVVMxFjAUBgNV
BAgTDU1hc3NhY2h1c2V0dHMxEDAOBgNVBAcTB0JldmVybHkxFTATBgNVBAoTDE9j
ZWFud2F2ZSBDQTEhMB8GCSqGSIb3DQEJARYScm9vdEBvY2VhbndhdmUuY29tMB4X
DTA0MDcxOTEzNTExNVoXDTA1MDcxOTEzNTExNVowgYMxCzAJBgNVBAYTAlVTMRYw
FAYDVQQIEw1NYXNzYWNodXNldHRzMRAwDgYDVQQHEwdCZXZlcmx5MSMwIQYDVQQK
ExpPY2VhbndhdmUgQ29uc3VsdGluZywgSW5jLjElMCMGA1UEAxMcbG9naG9zdC5v
ZmZpcdaub2NlYW53YXZlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
0gCdJFC7ysSIRbc9XLV5Q1mNAnE6SLHBAF8vdJwLsML7IY4t/Wm2R+WfT30zqE/8
zumckNJTidi82HEvyUJkfuMC4IH+covCtwawSMGgB23wMmvAveYPaCDU5IzOWN83
ZDIbz8JorzFfpQWtO0JNEmYPMWG5VImn4rEKZRs41r8CAwEAATANBgkqhkiG9w0B
AQQFAAOBgQAvaaoVvP267QbxBOeBDBeP3CCpOskT5YJUHWQE2QmH5wR/5iwQqvrU
Fo8V2JbaaauN9sa5CQutthUK1D3Ub+nHuHgGPFfdkL0Ll+5+LVf1swKXy8H1Q8CA
Aiq0dK0EJQ+taQTw+KD7MBOzIJk0OF76uwdNxgaATQEVjxi6M0MG5g==
-----END CERTIFICATE-----

在每台计算机上，确保只有超级用户可以读取证书文件（由于安全原因）：

chmod 400 /usr/local/etc/openssl/certs/syslog-ng-*
chown root:other /usr/local/etc/openssl/certs/syslog-ng-*

配置 Stunnel 以用于 syslog-ng

在服务器上，创建 syslog-ng 专用的 Stunnel 配置文件 /usr/local/etc/stunnel/stunnel.conf，该文件包含如下信息。此示例文件指定本地证书/密钥和服务器证书、stunnel 用户和组以及 chroot 目录。verify 的值为 3 可确保 stunnel 使用本地安装的证书验证对等方。缺省情况下，Stunnel 使验证处于关闭状态，所以此时打开验证十分重要。配置文件的最后一部分指定 SSL 包装会话的端口号和在其中接受和重定向连接的 IP:port。端口 514 是标准的 syslog 端口，5140 是随机选取的未用端口。有关其他信息和配置选项，请务必阅读 stunnel 手册页。

cert = /usr/local/etc/openssl/certs/syslog-ng-server.pem
CAfile = /usr/local/etc/openssl/certs/syslog-ng-client.pem
chroot = /var/run/stunnel
pid = /run/stunnel.pid
setuid = stunnel
setgid = stunnel
verify = 3
[5140]
accept = 192.168.1.10:5140
connect = 127.0.0.1:514

在每个客户机上，syslog-ng 专用的 /usr/local/etc/stunnel/stunnel.conf 文件包含与服务器的 stunnel.conf 文件相类似的指令。将交换 cert 和 CAfile 值以及 accept 和 connect 值，并添加 client 指令：

client = yes
cert = /usr/local/etc/openssl/certs/syslog-ng-client.pem
CAfile = /usr/local/etc/openssl/certs/syslog-ng-server.pem
chroot = /var/run/stunnel
pid = /run/stunnel.pid
setuid = stunnel
setgid = stunnel
verify = 3
[5140]
accept = 127.0.0.1:514
connect = 192.168.1.10:5140

现在已配置 Stunnel，可以安装和配置 syslog-ng 了。如果希望在此时测试 Stunnel，请将它配置为使用其他 TCP 端口或服务（如 IMAP 或 telnet），如 stunnel 示例页所述。
安装 syslog-ng

syslog-ng 的稳定版本首先要求安装（或至少生成）库 libol。请下载、解压缩并安装该库，如下所示：

wget http://www.balabit.com/downloads/libol/0.3/libol-0.3.14.tar.gz
tar zxf libol-0.3.14.tar.gz
cd libol-0.3.14

./configure
make
make install

现在，请检索 syslog-ng 的源代码，并对其进行解压缩、配置和安装。在配置时，我还添加了对 tcp wrapper 的支持，因为我已安装并有效地将其用于其他守护进程：

wget http://www.balabit.com/downloads/syslog-ng/1.6/src/syslog-ng-1.6.5.tar.gz
tar zxf syslog-ng-1.6.5.tar.gz
cd ../syslog-ng-1.6.5

./configure --enable-tcp-wrapper
make
make install

请务必打开所有包过滤器和/或 tcp wrapper 中的相应端口。如果日志主机也在接受未加密的 syslog 消息，则服务器需要接受来自 TCP 端口 5140 上和 UDP 端口 514 上客户机的连接。要支持 tcp wrapper 的扩展语法，请将以下内容添加到服务器上的 /etc/hosts.deny：

syslog-ng : LOCAL 127.0.0.1 192.168.1. : ALLOW

此外，在客户机上将以下内容添加到 /etc/hosts.deny：

syslog-ng : LOCAL 127.0.0.1 : ALLOW

现在可以创建 stunnel/syslog-ng 启动脚本 /etc/init.d/syslog-ng，该脚本将在引导时运行于每台计算机上。以下脚本基于 Solaris 8 操作系统的 syslog 启动脚本，此外它还执行 savecore，并启动 stunnel 和 syslog-ng：

#!/sbin/sh
#

case "$1" in
'start')
if [ -f /usr/local/etc/syslog-ng/syslog-ng.conf -a -x /
/usr/local/sbin/syslog-ng ]; then
#
# Before syslogd starts, save any messages from previous
# crash dumps so that messages appear in chronological order.
#
/usr/bin/savecore -m
if [ -r /etc/dumpadm.conf ]; then
. /etc/dumpadm.conf
[ "x$DUMPADM_DEVICE" != xswap ] && /
/usr/bin/savecore -m -f $DUMPADM_DEVICE
fi
#
# Start stunnel so logs are sent encrypted
#
if [ -f /usr/local/etc/stunnel/stunnel.conf /
-a -x /usr/local/sbin/stunnel ]; then
echo "Starting stunnel"
mkdir -p /var/run/stunnel/run
chown stunnel:stunnel /var/run/stunnel/run
/usr/local/sbin/stunnel
echo "Starting syslog-ng"
/usr/local/sbin/syslog-ng
fi
fi
;;

'stop')
if [ -f /var/run/syslog-ng.pid ]; then
syspid=`/usr/bin/cat /var/run/syslog-ng.pid`
[ "$syspid" -gt 0 ] && kill -15 $syspid && /
echo "Killed syslog-ng"
fi
if [ -f /var/run/stunnel/run/stunnel.pid ]; then
syspid=`/usr/bin/cat /var/run/stunnel/run/stunnel.pid`
[ "$syspid" -gt 0 ] && kill -15 $syspid && /
echo "Killed stunnel"
fi

;;

*)
echo "Usage: $0 { start | stop }"
exit 1
;;
esac

删除本机 Solaris syslog 启动和关闭脚本的链接，并将其替换为指向新 syslog-ng 脚本的链接：

rm /etc/rc*.d/???syslog
ln -s /etc/init.d/syslog-ng /etc/rc0.d/K40syslog-ng
ln -s /etc/init.d/syslog-ng /etc/rc1.d/K40syslog-ng
ln -s /etc/init.d/syslog-ng /etc/rc2.d/S74syslog-ng
ln -s /etc/init.d/syslog-ng /etc/rcS.d/K40syslog-ng

配置 syslog-ng

syslog-ng 的灵活性取决于其配置文件。配置指令 source、filter、destination 和 log 对于日志处理十分重要。Source 指令表示本地日志消息和远程日志消息的来源。Filter 指令允许基于设备、级别/优先级、程序名称、主机名称或正则表达式匹配来分离日志消息。destination 可以是文件、管道、流和数据报、UDP 或 TCP 连接、ttys 或程序。log 指令是 source、filter 和 destination 指令的集合，这些指令定义如何处理匹配的日志消息。在 syslog-ng 参考手册中可找到所有可用指令的讨论，在 syslog-ng 常见问题解答中列出了各种示例。

以下示例显示了在每个本地主机的 /var/log 以及在中心日志服务器的 /var/log/clients/$YEAR/$MONTH/$HOST 中存储的日志文件。日志主机上的以下 /usr/local/etc/syslog-ng/syslog-ng.conf 支持来自本地主机、stunnel 加密主机和标准 UDP 主机（如无法使用 stunnel 的路由器和交换机）的消息。过滤器基于设备和级别、程序名称匹配以及这些项的某些组合。

# Options
options {
use_fqdn(yes);
sync(0);
keep_hostname(yes);
chain_hostnames(no);
create_dirs(yes);
};

# Sources of syslog messages (both local and remote messages on the server)
source s_local {
sun-streams("/dev/log" door("/etc/.syslog_door"));
internal();
};
source s_stunnel {
tcp(ip("127.0.0.1")
port(514)
max-connections(1));
};

source s_udp { udp(); };

# Level Filters
filter f_emerg { level (emerg); };
filter f_alert { level (alert .. emerg); };
filter f_crit { level (crit .. emerg); };
filter f_err { level (err .. emerg); };
filter f_warning { level (warning .. emerg); };
filter f_notice { level (notice .. emerg); };
filter f_info { level (info .. emerg); };
filter f_debug { level (debug .. emerg); };

# Facility Filters
filter f_kern { facility (kern); };
filter f_user { facility (user); };
filter f_mail { facility (mail); };
filter f_daemon { facility (daemon); };
filter f_auth { facility (auth); };
filter f_syslog { facility (syslog); };
filter f_lpr { facility (lpr); };
filter f_news { facility (news); };
filter f_uucp { facility (uucp); };
filter f_cron { facility (cron); };
filter f_local0 { facility (local0); };
filter f_local1 { facility (local1); };
filter f_local2 { facility (local2); };
filter f_local3 { facility (local3); };
filter f_local4 { facility (local4); };
filter f_local5 { facility (local5); };
filter f_local6 { facility (local6); };
filter f_local7 { facility (local7); };

# Custom Filters
filter f_user_none { not facility (user); };
filter f_kern_debug { filter (f_kern) and filter (f_debug); };
filter f_daemon_notice { filter (f_daemon) and filter (f_notice); };
filter f_mail_crit { filter (f_mail) and filter (f_crit); };
filter f_mesg { filter (f_kern_debug) or
filter (f_daemon_notice) or
filter (f_mail_crit); };
filter f_authinfo { filter (f_auth) or program (sudo); };

# Destinations: local files, the console, and the client files
destination l_authlog { file ("/var/log/authlog"); };
destination l_messages { file ("/var/log/messages"); };
destination l_maillog { file ("/var/log/maillog"); };
destination l_ipflog { file ("/var/log/ipflog"); };
destination l_imaplog { file ("/var/log/imaplog"); };
destination l_syslog { file ("/var/log/syslog"); };

destination l_console { file ("/dev/console"); };

destination r_authlog { file
("/var/log/clients/$YEAR/$MONTH/$HOST/authlog"); };
destination r_messages { file
("/var/log/clients/$YEAR/$MONTH/$HOST/messages"); };
destination r_maillog { file
("/var/log/clients/$YEAR/$MONTH/$HOST/maillog"); };
destination r_ipflog { file
("/var/log/clients/$YEAR/$MONTH/$HOST/ipflog"); };
destination r_imaplog { file
("/var/log/clients/$YEAR/$MONTH/$HOST/imaplog"); };
destination r_console { file
("/var/log/clients/$YEAR/$MONTH/$HOST/consolelog"); };
destination r_syslog { file
("/var/log/clients/$YEAR/$MONTH/$HOST/syslog"); };
destination r_fallback { file
("/var/log/clients/$YEAR/$MONTH/$HOST/$FACILITY-$LEVEL"); };

# Log statements
# Local sources
log { source (s_local); filter (f_authinfo) destination (l_authlog); };
log { source (s_local); filter (f_mail); destination (l_maillog); };
log { source (s_local); filter (f_local0); destination (l_ipflog); };
log { source (s_local); filter (f_local1); destination (l_imaplog); };
log { source (s_local); filter (f_syslog); destination (l_syslog); };
log { source (s_local); filter (f_emerg); filter (f_user_none);
destination (l_console); };
log { source (s_local); filter (f_mesg); filter (f_user_none);
destination (l_messages); };

# All sources, since we want to archive local and remote logs
log { source (s_local); source (s_stunnel); filter (f_authinfo);
destination (r_authlog); };
log { source (s_local); source (s_stunnel); filter (f_mail);
destination (r_maillog); };
log { source (s_local); source (s_stunnel); filter (f_local0);
destination (r_ipflog); };
log { source (s_local); source (s_stunnel); filter (f_local1);
destination (r_imaplog); };
log { source (s_local); source (s_stunnel); filter (f_syslog);
destination (r_syslog); };
log { source (s_local); source (s_stunnel); filter (f_emerg);
filter (f_user_none);
destination (l_console); };
log { source (s_local); source (s_stunnel); filter (f_mesg);
filter (f_user_none);
destination (l_messages); };

在此示例客户机 syslog-ng.conf 中，过滤器仍然是相同的，但是配置的其他部分大多已更改为反映客户机状态或者被删除：

# Options
options {
sync(0);
use_fqdn(yes);
};

# Sources of syslog messages (only local on clients)
source s_local {
sun-streams("/dev/log" door("/etc/.syslog_door"));
internal();
};

# Destinations: local files, the console, and the remote syslog server
destination l_authlog { file ("/var/log/authlog"); };
destination l_messages { file ("/var/log/messages"); };
destination l_maillog { file ("/var/log/maillog"); };
destination l_ipflog { file ("/var/log/ipflog"); };
destination l_imaplog { file ("/var/log/imaplog"); };
destination l_console { file ("/dev/console"); };
destination l_syslog { file ("/var/log/syslog"); };
destination stunnel { tcp ("127.0.0.1", port(514)); };

# Level Filters
filter f_emerg { level (emerg); };
filter f_alert { level (alert .. emerg); };
filter f_crit { level (crit .. emerg); };
filter f_err { level (err .. emerg); };
filter f_warning { level (warning .. emerg); };
filter f_notice { level (notice .. emerg); };
filter f_info { level (info .. emerg); };
filter f_debug { level (debug .. emerg); };

# Facility Filters
filter f_kern { facility (kern); };
filter f_user { facility (user); };
filter f_mail { facility (mail); };
filter f_daemon { facility (daemon); };
filter f_auth { facility (auth); };
filter f_syslog { facility (syslog); };
filter f_lpr { facility (lpr); };
filter f_news { facility (news); };
filter f_uucp { facility (uucp); };
filter f_cron { facility (cron); };
filter f_local0 { facility (local0); };
filter f_local1 { facility (local1); };
filter f_local2 { facility (local2); };
filter f_local3 { facility (local3); };
filter f_local4 { facility (local4); };
filter f_local5 { facility (local5); };
filter f_local6 { facility (local6); };
filter f_local7 { facility (local7); };

# Custom Filters
filter f_user_none { not facility (user); };
filter f_kern_debug { filter (f_kern) and filter (f_debug); };
filter f_daemon_notice { filter (f_daemon) and filter (f_notice); };
filter f_mail_crit { filter (f_mail) and filter (f_crit); };
filter f_mesg { filter (f_kern_debug) or
filter (f_daemon_notice) or
filter (f_mail_crit); };
filter f_authinfo { filter (f_auth) or program (sudo); };

# Log statements
# Log things locally
log { source (s_local); filter (f_authinfo); destination (l_authlog); };
log { source (s_local); filter (f_mail); destination (l_maillog); };
log { source (s_local); filter (f_local0); destination (l_ipflog); };
log { source (s_local); filter (f_local1); destination (l_imaplog); };
log { source (s_local); filter (f_syslog); destination (l_syslog); };
log { source (s_local); filter (f_emerg); filter (f_user_none);
destination (l_console); };
log { source (s_local); filter (f_mesg); filter (f_user_none);
destination (l_messages); };

# Log everything remotely via stunnel
log { source (s_local); destination (stunnel); };

syslog-ng 的更高级用法包括根据日志消息的重要性将其直接发送到数据挖掘软件、数据库、电子邮件或打印机。另一个有用的提示是，将高优先级日志消息发送到一个可以由实时日志分析器（如 swatch、logsurfer、Log Tool 或 Logwatch）监视的文件。自动数据挖掘和监视的可能性很大，原因是可以按各种方式组织和处理日志条目。