Environment:
Log collection server: syslog-ng 3.3.7
Tomcat client: syslog + tomcat
Preparation (removing things that get in the way):
1. To make debugging easier, stop the firewall and turn off SELinux. This is for the debugging phase only: the syslog-ng source configured below listens on port 514 on every interface, so on the finished collector turn the firewall back on and allow 514/tcp and 514/udp only from the Tomcat clients' addresses.

    #service iptables stop      //stop the firewall
    #chkconfig iptables off     //do not start it at boot
    #service iptables status    //check the firewall's state

The firewall is stopped.
2. Change SELINUX=enforcing to SELINUX=disabled

    #vi /etc/selinux/config
    #setenforce 0               //turn it off for the current boot only
    #/usr/sbin/sestatus -v      //check SELinux status

SELinux is off.
3. The system ships with rsyslog, which would conflict with syslog-ng over /dev/log (and over port 514 if rsyslog's network input is enabled). Uninstall or disable it; here it is disabled.

    # chkconfig rsyslog off     //do not start it at boot
    # service rsyslog stop      //stop rsyslog
Installing syslog-ng:
Method 1: straight from yum (on CentOS the package typically comes from the EPEL repository)

    #yum install -y syslog-ng

With this method the global configuration lives in /etc/syslog-ng/syslog-ng.conf.
Method 1 is not recommended for newcomers, because you learn nothing about the process.
Method 2: manual install (the steps below must be run in this order; each depends on the previous one)
Install the build environment:

    #yum install -y gcc gcc-c++ pkgconfig pcre pcre-devel libcurl libcurl-devel glib2 glib2-devel

gmodule and gthread are not separate packages; they are provided by glib2/glib2-devel. pcre-devel supplies the PCRE headers that syslog-ng 3.3's configure checks for.
1. Install eventlog

    #tar -zxvf eventlog_0.2.12.tar.gz
    #cd eventlog-0.2.12
    #./configure --prefix=/usr/local/eventlog
    #make && make install

2. Install libol

    #tar -zxvf libol-0.3.18.tar.gz
    #cd libol-0.3.18
    #./configure --prefix=/usr/local/libol
    #make && make install

libol was a dependency of syslog-ng 2.x; the 3.x series builds against eventlog and glib instead, so 3.3.7 does not actually need it. The step is harmless, and a configure script that does not know --with-libol only prints a warning about an unrecognized option.

3. Install syslog-ng

Set the environment variable so that syslog-ng's configure can find eventlog through pkg-config. After editing /etc/profile, load it into the current shell (source /etc/profile) or export the variable directly; otherwise configure will not see it. Note that the tarball name uses an underscore but the directory it unpacks into uses a hyphen.

    #vi /etc/profile    //set the environment variable
    export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig/

    //start the install
    #tar -zxvf syslog-ng_3.3.7.tar.gz
    #cd syslog-ng-3.3.7
    #./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol/
    #make && make install
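The manual build above as one script, added here as an example; it is not from the original post. It keeps the post's versions, prefixes and CentOS package names, assumes the three tarballs are in the current directory, and adds the check a practitioner wants before the last step: that pkg-config can actually see eventlog, since that is what syslog-ng's configure depends on.

```shell
#!/bin/sh
# Added example, not from the original post: the manual build as one script,
# so the order (eventlog, then libol, then syslog-ng) and the PKG_CONFIG_PATH
# step cannot be skipped. Assumes the three tarballs are in the current
# directory; versions, prefixes and CentOS package names are the post's.
set -eu

EVENTLOG_PREFIX=/usr/local/eventlog
LIBOL_PREFIX=/usr/local/libol
SYSLOGNG_PREFIX=/usr/local/syslog-ng

# The tarballs are named with an underscore but unpack into a hyphenated
# directory (syslog-ng_3.3.7.tar.gz -> syslog-ng-3.3.7); derive that name.
build_dir_for() {
    printf '%s\n' "${1%.tar.gz}" | sed 's/_/-/'
}

# Unpack, configure, build and install one tarball under the given prefix.
# Extra arguments are passed to ./configure. Any failing step aborts (set -e).
build_one() {
    tarball=$1; prefix=$2; shift 2
    dir=$(build_dir_for "$tarball")
    tar -zxf "$tarball"
    ( cd "$dir" && ./configure --prefix="$prefix" "$@" && make && make install )
}

# syslog-ng's configure finds eventlog through pkg-config, so eventlog.pc must
# be reachable before that step; returns non-zero if it is not.
eventlog_visible() {
    PKG_CONFIG_PATH="$EVENTLOG_PREFIX/lib/pkgconfig" pkg-config --exists eventlog
}

main() {
    yum install -y gcc gcc-c++ pkgconfig pcre pcre-devel libcurl libcurl-devel glib2 glib2-devel
    build_one eventlog_0.2.12.tar.gz "$EVENTLOG_PREFIX"
    build_one libol-0.3.18.tar.gz "$LIBOL_PREFIX"   # not needed by 3.x, kept as in the post
    export PKG_CONFIG_PATH="$EVENTLOG_PREFIX/lib/pkgconfig"
    eventlog_visible || { echo "eventlog.pc not found under $EVENTLOG_PREFIX" >&2; exit 1; }
    build_one syslog-ng_3.3.7.tar.gz "$SYSLOGNG_PREFIX" --with-libol="$LIBOL_PREFIX"
    "$SYSLOGNG_PREFIX/sbin/syslog-ng" --version
}

# Run the build only when invoked as: ./build-syslog-ng.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as root with the argument run; without the argument it only defines the functions, which keeps an accidental invocation from starting a build.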
4. Configure syslog-ng
Overview: a log message is processed roughly like this:
first the "log source: source s_name { ... };"
then the "filter rule: filter f_name { ... };"
then the "message chain (what actually runs): log { source(s_name); filter(f_name); destination(d_name); };"
and finally the "destination action: destination d_name { ... };"
That is the order of processing. In the configuration file, however, a "destination" must be declared before the "log" statement that refers to it, just like declarations in a program.
For the manual install the global configuration is /usr/local/syslog-ng/etc/syslog-ng.conf:
@version: 3.3
# version of the configuration syntax (major.minor); the build above is 3.3.7
options {
    # maximum size of one log message (bytes)
    log_msg_size(8192);
    # number of lines to buffer before writing to a destination; 0 writes as soon as a message arrives
    flush_lines(1);
    # size of the output queue (lines)
    log_fifo_size(20480);
    # seconds to wait before reconnecting a dead connection
    time_reopen(10);
    # DNS lookups. On a collector that accepts messages from the network, a reverse lookup
    # per peer is a cheap way for a sender to slow the server down; use_dns(no), or
    # use_dns(persist_only) with the clients listed in /etc/hosts, is the safer setting.
    use_dns(yes);
    # cache DNS results
    dns_cache(yes);
    # use fully qualified host names
    use_fqdn(yes);
    # keep the host name found in the message header. Because $HOST is used in the file
    # paths below, the sender then chooses the directory its logs land in; keep_hostname(no)
    # names the directory after the peer that actually sent the message instead.
    keep_hostname(yes);
    # host name chaining: record every relay the message passed through (useful across several network segments)
    chain_hostnames(no);
    # create a destination directory when it does not exist
    create_dirs(yes);
    # default file permissions, in octal
    perm(0644);
    # interval in seconds between STATS messages (statistics about dropped messages); 0 disables them
    stats_freq(43200);
};

# messages generated by syslog-ng itself
source s_internal { internal(); };

# the collector's own local messages
source s_local {
    unix-stream("/dev/log" max-connections(50));
    file("/proc/kmsg" program_override("kernel: "));
};

# messages from the network: udp and tcp port 514 on every interface.
# Plain syslog carries no authentication or encryption, so anyone who can reach this
# port can write into the files below; restrict it with the firewall to the Tomcat
# clients' addresses, or bind ip() to the internal interface only.
source s_src {
    tcp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(514));
};

filter f_cron     { facility(cron); };
filter f_console  { facility(kern); };
filter f_bootlog  { facility(local7); };
# level(info) on its own matches only the info priority; info..emerg is "info and above",
# which is what a messages file is expected to hold
filter f_messages { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_secure   { facility(authpriv); };
filter f_spooler  { facility(uucp) or (facility(news) and level(crit)); };
filter f_local6   { facility(mail); };
filter f_local4   { facility(local4); };
filter f_catalina { facility(local5); };

destination d_syslognglog { file("/var/log/syslog-ng.log"); };
destination d_loc_messages {
    file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/loc_messages"
         owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
destination d_messages {
    file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages"
         owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
destination d_local7 {
    file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/local7"
         owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
destination d_localhost_access_log {
    file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/tomcat-access"
         owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
destination d_local6 {
    file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/local6"
         owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
destination d_console {
    file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console"
         owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
destination d_secure {
    file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure"
         owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
destination d_cron {
    file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron"
         owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
destination d_spooler {
    file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler"
         owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
destination d_bootlog {
    file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog"
         owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
destination d_syslog {
    file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/syslog"
         owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
destination d_catalina {
    file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/catalina.out"
         owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};
destination d_local4 {
    file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/localhost.log"
         owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
};

log { source(s_internal); destination(d_syslognglog); };
log { source(s_local); destination(d_loc_messages); };
log { source(s_src); filter(f_messages); destination(d_messages); };
log { source(s_src); filter(f_console); destination(d_console); };
log { source(s_src); filter(f_secure); destination(d_secure); };
log { source(s_src); filter(f_cron); destination(d_cron); };
log { source(s_src); filter(f_spooler); destination(d_spooler); };
log { source(s_src); filter(f_bootlog); destination(d_bootlog); };
log { source(s_src); filter(f_bootlog); destination(d_local7); };
log { source(s_src); filter(f_local6); destination(d_local6); };
# no filter here: every message received from the network is also written to
# tomcat-access; add a filter (for example on the facility the access log is sent
# with) if that file is meant to hold only the access log
log { source(s_src); destination(d_localhost_access_log); };
log { source(s_src); filter(f_catalina); destination(d_catalina); };
log { source(s_src); filter(f_local4); destination(d_local4); };
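A test client for the configuration above, added here as an example; it is not code from the original post. It builds a BSD-syslog message the way the tcp()/udp() sources parse it, predicts from the filters and log statements above which files under /var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/ the message should end up in, and can send it to the collector over UDP. The host name webserver01, the tag, the date and the collector address are assumptions. It also makes the keep_hostname(yes) point concrete: the HOST field is whatever the client writes into the header, and that string becomes the directory name on the collector.

```shell
#!/bin/bash
# Added example, not part of the original post: a test client for the
# configuration above. Facility/severity codes are RFC 3164; the filters and
# log statements mirrored in expected_files() are the post's. Host name, tag,
# date and collector address are assumptions for the demo.
set -eu

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
facility_code() {
    case $1 in
        kern) echo 0;;    user) echo 1;;    mail) echo 2;;      daemon) echo 3;;
        auth) echo 4;;    syslog) echo 5;;  lpr) echo 6;;       news) echo 7;;
        uucp) echo 8;;    cron) echo 9;;    authpriv) echo 10;; ftp) echo 11;;
        local0) echo 16;; local1) echo 17;; local2) echo 18;;   local3) echo 19;;
        local4) echo 20;; local5) echo 21;; local6) echo 22;;   local7) echo 23;;
        *) echo "unknown facility: $1" >&2; return 1;;
    esac
}
severity_code() {
    case $1 in
        emerg) echo 0;;   alert) echo 1;;  crit) echo 2;; err) echo 3;;
        warning) echo 4;; notice) echo 5;; info) echo 6;; debug) echo 7;;
        *) echo "unknown severity: $1" >&2; return 1;;
    esac
}
syslog_pri() {
    echo $(( $(facility_code "$1") * 8 + $(severity_code "$2") ))
}

# "<PRI>TIMESTAMP HOST TAG: MSG". HOST is whatever the sender puts there;
# with keep_hostname(yes) the collector uses it unchanged as $HOST.
build_msg() {
    printf '<%s>%s %s %s: %s' "$(syslog_pri "$1" "$2")" \
        "$(date '+%b %e %H:%M:%S')" "$3" "$4" "$5"
}

# Files a message is written to, following the post's log {} statements in
# order. The tomcat-access statement has no filter, so every network message
# is written there as well.
expected_files() {
    facility=$1; sev=$(severity_code "$2"); out=""
    # f_messages: level(info..emerg) and not mail/authpriv/cron
    if [ "$sev" -le 6 ]; then
        case $facility in mail|authpriv|cron) ;; *) out="$out messages";; esac
    fi
    case $facility in
        kern)     out="$out console";;                               # f_console
        authpriv) out="$out secure";;                                # f_secure
        cron)     out="$out cron";;                                  # f_cron
        uucp)     out="$out spooler";;                               # f_spooler
        news)     if [ "$sev" -le 2 ]; then out="$out spooler"; fi;; # news at crit or above
        local7)   out="$out bootlog local7";;                        # f_bootlog, two destinations
        mail)     out="$out local6";;                                # f_local6
    esac
    out="$out tomcat-access"                                         # unfiltered statement
    case $facility in
        local5) out="$out catalina.out";;                            # f_catalina
        local4) out="$out localhost.log";;                           # f_local4
    esac
    echo "${out# }"
}

# Directory the collector writes into: $YEAR$MONTH$DAY/$HOST, where $HOST is
# the sender-supplied name passed to build_msg.
expected_dir() {
    echo "/var/log/syslog-ng/${2:-$(date +%Y%m%d)}/$1"
}

# Send one message over UDP using bash's /dev/udp (the logger on CentOS 6
# has no -n option for a remote server).
send_udp() {
    printf '%s\n' "$2" > "/dev/udp/$1/514"
}

# Usage: ./syslog-test.sh send 192.0.2.10   (collector address is an assumption)
if [ "${1:-}" = send ]; then
    host=webserver01
    msg=$(build_msg local5 info "$host" tomcat "catalina test message")
    send_udp "${2:?collector address}" "$msg"
    echo "sent: $msg"
    echo "expect it under $(expected_dir "$host") in: $(expected_files local5 info)"
fi
```

Run it from the Tomcat host as ./syslog-test.sh send <collector>, then look for catalina.out, messages and tomcat-access under that day's webserver01 directory on the collector. Changing the host argument passed to build_msg to another machine's name makes the message land in that machine's directory, which is exactly why the s_src source should be reachable only from the clients you trust, or why keep_hostname(no) is the safer option setting.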
5. Add syslog-ng as a system service
# vim /etc/init.d/syslog-ng   #create the file with the following contents
#!/bin/bash
#
# chkconfig: - 60 27
# description: syslog-ng SysV init script.

. /etc/rc.d/init.d/functions

syslog_ng=/usr/local/syslog-ng/sbin/syslog-ng
prog=syslog-ng
pidfile=/usr/local/syslog-ng/var/syslog-ng.pid
lockfile=/usr/local/syslog-ng/var/syslog-ng.lock
# -p makes syslog-ng write the same pid file that daemon/killproc/status check below
OPTIONS="-p $pidfile"
RETVAL=0
STOP_TIMEOUT=${STOP_TIMEOUT-10}

start() {
    echo -n $"Starting $prog: "
    daemon --pidfile=$pidfile $syslog_ng $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc -p $pidfile -d $STOP_TIMEOUT $syslog_ng
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f $lockfile $pidfile
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status -p $pidfile $syslog_ng
        RETVAL=$?
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|status}"
        RETVAL=2
esac
exit $RETVAL
Enable at boot:

    # chmod a+x /etc/init.d/syslog-ng   //make the script executable
    # killall syslogd                   //stop any old syslogd still running (rsyslog was already stopped above)
    # chkconfig --add syslog-ng
    # chkconfig syslog-ng on
    # service syslog-ng start           //start syslog-ng

The directory the pid and lock files live in (/usr/local/syslog-ng/var) must exist before the first start. Afterwards confirm with netstat that syslog-ng now owns 514/tcp and 514/udp, and that /var/log/syslog-ng.log shows no configuration errors from the internal() source.
This post was reproduced from piazini's 51CTO blog; original: http://blog.51cto.com/wutou/1765271