syslog是Linux系统默认的日志守护进程,默认的syslog配置文件是/etc/syslog.conf文件。syslog守护进程是可配置的,它允许人们为每一种类型的系统信息精确地指定一个存放地点。比较 syslog ,syslog-ng 具有众多高级的功能:更好的网络支持,更加方便的配置,集中式的网络日志存储,并且更具有弹性。比如,使用syslogd时,所有的iptables日志与其他内核日志一起全部存储到了kern.log文件里。Syslog-ng则可以让你有选择性的将iptables部分分出到另外的日志文件中。Syslogd仅能使用UDP协议,Syslog-ng 可以使用UDP和TCP协议。所以我们可以在加密的网络隧道中传输日志到集中日志服务器。
syslog-ng的一个设计原则就是建立更好的消息过滤粒度。syslog-ng能够进行基于内容和优先权/facility的过滤。另一个设计原则是更容易进行不同防火墙网段的信息转发,它支持主机链,即使日志消息经过了许多计算机的转发,也可以找出原发主机地址和整个转发链。最后的一个设计原则就是尽量使配置文件强大和简洁。syslog-ng作为syslog的替代工具,可以完全替代syslog的服务,并且通过定义规则,实现更好的过滤功能。之前介绍了Linux下rsyslog日志收集服务环境部署记录,下面简单介绍下syslog-ng日志集中管理服务部署记录:
下面部署实例目的:
实现接收远程客户端服务日志(nginx、mysql、php、apache)保存在本地一台日志服务器上提供查看。
即远程客户机采用syslog-ng将其日志通过管道pipe传送到本地的日志服务器上进行查看。
一、syslog-ng安装(服务端和客户端都要安装)
[root@syslog-ng ~]# wget Fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
[root@syslog-ng ~]# rpm -ivh epel-release-latest-6.noarch.rpm --force
[root@syslog-ng ~]# yum install syslog-ng -y
==============================================================================================
温馨提示:
由于日志集中管理服务syslog-ng采用的是C/S架构,所以客户端也需要安装syslog-ng。
如果客户端只是传输系统日志到syslog-ng服务器上,那么客户端就不需安装syslog-ng了,只需要在在syslog.conf配置里添加一条:
#vim /etc/syslog.conf //这是系统日志,所有级别的所有日志。
*.* @192.168.10.205 //此处IP地址为日志服务器IP【即客户端的ip】
==============================================================================================
二、syslog-ng服务端配置记录(192.168.10.205)
[root@syslog-ng ~]# cp /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.bak
[root@syslog-ng ~]# vim /etc/syslog-ng/syslog-ng.conf
......
options {
flush_lines (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (yes); #此行改为yes
keep_hostname (yes);
};
......
source s_log {
udp(ip(0.0.0.0) port(514));
};
......
destination d_log {
file("/data/syslog-ng/kevin.log");
};
......
log { source(s_log); destination(d_log); };
配置说明:
options 为全局配置参数
source 是日志从本机的哪个IP哪个端口接收信息
destination 接收到信息保存在哪个文件
log 就是将来源信息写入到目的文件中
创建日志存放文件
[root@syslog-ng ~]# mkdir /data/syslog-ng/
[root@syslog-ng ~]# touch /data/syslog-ng/kevin.log #此文件其实可以不用提前创建,会自动创建。
[root@syslog-ng ~]# chmod 600 /data/syslog-ng/kevin.log
启动syslog-ng服务
[root@syslog-ng ~]# /etc/init.d/syslog-ng start
Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
[ OK ]
三、syslog-ng客户端配置记录(192.168.10.206)
将客户端服务器nginx日志通过管道文件传输到日志服务器上(即输出到syslog-ng服务器端)
[root@web-node01 ~]# cp /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.bak
[root@web-node01 ~]# vim /etc/syslog-ng/syslog-ng.conf
......
options {
flush_lines (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (yes); #修改为yes
keep_hostname (yes);
};
......
source s_slog {
pipe("/data/kevin/log.pipe");
};
......
destination d_slog { udp(192.168.10.205 port(514)); }; #ip为syslog-ng服务端ip地址
......
log { source(s_slog); destination(d_slog); };
创建管道文件
[root@web-node01 ~]# mkdir /data/kevin
[root@web-node01 ~]# mkfifo /data/kevin/log.pipe
启动syslog-ng服务
[root@web-node01 ~]# /etc/init.d/syslog-ng start
Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
Starting syslog-ng: Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
[ OK ]
验证测试:
比如将客户端nginx服务日志信息导入到管道文件中
[root@web-node01 ~]# tail -f /etc/nginx/logs/access.log >> /data/kevin/log.pipe &
[root@web-node01 ~]# ps -ef|grep -v grep|grep "tail -f /etc/nginx/logs/access.log"
root 28598 25044 0 15:08 pts/2 00:00:00 tail -f /etc/nginx/logs/access.log
接着去syslon-ng的服务端查看,发现日志已经传过来了。
注意这个日志传输是实施在刷的,也就是说只要syslog-ng客户端那边的日志实时在刷,服务端这边就会实时地接收过来。
[root@syslog-ng ~]# tail -f /data/syslog-ng/kevin.log
Jul 4 15:08:40 web-node01 172.17.13.18 - [04/Jul/2018:15:05:04 +0800] "GET / HTTP/1.1" 403 571 "-" Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 - 0.000 - - -
Jul 4 15:08:40 web-node01 172.17.13.18 - [04/Jul/2018:15:05:04 +0800] "GET /favicon.ico HTTP/1.1" 404 571 "http://192.168.10.206:8080/" Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 - 0.000 - - -
Jul 4 15:08:40 web-node01 172.17.13.18 - [04/Jul/2018:15:05:32 +0800] "GET /a.txt HTTP/1.1" 200 10 "-" Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 - 0.000 - - -
Jul 4 15:08:40 web-node01 172.17.13.18 - [04/Jul/2018:15:08:05 +0800] "GET /a.txt HTTP/1.1" 304 0 "-" Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 - 0.000 - - -
Jul 4 15:08:40 web-node01 172.17.13.18 - [04/Jul/2018:15:08:06 +0800] "GET /a.txt HTTP/1.1" 304 0 "-" Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 - 0.000 - - -
Jul 4 15:08:40 web-node01 172.17.13.18 - [04/Jul/2018:15:08:06 +0800] "GET /a.txt HTTP/1.1" 304 0 "-" Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 - 0.000 - - -
Jul 4 15:08:40 web-node01 172.17.13.18 - [04/Jul/2018:15:08:07 +0800] "GET /a.txt HTTP/1.1" 304 0 "-" Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 - 0.000 - - -
Jul 4 15:08:40 web-node01 172.17.13.18 - [04/Jul/2018:15:08:28 +0800] "GET /a.txt HTTP/1.1" 200 1136 "-" Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 - 0.000 - - -
Jul 4 15:08:40 web-node01 172.17.13.18 - [04/Jul/2018:15:08:29 +0800] "GET /a.txt HTTP/1.1" 304 0 "-" Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 - 0.000 - - -
到此,一个简单的syslog-ng日志集中管理服务环境就部署成功了。
========================================================================================
需要注意的是:
上面实验仅仅是传输了客户端的nginx日志到远程日志服务器上,其实是可以配置传输多个日志的,只需要:
1)在syslog-ng服务端和客户端的syslog-ng.conf文件里配置多个source及destination即可!
2)多个配置时,记住端口一定不能配置成一样的,否则多个日志会被传输到远程服务器的同一个日志里!!默认端口是514,多配置的时候,可以用比如5514、5515、5516等端口。
如在上面配置传输nginx日志的基础上,再输出客户机的/var/log/message日志、/var/log/redis/redis.log日志和/var/log/slapd/slapd.log日志到syslog-ng服务器端,则需要添加操作:
1)在syslog-ng服务器端(192.168.10.205)需要添加配置:
[root@syslog-ng ~]# vim /etc/syslog-ng/syslog-ng.conf
......
source s_mem {
udp(ip(0.0.0.0) port(5514));
};
source s_redis {
udp(ip(0.0.0.0) port(5515));
};
source s_slapd {
udp(ip(0.0.0.0) port(5516));
};
......
destination d_mem {
file("/data/syslog-ng/mem.log");
};
destination d_redis {
file("/data/syslog-ng/redis.log");
};
destination d_slapd {
file("/data/syslog-ng/slapd.log");
};
......
log { source(s_mem); destination(d_mem); };
log { source(s_redis); destination(d_redis); };
log { source(s_slapd); destination(d_slapd); };
创建日志存放文件
[root@syslog-ng ~]# touch /data/syslog-ng/mem.log
[root@syslog-ng ~]# touch /data/syslog-ng/redis.log
[root@syslog-ng ~]# touch /data/syslog-ng/slapd.log
[root@syslog-ng ~]# chmod 600 /data/syslog-ng/mem.log
[root@syslog-ng ~]# chmod 600 /data/syslog-ng/redis.log
[root@syslog-ng ~]# chmod 600 /data/syslog-ng/slapd.log
重启syslog-ng服务
[root@syslog-ng ~]# /etc/init.d/syslog-ng restart
Stopping syslog-ng: [ OK ]
Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
Starting syslog-ng: Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
[ OK ]
[root@syslog-ng ~]# lsof -i:514
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
syslog-ng 32260 root 10u IPv4 108534591 0t0 UDP *:syslog
[root@syslog-ng ~]# lsof -i:5514
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
syslog-ng 32260 root 11u IPv4 108534592 0t0 UDP *:5514
[root@syslog-ng ~]# lsof -i:5515
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
syslog-ng 32260 root 12u IPv4 108534593 0t0 UDP *:5515
[root@syslog-ng ~]# lsof -i:5516
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
syslog-ng 32260 root 13u IPv4 108534594 0t0 UDP *:5516
2)在syslog-ng客户端(192.168.10.206)需要添加配置:
[root@web-node01 ~]# vim /etc/syslog-ng/syslog-ng.conf
......
source s_smem {
pipe("/data/kevin/mem.pipe");
};
source s_sredis {
pipe("/data/kevin/redis.pipe");
};
source s_slapd {
pipe("/data/kevin/slapd.pipe");
};
......
destination d_smem { udp(192.168.10.205 port(5514)); };
destination d_sredis { udp(192.168.10.205 port(5515)); };
destination d_slapd { udp(192.168.10.205 port(5516)); };
......
log { source(s_smem); destination(d_smem); };
log { source(s_sredis); destination(d_sredis); };
log { source(s_slapd); destination(d_slapd); };
创建管道文件
[root@web-node01 ~]# mkfifo /data/kevin/mem.pipe
[root@web-node01 ~]# mkfifo /data/kevin/redis.pipe
[root@web-node01 ~]# mkfifo /data/kevin/slapd.pipe
重启syslog-ng服务
[root@web-node01 ~]# /etc/init.d/syslog-ng restart
Stopping syslog-ng: [ OK ]
Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
Starting syslog-ng: Plugin module not found in 'module-path'; module-path='/lib64/syslog-ng', module='afsql'
[ OK ]
然后进行日志传输
[root@web-node01 ~]# tail -f /var/log/messages >> /data/kevin/mem.pipe &
[root@web-node01 ~]# tail -f /var/log/redis/redis.log >> /data/kevin/redis.pipe &
[root@web-node01 ~]# tail -f /var/log/slapd/slapd.log >> /data/kevin/slapd.pipe &
[root@web-node01 kevin]# ps -ef|grep "tail -f"
root 4296 4295 0 15:53 ? 00:00:00 tail -f /var/log/messages
root 4302 25044 0 15:54 pts/2 00:00:00 tail -f /etc/nginx/logs/access.log
root 4360 25044 0 15:54 pts/2 00:00:00 tail -f /var/log/redis/redis.log
root 4431 25044 0 15:54 pts/2 00:00:00 tail -f /var/log/slapd/slapd.log
3)最后去syslog-ng服务器查看,发现日志已经成功传输过来了!
[root@syslog-ng ~]# ll /data/syslog-ng
total 48
-rw-------. 1 root root 5062 Jul 4 15:54 kevin.log
-rw-------. 1 root root 30279 Jul 4 15:55 mem.log
-rw-------. 1 root root 984 Jul 4 15:54 redis.log
-rw-------. 1 root root 1049 Jul 4 15:54 slapd.log
[root@syslog-ng ~]# tail -f /data/syslog-ng/mem.log #如下日志的前面可以判断这些日志是从哪台客户机传过来的(web-node01这是客户机的主机名)
Jul 4 15:29:59 web-node01 openldap-slave Keepalived_vrrp[2637]: VRRP_Instance(VI_1) ignoring received advertisment...
Jul 4 15:30:01 web-node01 openldap-slave Keepalived_vrrp[2637]: (VI_1): ip address associated with VRID 51 not present in MASTER advert : 192.168.10.208
Jul 4 15:30:01 web-node01 openldap-slave Keepalived_vrrp[2637]: bogus VRRP packet received on eth0 !!!
Jul 4 15:30:01 web-node01 openldap-slave Keepalived_vrrp[2637]: VRRP_Instance(VI_1) ignoring received advertisment...
Jul 4 15:30:07 web-node01 openldap-slave Keepalived_vrrp[2637]: (VI_1): ip address associated with VRID 51 not present in MASTER advert : 192.168.10.208
[root@syslog-ng ~]# tail -f /data/syslog-ng/redis.log
Jul 4 15:54:19 web-node01 25274:S 07 May 10:37:15.851 * Background append only file rewriting started by pid 25277
Jul 4 15:54:19 web-node01 25274:S 07 May 10:37:15.910 * AOF rewrite child asks to stop sending diffs.
Jul 4 15:54:19 web-node01 25277:C 07 May 10:37:15.910 * Parent agreed to stop sending diffs. Finalizing AOF...
Jul 4 15:54:19 web-node01 25277:C 07 May 10:37:15.910 * Concatenating 0.00 MB of AOF diff received from parent.
Jul 4 15:54:19 web-node01 25277:C 07 May 10:37:15.910 * SYNC append only file rewrite performed
Jul 4 15:54:19 web-node01 25277:C 07 May 10:37:15.910 * AOF rewrite: 6 MB of memory used by copy-on-write
[root@syslog-ng syslog-ng]# tail -f slapd.log
May 22 16:20:13 web-node01 openldap-slave slapd[30022]: conn=1017 op=1 SRCH base="dc=kevin,dc=com" scope=2 deref=0 filter="(objectClass=*)"
May 22 16:20:13 web-node01 openldap-slave slapd[30022]: conn=1017 op=1 SRCH attr=* +
May 22 16:38:00 web-node01 openldap-slave slapd[30022]: conn=1018 fd=24 ACCEPT from IP=[::1]:60196 (IP=[::]:389)
May 22 16:38:00 web-node01 openldap-slave slapd[30022]: conn=1018 op=0 BIND dn="cn=Manager,dc=kevin,dc=com" method=128
May 22 16:38:00 web-node01 openldap-slave slapd[30022]: conn=1018 op=0 BIND dn="cn=Manager,dc=kevin,dc=com" mech=SIMPLE ssf=0