Setting up and configuring a syslog-ng log collection and analysis service

Posted by 花豆豆


Setting up and configuring a syslog-ng log collection and analysis service:
1. Download the three packages eventlog_0.2.12.tar.gz, libol-0.3.18.tar.gz and syslog-ng_3.3.5.tar.gz;

2. Unpack and install the server side:

[[email protected] tools]# tar xf eventlog_0.2.12.tar.gz 
[[email protected] tools]# cd eventlog-0.2.12/
[[email protected] eventlog-0.2.12]# yum -y install gcc*
[[email protected] eventlog-0.2.12]# ./configure --prefix=/usr/local/eventlog 
[[email protected] eventlog-0.2.12]# make && make install

[[email protected] tools]# tar xf libol-0.3.18.tar.gz
[[email protected] tools]# cd libol-0.3.18
[[email protected] libol-0.3.18]# ./configure --prefix=/usr/local/libol 
[[email protected] libol-0.3.18]# make && make install

[[email protected] tools]# tar xf syslog-ng_3.3.5.tar.gz 
[[email protected] tools]# cd syslog-ng-3.3.5/
[[email protected] syslog-ng-3.3.5]# export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig ## set this environment variable, otherwise the build fails to find eventlog;
[[email protected] syslog-ng-3.3.5]# yum -y install glib* ## the glib dependencies may need to be installed;
[[email protected] syslog-ng-3.3.5]# ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol/
[[email protected] syslog-ng-3.3.5]# make && make install
[[email protected] syslog-ng-3.3.5]# cp contrib/init.d.RedHat /etc/init.d/syslog-ng ## copy the init script;
[[email protected] syslog-ng-3.3.5]# chmod +x /etc/init.d/syslog-ng


[[email protected] etc]# vim /etc/init.d/syslog-ng ## edit the init script and change the following three lines;

INIT_PROG="/usr/local/syslog-ng/sbin/syslog-ng" 
INIT_OPTS="-f /usr/local/syslog-ng/etc/syslog-ng.conf"
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/syslog-ng/bin:/usr/local/syslog-ng/sbin ## make the binaries findable and executable;


[[email protected] syslog-ng-3.3.5]# cd /usr/local/syslog-ng/etc/
[[email protected] etc]# cp syslog-ng.conf syslog-ng.conf.bak	## back up the configuration file first;
[[email protected] etc]# vim syslog-ng.conf
############################################################################# 
## Default syslog-ng.conf file which collects all local logs into a 
## single file called /var/log/messages. 

@version: 3.3
@include "scl.conf"

source s_local {
system();
internal();
};

options {
flush_lines(10);
flush-timeout(5000);
log-fifo-size(100000);
chain-hostnames(no);
use-dns(persist_only);
use-fqdn(no);
create-dirs(yes);
keep-timestamp(yes);
};

source s_network {
tcp(ip(0.0.0.0) port(514));
udp(ip(0.0.0.0) port(514));
}; 

filter f_111 {
level(info..emerg)
and host("x.x.x.x") ## address of the log source to accept;
and message("dept=222") and message("task"); ## message content to match; a filter body is one boolean expression, so the terms are joined with "and";
};

destination d_file {
file("/data/log/syslog-ng/222/$YEAR$MONTH$DAY$HOUR$MIN/222-task.log" create_dirs(yes));
};

log {
source(s_network);
filter(f_111);
destination(d_file);
};
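As an added example that is not part of the original post, the following Python models what the server's s_network source, f_111 filter and d_file destination do to incoming lines, so the filter logic can be checked against sample traffic before it is deployed. The sender address 10.0.0.5 stands in for the page's x.x.x.x, and the sample lines are constructed; it also makes explicit that, with the config's default keep_hostname(no), host() matches the sender's address rather than the hostname carried in the message header.

```python
import re

# RFC 3164 severities 0..7; level(info..emerg) means 6 (info) down to 0 (emerg), i.e. all but debug.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_rfc3164(line, sender_ip):
    """Split '<PRI>TIMESTAMP HOST MSG' the way the s_network source sees it.
    With the server's default keep_hostname(no), the HOST field becomes the
    sender's address, so that is what host("x.x.x.x") really matches."""
    m = re.match(r"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)", line)
    if not m:
        return None                      # not a syslog line: skip it
    pri = int(m.group(1))
    return {
        "facility": pri >> 3,
        "severity": SEVERITIES[pri & 7],
        "host": sender_ip,               # sender address, not the header field
        "header_host": m.group(3),       # client-supplied; informational only
        "message": m.group(4),
    }

def f_111(msg, wanted_host="10.0.0.5"):
    """Python equivalent of filter f_111: level(info..emerg) and host(...)
    and message("dept=222") and message("task"); message() is a regex search."""
    sev_ok = SEVERITIES.index(msg["severity"]) <= SEVERITIES.index("info")
    return (sev_ok and msg["host"] == wanted_host
            and re.search("dept=222", msg["message"]) is not None
            and re.search("task", msg["message"]) is not None)

def d_file_path(ts):
    """Expand the $YEAR$MONTH$DAY$HOUR$MIN macros of d_file for receive time ts (a datetime)."""
    return ts.strftime("/data/log/syslog-ng/222/%Y%m%d%H%M/222-task.log")

# Constructed sample traffic, not taken from the page: (sender IP, raw line).
SAMPLE = [
    ("10.0.0.5", "<14>Feb 14 10:00:01 gamehost dept=222 task=login uid=42"),  # kept
    ("10.0.0.5", "<15>Feb 14 10:00:02 gamehost dept=222 task=trace"),         # debug
    ("10.0.0.9", "<14>Feb 14 10:00:03 gamehost dept=222 task=login uid=7"),   # other sender
    ("10.0.0.5", "<14>Feb 14 10:00:04 gamehost dept=333 task=login uid=8"),   # other dept
]

def route(samples):
    """Return the message bodies f_111 would pass on to d_file."""
    kept = []
    for ip, line in samples:
        msg = parse_rfc3164(line, ip)
        if msg and f_111(msg):
            kept.append(msg["message"])
    return kept
```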

3. Install the client:
The installation steps are the same as above; only the configuration file differs;

[[email protected] etc]# vim syslog-ng.conf ## client configuration file;
@version: 3.3
options {
log_msg_size(16384);
flush_lines(1);
log_fifo_size(1000000);
time_reopen(10);
use_dns(no);
dns_cache(yes);
use_fqdn(yes);
keep_hostname(yes);
check_hostname(yes);
create_dirs(yes);
dir_perm(0755);
perm(0644);
stats_freq(1800);
};

source s_internal { internal(); };

destination d_syslognglog { file("/var/log/syslog-ng.log"); };

log { source(s_internal); destination(d_syslognglog); };

source game_local {
file("/data/log/act.log" follow_freq(1) flags(no-parse)); ## path of the log file to read on the client side;
};

#destination d_game_local {file("/data/log/$YEAR$MONTH$DAY/act.log" perm(0644) dir_perm(0755) create_dirs(yes));};
destination d_game_remote {tcp("x.x.x.x" port(514));}; ## IP address and port of the server;

##log {source(s_game_local);destination(d_game_local);};
log {source(game_local);destination(d_game_remote);}; ## the log statement wires the source name defined above to the destination name defined above and forwards the messages;

[[email protected] etc]# /etc/init.d/syslog-ng restart
Stopping Kernel Logger: [ OK ]
Starting Kernel Logger: [ OK ]

4. Test:
Bring a file act1.log over to the client from elsewhere and append it to act.log as the test input:

[[email protected] log]# cat act1.log >>act.log

Check on the server:
[[email protected] ~]# ls /data/log/
syslog-ng
[[email protected] ~]# ls /data/log/syslog-ng/
222
[[email protected] ~]# ls /data/log/syslog-ng/game2/
20170214
[[email protected] ~]# ls /data/log/syslog-ng/game2/20170214/
222-task.log
