[Hands-on] Installing and Configuring syslog-ng



Chapter 1 Overview

Environment: CentOS Linux release 7.9.2009 (Core)

One of syslog-ng's design principles is finer-grained message filtering. Another is easier forwarding of messages between firewall zones: it supports host chains, so even when a message has been relayed through many machines the original host and the whole relay chain can still be identified. The last principle is to keep the configuration file powerful yet concise. syslog-ng is a drop-in replacement for the traditional syslogd and, through rule definitions, gives much better filtering.
This post walks through deploying and configuring syslog-ng as a central log collector.

Chapter 2 Installing syslog-ng

syslog-ng can be installed either from yum (EPEL) or offline from downloaded rpm packages.

1.1 Installing from yum

1.1.1 Adding the EPEL yum repository

1.1.1.1 Installing the EPEL repository package offline

The Extra Packages for Enterprise Linux (EPEL) repository carries many useful packages that are not part of RHEL.

It provides syslog-ng and its dependencies (eventlog, ivykis). Enable it by downloading and installing the epel-release RPM. The commands below are for EPEL 7, matching CentOS 7; on CentOS 8 replace the 7 in the package name with 8 (this follows the syslog-ng blog post listed under References):

  • Download the epel-release RPM
[root@linuxsyslogserver opt]# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
  • Install epel-release-latest-7.noarch.rpm
[root@linuxsyslogserver opt]# rpm -ivh epel-release-latest-7.noarch.rpm 
warning: epel-release-latest-7.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:epel-release-7-14 ################################# [100%]
[root@linuxsyslogserver opt]#

The NOKEY warning means rpm could not verify the package signature because the EPEL signing key was not yet in the rpm keyring, so this install was made on trust alone. epel-release drops the key into /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 and yum imports it on first use (the yum output in 1.1.2 shows this happening). Before relying on the repository, compare the fingerprint yum prints, 91E9 7D7C 4A5E 96F1 7F3E 888F 6A2F AEA2 352C 64E5, with the one published by the Fedora project, and re-check the downloaded file with rpm -K once the key is imported.
  • Check the yum repository files
[root@linuxsyslogserver yum.repos.d]# ll /etc/yum.repos.d/
total 52
-rw-r--r--. 1 root root 2523 May 4 12:58 CentOS-Base.repo
-rw-r--r--. 1 root root 1664 Apr 7 2020 CentOS-Base.repo.backup
-rw-r--r--. 1 root root 1309 Nov 23 2020 CentOS-CR.repo
-rw-r--r--. 1 root root 649 Nov 23 2020 CentOS-Debuginfo.repo
-rw-r--r--. 1 root root 314 Nov 23 2020 CentOS-fasttrack.repo
-rw-r--r--. 1 root root 630 Nov 23 2020 CentOS-Media.repo
-rw-r--r--. 1 root root 1331 Nov 23 2020 CentOS-Sources.repo
-rw-r--r--. 1 root root 8515 Nov 23 2020 CentOS-Vault.repo
-rw-r--r--. 1 root root 616 Nov 23 2020 CentOS-x86_64-kernel.repo
-rw-r--r--. 1 root root 1358 Sep 4 2021 epel.repo
-rw-r--r--. 1 root root 1457 Sep 4 2021 epel-testing.repo
[root@linuxsyslogserver yum.repos.d]#

1.1.1.2 Installing the EPEL repository with yum

[root@linuxsyslogserver]# yum install -y epel-release

1.1.2 Installing syslog-ng with yum

Install syslog-ng with yum, which also resolves its dependencies (eventlog, ivykis, libnet).

[root@linuxsyslogserver yum.repos.d]# yum install syslog-ng -y
BDB2053 Freeing read locks for locker 0x191: 17758/140284236965696
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* epel: mirrors.bfsu.edu.cn
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Resolving Dependencies
--> Running transaction check
---> Package syslog-ng.x86_64 0:3.5.6-3.el7 will be installed
--> Processing Dependency: ivykis >= 0.36.1 for package: syslog-ng-3.5.6-3.el7.x86_64
--> Processing Dependency: libivykis.so.0(IVYKIS_0.29)(64bit) for package: syslog-ng-3.5.6-3.el7.x86_64
--> Processing Dependency: libivykis.so.0(IVYKIS_0.30)(64bit) for package: syslog-ng-3.5.6-3.el7.x86_64
--> Processing Dependency: libevtlog.so.0()(64bit) for package: syslog-ng-3.5.6-3.el7.x86_64
--> Processing Dependency: libivykis.so.0()(64bit) for package: syslog-ng-3.5.6-3.el7.x86_64
--> Processing Dependency: libnet.so.1()(64bit) for package: syslog-ng-3.5.6-3.el7.x86_64
--> Running transaction check
---> Package eventlog.x86_64 0:0.2.13-4.el7 will be installed
---> Package ivykis.x86_64 0:0.36.2-2.el7 will be installed
---> Package libnet.x86_64 0:1.1.6-7.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===========================================================================================================================================================
Package Arch Version Repository Size
===========================================================================================================================================================
Installing:
syslog-ng x86_64 3.5.6-3.el7 epel 453 k
Installing for dependencies:
eventlog x86_64 0.2.13-4.el7 epel 19 k
ivykis x86_64 0.36.2-2.el7 epel 35 k
libnet x86_64 1.1.6-7.el7 base 59 k

Transaction Summary
===========================================================================================================================================================
Install 1 Package (+3 Dependent packages)

Total download size: 567 k
Installed size: 1.8 M
Downloading packages:
warning: /var/cache/yum/x86_64/7/epel/packages/eventlog-0.2.13-4.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for eventlog-0.2.13-4.el7.x86_64.rpm is not installed
(1/4): eventlog-0.2.13-4.el7.x86_64.rpm | 19 kB 00:00:00
(2/4): ivykis-0.36.2-2.el7.x86_64.rpm | 35 kB 00:00:00
(3/4): libnet-1.1.6-7.el7.x86_64.rpm | 59 kB 00:00:00
(4/4): syslog-ng-3.5.6-3.el7.x86_64.rpm | 453 kB 00:00:00
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Total 676 kB/s | 567 kB 00:00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) <epel@fedoraproject.org>"
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-14.noarch (installed)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
json-c-0.13.1-0.4.el8.x86_64 is a duplicate with json-c-0.11-4.el7_0.x86_64
Installing : ivykis-0.36.2-2.el7.x86_64 1/4
Installing : eventlog-0.2.13-4.el7.x86_64 2/4
Installing : libnet-1.1.6-7.el7.x86_64 3/4
Installing : syslog-ng-3.5.6-3.el7.x86_64 4/4
Verifying : libnet-1.1.6-7.el7.x86_64 1/4
Verifying : eventlog-0.2.13-4.el7.x86_64 2/4
Verifying : ivykis-0.36.2-2.el7.x86_64 3/4
Verifying : syslog-ng-3.5.6-3.el7.x86_64 4/4

Installed:
syslog-ng.x86_64 0:3.5.6-3.el7
Dependency Installed:
eventlog.x86_64 0:0.2.13-4.el7 ivykis.x86_64 0:0.36.2-2.el7 libnet.x86_64 0:1.1.6-7.el7
Complete!
[root@linuxsyslogserver yum.repos.d]#

syslog-ng is now installed.

1.1.3 Starting the syslog-ng service

CentOS 7 ships rsyslog as its default logger and the EPEL package does not remove it. Running both means two daemons writing the same files under /var/log, so stop and disable rsyslog before bringing up syslog-ng, and enable syslog-ng so that it starts on boot (the status output below already shows it enabled).

[root@linuxsyslogserver]# systemctl start syslog-ng  // start the syslog-ng service
[root@linuxsyslogserver]# systemctl status syslog-ng // check the service status
● syslog-ng.service - System Logger Daemon
Loaded: loaded (/usr/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2022-07-01 11:55:06 EDT; 6s ago
Docs: man:syslog-ng(8)
Main PID: 17845 (syslog-ng)
CGroup: /system.slice/syslog-ng.service
└─17845 /usr/sbin/syslog-ng -F -p /var/run/syslogd.pid

Jul 01 11:55:06 linuxsyslogserver systemd[1]: Starting System Logger Daemon...
Jul 01 11:55:06 linuxsyslogserver systemd[1]: Started System Logger Daemon.

1.2 Offline installation from rpm packages

1.2.1 Downloading the syslog-ng rpm packages

Download locations for syslog-ng and its dependencies:

wget -O syslog-ng-3.5.6-3.el7.x86_64.rpm --no-check-certificate https://mirror.lzu.edu.cn/epel/7/x86_64/Packages/s/syslog-ng-3.5.6-3.el7.x86_64.rpm
wget -O eventlog-0.2.13-4.el7.x86_64.rpm --no-check-certificate https://mirror.lzu.edu.cn/epel/7/x86_64/Packages/e/eventlog-0.2.13-4.el7.x86_64.rpm
wget -O ivykis-0.36.2-2.el7.x86_64.rpm --no-check-certificate https://mirror.lzu.edu.cn/epel/7/x86_64/Packages/i/ivykis-0.36.2-2.el7.x86_64.rpm
wget -O libnet-1.1.6-7.el7.x86_64.rpm http://mirrors.163.com/centos/7.9.2009/os/x86_64/Packages/libnet-1.1.6-7.el7.x86_64.rpm

Three of these commands disable certificate checking and the fourth uses plain HTTP, so the transfer itself is not authenticated: the mirror, or anyone on the path, could hand over a different file. What still protects you is the package signature. Import the EPEL 7 key (/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7) and the CentOS 7 key, run rpm -K on every downloaded .rpm, and install nothing that does not report a good signature. Drop --no-check-certificate unless the mirror's certificate genuinely cannot be validated from this host.

Save the downloaded packages under /opt/syslog-ng:

[root@linuxsyslogserver]# cd /opt/syslog-ng
[root@linuxsyslogserver syslog-ng]# wget --no-check-certificate https://mirror.lzu.edu.cn/epel/7/x86_64/Packages/s/syslog-ng-3.5.6-3.el7.x86_64.rpm
[root@linuxsyslogserver syslog-ng]# wget --no-check-certificate https://mirror.lzu.edu.cn/epel/7/x86_64/Packages/e/eventlog-0.2.13-4.el7.x86_64.rpm
[root@linuxsyslogserver syslog-ng]# wget --no-check-certificate https://mirror.lzu.edu.cn/epel/7/x86_64/Packages/i/ivykis-0.36.2-2.el7.x86_64.rpm
[root@linuxsyslogserver syslog-ng]# wget http://mirrors.163.com/centos/7.9.2009/os/x86_64/Packages/libnet-1.1.6-7.el7.x86_64.rpm

1.2.2 Installing syslog-ng from the packages

[root@linuxsyslogserver]# cd /opt/syslog-ng
[root@linuxsyslogserver syslog-ng]# rpm -ivh *.rpm

syslog-ng is now installed.

1.2.3 Starting the syslog-ng service

The service is started and checked exactly as in 1.1.3 (stop and disable rsyslog first); the status output is the same as shown there.

[root@linuxsyslogserver]# systemctl start syslog-ng  // start the syslog-ng service
[root@linuxsyslogserver]# systemctl status syslog-ng // check the service status

1.3 Common installation problems

1.3.1 Missing dependencies

yum refuses the install with three requirements it cannot satisfy:

libjson-c.so.4()(64bit)
libc.so.6(GLIBC_2.28)(64bit)
libivykis.so.0(IVYKIS_0.40)(64bit)

Look at which package yum is resolving in the output below: syslog-ng-3.36.1-2.el8 from the copr:czanik:syslog-ng336 repository, that is, a build for RHEL/CentOS 8 enabled on a CentOS 7 host. The GLIBC_2.28 requirement is the giveaway: CentOS 7 ships glibc 2.17, and the C library cannot be upgraded without replacing the base system, so no amount of searching for rpms will make an el8 build install cleanly on el7 (the json-c-0.13.1-0.4.el8 duplicate that yum warned about in 1.1.2 is what gets left behind when somebody tries). The fix is to use a repository built for the release actually running: the EPEL 7 syslog-ng 3.5.6 package used above or, if a newer syslog-ng is needed, a copr build made for epel-7 rather than epel-8 (the second link under References explains the copr setup). For a library that is genuinely missing on el7, yum provides '*/libname.so.N' names the package that supplies it; these sites answer the same question for packages outside the enabled repositories:

RPM search: http://rpmfind.net/linux/rpm2html/search.php

CentOS package search: https://centos.pkgs.org/

[root@syslogserver ~]# yum install syslog-ng
Loaded plugins: fastestmirror
Determining fastest mirrors
epel/x86_64/metalink | 7.8 kB 00:00:00
* base: mirrors.aliyun.com
* epel: mirrors.bfsu.edu.cn
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
base | 3.6 kB 00:00:00
copr:copr.fedorainfracloud.org:czanik:syslog-ng336 | 3.3 kB 00:00:00
epel | 4.7 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/3): epel/x86_64/updateinfo | 1.1 MB 00:00:01
(2/3): updates/7/x86_64/primary_db | 16 MB 00:00:01
(3/3): epel/x86_64/primary_db | 7.0 MB 00:00:01
Resolving Dependencies
--> Running transaction check
---> Package syslog-ng.x86_64 0:3.36.1-2.el8 will be installed
......
Error: Package: syslog-ng-3.36.1-2.el8.x86_64 (copr:copr.fedorainfracloud.org:czanik:syslog-ng336)
Requires: libjson-c.so.4()(64bit)
Error: Package: syslog-ng-3.36.1-2.el8.x86_64 (copr:copr.fedorainfracloud.org:czanik:syslog-ng336)
Requires: libc.so.6(GLIBC_2.28)(64bit)
Error: Package: syslog-ng-3.36.1-2.el8.x86_64 (copr:copr.fedorainfracloud.org:czanik:syslog-ng336)
Requires: libivykis.so.0(IVYKIS_0.40)(64bit)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest

Chapter 3 Configuring syslog-ng

The syslog-ng configuration lives under /etc/syslog-ng/. The main file is /etc/syslog-ng/syslog-ng.conf, and the definitions below are appended to it; keep its @version line and its options{} block, because options such as keep-hostname() decide what the ${HOST} macro used below actually contains. After editing, check the syntax with syslog-ng -s, restart the service, and open udp/514 and tcp/514 in the host firewall for the client networks only.

# Receive syslog from clients on udp/514 and tcp/514 (plain text, no TLS,
# so expose these listeners only on a network you trust)
source source_udp_514 {
    udp(ip(0.0.0.0) port(514));
};

source source_tcp_514 {
    tcp(ip(0.0.0.0) port(514));
};

# One file per sending host and per day, directories created on demand.
# ${SOURCEIP} is the peer address; ${HOST} is the header hostname when
# keep-hostname(yes) is set in options{}; ${YEAR}_${MONTH}_${DAY} follow the
# message timestamp unless keep-timestamp(no) is set. Collected logs routinely
# contain credentials and internal addresses, so they are not world-readable.
destination d_dest_1 {
    file("/data/log/${HOST}/${SOURCEIP}/${YEAR}_${MONTH}_${DAY}.log"
         create-dirs(yes) dir-perm(0750) perm(0640));
};

# Log paths (added by Ryo-Ohki): both listeners feed the same destination
log { source(source_udp_514); destination(d_dest_1); };
log { source(source_tcp_514); destination(d_dest_1); };
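The configuration above hides three things a reader cannot see from the snippet: what the bytes arriving on port 514 look like, which parts of the file() path come from the sender and which from the socket, and what happens when the sender lies. The Python script below is an added example written for this post (it is not syslog-ng code and not part of the original article). It encodes RFC 3164 messages as a client would send them to udp/514 or tcp/514, decodes them as a collector sees them, and renders the post's path template for each. The hosts, addresses and log text are constructed; the keep_hostname and keep_timestamp switches imitate the documented syslog-ng options keep-hostname() and keep-timestamp(); and the rejection of HOST values containing a slash is the example's own check, not something syslog-ng does on your behalf.

```python
"""Added example for this post (not syslog-ng code): RFC 3164 messages as the
collector above receives them, and where its file() template puts them."""
import re
import socket
from datetime import datetime
from string import Template

# The file() template from the configuration above
PATH_TEMPLATE = "/data/log/${HOST}/${SOURCEIP}/${YEAR}_${MONTH}_${DAY}.log"

# PRI = facility * 8 + severity (RFC 3164 section 4.1.1)
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp logaudit logalert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# Wire format: "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text" (no year, no time zone)
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)


def build_message(facility, severity, hostname, tag, text, when):
    """Encode one message exactly as a client would send it to udp/tcp 514."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded
    return f"<{pri}>{stamp} {hostname} {tag}: {text}\n".encode()


def parse_message(data, peer_ip, now, keep_hostname, keep_timestamp=True):
    """Decode a message the way a collector sees it.

    peer_ip is the socket peer address (syslog-ng's ${SOURCEIP}).  The header
    hostname becomes ${HOST} only when keep_hostname is true, mirroring
    keep-hostname(yes); otherwise ${HOST} is the peer address, as with
    keep-hostname(no) use-dns(no).  The header timestamp is used only when
    keep_timestamp is true, mirroring keep-timestamp(yes), the default.
    """
    m = _HEADER.match(data.decode(errors="replace").rstrip("\n"))
    if m is None:
        raise ValueError("not an RFC 3164 message")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    # RFC 3164 timestamps carry no year, so the collector's current year is assumed
    sent = datetime.strptime(f"{now.year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "HOST": m["host"] if keep_hostname else peer_ip,
        "SOURCEIP": peer_ip,
        "stamp": sent if keep_timestamp else now,
        "msg": m["msg"],
    }


def destination_path(rec, template=PATH_TEMPLATE):
    """Render the file() template for one decoded message.

    ${HOST} becomes a directory name, so a value containing a slash or a
    dot-only name must not reach the path.  This check is the example's own;
    verify what your syslog-ng version does before trusting header hostnames.
    """
    host = rec["HOST"]
    if "/" in host or host in ("", ".", ".."):
        raise ValueError(f"unsafe HOST value {host!r}")
    st = rec["stamp"]
    return Template(template).substitute(
        HOST=host, SOURCEIP=rec["SOURCEIP"],
        YEAR=f"{st.year:04d}", MONTH=f"{st.month:02d}", DAY=f"{st.day:02d}")


def send_message(data, collector, proto="udp"):
    """Send one encoded message to collector=(ip, port) over 'udp' or 'tcp'.
    Not called by demo(), so the file runs without a live syslog-ng."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, collector)
    else:
        with socket.create_connection(collector, timeout=5) as s:
            s.sendall(data)


def demo():
    """Constructed samples: a normal message and one with a forged header,
    both arriving from peer 10.0.0.5 on 2022-07-01."""
    now = datetime(2022, 7, 1, 12, 0, 0)
    good = build_message("auth", "info", "web01", "sshd[1234]",
                         "Accepted publickey for root from 10.0.0.9", now)
    # Same peer, but the sender chose the hostname and the date itself
    forged = build_message("auth", "info", "../../etc", "sshd[1]", "bogus",
                           datetime(2022, 1, 15, 3, 0, 0))
    paths = {}
    for name, data in (("good", good), ("forged", forged)):
        for keep in (False, True):
            rec = parse_message(data, "10.0.0.5", now, keep_hostname=keep)
            try:
                paths[(name, keep)] = destination_path(rec)
            except ValueError as err:
                paths[(name, keep)] = f"rejected: {err}"
    rec = parse_message(good, "10.0.0.5", now, keep_hostname=True)
    return {"wire": good, "pri": (rec["facility"], rec["severity"]),
            "text": rec["msg"], "paths": paths}


if __name__ == "__main__":
    for (name, keep), path in demo()["paths"].items():
        print(f"{name:6} keep-hostname({'yes' if keep else 'no'}): {path}")
```

Running the file prints where each sample lands. Two points it makes: with keep-hostname(yes), which the EPEL default syslog-ng.conf sets in its options{} block, the first directory level is whatever the sender wrote in the header; and even with keep-hostname(no), the day in the file name follows the sender's clock unless keep-timestamp(no) is set, so a client with a wrong or deliberately skewed clock writes into another day's file. Over UDP, ${SOURCEIP} is itself only as trustworthy as the network, since nothing stops a host from sending datagrams with a forged source address; plain TCP at least pins the peer to a completed handshake. To send a real message to the collector from a client, call send_message(build_message(...), ("collector-ip", 514), "udp").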

References
https://support.oneidentity.com/zh-cn/technical-documents/syslog-ng-open-source-edition/3.36/administration-guide/11#TOPIC-1768522
https://www.syslog-ng.com/community/b/blog/posts/installing-latest-syslog-ng-on-rhel-and-other-rpm-distributions/


【实战】Syslog-ng安装与配置
https://hesc.info/7bc64465c19d/
作者
需要哈气的纸飞机
发布于
2022年7月2日
许可协议