Monday, November 23, 2009

Centralized Log ภาคที่ 3 : Syslog-NG

1.ติดตั้ง Syslog-NG ที่ Log Server และ Server อื่น ๆ ที่เป็น linux
apt-get install syslog-ng

2.Config Log Server (/etc/syslog-ng/syslog-ng.conf)

options {
recv_time_zone (+07:00);
send_time_zone (+07:00);
sync (0);
time_reopen (100);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (yes);
chain_hostnames(yes);
keep_hostname (yes);
};

source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
#udp(ip(0.0.0.0) port(514));
#tcp(ip(0.0.0.0) port(514) keep-alive(yes));
};

destination d_mysql {
pipe("/var/log/mysql.pipe"
template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
template-escape(yes));
};

filter f_filter1 { facility (kern); };
filter f_filter2 { level(info..emerg) and not facility(mail,authpriv,cron); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };

log { source(s_sys); filter(f_filter1); destination(d_mysql); };
log { source(s_sys); filter(f_filter2); destination(d_mysql); };
log { source(s_sys); filter(f_filter3); destination(d_mysql); };
log { source(s_sys); filter(f_filter4); destination(d_mysql); };
log { source(s_sys); filter(f_filter5); destination(d_mysql); };
log { source(s_sys); filter(f_filter6); destination(d_mysql); };
log { source(s_sys); filter(f_filter7); destination(d_mysql); };
log { source(s_sys); filter(f_filter8); destination(d_mysql); };
#####################################################################

# Source from remote client
source s_client {
tcp(ip(0.0.0.0) port(514) keep-alive(yes) max-connections(300));
udp(ip(0.0.0.0) port(514));
};
log {source(s_client); destination(d_mysql); };


3.สร้างคำสั่งสำหรับเขียนลง mysql

vi syslog2mysql.sh
#!/bin/bash
if [ ! -e /var/log/mysql.pipe ]
then
mkfifo /var/log/mysql.pipe
fi
while [ -e /var/log/mysql.pipe ]
do
mysql -u root --password=xxx syslogng < /var/log/mysql.pipe >/dev/null
done

chmod +x syslog2mysql.sh
./syslog2mysql.sh &
/etc/init.d/syslog-ng start


4.Config Server อื่น ๆ ให้ส่ง log ไปให้ Log Server(/etc/syslog-ng/syslog-ng.conf)

options {
sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (yes);
keep_hostname (yes);
};

source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
#udp(ip(0.0.0.0) port(514));
#tcp(ip(0.0.0.0) port(5149) keep-alive(yes));
};

destination logserver { tcp("192.168.0.251" port(514)); };

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" sync(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_filter1 { facility(kern); };
filter f_filter2 { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };
# Remove the 'squid' log entries from 'user' log facility
filter f_remove { not program("squid"); };

log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter1); destination(d_kern); };
log { source(s_sys); filter(f_filter2); filter(f_remove); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };

filter f_squid { program("squid") and facility(user); };

destination d_squid {
file("/var/log/$HOST/$YEAR/$MONTH/squid.$YEAR-$MONTH-$DAY"
owner(root) group(adm) perm(665)
create_dirs(yes) dir_perm(0775));
};

log { source(s_sys); destination(logserver); };


5.ส่ง Log จาก Windows Server
5.1 Download Lasso (Windows Event Collector) จาก http://open.loglogic.com/
5.2 ตั้งค่า hostlist.ini
localhost,*6
5.3 ตั้งค่า lasso.ini

SkipInitDLLScan,0
LogAppliance,192.168.0.251
RepositoryPath,C:\Program Files\Lasso\LassoRepository\
SpoolPath,C:\Program Files\Lasso\LassoRepository\Spool\
EventPollInterval,10
SpoolFileSize,1.0
WatermarkWriteInterval,100
MaxTraceFileSize,20
MaxNumWorkerThreads,4
DllLoadInterval,3600
HighWaterMarks,ON
#DefaultLassoShare,LassoShare=C:\LassoTemp
CheckHostListInterval,3600
NewHostSkipHistorical,0
EnableShareDlls,1
CheckRemHostAvail,0
EnableAdminSharesIfDisabled,0
DebugLevel,0
LogLevel,1
DebugHostFileSize,20
AccessReport,0

5.4 start service Lasso Windows Event Collector

No comments: