Centralized Log ภาคที่ 3 : Syslog-NG
1.ติดตั้ง Syslog-NG ที่ Log Server และ Server อื่น ๆ ที่เป็น linux
# Install syslog-ng on the central log server and on every Linux server that will forward to it.
apt-get install syslog-ng
2.Config Log Server (/etc/syslog-ng/syslog-ng.conf)
# /etc/syslog-ng/syslog-ng.conf on the central log server.
# Local messages and everything received from the network are turned into
# SQL INSERT statements and written to a FIFO that syslog2mysql.sh drains.

options {
    recv_time_zone(+07:00);
    send_time_zone(+07:00);
    sync(0);
    time_reopen(100);
    log_fifo_size(1000);
    # NOTE(review): long_hostnames() is the older alias of chain_hostnames();
    # they are set here with opposite values, so only one of them can be in
    # effect -- confirm which one the installed syslog-ng applies.
    long_hostnames(off);
    use_dns(no);
    use_fqdn(no);
    create_dirs(yes);
    chain_hostnames(yes);
    # The hostname is taken from the message as the sender wrote it; nothing here verifies it.
    keep_hostname(yes);
};

# Messages produced on the log server itself (network listeners are in s_remote).
source s_local {
    file("/proc/kmsg" log_prefix("kernel: "));
    unix-stream("/dev/log");
    internal();
};

# One INSERT per message, written to the FIFO read by syslog2mysql.sh.
# template-escape(yes) escapes quotes and backslashes in the expanded macros;
# since $MSG, $PROGRAM and $HOST arrive from the network, that escaping is what
# keeps a crafted log line inside the quoted SQL values.
destination d_mysql {
    pipe("/var/log/mysql.pipe"
        template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
        template-escape(yes));
};

# Facility / level selection for local messages.
filter f_kern     { facility(kern); };
filter f_general  { level(info..emerg) and not facility(mail,authpriv,cron); };
filter f_authpriv { facility(authpriv); };
filter f_mail     { facility(mail); };
filter f_emerg    { level(emerg); };
filter f_spool    { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_local7   { facility(local7); };
filter f_cron     { facility(cron); };

# Each path is evaluated on its own, so a local message that matches more than
# one filter (e.g. a kern message at level info) is inserted once per match.
log { source(s_local); filter(f_kern);     destination(d_mysql); };
log { source(s_local); filter(f_general);  destination(d_mysql); };
log { source(s_local); filter(f_authpriv); destination(d_mysql); };
log { source(s_local); filter(f_mail);     destination(d_mysql); };
log { source(s_local); filter(f_emerg);    destination(d_mysql); };
log { source(s_local); filter(f_spool);    destination(d_mysql); };
log { source(s_local); filter(f_local7);   destination(d_mysql); };
log { source(s_local); filter(f_cron);     destination(d_mysql); };

#####################################################################
# Messages from the other servers.
# Both listeners bind every interface, accept any sender without
# authentication and carry the data in clear text. Limit who can reach
# 514/tcp and 514/udp with a host firewall, and treat $HOST in the stored
# rows as the sender's claim rather than a verified origin.
source s_remote {
    tcp(ip(0.0.0.0) port(514) keep-alive(yes) max-connections(300));
    udp(ip(0.0.0.0) port(514));
};

# Remote messages are stored unfiltered.
log { source(s_remote); destination(d_mysql); };
3.สร้างคำสั่งสำหรับเขียนลง mysql
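#!/bin/bash
# syslog2mysql.sh -- save this file next to the commands listed at the end
# (the original opens it with: vi syslog2mysql.sh).
#
# Drains /var/log/mysql.pipe into the "syslogng" database. syslog-ng's d_mysql
# destination writes one INSERT statement per message into the FIFO; mysql
# reads it until the writer closes the pipe, and the loop then reopens it.

PIPE=/var/log/mysql.pipe

# Credentials live in a root-only (mode 0600) file with a [client] section
# instead of "--password=..." on the command line, where every local user
# could read them in the process list. Prefer a database user that may only
# INSERT into syslogng.logs over the MySQL root account.
MYSQL_CNF=/path/to/syslog2mysql.cnf   # placeholder: point at the real credentials file

if [ ! -e "$PIPE" ]; then
    mkfifo "$PIPE"
fi

while [ -e "$PIPE" ]; do
    if ! mysql --defaults-extra-file="$MYSQL_CNF" syslogng < "$PIPE" > /dev/null; then
        # mysql could not connect or failed on a statement: pause before
        # reopening the FIFO so a database outage does not become a tight loop
        # that reads syslog-ng's output and discards it.
        sleep 5
    fi
done

# --- then, on the shell (not part of the script file):
# chmod +x syslog2mysql.sh
# ./syslog2mysql.sh &
# /etc/init.d/syslog-ng start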
4.Config Server อื่น ๆ ให้ส่ง log ไปให้ Log Server (/etc/syslog-ng/syslog-ng.conf)
# /etc/syslog-ng/syslog-ng.conf on each Linux server that forwards to the log server.
# Messages are written to the usual local files and, in addition, every message
# is sent to the central server.

options {
    sync(0);
    time_reopen(10);
    log_fifo_size(1000);
    long_hostnames(off);
    use_dns(no);
    use_fqdn(no);
    create_dirs(yes);
    keep_hostname(yes);
};

# Everything generated on this host.
source s_host {
    file("/proc/kmsg" log_prefix("kernel: "));
    unix-stream("/dev/log");
    internal();
};

# Central log server. Plain TCP: no authentication and no encryption, so
# anyone on the path can read or alter the forwarded messages (including
# the authpriv traffic that goes to /var/log/secure below). Restrict the path
# with a firewall, and use TLS if the installed syslog-ng version offers it.
destination logserver { tcp("192.168.0.251" port(514)); };

# Local files.
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" sync(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_kern     { facility(kern); };
filter f_general  { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_authpriv { facility(authpriv); };
filter f_mail     { facility(mail); };
filter f_emerg    { level(emerg); };
filter f_spool    { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_local7   { facility(local7); };
filter f_cron     { facility(cron); };

# Keep squid's 'user' facility entries out of /var/log/messages.
filter f_no_squid { not program("squid"); };

log { source(s_host); filter(f_kern);     destination(d_cons); };
log { source(s_host); filter(f_kern);     destination(d_kern); };
log { source(s_host); filter(f_general);  filter(f_no_squid); destination(d_mesg); };
log { source(s_host); filter(f_authpriv); destination(d_auth); };
log { source(s_host); filter(f_mail);     destination(d_mail); };
log { source(s_host); filter(f_emerg);    destination(d_mlal); };
log { source(s_host); filter(f_spool);    destination(d_spol); };
log { source(s_host); filter(f_local7);   destination(d_boot); };
log { source(s_host); filter(f_cron);     destination(d_cron); };

# NOTE(review): f_squid and d_squid are defined but no log path references
# them, so squid entries are only excluded from messages, not written anywhere
# separately. perm(665) also lacks the leading 0 that dir_perm(0775) uses --
# confirm the intended file mode before wiring these in.
filter f_squid { program("squid") and facility(user); };
destination d_squid {
    file("/var/log/$HOST/$YEAR/$MONTH/squid.$YEAR-$MONTH-$DAY"
        owner(root) group(adm) perm(665) create_dirs(yes) dir_perm(0775));
};

# Forward every message, unfiltered, to the central server.
log { source(s_host); destination(logserver); };
5.ส่ง Log จาก Windows Server
5.1 Download Lasso (Windows Event Collector) จาก http://open.loglogic.com/
5.2 ตั้งค่า hostlist.ini
localhost,*6
5.3 ตั้งค่า lasso.ini
# lasso.ini -- one "Key,Value" per line. The file's own "#DefaultLassoShare"
# entry shows that '#' disables a line; confirm plain comment lines are also
# accepted before keeping these notes in a deployed copy.
SkipInitDLLScan,0
# Central log server: the same address the Linux clients forward to.
# Transport and port are not set here -- TODO confirm the events arrive on the
# server's 514 listener.
LogAppliance,192.168.0.251
# Local working directories for collected and spooled events (paths only; semantics inferred from the names).
RepositoryPath,C:\Program Files\Lasso\LassoRepository\
SpoolPath,C:\Program Files\Lasso\LassoRepository\Spool\
EventPollInterval,10
SpoolFileSize,1.0
WatermarkWriteInterval,100
MaxTraceFileSize,20
MaxNumWorkerThreads,4
DllLoadInterval,3600
HighWaterMarks,ON
#DefaultLassoShare,LassoShare=C:\LassoTemp
CheckHostListInterval,3600
NewHostSkipHistorical,0
EnableShareDlls,1
CheckRemHostAvail,0
# Left at 0: hostlist.ini only names localhost, so no remote admin shares need to be enabled -- verify if remote hosts are added.
EnableAdminSharesIfDisabled,0
DebugLevel,0
LogLevel,1
DebugHostFileSize,20
AccessReport,0
5.4 start service Lasso Windows Event Collector
Written by Komkid on November 22nd, 2009 with
no comments.