# make
# make install
在服务器和客户端都要装上syslog-ng
2.服务器端
默认情况下/usr/local/syslog-ng/ 下缺少配置文件,所以要新建所需的文件夹
# mkdir /usr/local/syslog-ng/etc
vi /usr/local/syslog-ng/etc/syslog-ng.conf
_____________________
#
# configuration file for syslog-ng, customized for remote logging
#
options {
use_fqdn(yes);
chain_hostnames(off);
keep_hostname(off);
sync(0);
# The default action of syslog-ng 1.6.0 is to log a STATS line
# to the file every 10 minutes. That's pretty ugly after a while.
# Change it to every 12 hours so you get a nice daily update of
# how many messages syslog-ng missed (0).
stats(43200);
create_dirs(yes);
};
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };
source s_sys { file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_rsync { file("/var/log/rsync"); };
destination d_mlal { usertty("*"); };
filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and
not (facility(mail)
or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or
(facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };
filter f_filter9 { facility(daemon); };
filter f_filter10 { facility(local6); };
#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };
# Remote logging
source s_remote {
udp(ip(0.0.0.0) port(514));
};
destination r_mesg {
file("/var/log/syslog-ng/$YEAR/$MONTH/$HOST/messages" owner("root")
group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination
r_auth { file("/var/log/syslog-ng/$YEAR/$MONTH/$HOST/secure"
owner("root") group("root") perm(0640) dir_perm(0750)
create_dirs(yes)); };
destination r_mail {
file("/var/log/syslog-ng/$YEAR/$MONTH/$HOST/maillog" owner("root")
group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination
r_spol { file("/var/log/syslog-ng/$YEAR/$MONTH/$HOST/spooler"
owner("root") group("root") perm(0640) dir_perm(0750)
create_dirs(yes)); };
destination r_boot {
file("/var/log/syslog-ng/$YEAR/$MONTH/$HOST/boot.log" owner("root")
group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination
r_cron { file("/var/log/syslog-ng/$YEAR/$MONTH/$HOST/cron"
owner("root") group("root") perm(0640) dir_perm(0750)
create_dirs(yes)); };
destination r_daemon {
file("/var/log/syslog-ng/$YEAR/$MONTH/$HOST/daemon" owner("root")
group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination
r_local6 { file("/var/log/syslog-ng/$YEAR/$MONTH/network/messages"
owner("root") group("root") perm(0640) dir_perm(0750)
create_dirs(yes)); };
#destination d_separatedbyhosts {
# file("/var/log/syslog-ng/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
#};
#log { source(s_remote); destination(d_separatedbyhosts); };
log { source(s_remote); filter(f_filter2); destination(r_mesg); };
log { source(s_remote); filter(f_filter3); destination(r_auth); };
log { source(s_remote); filter(f_filter4); destination(r_mail); };
log { source(s_remote); filter(f_filter6); destination(r_spol); };
log { source(s_remote); filter(f_filter7); destination(r_boot); };
log { source(s_remote); filter(f_filter8); destination(r_cron); };
log { source(s_remote); filter(f_filter9); destination(r_daemon); };
log { source(s_remote); filter(f_filter10); destination(r_local6); };
3.客户端配置
cp ~/syslog-ng/doc/syslog-ng.conf.example(copy安装文档下的配置文件到安装文档路径)
/usr/loca/syslog-ng/etc/syslog-ng.conf
在配置文件syslog-ng.conf中加入两行:
destination d_udp { udp("loghost" port(514)); };
log { source(src); destination(d_udp); };
4.关闭服务器与客户端的syslog服务,开启syslog-ng服务
/etc/init.d/syslog stop
/usr/local/syslog-ng/sbin/syslog-ng