分类: 系统运维
2008-12-17 21:59:32
|
By: michael earls - 2002-02-18 16:14:33 This article has been read: 101683 times. |
Synopsis: This documentation assumes that you have installed and have a working version of syslog-ng version 1.5.x and higher. This documentation assumes that you have installed and have a working version of mysql database. What is syslog-ng? Syslog-ng is the world's most flexible and scalable audit trail processing tool for organizations of any size. It provides a centralised, securely stored log of all devices on your network, whatever platform they run on. And syslog-ng also incorporates a host of powerful features, including filtering based on message content, as well as customisable data mining and analysis capabilities. syslog-ng comes as part of the Zorp product line or can be downloaded ((click here)) as a drop-in replacement for stock UNIX system logging software. What is mysql MySQL is an open source relational database management system (RDBMS) that uses Structured Query Language (SQL), the most popular language for adding, accessing, and processing data in a database. Configure syslog-ng to log to mysql database using fifo template: destination d_mysql { pipe("/tmp/mysql.pipe" template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL','$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n") template-escape(yes)); }; log { source(net); destination(d_mysql); }; Comment out the following line #source src { unix-dgram("/dev/log"); internal(); }; Uncomment out the following lines source src { unix-dgram("/etc/log/log"); internal(); }; source net { udp(); }; Create the fifo pipe for syslog-ng to export out logs mkfifo /tmp/mysql.pipe Create syslog database CREATE DATABASE syslog USE syslog CREATE TABLE logs ( host varchar(32) default NULL, facility varchar(10) default NULL, priority varchar(10) default NULL, level varchar(10) default NULL, tag varchar(10) default NULL, date date default NULL, time time default NULL, program varchar(15) default NULL, msg text, seq int(10) unsigned NOT NULL auto_increment, PRIMARY KEY (seq), KEY host (host), KEY seq (seq), KEY program (program), KEY time (time), KEY date (date), KEY priority (priority), KEY facility (facility) ) TYPE=MyISAM; Create the fifo pipe for syslog-ng to export out logs mkfifo /tmp/mysql.pipe Restart syslog-ng process Stop syslog-ng /etc/init.d/syslog-ng stop Start syslog-ng /etc/ini.d/syslog-ng start Pipe Insert scripts # Created by Matthias Buch # In the syslog-ng.conf we use: destination d_oracle { pipe("/dev/ora.pipe" template("INSERT INTO logs (LL_HOST, LL_facility, LL_priority, LL_level, LL_tag, LL_DATE, LL_program, LL_msg) VALUES ( '$HOST', '$FACILILITY', '$PRIORITY', '$LEVEL', '$TAG', to_date('$YEAR.$MONTH.$DAY $HOUR:$MIN:$SEC', 'yyyy.mm.dd hh24:mi:ss'), '$PROGRAM', substr('$MSG',1,511));\n COMMIT;\n") template-escape(yes)); import-to-oracle.sh #to write files to the fifo we have a job import-to-oracle.sh #!/bin/sh nohup sqlplus username/password@dbname @/dev/ora.pipe >/dev/null & cronjob #and to check for running oracle clients #we have a cronjob running every 5 minutes: #!/bin/bash export ORACLE_HOME=/usr/oracle/product/8.1.7 export ORACLE_BASE=/usr/oracle export PATH=$ORACLE_HOME/bin:$PATH SQL=`ps ax|grep sqlplus|grep -v grep|wc -l` if [ $SQL -lt 1 ];then /opt/bin/import-to-oracle.sh fi This script is used to pipe syslog-ng to mysql # # Created by Tadghe Patrick Danu # #!/bin/bash if [ -e /tmp/mysql.pipe ]; then while [ -e /tmp/mysql.pipe ] do mysql -u theuserid --password=thepassword syslogdb < /tmp/mysql.pipe done else mkfifo /tmp/mysql.pipe fi This script is used to pipe syslog-ng to postgreSQL # Created by Ben Russo #!/bin/bash # run-syslog2pgsql-insert.sh # 23-April-2002 by Ben Russo # This script makes sure that the syslogs get # into the database. # It is designed to be started by CRON periodically. # I would run it every minute, or at least every # every few minutes. DATADIR="/spooldir/syslog2pgsql" WORKDIR="/var/lib/pgsql/syslog" LOGFILE="$WORKDIR/syslog2pgsql-insert.log" TZ=UCT export DATADIR WORKDIR TZ # Here we are going to make sure there isn't # already an instance of run-syslog2pgsql-insert.sh # that is running. if [ -f $WORKDIR/.syslog2pgsql-insert.pid ] then OLDPID=`cat $WORKDIR/.syslog2pgsql-insert.pid' NUMPROCS=`ps -e | grep $OLDPID | grep run-syslog2 | wc -l` if [ $NUMPROCS -gt 0 ] then exit 0 fi fi # # If this script has run this far then there should # not be another instance of run-syslog2pgsql-insert.sh # running, therefore let's make a PID file and do it. echo $$ > $WORKDIR/.syslog2pgsql-insert.pid # # Now start an endless loop that looks for control files. # while true do DATE=`date` if [ -f $WORKDIR/.insert-die ] then echo "=die===== $DATE $WORKDIR/.insert-die file found, exiting." >> $LOGFILE exit 0 fi if [ -f $WORKDIR/.insert-restart ] then echo "=restart= $DATE $WORKDIR/.insert-restart file found, exiting." >> $LOGFILE echo "=restart= $DATE Deleteing .insert-restart file." >> $LOGFILE echo "=restart= $DATE Expecting cron to restart this script." >> $LOGFILE fi if [ -f $WORKDIR/.insert-pause ] then echo "=pause=== $DATE $WORKDIR/.insert pause file found." >> $LOGFILE echo "=pause=== $DATE sleeping 3 secs." >> $LOGFILE sleep 3 else FILELIST=`find $DATADIR -name "fulllog.2[0-9][0-9][0-9].[0-1][0-9].[0-3][0-9].[0-2][0-9].[0-5][0-9].[0-6][0-9]"` usleep 999997 for i in $FILELIST do cat $i | psql -U postgres -d syslog-ng >> $LOGFILE 2>&1 DATE=`date` echo "========= $DATE finished $i" >> $LOGFILE rm -f $i done fi done # # END OF THE SCRIPT # This file is the functions" file distributed with Mandrake systems # -*-Shell-script-*- # # functions This file contains functions to be used by most or all # shell scripts in the /etc/init.d directory. # TEXTDOMAIN=initscripts TEXTDOMAINDIR=/etc/locale LOCPATH=/etc/locale export TEXTDOMAINDIR LOCPATH # Make sure umask is sane umask 022 # Set up a default search path. PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin" export PATH [ -z "${CONSOLETYPE:-}" ] && CONSOLETYPE="`/sbin/consoletype`" # Get a sane screen width [ -z "${COLUMNS:-}" ] && COLUMNS=80 if [ -f /etc/sysconfig/i18n -a -z "$NOLOCALE" ]; then . /etc/sysconfig/i18n if [ "$CONSOLETYPE" != "pty" ]; then [ "$CONSOLE_NOT_LOCALIZED" = "yes" ] && GP_LANG=C [ "$CONSOLE_NOT_LOCALIZED" = "yes" ] && GP_LANGUAGE=C fi if [ -z "$GP_LANG" ]; then [ -n "$LC_CTYPE" ] && GP_LANG=$LC_CTYPE || GP_LANG=$LC_MESSAGES fi if [ -z "$GP_LANGUAGE" ]; then [ -n "$LANGUAGE" ] && GP_LANGUAGE=$LANGUAGE || GP_LANGUAGE=$GP_LANG fi fi # Read in our configuration if [ -z "${BOOTUP:-}" ]; then if [ -f /etc/sysconfig/init ]; then . /etc/sysconfig/init else # This all seem confusing? Look in /etc/sysconfig/init, # or in /usr/share/doc/initscripts-*/sysconfig.txt BOOTUP=color RES_COL=60 MOVE_TO_COL="echo -en \\033[${RES_COL}G" SETCOLOR_SUCCESS="echo -en \\033[1;32m" SETCOLOR_FAILURE="echo -en \\033[1;31m" SETCOLOR_WARNING="echo -en \\033[1;33m" SETCOLOR_NORMAL="echo -en \\033[0;39m" LOGLEVEL=1 fi if [ "$CONSOLETYPE" = "serial" ]; then BOOTUP=serial MOVE_TO_COL= SETCOLOR_SUCCESS= SETCOLOR_FAILURE= SETCOLOR_WARNING= SETCOLOR_NORMAL= fi fi if [ "${BOOTUP:-}" != "verbose" ]; then INITLOG_ARGS="-q" else INITLOG_ARGS= fi gprintf() { if [ -x /bin/gettext -a -n "$1" ]; then if [ -n "$GP_LANG" ]; then local TEXT=`LC_ALL=$GP_LANG LANGUAGE=$GP_LANGUAGE gettext -e --domain=$TEXTDOMAIN "$1"` else local TEXT=`gettext -e --domain=$TEXTDOMAIN "$1"` fi else local TEXT=$1 fi [ "${1#*\\n}" ] || TEXT="$TEXT\n" shift printf "$TEXT" "$@" } # Frontend to gprintf (support up to 4 %s in format string) # returns the message transleted in GPRINTF_MSG and # the resting parms in GPRINTF_REST # This simplifies a lot the call of functions like action, # now with i18n support gprintf_msg_rest() { case "$1" in *%s*%s*%s*%s*) GPRINTF_MSG=$(gprintf "$1" "$2" "$3" "$4" "$5") shift 5;; *%s*%s*%s*) GPRINTF_MSG=$(gprintf "$1" "$2" "$3" "$4") shift 4;; *%s*%s*) GPRINTF_MSG=$(gprintf "$1" "$2" "$3") shift 3;; *%s*) GPRINTF_MSG=$(gprintf "$1" "$2") shift 2;; *) GPRINTF_MSG=$(gprintf "$1") shift;; esac GPRINTF_REST="$@" } # Check if $pid (could be plural) are running with # the same root as this script inmyroot() { local i r for i in $* ; do [ "/proc/$i/root" -ef "/proc/$$/root" ] && r="$r $i" done echo "$r" } # Check if $pid (could be plural) are running checkpid() { local i for i in $* ; do [ -d "/proc/$i" ] && return 0 done return 1 } # A function to start a program. daemon() { # Test syntax. local gotbase= force= local base= user= nice= bg= pid= nicelevel=0 while [ "$1" != "${1##[-+]}" ]; do case $1 in '') gprintf "%s: Usage: daemon [+/-nicelevel] {program}\n" $0 return 1;; --check) base=$2 gotbase="yes" shift 2 ;; --check=?*) base=${1#--check=} gotbase="yes" shift ;; --user) user=$2 shift 2 ;; --user=?*) user=${1#--user=} shift ;; --force) force="force" shift ;; [-+][0-9]*) nice="nice -n $1" shift ;; *) gprintf "%s: Usage: daemon [+/-nicelevel] {program}\n" $0 return 1;; esac done # Save basename. [ -z "$gotbase" ] && base=${1##*/} # See if it's already running. Look *only* at the pid file. if [ -f /var/run/${base}.pid ]; then local line p read line < /var/run/${base}.pid for p in $line ; do [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p" done fi [ -n "${pid:-}" -a -z "${force:-}" ] && return # make sure it doesn't core dump anywhere; while this could mask # problems with the daemon, it also closes some security problems ulimit -S -c 0 >/dev/null 2>&1 # if they set NICELEVEL in /etc/sysconfig/foo, honor it [ -n "$NICELEVEL" ] && nice="nice -n $NICELEVEL" # Echo daemon [ "${BOOTUP:-}" = "verbose" -a -z "$LSB" ] && echo -n " $base" # libsafe support if [ -r /etc/sysconfig/system ] && grep -q '^LIBSAFE=yes$' /etc/sysconfig/system && [ -r /lib/libsafe.so.2 ]; then LD_PRELOAD=/lib/libsafe.so.2 export LD_PRELOAD fi # And start it up. if [ -z "$user" ]; then $nice initlog $INITLOG_ARGS -c "$*" else $nice initlog $INITLOG_ARGS -c "su -s /bin/bash - $user -c \"$*\"" fi rc=$? [ $rc = 0 ] && success "%s startup" $base || failure "%s startup" $base unset LD_PRELOAD return $rc } # A function to stop a program. killproc() { RC=0 # Test syntax. if [ "$#" -eq 0 ]; then gprintf "Usage: killproc {program} [signal]\n" return 1 fi notset=0 # check for second arg to be kill level if [ -n "$2" ]; then killlevel=$2 else notset=1 killlevel="-9" fi # Save basename. base=${1##*/} # Find pid. pid= if [ -f /var/run/${base}.pid ]; then local line p read line < /var/run/${base}.pid for p in $line ; do [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p" done fi if [ -z "$pid" ]; then pid=`pidof -o $$ -o $PPID -o %PPID -x $1 || \ pidof -o $$ -o $PPID -o %PPID -x $base` fi # Avoid killing processes not running in the same root [ -n "$pid" ] && pid="`inmyroot $pid`" # Kill it. if [ -n "${pid:-}" ] ; then [ "$BOOTUP" = "verbose" -a -z "$LSB" ] && echo -n "$base " if [ "$notset" -eq "1" ] ; then if checkpid $pid 2>&1; then # TERM first, then KILL if not dead kill -TERM $pid usleep 100000 if checkpid $pid && sleep 1 && checkpid $pid && sleep 3 && checkpid $pid ; then kill -KILL $pid usleep 100000 fi fi checkpid $pid RC=$? [ "$RC" -eq 0 ] && failure "%s shutdown" $base || success "%s shutdown" $base RC=$((! $RC)) # use specified level only else if checkpid $pid; then kill $killlevel $pid RC=$? [ "$RC" -eq 0 ] && success "%s %s" $base $killlevel || failure "%s %s" $base $killlevel fi fi else failure "%s shutdown" $base RC=1 fi # Remove pid file if any. if [ "$notset" = "1" ]; then rm -f /var/run/$base.pid fi return $RC } # A function to find the pid of a program. Looks *only* at the pidfile pidfileofproc() { local base=${1##*/} # Test syntax. if [ "$#" -eq 0 ] ; then gprintf "Usage: pidfileofproc {program}\n" return 1 fi # First try "/var/run/*.pid" files if [ -f /var/run/$base.pid ] ; then local line p pid= read line < /var/run/$base.pid for p in $line ; do [ -z "${p//[0-9]/}" -a -d /proc/$p ] && pid="$pid $p" done if [ -n "$pid" ]; then echo $pid return 0 fi fi } # A function to find the pid of a program. pidofproc() { base=${1##*/} # Test syntax. if [ "$#" -eq 0 ] ; then gprintf "Usage: pidofproc {program}\n" return 1 fi # First try "/var/run/*.pid" files if [ -f /var/run/$base.pid ]; then local line p pid= read line < /var/run/$base.pid for p in $line ; do [ -z "${p//[0-9]/}" -a -d /proc/$p ] && pid="$pid $p" done if [ -n "$pid" ]; then echo $pid return 0 fi fi pidof -o $$ -o $PPID -o %PPID -x $1 || \ pidof -o $$ -o $PPID -o %PPID -x $base } status() { local base=${1##*/} local pid # Test syntax. if [ "$#" -eq 0 ] ; then gprintf "Usage: status {program}\n" return 1 fi # First try "pidof" pid=`pidof -o $$ -o $PPID -o %PPID -x $1 || \ pidof -o $$ -o $PPID -o %PPID -x ${base}` if [ -n "$pid" ] ; then gprintf "%s (pid %s) is running...\n" ${base} $pid return 0 fi # Next try "/var/run/*.pid" files if [ -f /var/run/${base}.pid ] ; then read pid < /var/run/${base}.pid if [ -n "$pid" ] ; then gprintf "%s dead but pid file exists\n" ${base} return 1 fi fi # See if /var/lock/subsys/${base} exists if [ -f /var/lock/subsys/${base} ]; then gprintf "%s dead but subsys locked\n" ${base} return 2 fi gprintf "%s is stopped\n" ${base} return 3 } echo_success() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[" [ "$BOOTUP" = "color" ] && $SETCOLOR_SUCCESS gprintf " OK " [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n "]" echo -ne "\r" return 0 } echo_failure() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[" [ "$BOOTUP" = "color" ] && $SETCOLOR_FAILURE gprintf "FAILED" [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n "]" echo -ne "\r" return 1 } echo_passed() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[" [ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING gprintf "PASSED" [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n "]" echo -ne "\r" return 1 } echo_warning() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[" [ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING gprintf "WARNING" [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n "]" echo -ne "\r" return 1 } # Log that something succeeded success() { gprintf_msg_rest "$@" if [ -z "$IN_INITLOG" ]; then initlog $INITLOG_ARGS -n $0 -s "$GPRINTF_MSG" -e 1 else # silly hack to avoid EPIPE killing rc.sysinit trap "" SIGPIPE echo "$INITLOG_ARGS -n $0 -s \"$GPRINTF_MSG\" -e 1" >&21 trap - SIGPIPE fi [ "$BOOTUP" != "verbose" -a -z "$LSB" ] && echo_success return 0 } # Log that something failed failure() { rc=$? gprintf_msg_rest "$@" if [ -z "$IN_INITLOG" ]; then initlog $INITLOG_ARGS -n $0 -s "$GPRINTF_MSG" -e 2 else trap "" SIGPIPE echo "$INITLOG_ARGS -n $0 -s \"$GPRINTF_MSG\" -e 2" >&21 trap - SIGPIPE fi [ "$BOOTUP" != "verbose" -a -z "$LSB" ] && echo_failure return $rc } # Log that something passed, but may have had errors. Useful for fsck passed() { rc=$? gprintf_msg_rest "$@" if [ -z "$IN_INITLOG" ]; then initlog $INITLOG_ARGS -n $0 -s "$GPRINTF_MSG" -e 1 else trap "" SIGPIPE echo "$INITLOG_ARGS -n $0 -s \"$GPRINTF_MSG\" -e 1" >&21 trap - SIGPIPE fi [ "$BOOTUP" != "verbose" ] && echo_passed return $rc } # Run some action. Log its output. action() { gprintf_msg_rest "$@" echo -n "$GPRINTF_MSG " # libsafe support if [ -r /etc/sysconfig/system ] && grep -q '^LIBSAFE=yes$' /etc/sysconfig/system && [ -r /lib/libsafe.so.2 ]; then LD_PRELOAD=/lib/libsafe.so.2 export LD_PRELOAD fi initlog $INITLOG_ARGS -c "$GPRINTF_REST" && success "$GPRINTF_MSG" || failure "$GPRINTF_MSG" rc=$? echo unset LD_PRELOAD return $rc } # returns OK if $1 contains $2 strstr() { #case "$1" in # *${2}*) return 0 ;; #esac #return 1 [ "$1" = "$2" ] && return 0 slice=${1#*$2*} [ "$slice" = "$1" ] && return 1 return 0 } # Confirm whether we really want to run this service confirm() { gprintf "Start service %s (Y)es/(N)o/(C)ontinue? [Y] \n" $1 local YES=`gprintf "yY"` local NOT=`gprintf "nN"` local CNT=`gprintf "cC"` read answer if strstr "$YES" "$answer" || [ "$answer" = "" ] ; then return 0 elif strstr "$CNT" "$answer" ; then return 2 elif strstr "$NOT" "$answer" ; then return 1 fi confirm $* } initsplash() { [[ -f /etc/sysconfig/bootsplash ]] && source /etc/sysconfig/bootsplash [[ -n $SPLASH ]] && splash_rc=$SPLASH [[ -n $THEME ]] && theme=$THEME [[ -x /sbin/splash.sh ]] || splash_rc=no if [[ -e /proc/splash ]]; then grep -q off /proc/splash && splash_rc=no else splash_rc=no fi splash_cfg=/etc/bootsplash/ [[ $splash_rc != "no" && $splash_rc != "No" && $splash_rc != "NO" ]] && export splash_rc=yes [[ -d $splash_cfg/themes ]] || splash_rc= if [[ $splash_rc = "yes" && -n $theme ]];then [[ ! -d $splash_cfg/themes/$theme ]] && theme=Mandrake function box() { true; } # ignore box descriptions in the config file tmpval=$LOGO_CONSOLE if [ -f /etc/bootsplash/themes/$theme/config/bootsplash-`fbresolution`.cfg ]; then . /etc/bootsplash/themes/$theme/config/bootsplash-`fbresolution`.cfg fi if [[ $tmpval != "theme" ]];then LOGO_CONSOLE=$tmpval fi fi if [[ -z "$1" ]]; then set `/sbin/runlevel` runlevel=$2 previous=$1 else runlevel=5 previous=N fi nbservices=0 # # for small dir, it is faster than echo /etc/rc$runlevel.d/* | wc -w # for i in /etc/rc$runlevel.d/* do a=$[nbservices++] done for i in /etc/rc$runlevel.d/*.rpm* do a=$[nbservices--] done a=$[nbservices++] # this is the number of step in rc.sysinit, could be ajusted [[ "$previous" = "N" ]] && nbservices=$(($nbservices+7)) && progress=6 export nbservices res progress text_x text_y text_color text_size splash_rc LOGO_CONSOLE } rc_splash() { [[ "$splash_rc" = "yes" ]] || return if [[ -n "$2" ]]; then progress=$2 else a=$[progress++] fi LANGUAGE=$LANGUAGE /sbin/splash.sh "$1" } #!/bin/bash # # sqlsyslogd This is a daemon that takes syslog-ng input and pipe it into # a MySQL database. # # chkconfig: 2345 92 10 # description: sqlsyslogd bridges syslog-ng and mysql. # author: Josh Kuo Thu 2004/08/12 13:21:56 PDT . /etc/rc.d/init.d/functions case "$1" in start) if [ -x /tmp/mysql.pipe ]; then mkfifo /tmp/mysql.pipe else # if the service is already running, do not start another one PIDS=`pidofproc mysql` if [ "$PIDS" ]; then gprintf "sqlsyslogd is already running.\n" exit 1 fi mysql -u DBUSERNAME --password=PASSWORD DBNAME < /tmp/mysql.pipe & fi ;; stop ) killproc mysql ;; *) gprintf "Usage: sqlsyslogd {start|stop}\n" exit 1; esac exit 0; |
