昨天有个小弟问我关于syslog-ng的问题，我想与其给他费口舌给他解释一圈，不如写个文档让他自己去看。

syslog-ng，故名思义就是New generation的syslog。主要是解决现有syslogd的一些不足。有企业版本和开源版本。

一、syslog-ng集中日志存储的结构
上图是syslog-ng的官方管理员文档中的图，表达的已经非常清楚明白了。

二、syslog-ng集中日志存储的操作步骤

client端:
1.安装syslog-ng
2.配置收集本机log信息的local source
3.创建一个网络destination，直接指向syslog-ng server
4.创建一个log区段，将local source与syslog-ng server关联起来
5.为了保证本地也保存log文件，创建本地文件destination
6.创建一个log区段，将local source与本地文件destination关联起来

syslog-ng server端:
1.安装syslog-ng
2.配置用来收集客户端和中继发来的日志信息的网络source
3.创建用于存储日志信息的本地destination，如文件，数据库等
4.创建一个log区段，将网络source与本地destination关联起来
5.配置用来收集syslog-ng server本身日志信息的local source
6.创建一个log区段，将local source与本地destination关联起来
7.如果需要，可以配置filter和option

三、syslog-ng的配置文件解说

偷懒，从一个日本网站扒来一张图，不用看懂日文也能明白含义

首先说一下构成配置文件的组成部分:

source driver: 用于接收日志消息的通讯方法。例如，syslog-ng可以通过TCP/IP从远程主机接收日志消息，或者通过读取本地文件接收本地应用程序的日志消息。

source: 经过配置并命名的soruce driver。

destination driver: 用于发送日志消息的通讯方法。例如,syslog-ng可以通过TCP/IP向远程主机发送日志消息，或者将日志消息写入到本地文件或者数据库中。

destinantion: 经过配置并命名的destination driver。

filter: 用于筛选日志消息的表达式。例如，一个filter可以选择从一个指定主机发来的日志消息。

macro: 指向日志消息的一部分的识别器。例如，$HOST宏返回发送日志消息的主机名称。宏经常用于模板和文件名。

parser: 将日志消息使用预先定义的分隔符分成不同列的规则。每一列具有一个可以用于macro的不重复的名字。

rewrite rule: 改变日志消息部分内容的规则。例如，替换字符串或者设定一个值

log paths: source,destination,filter,parser,rewrite rule等对象的组合体。Log path也被称为log statements,log path中可以包含其他log path以组成非常复杂的log path。

template: 是一系列macro的组合，用于重新组织日志消息或者自动生成文件名。例如，一个template可以在每个日志消息前边增加hostname和日期。

option: 设置syslog-ng的全局参数，例如域名解析参数和时区等。

 

日志源的写法:

source { source-driver(params); source-driver(params); ... };

 

日志目的写法:

destination {

destination-driver(params); destination-driver(params); ... };

 

过滤器的写法:

filter { (""); };

 

log path的写法:

log {

source(s1); source(s2); ...

optional_element(filter1|parser1|rewrite1);

optional_element(filter2|parser2|rewrite2);...

destination(d1); destination(d2); ...

flags(flag1[, flag2...]);

};

 

以下是可用的source列表:

 

 以下是可用的destination列表:

以下是可用的filter列表:

 

下边的syslog-ng.conf配置文件，是使用syslog-ng完全模拟syslogd行为的，此配置是syslog-ng源码中自带的，不过想要运行在最新的3.3版本下，需要将原配置中的关键字换成红色字体部分。

#====================================================

#此处新增了版本号，如没有会默认为2.x版本的配置

@version: 3.3
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# 20000925 gb@sysfive.com
#
# Updated by Frank Crawford () - 10 Aug 2002
#       - for Red Hat 7.3
#       - totally do away with klogd
#       - add message "kernel" as is done with klogd.
#
# Updated by Frank Crawford () - 22 Aug 2002
#       - use the program_override option as per Balazs Scheidler's email
#

#原始的配置为

#sync(0);

#long_hostnames (off);

options { flush_lines (0);
          time_reopen (10);
          log_fifo_size (1000);
          chain_hostnames (off);
          use_dns (no);
          use_fqdn (no);
          create_dirs (no);
          keep_hostname (yes);
        };

#
# At around 1999 some distributions have changed from using SOCK_STREAM
# to SOCK_DGRAM sockets, see these posts about the issue:
#
# http://www.security-express.com/archives/bugtraq/1999-q4/0071.html
#
#
# libc and syslog clients generally automatically detect the socket type,
# so you are free to decide which of unix-stream or unix-dgram you want to use.
#
source s_sys { file ("/proc/kmsg" program_override("kernel")); unix-stream ("/dev/log"); internal(); };

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };

filter f_filter1     { facility(kern); };
filter f_filter2     { level(info) and
                     not (facility(mail)
                        or facility(authpriv) or facility(cron)); };
filter f_filter3     { facility(authpriv); };
filter f_filter4     { facility(mail); };
filter f_filter5     { level(emerg); };
filter f_filter6     { facility(uucp) or
                     (facility(news) and level(crit)); };
filter f_filter7     { facility(local7); };
filter f_filter8     { facility(cron); };

#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };

#====================================================

下边是一个示例的典型集中存储日志的配置文件，是在上一个本地配置的基础上稍有修改。

粗体加重部分是关于网络配置部分。

服务器端配置文件
#sample syslog-ng.conf for a central logging server
options {
        flush_lines (0);
        time_reopen (10);
        log_fifo_size (2048);
        create_dirs (yes);
        chain_hostnames (off);
        use_dns (no);
        use_fqdn (no);
        keep_hostname (yes);
        perm (0640);
        dir_perm (0750);
    };

source s_local { internal(); unix-stream("/dev/log"); file("/proc/kmsg" program_override("kernel: ")); };
source s_remote { tcp(); };

destination d_local_cons { file("/dev/console"); };
destination d_local_mesg { file("/var/log/messages"); };
destination d_local_auth { file("/var/log/secure"); };
destination d_local_mail { file("/var/log/maillog"); };
destination d_local_spol { file("/var/log/spooler"); };
destination d_local_boot { file("/var/log/boot.log"); };
destination d_local_cron { file("/var/log/cron"); };
destination d_local_mlal { usertty("*"); };
destination d_remote_clients { file("/var/log/HOSTS/$HOST"); };

filter f_filter1     { facility(kern); };
filter f_filter2     { level(info) and
                     not (facility(mail)
                        or facility(authpriv) or facility(cron)); };
filter f_filter3     { facility(authpriv); };
filter f_filter4     { facility(mail); };
filter f_filter5     { level(emerg); };
filter f_filter6     { facility(uucp) or
                     (facility(news) and level(crit)); };
filter f_filter7     { facility(local7); };
filter f_filter8     { facility(cron); };

#log { source(s_local); filter(f_filter1); destination(d_local_cons); };
log { source(s_local); filter(f_filter2); destination(d_local_mesg); };
log { source(s_local); filter(f_filter3); destination(d_local_auth); };
log { source(s_local); filter(f_filter4); destination(d_local_mail); };
log { source(s_local); filter(f_filter5); destination(d_local_mlal); };
log { source(s_local); filter(f_filter6); destination(d_local_spol); };
log { source(s_local); filter(f_filter7); destination(d_local_boot); };
log { source(s_local); filter(f_filter8); destination(d_local_cron); };
log { source(s_remote); destination(d_remote_clients); };


客户端配置

#sample syslog-ng.conf for a remote client

source s_local { internal(); unix-stream("/dev/log"); file("/proc/kmsg" program_override("kernel: ")); };

destination d_local_cons { file("/dev/console"); };
destination d_local_mesg { file("/var/log/messages"); };
destination d_local_auth { file("/var/log/secure"); };
destination d_local_mail { file("/var/log/maillog"); };
destination d_local_spol { file("/var/log/spooler"); };
destination d_local_boot { file("/var/log/boot.log"); };
destination d_local_cron { file("/var/log/cron"); };
destination d_local_mlal { usertty("*"); };
destination d_remote_loghost {tcp("192.168.1.10" port(514));};

filter f_filter1     { facility(kern); };
filter f_filter2     { level(info) and
                     not (facility(mail)
                        or facility(authpriv) or facility(cron)); };
filter f_filter3     { facility(authpriv); };
filter f_filter4     { facility(mail); };
filter f_filter5     { level(emerg); };
filter f_filter6     { facility(uucp) or
                     (facility(news) and level(crit)); };
filter f_filter7     { facility(local7); };
filter f_filter8     { facility(cron); };

#log { source(s_local); filter(f_filter1); destination(d_local_cons); };
log { source(s_local); filter(f_filter2); destination(d_local_mesg); };
log { source(s_local); filter(f_filter3); destination(d_local_auth); };
log { source(s_local); filter(f_filter4); destination(d_local_mail); };
log { source(s_local); filter(f_filter5); destination(d_local_mlal); };
log { source(s_local); filter(f_filter6); destination(d_local_spol); };
log { source(s_local); filter(f_filter7); destination(d_local_boot); };
log { source(s_local); filter(f_filter8); destination(d_local_cron); };
log { source(s_local); destination(d_remote_loghost); };

 

如何测试

使用logger命令，写一条测试的日志消息，然后查看本地和远程syslog-ng server上是否有相应记录，如果有，则说明配置成功。

[root@localhost ~]# logger -p cron.err "I am a test log message"

如果正常本地/var/log/cron和远程syslog-ng server上的日志文件都应该有类似如下的记录；

Mar 26 16:30:35 localhost.localhost root: I am a test log message

未完待续o......

参考文档:

http://my.opera.com/blu3c4t/blog/2008/10/17/replacing-the-syslogd


~hal/sysadmin/SSH-SyslogNG.html


http://www.serverwatch.com/tutorials/article.php/3600641/Build-a-Secure-Logging-Server-With-syslogng.htm
http://netezy.blogspot.com/2007/09/easy-syslog-ng-configuration.html
http://asylum.madhouse-project.org/blog/2010/12/30/logging-mongodb-syslog-ng/