分类:
2012-05-28 09:22:24
今天为淘立方实现日志集中管理
1.程序下载
wget
wget
wget
2.安装eventlog
tar -zxvf eventlog_0.2.12.tar.gz
cd eventlog-0.2.12/
./configure --prefix=/usr/local/eventlog
make && make install
3.安装libol
tar zxvf libol-0.3.18.tar.gz
cd libol-0.3.18
./configure --prefix=/usr/local/libol-0.3.9
make && make install
报错configure: error: C++ preprocessor "/lib/cpp" fails sanity check 安装gcc-c++ yum install -y gcc-c++
4.安装syslog-ng
tar zxvf syslog-ng_3.3.5.tar.gz
cd syslog-ng-3.3.5/
export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig/ (若出现configure: error: Cannot find eventlog version >= 0.2: is pkg-config in path?基本上是由于PKG_CONFIG_PATH变量没指定好)
错误 :No package 'glib-2.0' found 解决:
./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol-0.3.9
make && make install
cp contrib/syslog-ng.conf.RedHat /usr/local/syslog-ng/etc/syslog-ng.conf
cp contrib/init.d.RedHat /etc/init.d/syslog-ng
vi /etc/init.d/syslog-ng 添加
#!/bin/bash
#chkconifg: --add syslog-ng
#chkconfig: 2345 12 88
#Description: syslog-ng
修改如下三行
INIT_PROG="/usr/local/syslog-ng/sbin/syslog-ng" # Full path to daemon
INIT_OPTS="-f /usr/local/syslog-ng/etc/syslog-ng.conf" # options passed to daemon
PATH=/usr/local/syslog-ng/bin:/usr/local/syslog-ng/sbin:/bin:/sbin:/usr/bin:/usr/sbin
chkconfig --add syslog-ng
chkconfig syslog-ng on
chmod +x /etc/init.d/syslog-ng
/etc/init.d/syslog-ng start
报错:1.Starting syslog-ng: Configuration file has no version number, assuming syslog-ng 2.1 format. Please add @version: maj.min to the beginning of the file;
在配置文件开头添加:@version:3.3
2:Your configuration file uses an obsoleted keyword, please update your configuration; keyword='sync', change='flush_lines'
Your configuration file uses an obsoleted keyword, please update your configuration; keyword='long_hostnames', change='chain_hostnames'
配置文件关键字过时 改为新关键字 sync改为flush_lines long_hostnames改为chain_hostnames
3.Starting syslog-ng: /usr/local/syslog-ng/sbin/syslog-ng: error while loading shared libraries: libevtlog.so.0: cannot open shared object file: No such file or directory
Starting Kernel Logger: 出现此错误是因为共享库链接没做好
[root@server2 etc]# ln -s /usr/local/eventlog/lib/* /lib/
5.syslog-ng.conf配置
@version:3.3
options { flush_lines (0);
time_reopen (10);
log_fifo_size (1000);
chain_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};
source s_sys { file ("/proc/kmsg" program_override("kernel")); unix-stream ("/dev/log"); internal(); };
source r_remote {
tcp (ip(0.0.0.0) port(514) );
udp (ip(0.0.0.0) port(514) );
};
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog"); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };
destination r_cons {file("/syslog-ng/$YEAR$MONTH$DAY/$HOST/console" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_mesg {file("/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_auth {file("/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_spol {file("/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_boot {file("/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_cron {file("/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
filter f_filter1 { facility(kern); };
filter f_filter2 { level(info) and
not (facility(mail)
or facility(authpriv) or facility(cron)); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or
(facility(news) and level(crit)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };
#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };
log { source(r_remote); filter(f_filter1); destination(r_cons); };
log { source(r_remote); filter(f_filter2); destination(r_mesg); };
log { source(r_remote); filter(f_filter3); destination(r_auth); };
log { source(r_remote); filter(f_filter6); destination(r_spol); };
log { source(r_remote); filter(f_filter7); destination(r_boot); };
log { source(r_remote); filter(f_filter8); destination(r_cron); };
6.客户端配置
vi /etc/syslog.conf
在开头加 *.* @192.168.177.3 (192.168.177.3是syslog-ng SERVER的IP)
/etc/init.d/syslog restart
7.测试
[root@client ~]# logger -i just one test
[root@client ~]# tail -1 /var/log/messages
Jan 27 22:12:02 client root[2861]: just one test
[root@server2 ~]# cat /var/log/syslog-ng/192.168.177.2/20120514/messages
Jan 28 04:24:32 192.168.90.10 root[2861]: just one test
[root@server2 ~]# cat /var/log/syslog-ng/192.168.177.2/20120514/secure
Jan 28 04:01:04 192.168.90.10 sshd[2832]: Accepted publickey for root from 192.168.90.1 port 48834 ssh2
Jan 28 04:01:04 192.168.90.10 sshd[2832]: pam_unix(sshd:session): session opened for user root by (uid=0)
