#more /etc/rc.d/init.d/syslog |
# Source config |
#vi /etc/sysconfig/syslog |
# Options to syslogd |
#/etc/rc.d/init.d/syslog restart |
netstat -lunp |grep syslog |
udp 0 0 0.0.0.0:514 0.0.0.0:* 32711/syslogd |
接著要設定,此syslog server 所要紀錄之log內容(形式),為了要接收外部主機之syslog資料,我們當然不希望和syslog server 本機或其他外部主機之資料搞混,故我們要將之分門別類:
修改主機設定檔/etc/hosts 以便接收外部主機之syslog資料識別之用,此名稱等一下會使用於 /etc/syslog.conf 設定檔內。
#vi /etc/hosts
203.72.64.254 sssh254 sssh254.sssh.tp.edu.tw //加入此行
修改 Log 設定檔 (/etc/syslog.conf)
+sssh254 //接收所有來自於sssh254之log 並存放於 /var/log/sssh254.log
+@ //Localhost 產生的 syslog 採用下列方式處理並指定存放處(一般就是原/etc/syslog.conf之內容,一般不需改動) # Log all kernel messages to the console. … …
建立以上所指定的檔,以便準備寫入log
#touch /var/log/sssh254.log |
重啟syslog服務
#/etc/init.d/syslog restart
登錄檔的輪替(logrotate)是為了簡省磁碟空間,也可方便找到想看的log檔。
設定檔
# vi /etc/logrotate.conf |
include /etc/logrotate.d
#此目錄內之log為以RPM或系統建立所產生的,會套用其預設之設定值,若非必要,不需改動。
#加入以下文字(範例)
/var/log/sssh245 /var/log/sssh246 {
#以空格分隔不同的log檔,套用一樣的設定
dateext
#logrotate時在檔名加上日期
compress
#壓縮,以gzip壓縮,壓縮檔可以vim直接檢視
/var/log/remote/10.25.1.2-local2.log {
##為了避免壓縮會掉log,故做兩次
#第一次做不壓縮的,只保留到192.168.80.254-local7.log.2即可
/var/log/remote/192.168.80.254-local7.log {
#第二次針對192.168.80.254-local7.log.2做壓縮的,做完後192.168.80.254-local7.log.2大小為0 是正常的(看logrotate -vf /etc/logrotate.conf的輸出便知)
/var/log/remote/192.168.80.254-local7.log.2 {
驗證,基本上不可以有錯誤訊息
#logrotate -v /etc/logrotate.conf |
強制執行,讓rotate現在就執行一次。
#logrotate -vf /etc/logrotate.conf |
奇怪的是,在使用syslog-ng時,外部來的log檔若加入logrotate.conf中設定rotate,會有幾個問題:
syslog-ng
CentOS 5.3
# rpm -ivh eventlog-0.2.5-6.el5.kb.i386.rpm
# rpm -ivh syslog-ng-2.1.3-2.el5.i386.rpm
「暫存」
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
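# Global options. They apply to every source and destination below unless a
# statement overrides them (the two remote file destinations override
# create_dirs on their own).
options {
    # 0 = write every message to its file immediately, no line buffering
    sync (0);
    # seconds to wait before retrying a destination that could not be opened
    time_reopen (10);
    # output queue length, in messages, in front of each destination
    log_fifo_size (1000);
    # do not chain relay host names onto $HOST
    long_hostnames (off);
    # never resolve the sender address through DNS: no blocking lookups and
    # nothing a remote party can influence through reverse DNS
    use_dns (no);
    use_fqdn (no);
    # file destinations do not create missing directories unless they ask to
    create_dirs (no);
    # keep the hostname carried inside the message instead of replacing it
    # with the sender address; for s_remote that value is chosen by the sender
    keep_hostname (yes);
    # d_remote puts $HOST into a file path and keep_hostname(yes) takes $HOST
    # from the received message, so refuse hostnames containing characters
    # outside the valid hostname set; such names are not used as $HOST.
    check_hostname (yes);
};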
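# Local message sources: the kernel ring buffer, the /dev/log socket and
# syslog-ng's own internal messages. Remote UDP input is deliberately NOT part
# of this source: s_remote (declared further down) listens on 0.0.0.0:514 and
# routes remote messages to d_remote. A second listener on the same address
# and port here would either fail to bind or pull remote messages into the
# local files (/var/log/messages, /var/log/secure, ...), which is exactly the
# mixing the remote source/destination pair is meant to avoid.
source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
};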
#############add by ldc 2017/12/19
# 加入這個,讓統計資訊一小時才出現一次
#options { stats_freq(3600); }
# Remote input: UDP syslog on port 514, bound on every interface (0.0.0.0).
# Anything able to deliver a datagram here gets a line written under
# /var/log/remote (and, through $HOST, chooses the file name), so reach of
# this listener should be limited by the host firewall or by binding a
# specific address in ip().
source s_remote { udp(ip(0.0.0.0) port(514)); };
# Custom destination for remote messages: one file per sending host and
# facility under /var/log/remote. $HOST is taken from the message itself
# (keep_hostname(yes), use_dns(no)), so the file name is picked by the remote
# sender. The directory is created on demand (create_dirs(yes) overrides the
# global create_dirs(no)); files and directories are root-only (0600 / 0700).
destination d_remote {
    file(
        "/var/log/remote/$HOST-$FACILITY.log"
        owner(root) group(root)
        perm(0600) dir_perm(0700)
        create_dirs(yes)
    );
};
# Single fixed file for the remote httpd access log (no $HOST in the path,
# so every sender's local1 traffic would share this one file). Same
# root-only modes and on-demand directory creation as d_remote.
destination d_remote_http_access {
    file(
        "/var/log/remote/httpd-access.log"
        owner(root) group(root)
        perm(0600) dir_perm(0700)
        create_dirs(yes)
    );
};
# Custom filter: selects facility local1, which this site uses for the
# httpd access log sent by remote hosts.
filter f_remote_http_access { facility(local1); };
# Complement of f_remote_http_access: everything that is not local1.
filter f_remote_general { not (facility(local1)); };
# Finally, write the remote messages to their files.
# The local1 route below is left disabled. Note that it names destination
# d_remote_access, which is not declared in this file (the declared one is
# d_remote_http_access), so it would not load as written. While it stays
# disabled, remote local1 messages match no log statement and are not
# written anywhere.
#log { source(s_remote); filter(f_remote_http_access); destination(d_remote_access); };
log {
    source(s_remote);
    filter(f_remote_general);
    destination(d_remote);
};
##############add by ldc 2017/12/19
# Standard local destinations, mirroring the stock RedHat syslog layout.
# None of them sets perm(), so the global default file mode applies.
destination d_cons {
    file("/dev/console");
};
destination d_mesg {
    file("/var/log/messages");
};
# authentication-related records are kept in their own file
destination d_auth {
    file("/var/log/secure");
};
destination d_mail {
    # mail is flushed in batches of 10 lines instead of per message
    file("/var/log/maillog" sync(10));
};
destination d_spol {
    file("/var/log/spooler");
};
destination d_boot {
    file("/var/log/boot.log");
};
destination d_cron {
    file("/var/log/cron");
};
destination d_kern {
    file("/var/log/kern");
};
# write to the terminals of all logged-in users
destination d_mlal {
    usertty("*");
};
# Filters for the local log paths.
filter f_kernel { facility(kern); };
# info and above, excluding the facilities that have their own file;
# keeping authpriv out of here keeps authentication records out of
# /var/log/messages
filter f_default {
    level(info..emerg)
    and not (
        facility(mail)
        or facility(authpriv)
        or facility(cron)
    );
};
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
# all of uucp, plus news at crit and above
filter f_news {
    facility(uucp)
    or (facility(news) and level(crit..emerg));
};
# local7 is what the boot scripts log to
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };
# Local log paths: every statement reads from s_sys only, so nothing received
# over the network ends up in these files.
# console output of kernel messages is disabled; they go to /var/log/kern
#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log {
    source(s_sys);
    filter(f_kernel);
    destination(d_kern);
};
log {
    source(s_sys);
    filter(f_default);
    destination(d_mesg);
};
log {
    source(s_sys);
    filter(f_auth);
    destination(d_auth);
};
log {
    source(s_sys);
    filter(f_mail);
    destination(d_mail);
};
log {
    source(s_sys);
    filter(f_emergency);
    destination(d_mlal);
};
log {
    source(s_sys);
    filter(f_news);
    destination(d_spol);
};
log {
    source(s_sys);
    filter(f_boot);
    destination(d_boot);
};
log {
    source(s_sys);
    filter(f_cron);
    destination(d_cron);
};
# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et: