syslog-ng 3.x버전 설치 방법

스위치 / 리눅스 / 윈도우 서버의 로그들을 한군데에서 관리를 하기 위해서 통합 로그 솔루션을 찾던 중 가장 많이 사용되고 있는 syslog-ng 서버 설정에 대하여 찾아 보았는데 최신 자료가 없어서 직접 설정해보고 정리를 해서 올려 놓는다.

http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/downloads/download/syslog-ng-ose/3.4

---

서버에서 

libol 관련 패키지 설치

#yum install glib*

이벤트로그 우선 설치

#tar xvfz eventlog_0.2.12+20120504+1700

#./configure 

# ./make; make install

패키지 경로 추가

#export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH

syslog-ng설치

#tar xvfz syslog-ng_3.5.4.1.tar.gz

#cd syslog-ng

#./configure 

# ./make; make install

시스템 부팅시 실행 하도록 init.d등록

#cd contrib/
#cp init.d.RedHat-7.3 /etc/init.d/syslog-ng

#chmod 733 /etc/init.d/syslog-ng

#which syslog-ng

#chkconfig --add syslog-ng

syslog-ng.conf 내용 변경

#vi /usr/local/etc/syslog-ng.conf

아래내용 복사 붙이기

# # configuration file for syslog-ng, customized for remote logging # options { sync (0);           time_reopen (10);           log_fifo_size (1000);           long_hostnames (off);           use_dns (no);           use_fqdn (no);           create_dirs (no);           keep_hostname (yes);         }; source s_internal { internal(); }; destination d_syslognglog { file("/var/log/syslog-ng.log"); }; log { source(s_internal); destination(d_syslognglog); }; # Local sources, filters and destinations are commented out # If you want to replace sysklogd simply uncomment the following # parts and disable sysklogd # # Local sources # #source s_local { #     unix-dgram("/dev/log"); #     file("/proc/kmsg" program_override("kernel")); #}; # # Local filters # #filter f_messages { level(info..emerg); }; #filter f_secure { facility(authpriv); }; #filter f_mail { facility(mail); }; #filter f_cron { facility(cron); }; #filter f_emerg { level(emerg); }; #filter f_spooler { level(crit..emerg) and facility(uucp, news); }; #filter f_local7 { facility(local7); }; # # Local destinations # #destination d_messages { file("/var/log/messages"); }; #destination d_secure { file("/var/log/secure"); }; #destination d_maillog { file("/var/log/maillog"); }; #destination d_cron { file("/var/log/cron"); }; #destination d_console { usertty("root"); }; #destination d_spooler { file("/var/log/spooler"); }; #destination d_bootlog { file("/var/log/boot.log"); }; # # Local logs - order DOES matter ! # #log { source(s_local); filter(f_emerg); destination(d_console); }; #log { source(s_local); filter(f_secure); destination(d_secure); flags(final); }; #log { source(s_local); filter(f_mail); destination(d_maillog); flags(final); }; #log { source(s_local); filter(f_cron); destination(d_cron); flags(final); }; #log { source(s_local); filter(f_spooler); destination(d_spooler); }; #log { source(s_local); filter(f_local7); destination(d_bootlog); }; #log { source(s_local); filter(f_messages); destination(d_messages); }; # Remote logging source s_remote {      tcp(ip(0.0.0.0) port(514));      udp(port(514)); }; destination d_separatedbyhosts {      file("/home/server_log/$YEAR$MONTH$DAY/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); }; log { source(s_remote); destination(d_separatedbyhosts); };

로그 저장소(확인)

#mkdir /home/server_log

시스로그 시작

#service syslog-ng start

---

클라이언트에서

#service syslog stop

#vi /etc/syslog.conf

# Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.*                                   /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none          /var/log/messages # The authpriv file has restricted access. authpriv.*                              /var/log/secure # Log all the mail messages in one place. mail.*                                   -/var/log/maillog # Log cron stuff cron.*                                   /var/log/cron # Everybody gets emergency messages *.emerg                                   * # Save news errors of level crit and higher in a special file. uucp,news.crit                              /var/log/spooler # Save boot messages also to boot.log local7.*                              /var/log/boot.log *.*     @xxxx.xxxx.xxxx.xxxx (syslog-ng서버의 ip)