configure for syslog-ng , syslog-ng.conf , log server , remote log , syslog

 

// ----------------

Server: /etc/syslog-ng/syslog-ng.conf :

# Receive syslog datagrams from remote hosts. udp() with no port() argument
# listens on the default syslog port (514/udp, the port the client below
# sends to). Plain UDP carries no authentication, integrity check or
# acknowledgement: any host that can reach the port can inject lines, the
# sender address can be spoofed, and dropped datagrams are not retried, so
# limit who can reach this port at the host firewall / network boundary.
source remote_host {
        udp();
};

# One file per calendar day. The path is built from time macros only, so
# nothing received from a remote sender influences which file is written.
destination my_host { file("/var/log/$YEAR$MONTH$DAY.log"); };

# Route everything received on remote_host into the daily file.
log {
        source(remote_host);
        destination(my_host);
};

// —————-

 

Client: /etc/syslog-ng/syslog-ng.conf :

# Local messages: the system log socket plus syslog-ng's own internal() messages.
source src { unix-stream("/dev/log"); internal(); };

# Forward to the central log server over plain UDP/514. The transport is
# unencrypted and unacknowledged, so anything on the path can read or drop
# messages; keep the server on a trusted segment.
destination remote_server { udp("172.25.8.109" port(514)); };

# Send all local messages to the remote server.
log {
    source(src);
    destination(remote_server);
};

// —————- 改良版的 log server , 日期/時間比較容易看, remote server 的 IP address

 

其中 flush_lines 可以改大一點增加 log 的 performance ….

# Global options for the log server.
options {
  chain_hostnames(no);   # do not build a chain of relay hostnames in HOST
  use_fqdn(no);
  use_dns(no);           # no reverse lookups on sender addresses: avoids DNS
                         # stalls and keeps the HOST column out of DNS control
  keep_hostname(no);     # HOST comes from the sending address rather than the
                         # hostname claimed inside the message (the sample log
                         # below shows IP addresses in that column)
  flush_lines(0);        # no output batching; the note above says a larger
                         # value improves throughput, at the cost of more
                         # buffered lines lost if syslog-ng stops abruptly
};

# Receive syslog datagrams from remote hosts on the default port (514/udp).
# No authentication or integrity protection: restrict reachability to the
# known client addresses at the firewall.
source remote_host {
  udp();
};

# Line layout for the file destination: date , time , HOST , "message".
# template_escape(no) leaves quotes and backslashes inside ${MSG} untouched,
# so a message containing a double quote breaks the quoting of the last
# field (a remote sender controls MSG). Use template_escape(yes) if these
# files are ever parsed by column.
template t_rewritetime {
  template("${YEAR}-${MONTH}-${DAY} , ${HOUR}:${MIN}:${SEC} , ${HOST} , \"${MSG}\"\n");
  template_escape(no);
};

# One file per hour, written with the t_rewritetime layout. The path uses
# time macros only, so remote data never influences the file name.
destination my_host {
  file("/var/log/$YEAR$MONTH$DAY-$HOUR.log" template(t_rewritetime) );
};

# Route everything received on remote_host into the hourly file.
log {
  source(remote_host);
  destination(my_host);
};

// —— // —————- 改良版的 client , 保留一份 log 在本機備查

# Local messages: the system log socket plus syslog-ng's own internal() messages.
source src { unix-stream("/dev/log"); internal(); };

# Forward over plain UDP/514 and keep a local copy. The local file is the
# only record that survives if datagrams are lost or the server is down;
# rotate it so it cannot fill the disk.
destination remote_server {
  udp( "172.25.8.109" port(514) );
  file("/var/log/local_log_file.log");
};

# Send all local messages to both targets of remote_server.
log {
  source(src);
  destination(remote_server);
};

// —–

log sample :

root@log_server:/etc/syslog-ng# tail -f /var/log/20111024-17.log
2011-10-24 , 17:21:06 , 172.25.x.107 , "crontab[12974]: (root) LIST (root)"
2011-10-24 , 17:22:01 , 172.25.x.108 , "CRON[4150]: pam_unix(cron:session): session opened for user root by (uid=0)"
2011-10-24 , 17:22:01 , 172.25.x.108 , "/USR/SBIN/CRON[4151]: (root) CMD (/usr/sbin/ntpdate 172.25.x.45)"
2011-10-24 , 17:22:01 , 172.25.x.108 , "CRON[4150]: pam_unix(cron:session): session closed for user root"
2011-10-24 , 17:22:49 , 172.30.x.43 , "sshd[5533]: Accepted keyboard-interactive/pam for monster from 172.30.x.89 port 56790 ssh2"
2011-10-24 , 17:22:49 , 172.30.x.43 , "sshd[5533]: pam_unix(sshd:session): session opened for user monster by (uid=0)"
2011-10-24 , 17:22:51 , 172.30.x.43 , "sshd[5533]: pam_unix(sshd:session): session closed for user monster"

// —- 測試 syslog 的 C – sample code :

用 C 的 sample code  

*PS: ubuntu 要先 apt-get update 再裝 apt-get install gcc build-essential

…. // —- 測試 syslog 的 PHP – sample code : , 跟 C 的版本長得一樣 ….

用 PHP 的 sample code

// PHP counterpart of the C sample: open a log handle tagged "myScriptLog"
// (LOG_PID adds the process id, LOG_PERROR also copies each line to stderr,
// LOG_LOCAL0 is the facility), emit one warning, then close the handle.
// Order matters: syslog() must follow openlog().
openlog("myScriptLog", LOG_PID | LOG_PERROR, LOG_LOCAL0);
syslog(LOG_WARNING, "Unauthorized client...." );
closelog();

….

URL: syslog-ng performance tuning 1.