
Syslog-ng+Rsyslog收集日志:Syslog-ng安装(一)

环境:
日志收集服务器:syslog-ng_V3.3.7
Tomcat客户端:syslog + tomcat

干扰:
1.为了方便调试,先将防火墙和SELinux关闭(仅限调试阶段;生产环境应保持开启,改为在防火墙中放行514/tcp和514/udp)。
#service iptables stop     //停止防火墙
#chkconfig iptables off    //开机不启动
#service iptables status    //查看防火墙状态
防火墙停止运行了。




2.将SELINUX=enforcing 改成 SELINUX=disabled
#vi /etc/selinux/config
#setenforce 0    //临时关闭
#/usr/sbin/sestatus -v    //查看seliux状态
已经关闭了




3.系统默认安装了rsyslog,会与514端口冲突,需卸载或停用,这里选择停用。
# chkconfig rsyslog off    //禁止开机启动
# service rsyslog stop    //停止rsyslog


安装syslog-ng:
方法一:直接用 yum
#yum install -y syslog-ng
全局配置在 /etc/syslog-ng/syslog-ng.conf 中。
不建议新手用方法一安装,因为这样无法了解安装过程。
方法二:手动安装 (以下步骤必须按顺序执行,有依赖关系)

安装编译环境
#yum install -y gcc gcc-c++ pcre libcurl libcurl-devel gmodule gthread glib2-devel
1、安装eventlog
#tar -zxvf eventlog_0.2.12.tar.gz
#cd  eventlog-0.2.12
#./configure --prefix=/usr/local/eventlog
#make && make install
2、安装libol
#tar -zxvf libol-0.3.18.tar.gz
#cd libol-0.3.18
#./configure --prefix=/usr/local/libol
#make && make install
3、安装syslog-ng
#vi /etc/profile    //设置环境变量(修改后执行 source /etc/profile 使其在当前会话生效)
export PKG_CONFIG_PATH=/usr/local/eventlog/lib/pkgconfig/
//开始安装
#tar -zxvf syslog-ng_3.3.7.tar.gz
#cd syslog-ng-3.3.7
#./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol/
#make && make install


4、配置syslog-ng

说明:一条日志的处理流程大概是这样的,如下
首先是 "日志的来源 source s_name { ... };"
然后是 "过滤规则 filter f_name { ... };"
再然后是 "消息链(执行)log { source(s_name); filter(f_name); destination(d_name) };"
最后是 "目标动作 destination d_name { ... };"
声明过程如上,但是在配置文件中,“目标动作”在“消息链”前面。和编程中的声明一样。

全局配置的是在 /usr/local/syslog-ng/etc/syslog-ng.conf 中

@version:3.3.5
# NOTE(review): the build above installs syslog-ng 3.3.7; @version declares the
# configuration syntax level rather than the binary version — confirm 3.3.5 is intended.
options {
# Maximum size of a single log message (bytes).
log_msg_size(8192);
# Number of lines buffered before writing to a destination; 0 sends each message as it arrives.
flush_lines(1);
# Length of the output queue, in lines.
log_fifo_size(20480);
# Seconds to wait before reconnecting a dead connection.
time_reopen(10);
# Resolve sender addresses via DNS.
# NOTE(review): this collector accepts 514/udp from any host (see s_src), so each
# unknown sender triggers a lookup; consider use_dns(no) if that becomes a bottleneck.
use_dns(yes);
# Cache DNS results.
dns_cache(yes);
# Use fully-qualified host names.
use_fqdn(yes);
# Keep the host name carried inside the message instead of the resolved one.
# NOTE(review): that name is chosen by the sender and is not authenticated.
keep_hostname(yes);
# Chain host names; useful when relaying logs across several network segments.
chain_hostnames(no);
# Create missing destination directories.
create_dirs(yes);
# Default mode for created log files (octal).
perm(0644);
# Seconds between two STATS messages (statistics about dropped messages);
# 0 disables sending them.
stats_freq(43200);
};

# Messages generated by syslog-ng itself.
source s_internal {
internal();
};

# Logs of the collector host itself: the /dev/log socket (at most 50 concurrent
# clients) and the kernel ring buffer, tagged with program name "kernel: ".
source s_local {
unix-stream("/dev/log" max-connections(50));
file("/proc/kmsg" program_override("kernel: "));
};

# Remote logs: tcp and udp port 514 on every local address (0.0.0.0).
# NOTE(review): with the host firewall stopped in step 1 this accepts messages
# from any host, and udp carries no sender authentication; prefer binding to the
# collector's own address or re-enabling the firewall with only the expected
# clients allowed.
source s_src {
tcp(ip(0.0.0.0) port(514));
udp(ip(0.0.0.0) port(514));
};

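# Filters select messages by syslog facility/level; each is referenced by name
# from a log {} statement below. Missing spaces between tokens (e.g. "andlevel")
# would not parse, so every operator is separated here.
filter f_cron { facility(cron); };
filter f_console { facility(kern); };
filter f_bootlog { facility(local7); };
# Level info, excluding mail, authpriv and cron (each has its own file).
filter f_messages { level(info) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_secure { facility(authpriv); };
filter f_spooler { facility(uucp) or (facility(news) and level(crit)); };
# NOTE: despite its name, f_local6 matches the mail facility.
filter f_local6 { facility(mail); };
filter f_local4 { facility(local4); };
# Presumably Tomcat's catalina output, sent on local5 — confirm against the client config.
filter f_catalina { facility(local5); };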

# syslog-ng's own internal messages (from s_internal).
# NOTE(review): no perm() here, so presumably the global perm(0644) applies while
# every other destination uses 0640 — confirm a world-readable file is intended.
destination d_syslognglog {
file("/var/log/syslog-ng.log");
};

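# Per-day, per-host files under /var/log/syslog-ng/<YEAR><MONTH><DAY>/<HOST>/.
# $HOST is the host name attached to the message — with keep_hostname(yes) in
# options, the name the sender supplied — so each sender gets its own directory.
# All files are root-owned, mode 0640; directories 0750, created on demand.
destination d_loc_messages {
file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/loc_messages"
owner("root") group("root")
perm(0640) dir_perm(0750)
create_dirs(yes));
};
destination d_messages {
file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages"
owner("root") group("root")
perm(0640) dir_perm(0750)
create_dirs(yes));
};
destination d_local7 {
file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/local7"
owner("root") group("root")
perm(0640) dir_perm(0750)
create_dirs(yes));
};
destination d_localhost_access_log {
file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/tomcat-access"
owner("root") group("root")
perm(0640) dir_perm(0750)
create_dirs(yes));
};
destination d_local6 {
file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/local6"
owner("root") group("root")
perm(0640) dir_perm(0750)
create_dirs(yes));
};
destination d_console {
file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console"
owner("root") group("root")
perm(0640) dir_perm(0750)
create_dirs(yes));
};
destination d_secure {
file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure"
owner("root") group("root")
perm(0640) dir_perm(0750)
create_dirs(yes));
};
destination d_cron {
file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron"
owner("root") group("root")
perm(0640) dir_perm(0750)
create_dirs(yes));
};
destination d_spooler {
file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler"
owner("root") group("root")
perm(0640) dir_perm(0750)
create_dirs(yes));
};
destination d_bootlog {
file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog"
owner("root") group("root")
perm(0640) dir_perm(0750)
create_dirs(yes));
};
destination d_syslog {
file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/syslog"
owner("root") group("root")
perm(0640) dir_perm(0750)
create_dirs(yes));
};
# Tomcat output (see f_catalina).
destination d_catalina {
file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/catalina.out"
owner("root") group("root")
perm(0640) dir_perm(0750)
create_dirs(yes));
};
destination d_local4 {
file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/localhost.log"
owner("root") group("root")
perm(0640) dir_perm(0750)
create_dirs(yes));
};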

# Message paths: source -> filter -> destination. Without flags(final) a message
# that matches several paths is written by each of them.
log {source(s_internal); destination(d_syslognglog);};
log {source(s_local); destination(d_loc_messages);};
log {source(s_src);filter(f_messages);destination(d_messages);};
log {source(s_src); filter(f_console);  destination(d_console); };
log {source(s_src); filter(f_secure);  destination(d_secure);  };
log {source(s_src); filter(f_cron);  destination(d_cron); };
log {source(s_src); filter(f_spooler);destination(d_spooler); };
# NOTE(review): the next two paths both use f_bootlog, so every local7 message is
# written to both the bootlog and the local7 file — confirm that is intended.
log {source(s_src); filter(f_bootlog);destination(d_bootlog); };
log {source(s_src); filter(f_bootlog); destination(d_local7);};
log {source(s_src); filter(f_local6);destination(d_local6); };
# NOTE(review): no filter here, so every message from s_src is also written to
# tomcat-access; presumably a filter for the access-log facility was intended.
log {source(s_src); destination(d_localhost_access_log);};
log {source(s_src); filter(f_catalina);destination(d_catalina); };
log {source(s_src); filter(f_local4);destination(d_local4); };

5、添加为系统服务:
# vim /etc/init.d/syslog-ng    //创建syslog-ng文件,内容如下
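#!/bin/bash
#
# syslog-ng    SysV init script for the syslog-ng built under /usr/local.
#
# chkconfig: - 60 27
# description: syslog-ng SysV script.

# Function library providing daemon, killproc and status (written as ". file";
# "./etc/..." would try to execute a relative path instead of sourcing).
. /etc/rc.d/init.d/functions

syslog_ng=/usr/local/syslog-ng/sbin/syslog-ng
prog=syslog-ng
pidfile=/usr/local/syslog-ng/var/syslog-ng.pid
lockfile=/usr/local/syslog-ng/var/syslog-ng.lock
# Extra arguments for the daemon; empty unless supplied by the environment.
OPTIONS=${OPTIONS-}
RETVAL=0
# Seconds killproc waits for a graceful stop before escalating.
STOP_TIMEOUT=${STOP_TIMEOUT-10}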

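#######################################
# Start syslog-ng via the function library's daemon helper.
# Globals:  prog, pidfile, syslog_ng, OPTIONS (read); lockfile (touched); RETVAL (written)
# Returns:  daemon's exit status
#######################################
start() {
  echo -n $"Starting $prog: "
  # $OPTIONS is left unquoted on purpose so several arguments split.
  daemon --pidfile="$pidfile" "$syslog_ng" $OPTIONS
  RETVAL=$?
  echo
  [ "$RETVAL" = 0 ] && touch "$lockfile"
  return "$RETVAL"
}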

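#######################################
# Stop syslog-ng via the function library's killproc helper.
# Globals:  prog, pidfile, STOP_TIMEOUT, syslog_ng (read); lockfile, pidfile (removed); RETVAL (written)
# Returns:  killproc's exit status (not the status of the cleanup)
#######################################
stop() {
  echo -n $"Stopping $prog: "
  killproc -p "$pidfile" -d "$STOP_TIMEOUT" "$syslog_ng"
  RETVAL=$?
  echo
  [ "$RETVAL" = 0 ] && rm -f "$lockfile" "$pidfile"
  return "$RETVAL"
}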

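# Dispatch on the service action; the exit status is whatever the action set.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status -p "$pidfile" "$syslog_ng"
    RETVAL=$?
    ;;
  restart)
    stop
    start
    ;;
  *)
    echo $"Usage: $prog {start|stop|restart|status}"
    RETVAL=2
    ;;
esac
exit $RETVAL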


加入开机启动:
# chmod a+x /etc/init.d/syslog-ng    //给syslog-ng脚本执行权限
# killall syslogd                    //关闭
# chkconfig --add syslog-ng
# chkconfig syslog-ng on
# service syslog-ng start    //启动 syslog-ng


参考文章:
http://blog.clanzx.net/2013/12/31/rsyslog.html
http://blogread.cn/it/article/4825?f=wb
http://www.liaohuqiu.net/cn/posts/log-center/
http://luyongxin88.blog.163.com/blog/static/925580720112275183903/
https://mos.meituan.com/library/5/how-to-config-rsyslog/
http://www.liaohuqiu.net/cn/posts/log-center/
http://www.tuicool.com/articles/Jv2eUvn
http://blog.csdn.net/yab2012/article/details/50561627
http://blog.csdn.net/chenhao112358/article/details/40892239
http://my.oschina.net/0757/blog/198329?fromerr=wsJoMf7J

http://my.oschina.net/0757/blog/198329?fromerr=X23pzHkY
http://comments.gmane.org/gmane.comp.sysutils.rsyslog/9011
https://sourceforge.net/p/xcat/mailman/message/26333404/
http://comments.gmane.org/gmane.comp.sysutils.rsyslog/17495
http://www.rsyslog.com/doc/v8-stable/configuration/templates.html#legacy-format
http://ubuntuforums.org/archive/index.php/t-1690234.html
https://logtrust.atlassian.net/wiki/display/LD/File+monitoring+via+rsyslog
/article/7229159.html
http://blog.csdn.net/yab2012/article/details/50561627
/article/7121323.html
http://kubiops.com/2015/10/01/rsyslog模板/
http://www.rsyslog.com/article317/
http://www.rsyslog.com/doc/v8-stable/configuration/property_replacer.html
http://itindex.net/detail/41541-linux-日志-管理
http://bguncle.blog.51cto.com/3184079/957315/
本文出自 “悟透的杂货铺” 博客,请务必保留此出处http://wutou.blog.51cto.com/615096/1765271