[root@server2 software]# wget -d -r -np http://www.frasunek.com/sources/security/sqlsyslogd/
[root@server2 software]# cd www.frasunek.com/sources/security/sqlsyslogd/
[root@server2 sqlsyslogd]# rm -rf index.html*
[root@server2 sqlsyslogd]# cd contrib/
[root@server2 contrib]# rm -rf index.html*
[root@server2 contrib]# cd
[root@server2 ~]# mv /usr/local/src/software/www.frasunek.com/sources/security/sqlsyslogd/ /usr/
local/src/software/
3:make,複製sqlsyslogd二進制程序到/usr/local/sbin目錄下
[root@server2 ~]# cd /usr/local/src/software/sqlsyslogd/
[root@server2 sqlsyslogd]# make
cc -O6 -Wall -pipe -I/usr/local/include -DCONF=\"/usr/local/etc/sqlsyslogd.conf\" -L/usr/local/lib/mysql -lmysqlclient sqlsyslogd.c -o sqlsyslogd
[root@server2 sqlsyslogd]# cp sqlsyslogd /usr/local/sbin/
4:執行下sqlsyslogd程序,出現下面的命令選項則說明安裝成功
[root@server2 sqlsyslogd]# sqlsyslogd
usage: sqlsyslogd [-h hostname] <-u username> [-p] <-t table> [database]
5:修改/etc/ld.so.conf文件,並使其生效,這個文件維護着編譯的動態鏈接庫位置
[root@server2 sqlsyslogd]# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/lib/mysql
[root@server2 sqlsyslogd]# ldconfig
6:在數據庫中創建相應的庫和表
[root@server2 sqlsyslogd]# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 158
Server version: 5.1.36-log Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database syslog;
Query OK, 1 row affected (0.00 sec)
mysql> use syslog
Database changed
mysql> create table logs (Id int(10) NOT NULL auto_increment,Timestamp varchar(16),Host varchar(50),Prog varchar(50),Mesg text,PRIMARY KEY (id));
Query OK, 0 rows affected (0.01 sec)
mysql> exit
Bye
7:該文件定義了連接數據庫的密碼
[root@server2 sqlsyslogd]# cat /usr/local/etc/sqlsyslogd.conf
123456
8:在syslog-ng主配置文件中添加下列配置
[root@server2 sqlsyslogd]# vi /usr/local/syslog-ng/etc/syslog-ng.conf
destination sqlsyslogd{
program("/usr/local/sbin/sqlsyslogd -u root -t logs syslog -p");
};
log {
source(s_remote);
destination(sqlsyslogd);
};
9:重啓syslog-ng服務
[root@server2 sqlsyslogd]# service syslog-ng restart
Stopping Kernel Logger: [ OK ]
Starting Kernel Logger: [ OK ]
10:客戶端發消息測試
[root@server2 sqlsyslogd]# tail -1 /var/log/syslog-ng/20100226/192.168.90.1/messages
Feb 26 14:25:47 192.168.90.1 root[6058]: just for fun
上面的安裝步驟中syslog-ng.conf文件的配置不夠形象,下面再詳細貼一個syslog-ng.conf的簡單配置作爲參考:
#############################################################################
# Default syslog-ng.conf file which collects all local logs into a
# single file called /var/log/messages.
#
@version: 3.3
@include "scl.conf"
source s_local {
system();
internal();
};
source s_network {
tcp(ip(0.0.0.0) port(514));
udp(ip(0.0.0.0) port(514));
};
filter f_outbound {
level(info..emerg);
host("ip|ip") and program("^node-syslog-outbound");
};
destination d_local {
file("/var/log/messages");
};
destination d_network {
file("/opt/apps/log/$YEAR$MONTH$DAY$HOUR$MIN.log" create_dirs(yes));
};
log {
#source(s_local);
#destination(d_local);
source(s_network);
filter(f_outbound);
destination(d_network);
};
filter f_inbound {
level(info..emerg);
host("ip|ip") and program("^node-syslog-inbound");
};
destination d_inbound {
file("/opt/apps/log_inbound/$YEAR$MONTH$DAY$HOUR$MIN.log" create_dirs(yes));
};
log {
source(s_network);
filter(f_softbound);
destination(d_softbound);
};
以上就配置好了日誌收集機器了,但是其它生產機怎麼將日誌發過來呢?
因爲其它生產機默認採用的syslogd寫syslog的,而syslogd自帶有發送日誌到網絡上,只需要添加配置即可。
在/etc/syslog.conf上添加一行:
*.* @ip
syslogd就會將服務器上的sysylog發送到這個ip上面,默認連接的端口是514,這一點可以在syslog-ng的配置裏面看到。
ok,一個日誌收集搭建完畢。