Recent blog posts about syslog-ng

php-syslog-ng


A tool for viewing what syslog-ng collects in a web browser

■Official site
http://www.phpwizardry.com/php-syslog-ng.php


■Demo site
http://www.phpwizardry.com/demo/


■How to install
http://gentoo-wiki.com/HOWTO_setup_PHP-Syslog-NG

List of macros usable in syslog-ng.conf


※Reference
http://www.balabit.com/products/syslog_ng/reference-1.6/syslog-ng.html/index.html#id2524536

FACILITY
The name of the facility from where the message originates.

PRIORITY or LEVEL
The priority of the message.

TAG
The priority and facility encoded as a 2 digit hexadecimal number.

PRI
The priority and facility encoded as a 2 or 3 digit decimal number as it is present in syslog messages.

DATE
Date of the message using the BSD-syslog style timestamp format (month/day/hour/minute/second, each expressed in two digits).

FULLDATE
Date of the message using the same format as DATE, but including the year as well.

ISODATE
Date of the message in the ISO standard timestamp format (yy-mm-ddThh:mm:ss+-ZONE). If possible, it is recommended to use ISODATE for timestamping.

YEAR
The year the message was sent. Time expansion macros can either use the time specified in the log message, e.g.: the time the log message is sent, or the time the message was received by the log server. This is controlled by the use_time_recvd() option (see the section called “Options reference”).

MONTH
The month the message was sent.

DAY
The day of month the message was sent.

WEEKDAY
The 3-letter name of the day of week the message was sent, e.g.: 'Thu'.

HOUR
The hour of day the message was sent.

MIN
The minute the message was sent.

SEC
The second the message was sent.

TZOFFSET
The time-zone as hour offset from GMT; e.g.: '-0700'.

TZ
The time zone or name or abbreviation; e.g.: 'PDT'.

HOST
The name of the source host where the message originates from. If the message traverses several hosts and the chain_hostnames() option is on (see the section called “Options reference”), the first host in the chain is used.

FULLHOST
The full FQDN of the host name chain, including the domain name.

HOST_FROM
Name of the host that sent the message to syslog-ng. If the message traverses several hosts, this is the last host in the chain.

FULLHOST_FROM
FQDN of the host that sent the message to syslog-ng. If the message traverses several hosts, this is the last host in the chain.

SOURCEIP
IP address of the host that sent the message to syslog-ng. (I.e. the IP address of the host in the FULLHOST_FROM macro.)

PROGRAM
The name of the program sending the message.

MSG or MESSAGE
Message contents including the program name and pid.

MSGONLY
Message contents without the program name.

■Configuration on the side that sends the logs

○/etc/syslog.conf
*.*     @loghost
That is all. The name after @ must be a log host that can be resolved by DNS. Note that sysklogd forwards everything over UDP port 514 in clear text with no acknowledgement: lines can be dropped on the way, and nothing stops another machine on the path from injecting lines that claim to come from this host.


■Configuration of the log host

○/etc/syslog-ng/syslog-ng.conf

#
# Remote logging
#
source s_remote {
        tcp(ip(0.0.0.0) port(514));
        udp(ip(0.0.0.0) port(514));
};

destination d_separatedbyhosts { file("/var/log/syslog-ng/$HOST/$FACILITY-$YEAR$MONTH$DAY.log"); };

log { source(s_remote); destination(d_separatedbyhosts); };

So I got the idea of combining the Japanese version of ntsyslog with syslog-ng.

Previously I used a tool written in VBScript, run as a daily task, to save the logs as CSV files.
Getting rid of that chore (not really a chore) is a welcome thing.

The Windows logs, however, were a tough nut.
Strings from inside the log message were being recognized as $HOST.
Examples: ese, microsoft, msexchangeis, ntds, removable, rpc, secure, server, service, symantec, web
I don't know whether this is how NTSyslog works or how the Windows event log works, but
it could not be left like that, so I assigned each of the Windows logs to local0.debug and the like.
As a result, the syslog-ng configuration file ended up like this.
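The following is an added example, not code from the post and not syslog-ng's own parser, that models why a message's first word can turn up as $HOST, and at the same time shows how the macros listed earlier on this page (FACILITY, LEVEL, HOST, HOST_FROM, PROGRAM, MSG, MSGONLY, YEAR/MONTH/DAY and friends) get their values. A BSD-syslog line has no delimiter between the optional hostname and the program tag, so a receiver has to guess; the rule coded here (a word ending in ':' or containing '[' is the tag, any other word is the hostname) is a model of the behaviour the post describes, not a copy of syslog-ng 1.6's code. The sample lines and the 192.0.2.x addresses are constructed, and the sender argument stands in for the reverse-DNS lookup that use_dns(yes) performs.

```python
"""Model of the BSD-syslog header heuristic a receiver such as syslog-ng 1.6
applies: <PRI>, a timestamp, then an OPTIONAL hostname that can only be told
apart from the program tag by guessing.  Added illustration, not syslog-ng
code."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "security",
              "console", "solaris-cron", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

HEADER = re.compile(r"^<(?P<pri>\d{1,3})>"
                    r"(?P<mon>[A-Z][a-z]{2}) (?P<day>[ \d]\d) "
                    r"(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) ?(?P<rest>.*)$")


def parse_bsd_syslog(sender, raw, keep_hostname=True, recv_year=2006):
    """Return a dict keyed by syslog-ng macro name for one BSD-syslog line.

    sender    -- name or address of the peer that delivered the line; stands
                 in for the reverse-DNS name use_dns(yes) would look up
    recv_year -- BSD timestamps carry no year, the receiver supplies it
    """
    m = HEADER.match(raw)
    if not m:
        raise ValueError("not a BSD-syslog line: %r" % raw)
    pri = int(m.group("pri"))
    rest = m.group("rest")
    # The word after the timestamp is either a hostname or the program tag,
    # and nothing in the format says which.  Model rule: a word that ends in
    # ':' or contains '[' is a tag ("sshd[123]:"); any other word is HOST.
    first, _, remainder = rest.partition(" ")
    if first.endswith(":") or "[" in first:
        host_in_msg, tag_and_msg = None, rest
    else:
        host_in_msg, tag_and_msg = first, remainder
    tag, _, msgonly = tag_and_msg.partition(" ")
    program = re.split(r"[\[:]", tag, 1)[0]
    # keep_hostname(yes): trust the hostname found in the message.
    # keep_hostname(no), or no hostname present: name the sender instead.
    host = host_in_msg if keep_hostname and host_in_msg else sender
    return {
        "PRI": str(pri),
        "FACILITY": FACILITIES[pri >> 3],
        "LEVEL": LEVELS[pri & 7],
        "PRIORITY": LEVELS[pri & 7],
        "YEAR": "%04d" % recv_year,
        "MONTH": "%02d" % (MONTHS.index(m.group("mon")) + 1),
        "DAY": "%02d" % int(m.group("day")),
        "HOUR": m.group("hh"), "MIN": m.group("mm"), "SEC": m.group("ss"),
        "HOST": host,
        "HOST_FROM": sender,
        "PROGRAM": program,
        "MSG": tag_and_msg,
        "MSGONLY": msgonly,
    }


def expand(template, record):
    """Expand $MACRO references the way a file() destination path does."""
    return re.sub(r"\$([A-Z_]+)", lambda mo: record[mo.group(1)], template)


# Constructed sample lines, not traffic captured from the author's network.
# PRI 134 = local0.info, 135 = local0.debug, 13 = user.notice.
WITH_HOST = "<134>May  5 16:34:49 dc1 ntds[200]: KCC completed a pass"
NO_HOST = "<135>May  5 16:34:49 MSExchangeIS 9523 Mailbox store mounted"
FORWARDED = "<13>May  5 16:34:49 sshd[123]: Accepted password for root"
PATH = "/var/log/syslog-ng/$HOST/$FACILITY-$YEAR$MONTH$DAY.log"

if __name__ == "__main__":
    for line in (WITH_HOST, NO_HOST, FORWARDED):
        rec = parse_bsd_syslog("192.0.2.10", line)
        print("%-14s %-8s %-12s -> %s" % (rec["HOST"], rec["FACILITY"],
                                          rec["PROGRAM"], expand(PATH, rec)))
```

Run it and the second line, which carries no hostname, is filed under /var/log/syslog-ng/MSExchangeIS/ because keep_hostname(yes) keeps whatever word turned up in the hostname slot; with keep_hostname(no) all three lines are filed under the sender instead. The fix used in the post, giving each Windows log its own facility/level pair and filtering on those instead of on host(), sidesteps the guess entirely.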

options {
        sync (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_dns (yes);
        use_fqdn (no);
        create_dirs (yes);
        keep_hostname (yes);
        stats(86400);
        dir_perm(0750);
        perm(0640);
        owner(root);
        group(root);
};

#
# configuration file for syslog-ng, customized for remote logging
#

source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };

# Local sources, filters and destinations are commented out
# If you want to replace sysklogd simply uncomment the following
# parts and disable sysklogd
#
# Local sources
#
source s_local { unix-stream ("/dev/log"); pipe ("/proc/kmsg" log_prefix ("kernel:")); };
#
# Local filters
#
filter f_messages { level(info..emerg); };
filter f_secure { facility(authpriv); };
filter f_maillog { facility(mail); };
filter f_cron { facility(cron); };
filter f_emerg { level(emerg); };
filter f_spooler { level(crit..emerg) and facility(uucp, news); };
filter f_local7 { facility(local7); };
#
# Local destinations
#
destination d_messages { file("/var/log/messages"); };
destination d_secure { file("/var/log/secure"); };
destination d_maillog { file("/var/log/maillog"); };
destination d_cron { file("/var/log/cron"); };
destination d_console { usertty("root"); };
destination d_spooler { file("/var/log/spooler"); };
destination d_bootlog { file("/var/log/boot.log"); };
#
# Local logs - order DOES matter !
#
log { source(s_local); filter(f_emerg); destination(d_console); };
log { source(s_local); filter(f_secure); destination(d_secure); flags(final); };
log { source(s_local); filter(f_maillog); destination(d_maillog); flags(final); };
log { source(s_local); filter(f_cron); destination(d_cron); flags(final); };
log { source(s_local); filter(f_spooler); destination(d_spooler); };
log { source(s_local); filter(f_local7); destination(d_bootlog); };
log { source(s_local); filter(f_messages); destination(d_messages); };

#
# Remote logging
#
source s_remote {
        tcp(ip(0.0.0.0) port(514));
        udp(ip(0.0.0.0) port(514));
};

#
# Network device filters
#
filter f_internet-gw { host("internet-gw"); };
filter f_firewall { host("firewall"); };
filter f_L3Switch { host("L3Switch"); };
filter f_pppoe-router { host("pppoe-router"); };
filter f_subnet-gw { host("subnet-gw"); };

#
# Windows Server filters
# Kept from overlapping with the network devices' logs.
#
filter f_domain_controler_1_application { facility(local0) and level(debug) and not host("firewall"); };
filter f_domain_controler_1_directory { facility(local0) and level(info) and not host("firewall"); };
filter f_domain_controler_1_dns { facility(local0) and level(notice) and not host("firewall"); };
filter f_domain_controler_1_file_replication { facility(local0) and level(warning) and not host("firewall"); };
filter f_domain_controler_1_security { facility(local0) and level(error) and not host("firewall"); };
filter f_domain_controler_1_system { facility(local0) and level(crit) and not host("firewall"); };

filter f_domain_controler_2_application { facility(local1) and level(emerg) and not host("internet-gw"); };
filter f_domain_controler_2_directory { facility(local1) and level(info) and not host("internet-gw"); };
filter f_domain_controler_2_dns { facility(local1) and level(notice) and not host("internet-gw"); };
filter f_domain_controler_2_file_replication { facility(local1) and level(warning) and not host("internet-gw"); };
filter f_domain_controler_2_security { facility(local1) and level(error) and not host("internet-gw"); };
filter f_domain_controler_2_system { facility(local1) and level(crit) and not host("internet-gw"); };

filter f_exchange_1_application { facility(local2) and level(debug) and not host("subnet-gw"); };
filter f_exchange_1_security { facility(local2) and level(info) and not host("subnet-gw"); };
filter f_exchange_1_system { facility(local2) and level(notice) and not host("subnet-gw"); };

filter f_exchange_2_application { facility(local2) and level(warning) and not host("subnet-gw"); };
filter f_exchange_2_security { facility(local2) and level(error) and not host("subnet-gw"); };
filter f_exchange_2_system { facility(local2) and level(crit) and not host("subnet-gw"); };

filter f_Citrix_1_application { facility(local4) and level(debug) and not host("pppoe-router"); };
filter f_Citrix_1_security { facility(local4) and level(info) and not host("pppoe-router"); };
filter f_Citrix_1_system { facility(local4) and level(notice) and not host("pppoe-router"); };

filter f_Citrix_2_application { facility(local4) and level(warning) and not host("pppoe-router"); };
filter f_Citrix_2_security { facility(local4) and level(error) and not host("pppoe-router"); };
filter f_Citrix_2_system { facility(local4) and level(crit) and not host("pppoe-router"); };

filter f_exchange_front_application { facility(local5) and level(debug); };
filter f_exchange_front_security { facility(local5) and level(error); };
filter f_exchange_front_system { facility(local5) and level(crit); };
filter f_exchange_front_virtual { facility(local5) and level(alert); };

filter f_isa2004_application { facility(local6) and level(debug); };
filter f_isa2004_security { facility(local6) and level(info); };
filter f_isa2004_system { facility(local6) and level(notice); };

filter f_citrix_gateway_application { facility(local6) and level(warning); };
filter f_citrix_gateway_security { facility(local6) and level(error); };
filter f_citrix_gateway_system { facility(local6) and level(crit); };
filter f_citrix_gateway_secure_gateway { facility(local6) and level(alert); };

#
# Network device log destinations
#
destination d_internet-gw { file("/var/log/syslog-ng/internet-gw/$YEAR$MONTH$DAY.log"); };
destination d_firewall { file("/var/log/syslog-ng/firewall/$YEAR$MONTH$DAY.log"); };
destination d_L3Switch { file("/var/log/syslog-ng/L3Switch/$YEAR$MONTH$DAY.log"); };
destination d_pppoe-router { file("/var/log/syslog-ng/PPPoE-router/$YEAR$MONTH$DAY.log"); };
destination d_subnet-gw { file("/var/log/syslog-ng/subnet-gw/$YEAR$MONTH$DAY.log"); };

#
# Windows Server log destinations
#
destination d_domain_controler_1_application { file("/var/log/syslog-ng/domain_controler_1/application/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_1_directory { file("/var/log/syslog-ng/domain_controler_1/directory/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_1_dns { file("/var/log/syslog-ng/domain_controler_1/dns/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_1_file_replication { file("/var/log/syslog-ng/domain_controler_1/file_replication/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_1_security { file("/var/log/syslog-ng/domain_controler_1/security/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_1_system { file("/var/log/syslog-ng/domain_controler_1/system/$YEAR$MONTH$DAY.log"); };

destination d_domain_controler_2_application { file("/var/log/syslog-ng/domain_controler_2/application/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_2_directory { file("/var/log/syslog-ng/domain_controler_2/directory/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_2_dns { file("/var/log/syslog-ng/domain_controler_2/dns/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_2_file_replication { file("/var/log/syslog-ng/domain_controler_2/file_replication/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_2_security { file("/var/log/syslog-ng/domain_controler_2/security/$YEAR$MONTH$DAY.log"); };
destination d_domain_controler_2_system { file("/var/log/syslog-ng/domain_controler_2/system/$YEAR$MONTH$DAY.log"); };

destination d_exchange_1_application { file("/var/log/syslog-ng/exchange_1/application/$YEAR$MONTH$DAY.log"); };
destination d_exchange_1_security { file("/var/log/syslog-ng/exchange_1/security/$YEAR$MONTH$DAY.log"); };
destination d_exchange_1_system { file("/var/log/syslog-ng/exchange_1/system/$YEAR$MONTH$DAY.log"); };

destination d_exchange_2_application { file("/var/log/syslog-ng/exchange_2/application/$YEAR$MONTH$DAY.log"); };
destination d_exchange_2_security { file("/var/log/syslog-ng/exchange_2/security/$YEAR$MONTH$DAY.log"); };
destination d_exchange_2_system { file("/var/log/syslog-ng/exchange_2/system/$YEAR$MONTH$DAY.log"); };

destination d_Citrix_1_application { file("/var/log/syslog-ng/Citrix_1/application/$YEAR$MONTH$DAY.log"); };
destination d_Citrix_1_security { file("/var/log/syslog-ng/Citrix_1/security/$YEAR$MONTH$DAY.log"); };
destination d_Citrix_1_system { file("/var/log/syslog-ng/Citrix_1/system/$YEAR$MONTH$DAY.log"); };

destination d_Citrix_2_application { file("/var/log/syslog-ng/Citrix_2/application/$YEAR$MONTH$DAY.log"); };
destination d_Citrix_2_security { file("/var/log/syslog-ng/Citrix_2/security/$YEAR$MONTH$DAY.log"); };
destination d_Citrix_2_system { file("/var/log/syslog-ng/Citrix_2/system/$YEAR$MONTH$DAY.log"); };

destination d_exchange_front_application { file("/var/log/syslog-ng/exchange_front/application/$YEAR$MONTH$DAY.log"); };
destination d_exchange_front_security { file("/var/log/syslog-ng/exchange_front/security/$YEAR$MONTH$DAY.log"); };
destination d_exchange_front_system { file("/var/log/syslog-ng/exchange_front/system/$YEAR$MONTH$DAY.log"); };
destination d_exchange_front_virtual { file("/var/log/syslog-ng/exchange_front/virtual/$YEAR$MONTH$DAY.log"); };

destination d_isa2004_application { file("/var/log/syslog-ng/isa2004/application/$YEAR$MONTH$DAY.log"); };
destination d_isa2004_security { file("/var/log/syslog-ng/isa2004/security/$YEAR$MONTH$DAY.log"); };
destination d_isa2004_system { file("/var/log/syslog-ng/isa2004/system/$YEAR$MONTH$DAY.log"); };

destination d_citrix_gateway_application { file("/var/log/syslog-ng/citrix_gateway/application/$YEAR$MONTH$DAY.log"); };
destination d_citrix_gateway_security { file("/var/log/syslog-ng/citrix_gateway/security/$YEAR$MONTH$DAY.log"); };
destination d_citrix_gateway_system { file("/var/log/syslog-ng/citrix_gateway/system/$YEAR$MONTH$DAY.log"); };
destination d_citrix_gateway_secure_gateway { file("/var/log/syslog-ng/citrix_gateway/secure_gateway/$YEAR$MONTH$DAY.log"); };

#
# Network device log statements
#
log { source(s_remote); filter(f_internet-gw); destination(d_internet-gw); };
log { source(s_remote); filter(f_firewall); destination(d_firewall); };
log { source(s_remote); filter(f_L3Switch); destination(d_L3Switch); };
log { source(s_remote); filter(f_pppoe-router); destination(d_pppoe-router); };
log { source(s_remote); filter(f_subnet-gw); destination(d_subnet-gw); };

#
# Windows Server log statements
#
log { source(s_remote); filter(f_domain_controler_1_application); destination(d_domain_controler_1_application); };
log { source(s_remote); filter(f_domain_controler_1_directory); destination(d_domain_controler_1_directory); };
log { source(s_remote); filter(f_domain_controler_1_dns); destination(d_domain_controler_1_dns); };
log { source(s_remote); filter(f_domain_controler_1_file_replication); destination(d_domain_controler_1_file_replication); };
log { source(s_remote); filter(f_domain_controler_1_security); destination(d_domain_controler_1_security); };
log { source(s_remote); filter(f_domain_controler_1_system); destination(d_domain_controler_1_system); };

log { source(s_remote); filter(f_domain_controler_2_application); destination(d_domain_controler_2_application); };
log { source(s_remote); filter(f_domain_controler_2_directory); destination(d_domain_controler_2_directory); };
log { source(s_remote); filter(f_domain_controler_2_dns); destination(d_domain_controler_2_dns); };
log { source(s_remote); filter(f_domain_controler_2_file_replication); destination(d_domain_controler_2_file_replication); };
log { source(s_remote); filter(f_domain_controler_2_security); destination(d_domain_controler_2_security); };
log { source(s_remote); filter(f_domain_controler_2_system); destination(d_domain_controler_2_system); };

log { source(s_remote); filter(f_exchange_1_application); destination(d_exchange_1_application); };
log { source(s_remote); filter(f_exchange_1_security); destination(d_exchange_1_security); };
log { source(s_remote); filter(f_exchange_1_system); destination(d_exchange_1_system); };

log { source(s_remote); filter(f_exchange_2_application); destination(d_exchange_2_application); };
log { source(s_remote); filter(f_exchange_2_security); destination(d_exchange_2_security); };
log { source(s_remote); filter(f_exchange_2_system); destination(d_exchange_2_system); };

log { source(s_remote); filter(f_Citrix_1_application); destination(d_Citrix_1_application); };
log { source(s_remote); filter(f_Citrix_1_security); destination(d_Citrix_1_security); };
log { source(s_remote); filter(f_Citrix_1_system); destination(d_Citrix_1_system); };

log { source(s_remote); filter(f_Citrix_2_application); destination(d_Citrix_2_application); };
log { source(s_remote); filter(f_Citrix_2_security); destination(d_Citrix_2_security); };
log { source(s_remote); filter(f_Citrix_2_system); destination(d_Citrix_2_system); };

log { source(s_remote); filter(f_exchange_front_application); destination(d_exchange_front_application); };
log { source(s_remote); filter(f_exchange_front_security); destination(d_exchange_front_security); };
log { source(s_remote); filter(f_exchange_front_system); destination(d_exchange_front_system); };
log { source(s_remote); filter(f_exchange_front_virtual); destination(d_exchange_front_virtual); };

log { source(s_remote); filter(f_isa2004_application); destination(d_isa2004_application); };
log { source(s_remote); filter(f_isa2004_security); destination(d_isa2004_security); };
log { source(s_remote); filter(f_isa2004_system); destination(d_isa2004_system); };

log { source(s_remote); filter(f_citrix_gateway_application); destination(d_citrix_gateway_application); };
log { source(s_remote); filter(f_citrix_gateway_security); destination(d_citrix_gateway_security); };
log { source(s_remote); filter(f_citrix_gateway_system); destination(d_citrix_gateway_system); };
log { source(s_remote); filter(f_citrix_gateway_secure_gateway); destination(d_citrix_gateway_secure_gateway); };

#
# Extra line: every captured log also goes into the test directory, to check the configuration.
#
destination d_separatedbyhosts { file("/var/log/syslog-ng/test/$HOST-$YEAR$MONTH$DAY.log"); };

log { source(s_remote); destination(d_separatedbyhosts); };

The OS is RedHat 9.
The RPMs used are ones built on RedHat 9 from the libol and syslog-ng sources.

■Installing from the RPMs

# ls
libol-0.3.18-1.i386.rpm            readme_RH9
libol-debuginfo-0.3.18-1.i386.rpm  syslog-ng-1.6.10-1.i386.rpm
libol-devel-0.3.18-1.i386.rpm      syslog-ng-debuginfo-1.6.10-1.i386.rpm

# rpm -ivh libol-0.3.18-1.i386.rpm
Preparing...                ########################################### [100%]
   1:libol                  ########################################### [100%]

# rpm -ivh syslog-ng-1.6.10-1.i386.rpm
Preparing...                ########################################### [100%]
   1:syslog-ng              ########################################### [100%]
Starting syslog-ng: [ OK ]

○syslog-ng starts right away at this point, so stop it for the moment.

# ps aux | grep syslog
root     29273  0.0  0.0  1452  240 ?        S    May04   0:01 syslogd -r -x -m 0
root     32629  0.0  0.3  1820  836 ?        S    15:59   0:00 /sbin/syslog-ng
root     32641  0.0  0.2  4576  664 pts/0    S    16:00   0:00 grep syslog

# /etc/init.d/syslog-ng stop
Shutting down syslog-ng: [ OK ]

○Make syslog-ng start automatically at boot, and keep syslogd from starting.

# chkconfig --list | grep syslog
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog-ng       0:off   1:off   2:on    3:on    4:on    5:on    6:off

# chkconfig --level 2345 syslog off

# chkconfig --list | grep syslog
syslog          0:off   1:off   2:off   3:off   4:off   5:off   6:off
syslog-ng       0:off   1:off   2:on    3:on    4:on    5:on    6:off

■Create a configuration file that behaves the same as RedHat's stock syslog. In this setup the configuration file is /etc/syslog-ng/syslog-ng.conf.

# cd /etc/syslog-ng/

# ls
syslog-ng.conf

Keep a copy of the default configuration file, just in case.
# cp syslog-ng.conf syslog-ng.conf.default


■Editing syslog-ng.conf

○Accept syslog from remote hosts.

# Remote logging
source s_remote {
        tcp(ip(0.0.0.0) port(514));
        udp(ip(0.0.0.0) port(514));
};

destination d_separatedbyhosts { file("/var/log/syslog-ng/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };

log { source(s_remote); destination(d_separatedbyhosts); };

This works as it is, but a small tweak to the destination makes the log file roll over automatically by date:
destination d_separatedbyhosts {
        file("/var/log/syslog-ng/$HOST/$HOST-$YEAR$MONTH$DAY.log");
};
○Set the options
options {
        sync (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_dns (yes);
        use_fqdn (no);
        create_dirs (yes);
        keep_hostname (yes);
        stats(86400);
        dir_perm(0750);
        perm(0640);
        owner(root);
        group(root);
};

■The minimal working syslog-ng.conf then looks like this.

#
# configuration file for syslog-ng, customized for remote logging
#

source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };

# Local sources, filters and destinations are commented out
# If you want to replace sysklogd simply uncomment the following
# parts and disable sysklogd
#
# Local sources
#
source s_local { unix-stream ("/dev/log"); pipe ("/proc/kmsg" log_prefix ("kernel:")); };
#
# Local filters
#
filter f_messages { level(info..emerg); };
filter f_secure { facility(authpriv); };
filter f_maillog { facility(mail); };
filter f_cron { facility(cron); };
filter f_emerg { level(emerg); };
filter f_spooler { level(crit..emerg) and facility(uucp, news); };
filter f_local7 { facility(local7); };
#
# Local destinations
#
destination d_messages { file("/var/log/messages"); };
destination d_secure { file("/var/log/secure"); };
destination d_maillog { file("/var/log/maillog"); };
destination d_cron { file("/var/log/cron"); };
destination d_console { usertty("root"); };
destination d_spooler { file("/var/log/spooler"); };
destination d_bootlog { file("/var/log/boot.log"); };
#
# Local logs - order DOES matter !
#
log { source(s_local); filter(f_emerg); destination(d_console); };
log { source(s_local); filter(f_secure); destination(d_secure); flags(final); };
log { source(s_local); filter(f_maillog); destination(d_maillog); flags(final); };
log { source(s_local); filter(f_cron); destination(d_cron); flags(final); };
log { source(s_local); filter(f_spooler); destination(d_spooler); };
log { source(s_local); filter(f_local7); destination(d_bootlog); };
log { source(s_local); filter(f_messages); destination(d_messages); };

# Remote logging
source s_remote {
        tcp(ip(0.0.0.0) port(514));
        udp(ip(0.0.0.0) port(514));
};

destination d_separatedbyhosts { file("/var/log/syslog-ng/$HOST/$HOST-$YEAR$MONTH$DAY.log"); };

log { source(s_remote); destination(d_separatedbyhosts); };

options {
        sync (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_dns (yes);
        use_fqdn (no);
        create_dirs (yes);
        keep_hostname (yes);
        stats(86400);
        dir_perm(0750);
        perm(0640);
        owner(root);
        group(root);
};
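As an added example, not part of the post, here is a small Python audit of the two parts of the configuration above that decide who can write into /var/log/syslog-ng/$HOST/: the listener definition and the options block. It runs over the post's own listener and options lines and over a hardened variant of my own (TCP only, bound to a single placeholder address 192.0.2.1, keep_hostname(no)), and reports the settings that let a sender choose where its lines are filed. The parsing is a regex that understands only these block types, not a syslog-ng configuration parser.

```python
"""Audit of listener/options settings in a syslog-ng 1.6 style configuration.
Added example; the regex parsing covers only the block types it needs."""
import re

# Excerpt of the configuration shown above (listener, destination, options).
WEAK_CONF = """
source s_remote { tcp(ip(0.0.0.0) port(514)); udp(ip(0.0.0.0) port(514)); };
destination d_separatedbyhosts { file("/var/log/syslog-ng/$HOST/$HOST-$YEAR$MONTH$DAY.log"); };
log { source(s_remote); destination(d_separatedbyhosts); };
options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off);
          use_dns (yes); use_fqdn (no); create_dirs (yes); keep_hostname (yes);
          stats(86400); dir_perm(0750); perm(0640); owner(root); group(root); };
"""

# Assumed hardened variant (mine, not the author's): TCP only, bound to one
# address (192.0.2.1 is a placeholder), $HOST taken from the sender rather
# than from the text of the message.
HARDENED_CONF = """
source s_remote { tcp(ip(192.0.2.1) port(514)); };
destination d_separatedbyhosts { file("/var/log/syslog-ng/$HOST/$HOST-$YEAR$MONTH$DAY.log"); };
log { source(s_remote); destination(d_separatedbyhosts); };
options { sync (0); time_reopen (10); log_fifo_size (1000); long_hostnames (off);
          use_dns (yes); use_fqdn (no); create_dirs (yes); keep_hostname (no);
          stats(86400); dir_perm(0750); perm(0640); owner(root); group(root); };
"""


def parse_conf(text):
    """Return ({option: value}, [(proto, ip, port), ...])."""
    options = {}
    m = re.search(r"\boptions\s*\{(.*?)\};", text, re.S)
    if m:
        for name, value in re.findall(r"(\w+)\s*\(\s*([^)]*?)\s*\)", m.group(1)):
            options[name] = value
    listeners = []
    for proto, body in re.findall(r"\b(tcp|udp)\s*\(([^;]*)\)\s*;", text):
        ip = re.search(r"\bip\(([^)]*)\)", body)
        port = re.search(r"\bport\(([^)]*)\)", body)
        # syslog-ng 1.6 defaults when omitted: all interfaces, port 514
        listeners.append((proto, ip.group(1) if ip else "0.0.0.0",
                          port.group(1) if port else "514"))
    return options, listeners


def audit(text):
    """Return the list of findings for a configuration; empty means clean."""
    options, listeners = parse_conf(text)
    findings = []
    for proto, ip, port in listeners:
        if proto == "udp":
            findings.append("udp listener on %s:%s: datagrams carry no session, "
                            "so a forged source address passes as any host" % (ip, port))
        if ip == "0.0.0.0":
            findings.append("%s listener bound to every interface; bind to the "
                            "collector's own address and firewall port %s" % (proto, port))
    if options.get("keep_hostname") == "yes":
        findings.append("keep_hostname(yes): $HOST is the hostname the sender wrote "
                        "into the message, so the sender picks the $HOST directory")
    for name in ("perm", "dir_perm"):
        mode = options.get(name)
        if mode is not None and int(mode, 8) & 0o007:
            findings.append("%s(%s) lets every local user read the collected logs" % (name, mode))
    return findings


if __name__ == "__main__":
    for label, conf in (("post's config", WEAK_CONF), ("hardened", HARDENED_CONF)):
        found = audit(conf)
        print("%s: %d finding(s)" % (label, len(found)))
        for f in found:
            print("  - " + f)
```

With keep_hostname(no) and use_dns(yes) the directory is named by reverse-resolving the peer's address, which for a TCP connection is at least the address that completed the handshake. Dropping udp() also requires that the log-emitting side can send over TCP, which the stock sysklogd of that era could not, so where UDP has to stay, treat its $HOST as unverified. One more caveat from the syslog-ng 1.6 documentation: the daemon blocks on every DNS query made for use_dns(yes), so a slow or unreachable resolver stalls the whole collector.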

■Checking the configuration file
Whether syslog-ng.conf is syntactically correct can be checked before starting the daemon with  syslog-ng -s [configuration file]
# syslog-ng -s ./syslog-ng.conf
#
If nothing is printed, it is OK.

■Switching from syslog to syslog-ng

# /etc/init.d/syslog stop
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]

# /etc/init.d/syslog-ng start
Starting syslog-ng: [ OK ]

# ps aux | grep syslog
root      2405  0.0  0.3  1836  884 ?        S    16:34   0:00 /sbin/syslog-ng
root      2409  0.0  0.2  4572  660 pts/0    S    16:34   0:00 grep syslog

■Confirm from the logs that syslog-ng is working.

○/var/log/messages
May  5 16:34:41 localhost kernel: Kernel logging (proc) stopped.
May  5 16:34:41 localhost kernel: Kernel log daemon terminating.
May  5 16:34:42 localhost  May  5 16:34:42 syslog: klogd shutdown succeeded
May  5 16:34:42 localhost exiting on signal 15
May  5 16:34:49 localhost syslog-ng: syslog-ng startup succeeded
○/var/log/syslog-ng.log
May  5 15:59:47 s_internal@localhost syslog-ng[32629]: syslog-ng version 1.6.10 starting
May  5 16:00:26 s_internal@localhost syslog-ng[32629]: syslog-ng version 1.6.10 goingdown
May  5 16:34:49 localhost syslog-ng[2405]: syslog-ng version 1.6.10 starting

○With the configuration above, syslog-ng should be writing each received message to a file of the form
 /var/log/syslog-ng/[hostname]/[hostname]-YYYYMMDD.log
so check that as well. Be clear about where that host name comes from: with keep_hostname(yes) it is the hostname field the sender wrote into the message, and only a message that carries no hostname is named by reverse-resolving its source IP address (use_dns(yes)). In both cases the name is supplied by the sending side and is not authenticated, so a misbehaving or hostile sender decides which directory its lines land in.


■Bits and pieces of the migration

○/etc/init.d/syslog is confusing to leave around, so hide it
# mv /etc/init.d/syslog /etc/init.d/.syslog
○/etc/syslog.conf is no longer used either, so hide it
# mv /etc/syslog.conf /etc/.syslog.conf
○/etc/logrotate.d/syslog settings. Adding a lot of entries to the syslog-ng file is tedious, so I decided not to use it. Instead, rewrite the syslog file for syslog-ng and reuse it as is.
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/syslog-ng.log {
	sharedscripts
	postrotate
		/etc/rc.d/init.d/syslog-ng reload > /dev/null 2>&1
		#/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
	endscript
}

○Hide /etc/logrotate.d/syslog-ng
If you don't, an error occurs when cron.daily runs.

# mv /etc/logrotate.d/syslog-ng /etc/logrotate.d/.syslog-ng

Building the syslog-ng RPM

This RPM was built on RedHat 9.
I have also confirmed that one built on CentOS 4.3 works on Fedora Core 3.

The original upstream site:
http://www.balabit.com/products/syslog_ng/

■Downloading the source

Download "Current stable (version 1.6.x)" from "Upgrade source".
# wget http://www.balabit.com/downloads/syslog-ng/1.6/src/syslog-ng-1.6.10.tar.gz
--12:10:26--  http://www.balabit.com/downloads/syslog-ng/1.6/src/syslog-ng-1.6.10.tar.gz
           => `syslog-ng-1.6.10.tar.gz'
Resolving www.balabit.com... done.
Connecting to www.balabit.com[212.92.18.33]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/octet-stream]
    [ <=>                                           ] 711,822       10.29M/s
12:10:37 (10.29 MB/s) - `syslog-ng-1.6.10.tar.gz' saved [711822]
libol, the same company's free library, is also needed, so download its source too.
# wget http://www.balabit.com/downloads/libol/0.3/libol-0.3.18.tar.gz
--12:12:48--  http://www.balabit.com/downloads/libol/0.3/libol-0.3.18.tar.gz
           => `libol-0.3.18.tar.gz'
Resolving www.balabit.com... done.
Connecting to www.balabit.com[212.92.18.33]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/octet-stream]
    [ <=>                                           ] 345,794       10.64M/s
12:13:03 (10.64 MB/s) - `libol-0.3.18.tar.gz' saved [345794]
Both tarballs arrive over plain HTTP, so verify them against a checksum or signature obtained through a trusted channel before building packages from them that will run as root.
Extract them for now and take out the spec (.bb) files inside. After that the extracted directories are not needed and can be deleted.
# ls
libol-0.3.18.tar.gz  
syslog-ng-1.6.10.tar.gz
# tar xzf libol-0.3.18.tar.gz
# tar xzf syslog-ng-1.6.10.tar.gz
# mv libol-0.3.18/libol.spec ./
# mv syslog-ng-1.6.10/syslog-ng.spec.bb ./
# rm -fr libol-0.3.18
# rm -fr syslog-ng-1.6.10
■Building the packages
# ls
libol-0.3.18.tar.gz  
libol.spec  
syslog-ng-1.6.10.tar.gz  
syslog-ng.spec.bb
# mv *.spec* /usr/src/redhat/SPECS/
# mv *.gz /usr/src/redhat/SOURCES/
# cd /usr/src/redhat/SPECS/
■Start with libol.
[root@localhost SPECS]# rpmbuild -bb ./libol.spec
...omitted...
[root@localhost SPECS]# ls ../RPMS/i386/
libol-0.3.18-1.i386.rpm  
libol-debuginfo-0.3.18-1.i386.rpm  
libol-devel-0.3.18-1.i386.rpm

■Building syslog-ng

This version's syslog-ng.spec.bb had one spot that needed correcting:
 Source: syslog-ng_%{version}.tar.gz
 ↓
 Source: syslog-ng-%{version}.tar.gz
[root@localhost SPECS]# rpmbuild -bb ./syslog-ng.spec.bb
...omitted...
Build finished. The RPMs are ready.
[root@localhost SOURCES]# ls ../RPMS/i386/
libol-0.3.18-1.i386.rpm            syslog-ng-1.6.10-1.i386.rpm
libol-debuginfo-0.3.18-1.i386.rpm  syslog-ng-debuginfo-1.6.10-1.i386.rpm
libol-devel-0.3.18-1.i386.rpm

The syslog-ng command

■Arguments of the syslog-ng command

# syslog-ng --help

Usage: syslog-ng [options]
Accept and manage system log messages

Options:
  -s, --syntax-only                 Check the syntax of the configuration file
  -d, --debug                       Print debug messages
  -v, --verbose                     Verbose output
  -F, --foreground                  Don't fork into background
  -f <fname>, --cfgfile=<fname>     Set config file name, default=/etc/syslog-ng/syslog-ng.conf
  -V, --version                     Display version number (syslog-ng 1.6.10)
  -p <fname>, --pidfile=<fname>     Set pid file name, default=/var/run/syslog-ng.pid
  -C <dir>, --chroot=<dir>          Chroot to directory
  -u <user>, --user=<user>          Switch to user
  -g <group>, --group=<group>       Switch to group

On a collector that accepts syslog from the network, -u and -g (and -C where the file paths allow it) are worth using, so that the process parsing untrusted lines does not run as root. Whether the daemon can still bind port 514 after the user switch depends on when it drops privileges, so check syslog-ng.log after starting it that way; and the owner(root)/group(root) settings in the configurations above must change accordingly, since an unprivileged process cannot chown files to root.

■Syntax check of the configuration file
# syslog-ng -s syslog-ng.conf
syntax error at 24
Parse error reading configuration file, exiting. (line 24)

About this archive

This page contains the blog posts written in the past that belong to the syslog-ng category.

Powered by Movable Type 4.1