我的 syslog-ng.conf:
@version: 3.0
# Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/dl/html/syslog...
#
options {
flush_lines (0);
time_reopen (10);
log_fifo_size (10000);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
ts_format (rfc3164);
};
######
# sources
source s_local {
# message generated by Syslog-NG
internal();
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" program_override("kernel: "));
};
source all_tcp { tcp(ip(0.0.0.0) port(1470));
};
source all_udp { udp(ip(0.0.0.0) port(514));
};
######
# destinations
destination d_messages { file("/var/log/messages"); };
destination d_perf_test { file("/apps/logs/syslog_ng/perf_test.1"); };
destination d_prod { file("/apps/logs/syslog_ng/prod.1"); };
destination d_dr { file("/apps/logs/syslog_ng/dr.1"); };
destination d_covad { file("/apps/logs/syslog_ng/covad.1"); };
filter f_perf_test { (host(10.253.16.1) or host(10.253.16.111) or host(10.253.99.1) or host(10.253.16.100) or host(10.253.7.1) or host(10.253.16.101) or host(10.253.16.102) or host(10.253.16.103) or host(172.21.189.128) or host(172.21.189.129) or host(172.21.154.128) or host(172.21.148.128) or host(10.253.8.1)or host(10.253.8.111) or host(172.20.111.10) or host(10.253.8.112) or host(10.253.8.100) or host(10.253.8.101) or host(10.253.8.224) or host(10.253.8.225)); };
filter f_prod { (host(10.253.253.1) or host(10.253.253.3) or host(10.253.253.4) or host(10.253.12.100) or host(10.253.12.1) or host(10.253.12.101) or host(10.253.12.102) or host(10.253.12.103) or host(172.19.189.128) or host(172.19.189.129) or host(172.19.154.128) or host(172.19.148.128) or host(10.253.13.100) or host(10.253.13.1) or host(10.253.13.101) or host(10.253.13.224) or host(10.253.13.225) or host(10.253.101.10)); };
filter f_dr { (host(10.253.253.101) or host(10.253.253.103) or host(10.253.253.104) or host(10.253.253.105) or host(10.253.112.100) or host(10.253.112.1) or host(10.253.112.101) or host(10.253.112.102) or host(10.253.112.103) or host(172.29.189.128) or host(172.29.154.128) or host(172.29.148.128) or host(172.29.148.28) or host(10.253.113.100) or host(10.253.113.1) or host(10.253.113.101) or host(10.253.113.224) or host(10.253.113.225)); };
filter f_covad { (host(10.253.99.150) or host(10.253.99.1)); };
log { source(s_local); destination(d_messages); };
log { source(all_udp); filter(f_perf_test); destination(d_perf_test); };
log { source(all_udp); filter(f_prod); destination(d_prod); };
log { source(all_udp); filter(f_dr); destination(d_dr); };
log { source(all_udp); filter(f_covad); destination(d_covad); };
===================================
Syslog-ng 能够捕获除 10.253.99.1 和 10.253.99.150 之外的所有其他源,目的地为 f_covad
问题:我的配置正确吗?还有其他选项可能有助于解决此问题吗?
如何检查我的网卡是否正在接收来自 covad 源的日志?
我如何检查 syslog-ng 是否正在监听并且能够读取来自 covad 地址的 syslog 消息?
任何帮助将不胜感激。
答案1
过去,我选择将 IP 地址引用为过滤字符串的主机部分。因此,以此为例,您应该进行以下更改:
filter f_covad { (host("10.253.99.150") or host("10.253.99.1")); };
否则,我认为您的配置没有任何问题。接下来,您应该检查主机防火墙,看看 UDP 端口 514 是否从日志源打开。接下来是查看日志是否正常那到目前为止。我经常喜欢做的是简单地使用 tcpdump 来测试 syslog 流量的接收情况。它将解析消息并显示相应的数据。例如:
packs@ node1:~> sudo tcpdump -i eth0 port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:53:35.633091 IP remote.host.local.47007 > node1.local.syslog: SYSLOG user.info, length: 688
13:53:35.646322 IP remote.host.local.47007 > node1.local.syslog: SYSLOG local5.info, length: 204
13:53:35.654178 IP remote.host.local.47007 > node1.local.syslog: SYSLOG local5.info, length: 204
这为我们提供了所需的所有信息,以查看消息是否均匀获得给主人。
答案2
我喜欢以稍微不同的方式组织我的 syslog-ng 配置,以便每个log
定义都flags(final);
像这样:
log { source(s_src); filter(f_auth); destination(d_auth); flags(final); };
这使得我可以在配置的底部有一个“捕获所有”日志。
destination d_catchall { file("/var/log/$YEAR/$MONTH/catchall.$DAY.log" template("$DATE $FULLHOST $PROGRAM $MSG\n") template_escape(no)); };
#filter f_catchall { not host("192.168.0.254"); };
#log { source(s_src); filter(f_catchall); destination(d_catchall); };
log { source(s_src); destination(d_catchall); };
文件中之前未明确记录的所有内容都将记录在 catchall 日志中。这意味着我绝不将任何原木丢在地上。当 DNS 条目丢失或只是输入了错误的 IP 地址时,很容易无法匹配正确的程序或标签名称或使用基于主机的名称。
您可以看到有两行注释掉的内容,用于当我确实需要或想要忽略某些日志时,例如当某些服务正在该debug
级别进行日志记录但我实际上并不想存储所有这些日志时。