个人工具

Quick HOWTO : Ch05 : Troubleshooting Linux with syslog/zh

来自Ubuntu中文

跳转至: 导航, 搜索


简介

目前市场上有数百种 Linux 应用软件,它们都有自己的配置文件和帮助文件。虽然这种多样性显示了 Linux 领域的活力,但给系统管理造成了不少的麻烦。幸运的是,大部分 Linux 应用程序都使用 syslog 工具来记录它们运行时产生的所有错误和状态信息。这些记录文件被保存在 /var/log 目录中。

这些日志对于我们分析系统中发生的事件的时间和起因非常有价值。记住,尽管很多软件经常不把错误信息显示在屏幕上,但是它们还是会把这些日志记录下来。了解这些输出信息对于解决错误来说是非常重要的。因为你可以根据这些信息从诸如产品手册、在线文档以及网页搜索中迅速找到答案。

syslog,以及清除日志文件的工具 -- logrotate,它们配置起来相对比较容易,但它们分析起来还是有些难度。我接下来将用专门的一章来讲解 syslog。以此来强调它们对于你的 Linux 知识的重要性,并帮助你学会一项有用的技能来帮助你将来解决各种不同的软件错误。

syslog

syslog是一个追踪和记录系统运行时所产生的所有信息的工具。从简单报告到一重错误一概记录。每条系统信息在发送到syslog服务器时,都会加上两条相关的标签以便将来处理。


  • 第一个标签描述的是产生这条信息的软件的功能。例如,一个邮件或者计划任务所产生的信息将分表表上mail和cron。
  • 第二个标签描述的是这条信息的严重程度。一个有八个级别,列在表5-1中:

你可以修改syslog的配置文件来将不同严重程度和功能的信息分别储存到不同的文件中。这将会在以后详细说明。


表 5-1 Syslog Facilities

严重程度

关键字

描述

0

emergencies

系统无法使用

1

alerts

急需处理

2

critical

危险

3

errors

出错

4

warnings

警告

5

notifications

一般问题但是很重要

6

informational

通知

7

debugging

调试


/etc/syslog.conf 文件

在/etc/syslog.conf配置文件中,可以设置各类信息将写入哪个文件。这个配置文件包括两列。第一列列出了应用程序所属分类名和预期的严重程度,第二列是这些信息将记录到哪个文件。默认情况下,主RedHat/Fedora的/etc/syslog.conf文件设置为为把大部分信息记录在/var/log/messages文件中。这里是一个范例:

*.info;mail.none;authpriv.none;cron.none /var/log/messages

在这个例子中,除了功能为“邮件”、“权限确认”和“计划任务”产生的信息不记录外,其他所有的严重程度为“通知”的信息将会全部记录。你只要将上面这句进行如下修改,日志系统将会更加敏感。它将会记录所有严重程度等于或高于“调试”级别的信息。这样将会更有利于解决系统使用中出现的错误。

*.debug /var/log/messages

在下面这个例子中,除了auth, authpriv, news 和 mail等类别外,其他所有的”调试”级别的错误都将会记录到/var/log/debug文件中。值得注意的是,你可以用每一行结尾加一个反斜杠(\)的方法将一行内容写成多行。

*.=debug;\
 auth,authpriv.none;\
 news.none;mail.none -/var/log/debug 

以下设置除auth,authpriv,news,mail类别外,其他所有类别的info、notice和warn级别的信息将会记录到/var/log/messages中。

*.=info;*.=notice;*.=warn;\
 auth,authpriv.none;\
 cron,daemon.none;\
 mail,news.none -/var/log/messages

你也可以让某些特定的信息发送到所有登陆的用户屏幕上。以下这个例子可以将所有严重级别等于或高于“emergencies”的信息发送出去。你只需要用星号代替其他就可以了。

*.emerg *

某些应用软件也会将自己的运行状况记录到特定的日志文件上,而这个功能是不受以上介绍的syslog.conf文件控制的。举例如下:

文件:

/var/log/maillog  : 邮件
/var/log/httpd/access_log  : Apache网页服务器访问记录

文件夹:

/var/log
/var/log/samba  : Samba文件共享服务器信息
/var/log/mrtg  : MRTG 信息
/var/log/httpd  : Apache网页服务器信息

注意:在某些老版本的Linux中,/etc/syslog.conf文件只识别tab键间隔。如果用空格,将导致一些不可预料的后果。为了保证安全请详细检查/etc/syslog.conf文件的格式。

使syslog配置文件的修改生效

对/etc/syslog.conf文件的修改只有在你下次重启syslog服务时才会生效。使用以下命令可以实现:

[[email protected] tmp]# service syslog restart

在 Ubuntu / Debian 系统中,请使用如下命令重启syslog服务:

[email protected]:~# /etc/init.d/sysklogd restart

怎样查看日志文件里最新的记录

如果你想让最新的日志记录显示在屏幕上,可以用如下命令实现:

[[email protected] tmp]# tail -f /var/log/messages

类似的命令可以用来查看所有日志文件。这有可能是Linux系统中最好的用来排除系统错误的工具。另外一个很好的工具是grep。grep可以帮你在一个日志文件中找到所有包含某个特定词条的事件;而且你还可以运用管道和more这个命令使得这些信息每次只显示一页:

[[email protected] tmp]# grep string /var/log/messages | more

当然你也可以只简简单单的用more来将日志文件一次一屏的显示出来:

[[email protected] tmp]# more /var/log/messages


将日志信息记录到远程Linux服务器上

Logging your system messages to a remote server is a good security practice. With all servers logging to a central syslog server, it becomes easier to correlate events across your company. It also makes covering up mistakes or malicious activities harder because the purposeful deletion of log files on a server cannot simultaneously occur on your logging server, especially if you restrict the user access to the logging server.

将你的系统信息记录到远程服务器上将是一个很好的安全措施。如果把公司所有的服务器的日志信息都记录到一个集中的syslog服务器上,这将会方便你管理各个服务器中发生的相关事件。特别是当你限制用户访问日志服务器时,这将会怎强整个网络的安全性能。因为由于错误或者一些恶意来删除日志文件的行为将会被制止。br>

配置Linux Syslog 服务器

By default syslog doesn't expect to receive messages from remote clients. Here's how to configure your Linux server to start listening for these messages.

在默认情况下,syslog并不会接受远程客户端的信息。下面将告诉你怎么样配置Linux服务器来监听来自其它客户端的信息。

As we saw previously, syslog checks its /etc/syslog.conf file to determine the expected names and locations of the log files it should create. It also checks the file /etc/sysconfig/syslog to determine the various modes in which it should operate. Syslog will not listen for remote messages unless the SYSLOGD_OPTIONS variable in this file has a -r included in it as shown below.

正如我们前面看到的,syslog会检查/etc/syslog.conf以决定日志文件名及日志文件的保存位置。它也检查/etc/sysconfig/syslog文件来决定操作的应属不同模式。如果SYSLOGD_OPTIONS参数不是像下面一样设置为 -r 的话,syslog将不会监听远程信息。

# Options to syslogd (syslogd服务的可选参数)
# -m 0 disables 'MARK' messages. (-m 0 取消‘MARK’信息)
# -r enables logging from remote machines (-r 允许记录远程机器的信息)
# -x disables DNS lookups on messages received with -r (-x 当-r参数开启时,禁止DNS查询)
# See syslogd(8) for more details (需要进一步了解请用man查看syslog(8) )

 SYSLOGD_OPTIONS="-m 0 -r"

# Options to klogd (klogd选项)
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops' (-2 将内核的oops信息打印两次;一次供klogd解码,一次供 #‘ksymoops’处理。
# -x disables all klogd processing of oops messages entirely (-x 完全取消klogd处理oops信息)
# See klogd(8) for more details (需要进一步了解请用man查看klogd(8) )

KLOGD_OPTIONS="-2"

Note: In Debian / Ubuntu systems you have to edit the syslog startup script /etc/init.d/sysklogd directly and make the SYSLOGD variable definition become "-r".

注意:在Debian/Ubuntu系统中,你必须直接编辑syslog启动脚本/etc/init.d/sysklogd,将SYSLOGD的参数定义为“-r”。

# Options for start/restart the daemons (启动/重启守护进程的选项)
# For remote UDP logging use SYSLOGD="-r" 远程UDP日志请使用SYSLOGD=“-r“
#
#SYSLOGD="-u syslog"
SYSLOGD="-r"

You will have to restart syslog on the server for the changes to take effect. The server will now start to listen on UDP port 514, which you can verify using either one of the following netstat command variations.

要使你的设置生效,你必须重启服务器上的syslog服务。现在服务器已经开始监听UDP端口514。你可以使用以下任何一个netstat命令来确认是否操作成功。

[[email protected] tmp]# netstat -a | grep syslog
udp 0 0 *:syslog *:*
[[email protected] tmp]# netstat -an | grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:*
[[email protected] tmp]#

配置Linux客户端

The syslog server is now expecting to receive syslog messages. You have to configure your remote Linux client to send messages to it. This is done by editing the /etc/hosts file on the Linux client named smallfry. Here are the steps:

syslog服务器现在可以接受syslog信息了。你还要设置好远程linux客户端向服务器发送信息。以下显示在客户端名为smallfry的机器上编辑/etc/hosts文件来实现。步骤如下:

1) Determine the IP address and fully qualified hostname of your remote logging host.

2) Add an entry in the /etc/hosts file in the format:

1)确定远程主机的IP地址和有效的域名。

2)在/etc/hosts文件中加入如下一条:

IP-address fully-qualified-domain-name hostname "loghost"

Example:

192.168.1.100 bigboy.my-site.com bigboy loghost

Now your /etc/hosts file has a nickname of "loghost" for server bigboy.

现在你的/etc/hosts文件中为服务器主机bigboy设置了一个别名loghost。

3) The next thing you need to do is edit your /etc/syslog.conf file to make the syslog messages get sent to your new loghost nickname.

3)下一步你要编辑你的/etc/syslog.conf 文件使得syslog信息能发送到你新设置的日志服务器loghost上。

*.debug @loghost
*.debug /var/log/messages

You have now configured all debug messages and higher to be logged to both server bigboy ("loghost") and the local file /var/log/messages. Remember to restart syslog to get the remote logging started.

现在你的机器将会将所有“调试”级别及以上级别的信息同时发送到服务器bigboy和本地文件/var/log/messeges上。记住,在你启动远程日志前请重启syslog服务。

You can now test to make sure that the syslog server is receiving the messages with a simple test such as restarting the lpd printer daemon and making sure the remote server sees the messages.

现在你可以做个简单测试看看syslog服务器是否在接受你的信息了。我们现在重启一下lpd打印机守护进程,看看能否在服务器上看到相关信息。

Linux 客户端

[[email protected] tmp]# service lpd restart
Stopping lpd: [ OK ]
Starting lpd: [ OK ]
[[email protected] tmp]#

Linux 服务器端

[[email protected] tmp]# tail /var/log/messages
...
...
Apr 11 22:09:35 smallfry lpd: lpd shutdown succeeded
Apr 11 22:09:39 smallfry lpd: lpd startup succeeded
...
...
[[email protected] tmp]#

syslog配置和Cisco网络设备

syslog reserves facilities "local0" through "local7" for log messages received from remote servers and network devices. Routers, switches, firewalls and load balancers each logging with a different facility can each have their own log files for easy troubleshooting. Appendix 4 has examples of how to configure syslog to do this with Cisco devices using separate log files for the routers, switches, PIX firewalls, CSS load balancers and LocalDirectors.

syslog保留从“local0”到“local7”这几个设备号来接受从远程服务器和网络设备上发送过来的日志信息。路由器,交换机,防火墙和负载均衡器都很容易给它们各自配置一个独立的日志文件。附录4以Cisco设备为例,显示了如何通过路由器,交换机,PIX防火墙,CSS 负载均衡器以及LocalDirectors(一款Cisco 服务器负载平衡产品)的单独日志文件来设置syslog。

Logrotate

The Linux utility logrotate renames and reuses system error log files on a periodic basis so that they don't occupy excessive disk space.

Logrote是用来定期重命名和重新使用系统错误日志文件的一个应用程序。它可以保证日志文件不会占用太大的磁盘空间。


/etc/logrotate.conf 文件

This is logrotate's general configuration file in which you can specify the frequency with which the files are reused.

它logrotate的一般性配置文件。你可以通过它设置那个文件被重用以及多久重用一次。

  • You can specify either a weekly or daily rotation parameter. In the case below the weekly option is commented out with a #, allowing for daily updates.
  • The rotate parameter specifies the number of copies of log files logrotate will maintain. In the case below the 4 copy option is commented out with a #, while allowing 7 copies.
  • The create parameter creates a new log file after each rotation
  • 你可以设定循环参数为每周或每天。在下面这个例子中,“每周”这个参数被“#”注释了,保留“每天”参数。
  • 循环参赛还可定义一个保留多少份日志文件备份。下面这个例子中保留4份,7份的参数被注释了。
  • 创建参数在每轮循环后新建一个日志文件。

Therefore, our sample configuration file will create daily archives of all the logfiles and store them for seven days. The files will have the following names with, logfile being current active version:

因此,在我们的示例中,将所有的日志文件每天备份,而且将他们保留7天。这些日志文件将会有如下的文件名形式:

logfile
logfile.0
logfile.1
logfile.2
logfile.3
logfile.4
logfile.5
logfile.6


/etc/logrotate.conf 文件示例

# rotate log files weekly (每周循环更新记录日志文件)
#weekly

# rotate log files daily (每天。。。 。。。)
daily

# keep 4 weeks worth of backlogs (保留4周内的日志文件备份)
#rotate 4

# keep 7 days worth of backlogs (保留七日内日志文件备份)
rotate 7

# create new (empty) log files after rotating old ones (在循环掉就的文件时创建新的空日志文件)
create


/etc/logrotate.d 文件夹

Most Linux applications that use syslog will put an additional configuration file in this directory to specify the names of the log files to be rotated. It is a good practice to verify that all new applications that you want to use the syslog log have configuration files in this directory. Here are some sample files that define the specific files to be rotated for each application.

许多需要使用syslog的Linux应用程序会将它们的设置文件放置在这个文件夹中以使它们的日志文件实现轮转,并且以它们特有的名字命名。你最好经常查证所有新安装的使用syslog的软件是否在这个文件夹中留有配置文件。下面给出一些示例,它们给特定的软件指定特定的日志轮转文件。

Here is an example of a custom file located in this directory that rotates files with the .tgz extension which are located in the /data/backups directory. The parameters in this file will override the global defaults in the /etc/logrotate.conf file. In this case, the rotated files won't be compressed, they'll be held for 30 days only if they are not empty, and they will be given file permissions of 600 for user root.

现在在这个目录下有一个示例文件,它将/data/backups文件将中的文件以.tgz格式来轮转。在这个文件中的参数将覆盖在/etc/logrotate.conf文件中的设置。在这个例子中,轮转文件将不会被压缩,而且它们非空的情况下将保存30天。它们的文件将所属为root,权限设置为600.

/data/backups/*.tgz {

 daily
 rotate 30
 nocompress
 missingok
 notifempty
 create 0600 root root
}


Note: In Debian / Ubuntu systems the /etc/cron.daily/sysklogd script reads the /etc/syslog.conf file and rotates any log files it finds configured there. This eliminates the need to create log rotation configuration files for the common system log files in the /etc/logrotate.d directory. As the script resides in the /etc/cron.daily directory it automatically runs every 24 hours. In Fedora / Redhat systems this script is replaced by the /etc/cron.daily/logrotate daily script which does not use the contents of the syslog configuration file, relying mostly on the contents of the /etc/logrotate.d directory.

注意:在Debian/Ubuntu系统中,/etc/cron.daily.sysklogd脚本将读取/etc/syslog.conf文件,并根据它轮转所有设定的日志文件。所以,对于一般的系统日志,你不必再在/etc/logrotate.d文件夹中重复设定了。因为在 /etc/cron.daily文件夹中它每24小时便运行一次。在Fedora/Redhat系统中,这个脚本被/etc/cron.daily/logrotate取代。而且它不读取syslog配置文件。所以,你必须在/etc/logrotate.d设置好。

激活logrotate

The above logrotate settings in the previous section will not take effect until you issue the following command:

以上对logrotate的设置只有在你使用下面命令时才会生效:

[[email protected] tmp]# logrotate -f

If you want logrotate to reload only a specific configuration file, and not all of them, then issue the logrotate command with just that filename as the argument like this:

如果你想让logrotate只读取特定的配置文件而不是所有,把配置文件名作为logrotate的参数运行:

[[email protected] tmp]# logrotate -f /etc/logrotate.d/syslog

Compressing Your Log Files

On busy Web sites the size of your log files can become quite large. Compression can be activated by editing the logrotate.conf file and adding the compress option.

如果你的网页访问量比较高,那么日志文件将变得异常大。你可以通过编辑logrotate.conf 文件加入压缩选项来实现对日志文件的压缩。

#
# File: /etc/logrotate.conf
#

# Activate log compression 激活日志压缩功能

compress

The log files will then start to become archived with the gzip utility, each file having a .gz extension.

这些日志文件将用gzip来压缩,所有的文件将会有一个.gz的扩展名。

[[email protected] tmp]# ls /var/log/messages*
/var/log/messages /var/log/messages.1.gz /var/log/messages.2.gz
/var/log/messages.3.gz /var/log/messages.4.gz /var/log/messages.5.gz
/var/log/messages.6.gz /var/log/messages.7.gz
[[email protected] tmp]#

Viewing the contents of the files still remains easy because the zcat command can quickly output their contents to the screen. Use the command with the compressed file's name as the argument as seen below.

查看这些文件的内容依然很容易,因为你可以用zcat命令快速的将它们的内容显示在屏幕上。

[[email protected] tmp]# zcat /var/log/messages.1.gz
...
...
Nov 15 04:08:02 bigboy httpd: httpd shutdown succeeded
Nov 15 04:08:04 bigboy httpd: httpd startup succeeded
Nov 15 04:08:05 bigboy sendmail[6003]: iACFMLHZ023165: to=<[email protected]>, delay=2+20:45:44, xdelay=00:00:02, mailer=esmtp, pri=6388168, relay=www.clematis4spiders.info. [222.134.66.34], dsn=4.0.0, stat=Deferred: Connection refused by www.clematis4spiders.info.
[[email protected] tmp]#


syslog-ng

The more recent syslog-ng application combines the features of logrotate and syslog to create a much more customizable and feature rich product. This can be easily seen in the discussion of its configuration file that follows.

现在使用越来越广泛的syslog-ng程序结合了logrotate和syslog的特性,它能给用户提供更多的自定义功能,从功能上也更加丰富了。这些特性你将很容易在我们下面的讨论中见到。下面我们将结合它的配置文件来详细说明。


/etc/syslog-ng/syslog-ng.conf 文件

The main configuration file for syslog-ng is the /etc/syslog-ng/sylog-ng.conf file but only rudimentary help on its keywords can be found using the Linux man pages.

/etc/syslog-ng/sylog-ng.conf文件是syslog-ng程序的主要配置文件。你可以通过man手册查到关于它的基本关键字说明。

[[email protected] tmp]# man syslog-ng.conf

Figure 5-1 has a sample syslog-ng.conf file and outlines some key features. The options section that covers global characteristics is fully commented, but it is the source, destination and log sections that define the true strength of the customizability of syslog-ng.

图5-1包含了一个syslog-ng.conf文件的示例,在其中标出了一些关键的特性。那些包含全局特性的选项部分全部被注释掉了。但是你必须知道,其实这些选项才是提供强大的自定义日志功能的源泉和目的。

图 5-1 一个syslog-ng.conf文件的示例

options {

 # Number of syslog lines stored in memory before being written to files 多少行日志在写入文件前将储存在内存中?
 sync (0);

 # Syslog-ng uses queues syslog-ng 使用多少个线程?
 log_fifo_size (1000);

 # Create log directories as needed 如果需要是否建立日志文件夹?
 create_dirs (yes);

 # Make the group "logs" own the log files and directories 是否使“logs”这个组拥有这些文件和文件夹?
 group (logs);
 dir_group (logs);

 # Set the file and directory permissions 请设置这些文件和文件夹的权限
 perm (0640);
 dir_perm (0750);

 # Check client hostnames for valid DNS characters 检测客户端主机名以便于验证DNA域名
 check_hostname (yes);

 # Specify whether to trust hostname in the log message. 明确说明是否相信日志信息中的主机名。
 # If "yes", then it is left unchanged, if "no" the server replaces 如果选“yes”,它将不会被改变。如果选“no”,主服务器将
 # it with client's DNS lookup value. 使用客户端DNS查找值覆盖它们。(不懂!!)
 keep_hostname (yes);

 # Use DNS fully qualified domain names (FQDN) 为日志文件夹的名字使用DNS全部确认的域名。
 # for the names of log file folders 
 use_fqdn (yes);
 use_dns (yes);

 # Cache DNS entries for up to 1000 hosts for 12 hours 给最多1000个主机,最长12个小时储存这些DNS入口。
 dns_cache (yes);
 dns_cache_size (1000);
 dns_cache_expire (43200);

 };


# Define all the sources of localhost generated syslog
# messages and label it "d_localhost"
source s_localhost {
 pipe ("/proc/kmsg" log_prefix("kernel: "));
 unix-stream ("/dev/log");
 internal();
};
 
# Define all the sources of network generated syslog
# messages and label it "d_network"
source s_network {
 tcp(max-connections(5000));
 udp();
};

# Define the destination "d_localhost" log directory
destination d_localhost {
 file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/localhost/$FACILITY.log");
};

# Define the destination "d_network" log directory
destination d_network {
 file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log");
};

# Any logs that match the "s_localhost" source should be logged
# in the "d_localhost" directory

log { source(s_localhost);
 destination(d_localhost);
};

# Any logs that match the "s_network" source should be logged
# in the "d_network" directory
 
log { source(s_network);
 destination(d_network);
};


In our example, the first set of sources is labeled s_localhost. It includes all system messages sent to the Linux /dev/log device, which is one of syslog's data sources, all messages that syslog-ng views as being of an internal nature and additionally inserts the prefix "kernel" to all messages it intercepts on their way to the /proc/kmsg kernel message file.

Unlike a regular syslog server which listens for client messages on UDP port 514, syslog-ng also listens on TCP port 514. The second set of sources is labeled s_network and includes all syslog messages obtained from UDP sources and limits TCP syslog connections to 5000. Limiting the number of connections to help regulate system load is a good practice in the event that some syslog client begins to inundate your server with messages.

Our example also has two destinations for syslog messages, one named d_localhost, the other, d_network. These examples show the flexibility of syslog-ng in using variables. The $YEAR, $MONTH and $DAY variables map to the current year, month and day in YYYY, MM and DD format respectively. Therefore the example:

/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log

refers to a directory called /var/log/syslog-ng/2005.07.09 when messages arrive on July 9, 2005. The $HOST variable refers to the hostname of the syslog client and will map to the client's IP address if DNS services are deactivated in the options section of the syslog-ng.conf file. Similarly the $FACILITY variable refers to the facility of the syslog messages that arrive from that host.

Installing syslog-ng

The most recent syslog-ng and its companion eventlog tar files can be downloaded from the www.balabit.com website. The installation procedure is straightforward, but you will need to have the Linux gcc C programming language compiler preinstalled to be successful. Here are the steps.

1. Download the tar files from the BalaBit website. In this case we have browsed the website beforehand and know the exact URLs to use with the wget command.

[[email protected] tmp]# wget wget http://www.balabit.com/downloads/syslog-ng/2.0/src/eventlog-0.2.5.tar.gz
--12:34:17-- wget http://www.balabit.com/downloads/syslog-ng/2.0/src/eventlog-0.2.5.tar.gz
 => `eventlog-0.2.5.tar.gz'
...
...
...

12:34:19 (162.01 KB/s) - `eventlog-0.2.5.tar.gz' saved [345231]

[[email protected] tmp]# wget http://www.balabit.com/downloads/syslog-ng/2.0/src/syslog-ng-2.0.0.tar.gz
--12:24:21-- wget http://www.balabit.com/downloads/syslog-ng/2.0/src/syslog-ng-2.0.0.tar.gz
 => ` syslog-ng-2.0.0.tar.gz'
...
...
...

12:24:24 (156.15 KB/s) - ` syslog-ng-2.0.0.tar.gz' saved [383589]

[[email protected] tmp]#

2. Install the prerequisite glib libraries.

[[email protected] tmp]# yum -y install glib


3. Using the tar command we extract the files in the pre-requisite eventlog archive and then use the configure; make and make install commands to install them correctly. Pay special attention to the output of the configure command to make sure that all the pre-installation tests are passed. If not, install the packages the error messages request and then start again.

[[email protected] tmp]# tar -xzf eventlog-0.2.5.tar.gz
[[email protected] tmp]# cd eventlog-0.2.5
[[email protected] eventlog-0.2.5]# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
...
...
...
[[email protected] eventlog-0.2.5]# make
Making all in utils
make[1]: Entering directory `/tmp/eventlog-0.2.5/utils'
sed -e "s,_SCSH_,/usr/bin/scsh," make_class.in >make_class
...
...
...
[[email protected] eventlog-0.2.5]# make install
Making install in utils
make[1]: Entering directory `/tmp/eventlog-0.2.5/utils'
make[2]: Entering directory `/tmp/eventlog-0.2.5/utils'
...
...
...
make[2]: Leaving directory `/tmp/eventlog-0.2.5'
make[1]: Leaving directory `/tmp/eventlog-0.2.5'
[[email protected] eventlog-0.2.5]#


4. The next step is to install the prerequisite glib package on your system.

[[email protected] eventlog-0.2.5]# yum -y install glib

5. Some environmental variables also need to be set prior to the installation of the syslog-ng files.

[[email protected] eventlog-0.2.5]# PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/
[[email protected] eventlog-0.2.5]# export PKG_CONFIG_PATH


6. Using the tar command we extract the files in the pre-requisite syslog-ng archive and then use the configure, make clean, make and make install commands to install them correctly. In this case we the --sysconfdir directive with the configure command to make sure syslog-ng searches for its configuration file in the /etc directory. Once again, pay close attention to the pre-installation tests that the configure command executes.

[[email protected] eventlog-0.2.5]# cd /tmp
[[email protected] tmp]# tar -xzf syslog-ng-2.0.0.tar.gz
[[email protected] tmp]# cd syslog-ng-2.0.0
[[email protected] syslog-ng-2.0.0]# make clean
[[email protected] syslog-ng-2.0.0]# ./configure --sysconfdir=/etc
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
...
...
...
[[email protected] syslog-ng-2.0.0]# make; make install
Making all in src
make[1]: Entering directory `/tmp/ syslog-ng-2.0.0/src'
...
...
...
[[email protected] syslog-ng-2.0.0]#


7. The installation has template init.d/syslog-ng scripts and syslog-ng.conf files in the contribs/ directory.

[[email protected] syslog-ng-2.0.0]# ls contrib/
fedora-packaging init.d.RedHat-7.3 init.d.SuSE
Makefile.in rhel-packaging syslog-ng.conf.HP-UX
syslog-ng.vim init.d.HP-UX init.d.solaris 
Makefile README syslog2ng 
init.d.RedHat syslog-ng.conf.RedHat init.d.SunOS
Makefile.am relogger.pl syslog-ng.conf.doc 
syslog-ng.conf.SunOS
[[email protected] syslog-ng-2.0.0]#


8. Copy the versions for your operating system to the /etc/init.d and /etc , /etc/logrotate.d , /etc/sysconfig directories. The /etc/syslog-ng/ directory needs to be created beforehand. Redhat and Fedora installations have their own subdirectories contrib/.

[[email protected] syslog-ng-2.0.0]# mkdir /etc/syslog-ng/
[[email protected] syslog-ng-2.0.0]# cp contrib/fedora-packaging/syslog-ng.init \
 /etc/init.d/syslog-ng
[[email protected] syslog-ng-2.0.0]# cp contrib/fedora-packaging/syslog-ng.conf \
 /etc
[[email protected] syslog-ng-2.0.0]# cp contrib/fedora-packaging/syslog-ng.sysconfig \
 /etc/sysconfig/syslog-ng
[[email protected] syslog-ng-2.0.0]# cp contrib/fedora-packaging/syslog-ng.logrotate \
 /etc/logrotate.d/syslog-ng

Remember that you may want to customize your syslog-ng.conf file.

9. Change the permissions on your new /etc/inid.d/syslog-ng file.

[[email protected] syslog-ng-2.0.0]# chmod 755 /etc/init.d/syslog-ng


10. You need to be careful. The init.d script may refer to a syslog-ng binary file that's in an incorrect location. Find its true location and edit the script.

[[email protected] syslog-ng-2.0.0]# updatedb
[[email protected] syslog-ng-2.0.0]# locate syslog-ng | grep bin
/usr/local/sbin/syslog-ng
[[email protected] syslog-ng-2.0.0]# vi /etc/init.d/syslog-ng
...
#exec="/sbin/syslog-ng"
exec="/usr/local/sbin/syslog-ng"
...
:wq
[[email protected] syslog-ng-2.0.0]#

11. Next create the /etc/syslog-ng directory for the configuration files and the /var/log/syslog-ng directory for the log files.

[[email protected] syslog-ng-2.0.0]# chkconfig syslog off
[[email protected] syslog-ng-2.0.0]# chkconfig syslog-ng on
[[email protected] syslog-ng-2.0.0]# service syslog stop
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
[[email protected] syslog-ng-2.0.0]# service syslog-ng start
syslog-ng: unrecognized service
[[email protected] syslog-ng-2.0.0]#


12. The sample syslog-ng.conf file in Figure 5-1 was configured to have all directories owned by the group logs. This user group needs to be created and any users that need access to the directories need to added to this group using the usermod command. In this case the user peter is added to the group and the groups command is used to verify success.

[[email protected] tmp]# groupadd logs
[[email protected] tmp]# usermod -G logs peter
[[email protected] tmp]# groups peter
peter: users logs
[[email protected] tmp]# usermod -G logs peter

13. You can now configure syslog-ng to start on the next reboot with the chkconfig command and then use the service command to start it immediately. Remember to stop the old syslog process beforehand.

[[email protected] tmp]# service syslog stop
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
[[email protected] tmp]# chkconfig syslog off
[[email protected] tmp]# chkconfig syslog-ng on
[[email protected] tmp]# service syslog-ng start
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
[[email protected] tmp]#

14. Now, your remote hosts should log begin logging to the /var/log/syslog-ng directory. According to our preliminary configuration file, there should be sub-directories categorized by date inside it. Each of these sub-directories in turn will have directories beneath them named after the IP address and/or hostname of the various remote syslog clients and will contain files categorized by syslog facility. In this example we see that the 2005.07.09 directory as received messages from three hosts, 192.168.1.1, 192.168.1.100 and localhost.

[[email protected] tmp]# ls /var/log/syslog-ng/
2005.07.09
[[email protected] tmp]# ll /var/log/syslog-ng/2005.07.09/
drwxr-x--- 2 root logs 4096 Jul 9 17:01 192-168-1-1.my-web-site.org
drwxr-x--- 2 root logs 4096 Jul 9 16:45 192-168-1-99.my-web-site.org
drwxr-x--- 2 root logs 4096 Jul 9 23:24 LOGGER
[[email protected] tmp]# ls /var/log/syslog-ng/2005.07.09/localhost/
cron.log kern.log local7.log syslog.log
[[email protected] tmp]#

Using syslog-ng your system can now be used as a much more customizable tool to help troubleshoot devices attached to your network. Each day syslog-ng will automatically create new sub-directories to match the current date and at the end of each calendar quarter the files will be moved to a special archive directory containing all the data for the previous three months. This archived data can then be periodically deleted as needed. For very large deployments, or for better searching and correlation capabilities, it is possible to send the output of syslog-ng to a SQL type database. This is beyond the scope of this book, but it is a worthwhile feature to keep in mind.

Configuring syslog-ng Clients

Clients logging to the syslog-ng server don't need to have syslog-ng installed on them, a regular syslog client configuration will suffice.


Simple syslog Security

One of the shortcomings of a syslog server is that it doesn't filter out messages from undesirable sources. It is therefore wise to implement the use of TCP wrappers or a firewall to limit the acceptable sources of messages when your server isn't located on a secure network. This will help to limit the effectiveness of syslog based denial of service attacks aimed at filling up your server's hard disk or taxing other system resources that could eventually cause the server to crash.

Remember that regular syslog servers listen on UDP port 514 and syslog-ng servers rely on port 514 for both UDP and TCP. Please refer to Chapter 14, "Linux Firewalls Using iptables", on Linux firewalls for details on how to configure the Linux iptables firewall application and Appendix I, "Miscellaneous Linux Topics", for further information on configuring TCP wrappers.


其中一个缺点, Syslog服务器并没有把不良的来源的消息过滤掉。因此,当你的的服务器位于一个不安全的网络时,. 使用TCP wrappers软件或防火墙,用来限制可以接受的来源的邮件时,是一个明智的举措。这将有助于限制基于拒绝服务攻击的成效,这种拒绝服务攻击的目的是填塞你的服务器的硬盘或加重其他系统资源负担,它有可能最终导致服务器崩溃。[1]

Conclusion

In the next chapter we cover the installation of Linux applications, and the use of syslog will become increasingly important especially in the troubleshooting of Linux-based firewalls which can be configured to ignore and then log all undesirable packets; the Apache Web server which logs all application programming errors generated by some of the popular scripting languages such as PERL and PHP; and finally, Linux mail whose configuration files are probably the most frequently edited system documents of all and which correspondingly suffer from the most mistakes.

This syslog chapter should make you more confident to learn more about these applications via experimentation because you'll at least know where to look at the first sign of trouble.


在下一章我们介绍如何安装Linux应用程序,并且使用系统日志将变得越来越重要,特别是在基于Linux的防火墙故障排除,它可以配置为忽略,然后记录所有的不良包;


Apache Web服务器—它记录了所有应用程序编程错误所产生的一些流行的脚本语言,如Perl和PHP ;最后介绍Linux的邮件—其配置文件很可能是最常见的编辑系统的所有文件和相应遭受的最错误的。

这个系统日志的章节应使你更有信心,通过实验了解更多关于这些应用,因为您至少知道在麻烦来临时,在哪里找到它。