
syslog-ng is an open source syslog server that can be installed on many *nix systems. In my example, I installed it on a 64-bit CentOS 6.3 server with the minimal package set.

1) Download and extract the source code.

# -O saves each download under the file name the tar commands below expect;
# without it, wget names the file after the "files?path=..." query string.
wget -O eventlog-0.2.12.tar.gz "http://www.balabit.com/downloads/files?path=/syslog-ng/open-source-edition/3.4.0alpha3/source/eventlog_0.2.12.tar.gz"

wget -O syslog-ng-3.4.0alpha3.tar.gz "http://www.balabit.com/downloads/files?path=/syslog-ng/open-source-edition/3.4.0alpha3/source/syslog-ng_3.4.0alpha3.tar.gz"

tar xvzf eventlog-0.2.12.tar.gz

tar xvzf syslog-ng-3.4.0alpha3.tar.gz

2) Install dependencies.

yum -y install kernel-headers* glibc-headers-* glibc-devel-* gcc-* zlib-* zlib-devel-* libffi-* libffi-devel-* e2fsprogs-devel-* keyutils-libs-devel-* libselinux-devel-* libsepol-devel-* libselinux-devel-* krb5-devel-* openssl-devel-* pcre-devel xz

wget ftp://ftp.gtk.org/pub/glib/2.32/glib-2.32.1.tar.xz
tar xvJf glib-2.32.1.tar.xz
cd glib-2.32.1
./configure
make
make install

3) Install eventlog.

cd eventlog-0.2.12
./configure
make
make install

# glib and eventlog were installed under /usr/local, so syslog-ng's configure
# needs to find their .pc files there.
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH

4) Install syslog-ng.

cd syslog-ng-3.4.0alpha3
./configure
make
make install

5) Create the syslog-ng configuration file.

cd /usr/local/etc

mv syslog-ng.conf syslog-ng.conf.bak

mkdir /var/log/syslog-ng

vi syslog-ng.conf

@version:3.4
@include "scl.conf"

####################################
## Source
source remote {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

####################################
## Destination
destination host01 {
    file("/var/log/syslog-ng/host-01.log");
};

destination host02 {
    file("/var/log/syslog-ng/host-02.log");
};

destination host03 {
    file("/var/log/syslog-ng/host-03.log");
};

####################################
## Filter
filter host01 {
    host("host-01_server_name");
};

filter host02 {
    host("host-02_server_name");
};

filter host03 {
    host("host-03_server_name");
};

####################################
## Log
log {
    source(remote);
    filter(host01);
    destination(host01);
};

log {
    source(remote);
    filter(host02);
    destination(host02);
};

log {
    source(remote);
    filter(host03);
    destination(host03);
};
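As an added illustration that is not part of the original post, here is a small Python model of the routing this configuration performs: it parses the RFC 3164 headers of lines arriving on the port 514 source, matches the HOST field against the three host() filters above with syslog-ng's unanchored regular-expression semantics, and keeps a hypothetical catch-all bucket for hosts the configuration does not name, which the configuration as written silently discards. The hostnames and log lines are constructed placeholders.

```python
import re
from collections import defaultdict
# The three host() filters above; syslog-ng matches them as unanchored regexps.
HOST_FILTERS = {
    "host01": "host-01_server_name",
    "host02": "host-02_server_name",
    "host03": "host-03_server_name",
}
# Hypothetical extra bucket: the configuration above has no catch-all, so a host
# matching none of its filters has its messages discarded by syslog-ng.
CATCHALL = "unmatched"
# RFC 3164 BSD-syslog header: <PRI>TIMESTAMP HOSTNAME MSG
_HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse_syslog(line):
    """Return (facility, severity, timestamp, host, msg), or None for a malformed header."""
    m = _HEADER.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # PRI = facility * 8 + severity; facility <= 23, severity <= 7
        return None
    return pri >> 3, pri & 7, m.group(2), m.group(3), m.group(4)

def route(host):
    """Name of the first destination whose filter matches HOST, else the catch-all."""
    for name, pattern in HOST_FILTERS.items():
        if re.search(pattern, host):
            return name
    return CATCHALL

def route_lines(lines):
    """Group messages by destination; lines without a valid header go to the catch-all."""
    out = defaultdict(list)
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is None:
            out[CATCHALL].append(line)
            continue
        out[route(parsed[3])].append(parsed[4])
    return dict(out)

# Constructed sample input, shaped like what the udp/tcp 514 source above receives.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 host-01_server_name sshd[1234]: Accepted publickey for alice",
    "<13>Oct 11 22:14:16 host-02_server_name cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "<30>Oct 11 22:14:17 host-03_server_name kernel: eth0: link up",
    "<38>Oct 11 22:14:18 unlisted-host sshd[99]: Failed password for invalid user admin",
    "not a syslog line",
]
```

Running `route_lines(SAMPLE_LINES)` puts one message in each of host01, host02 and host03 and two entries in the catch-all, which is exactly the data the configuration above would lose.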

6) Check the /var/log/syslog-ng folder. The remote hosts' syslog files should be stored there now.

7) The open source edition of syslog-ng does not come with a web UI, so you have to install one separately. I used a simple tool named logstash.

wget http://semicomplete.com/files/logstash/logstash-1.1.1-monolithic.jar

8) Create the logstash configuration file (logstash-syslog.conf) in the same folder as the jar file.

input {
    file {
        type => "linux-syslog"
        path => [ "/var/log/syslog-ng/*.log" ]
    }
}

output {
    stdout { }
    elasticsearch { embedded => true }
}

9) Run logstash.

java -jar logstash-1.1.1-monolithic.jar agent -f logstash-syslog.conf -- web --backend elasticsearch:///?local

10) Go to http://<server_IP>:9292 and search using the Lucene query string syntax.