Centralized Logging with syslog

4. One more thing...
• FIFO Buffers
• First In First Out
• Rolling View of Logs
• Type of Named Pipe

11. First off...Global!
/etc/syslog-ng/syslog-ng.conf
options {
chain_hostnames(0);
time_reopen(10);
time_reap(360);
log_fifo_size(2048);
create_dirs(yes);
group(admin);
perm(0640);
dir_perm(0755);
use_dns(no);
stats_freq(0);
};
• Disable Hostname Chaining
• Time to wait before re-establishing a dead connection
• Time to wait before an idle file is closed
• FIFO Buffer size
• Create Directories
• Permissions
• Disable DNS
• Disable Statistic Logging

12. Next, The Source
/etc/syslog-ng/syslog-ng.conf
source s_all {
internal();
unix-stream("/dev/log");
file("/proc/kmsg" log_prefix("kernel: "));
udp();
};

14. Windows Filter
/etc/syslog-ng/syslog-ng.conf
filter f_windows {
program(MSWinEventLog);
};

15. Cisco Filter
/etc/syslog-ng/syslog-ng.conf
filter f_cisco_pix {
host(IP.OF.PIX.DEVICE);
};

16. General Filter
/etc/syslog-ng/syslog-ng.conf
filter f_not_others {
not host(IP.OF.PIX.DEVICE)
and not program(MSWinEventLog);
};

18. Windows FIFO
/etc/syslog-ng/syslog-ng.conf
destination d_windows {
pipe("/var/log/buffers/windows");
};

19. Cisco FIFO
/etc/syslog-ng/syslog-ng.conf
destination d_cisco {
pipe("/var/log/buffers/cisco");
};

20. General FIFO
/etc/syslog-ng/syslog-ng.conf
destination d_gen_fifo {
pipe("/var/log/buffers/syslog");
};

21. ...And the Archive
/etc/syslog-ng/syslog-ng.conf
destination d_all {
file("/var/log/arch/$MONTH$DAY$YEAR");
};

22. Tying it all Together!
• Now we tell syslog-ng to tie the sources, filters and destinations together with log statements. ;)

23. Windows Log
/etc/syslog-ng/syslog-ng.conf
log {
source(s_all);
filter(f_windows);
destination(d_windows);
};

24. Cisco Log
/etc/syslog-ng/syslog-ng.conf
log {
source(s_all);
filter(f_cisco_pix);
destination(d_cisco);
};

25. General FIFO
/etc/syslog-ng/syslog-ng.conf
log {
source(s_all);
filter(f_not_others);
destination(d_gen_fifo);
};

26. Archive Log
/etc/syslog-ng/syslog-ng.conf
log {
source(s_all);
destination(d_all);
};

28. Run me :)
$ sudo mkdir /var/log/arch
$ sudo mkdir /var/log/buffers
$ sudo mkfifo /var/log/buffers/windows
$ sudo mkfifo /var/log/buffers/cisco
$ sudo mkfifo /var/log/buffers/syslog

30. Is it working?
• Check your Logfiles (/var/log/arch/*)
• Check your FIFO Buffers
• cat /var/log/buffers/windows
• cat /var/log/buffers/cisco
• cat /var/log/buffers/syslog

33. splunk>
• No, I don't work for them...I just really like their product.

34. Installing splunk>
• Download the latest version (3.0b3 as of writing)
• Extract the tarball
• Run the application
• Make it start up at system boot

35. Installing splunk>
$ wget 'http://www.splunk.com/index.php/download_track?file=/3.0b3/linux/splunk-3.0b3-20872-Linux-i686.tgz&ac=&wget=true&name=wget'
$ sudo mkdir /opt;cd /opt
$ sudo tar xzvf ~/splunk-3.0b3-20872-Linux-i686.tgz
$ sudo /opt/splunk/bin

45. Other Devices
• Various systems can be configured to send their logs to the central syslog-ng host
• Cisco, Juniper, Lotus Domino, Apache, IIS, etc. are just a few examples.

46. Recap
• What is Syslog
• What is FIFO
• Installing and Configuring Syslog-NG
• Installing and Configuring Splunk
• Agents
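To make the three filters and four log statements in the syslog-ng configuration above concrete, here is an added Python model (not code from the slides or from syslog-ng itself) that parses a few constructed BSD-syslog lines, applies the same host()/program() tests, and shows which FIFO and archive each message reaches; IP.OF.PIX.DEVICE stays the slides' placeholder, and the sample messages are made up.

```python
import re
from collections import defaultdict

# Constructed sample messages in BSD syslog (RFC 3164) form, as syslog-ng would
# receive them over udp(). IP.OF.PIX.DEVICE is the placeholder from the slides.
PIX_HOST = "IP.OF.PIX.DEVICE"
SAMPLE_LOGS = [
    "<13>Oct 11 22:14:15 winsrv01 MSWinEventLog\t1\tSecurity\t4624\tLogon success",
    "<166>Oct 11 22:14:16 " + PIX_HOST + " %PIX-6-302013: Built outbound TCP connection",
    "<38>Oct 11 22:14:17 webfront sshd[4321]: Accepted publickey for ops",
    "<0>Oct 11 22:14:18 core kernel: Out of memory: Kill process 123",
]

# <PRI>TIMESTAMP HOST PROGRAM...  (program ends at ':', '[' or whitespace)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)"
)

def parse(line):
    """Return host/program (syslog-ng's $HOST and $PROGRAM), or None if unparsable."""
    m = SYSLOG_RE.match(line)
    return {"host": m.group("host"), "program": m.group("program")} if m else None

# The three filters from the config, as predicates over a parsed message.
def f_windows(e):
    return e["program"] == "MSWinEventLog"          # program(MSWinEventLog)

def f_cisco_pix(e):
    return e["host"] == PIX_HOST                    # host(IP.OF.PIX.DEVICE)

def f_not_others(e):
    return not f_cisco_pix(e) and not f_windows(e)  # complement of the other two

# The four log {} statements as (filter, destination); d_all has no filter.
LOG_PATHS = [
    (f_windows, "/var/log/buffers/windows"),
    (f_cisco_pix, "/var/log/buffers/cisco"),
    (f_not_others, "/var/log/buffers/syslog"),
    (lambda e: True, "/var/log/arch/$MONTH$DAY$YEAR"),
]

def route(lines):
    """Map each destination path to the raw messages it would receive."""
    routed = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e is None:
            routed["unparsed"].append(line)  # not RFC 3164 shaped: keep visible
            continue
        for flt, dest in LOG_PATHS:
            if flt(e):
                routed[dest].append(line)
    return routed
```

Reading a FIFO consumes its contents, so the cat checks on the "Is it working?" slide take messages away from whatever reader (here Splunk) is meant to drain that pipe. The mkfifo commands also create the pipes with the calling shell's umask; the perm() and group() options in the global block only govern files and directories syslog-ng creates itself.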