Forwarding log via syslog-ng

Problem description

I'm trying to forward my logs using syslog-ng to my central syslog server. But it is not working.

These are the lines I added in syslog-ng.conf:

source s_access { file("/var/log/httpd/access_log" follow_freq(10) flags(no-parse)); };
destination logserver { udp("xxxxxx.amazonaws.com" port(514)); };
log { source(s_access); destination(logserver); };

But when I restart, I'm getting the following error.

[root@ip-10-244-143-226 ~]# /etc/init.d/syslog-ng restart
Stopping syslog-ng:                                        [  OK  ]
Starting syslog-ng: syntax error at 79
Parse error reading configuration file, exiting. (line 79)
                                                           [FAILED]

The 79th line is the line in which source s_access is defined.

What could be the problem?

Somebody please help me with this :( The following line is the problem.

source s_access { file("/var/log/httpd/access_log" follow_freq(10) flags(no-parse, validate-utf8)); };

But I'm not getting what is wrong.

I have Apache, Tomcat and some custom applications and I need to send these logs to a remote central syslog server.

Recommended answer

If you are trying to log Apache events to syslog-ng, you are missing a few things. There's a blog post from LogZilla here that explains the steps to do it. You should be able to adapt it for your needs. But for the sake of completeness, I will repost here in case that blog page ever gets removed:

This method is not limited to Apache, but will work for any Common Log Format log. Each line in a file stored in the Common Log Format has the following syntax:

host ident authuser date request status bytes

The first step is to add a new source to your syslog-ng configuration. In the /etc/syslog-ng/conf.d directory, we'll create a file and name it apache.conf.

cd /etc/syslog-ng/conf.d
vi apache.conf

Once the file is open in the editor, we'll first add the source.

source s_apache {
    file("/var/log/apache2/access.log");
    file("/var/log/apache2/error.log");
};

You can also add the ssl-access.log if you have enabled that on your web server. In the same file, we'll need to add a destination.

log {
    source(s_apache);
    destination(d_tls);
};

In this example, the destination is a TLS tunnel created in a previous tutorial. Save the file and quit, then restart syslog-ng.

service syslog-ng restart

You should now be receiving Apache events on your Logzilla server, but they'll look a little off. That's because they haven't been formatted yet. To do that, we'll need to edit the Apache configuration. This step will only work for Apache. For other Common Log Format sources, each will have its own solution for formatting.

cd /etc/apache2
vi apache2.conf

In that file, you'll find a line like this:

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %v" combined

It will need a bit added to it (it will ignore the pre-set date).

LogFormat "Jan 12 12:12:12 %v apache[666]: %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %v" combined

Save the file and restart Apache, and your logs should look like this:

0 www user notice apache None 97.76.75.78 - - [07/Nov/2013:15:14:41 -0500] "GET /highslide/highslide.css HTTP/1.1" 304 209 
"http://www.yourserver.com/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; EIE10;ENUSMSN)" 
www.yourserver.com
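
An added example (not part of the original answer or the LogZilla post): a Python check that a line written with the modified LogFormat above splits into a syslog-style header plus the combined-log fields, and that the real event time comes from Apache's %t rather than the fixed "Jan 12 12:12:12" prefix. The sample line and the name parse_line are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: one line as Apache would write it with the modified
# LogFormat above (fixed date prefix, %v as host, apache[666] as program tag).
SAMPLE = (
    'Jan 12 12:12:12 www.yourserver.com apache[666]: 97.76.75.78 - - '
    '[07/Nov/2013:15:14:41 -0500] "GET /highslide/highslide.css HTTP/1.1" '
    '304 209 "http://www.yourserver.com/" '
    '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)" www.yourserver.com'
)

# BSD-syslog style header: "Mmm dd hh:mm:ss host program[pid]: message"
HEADER = re.compile(
    r'^(?P<fake_ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)
# Combined log format followed by %v, matching the LogFormat on this page.
COMBINED = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)" (?P<vhost>\S+)$'
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    head = HEADER.match(line.rstrip("\n"))
    if not head:
        return None  # e.g. a plain access-log line without the added prefix
    body = COMBINED.match(head.group("msg"))
    if not body:
        return None
    event = {**head.groupdict(), **body.groupdict()}
    del event["msg"]
    # The header timestamp is a constant string; the real time is Apache's %t.
    event["event_time"] = datetime.strptime(
        event.pop("time"), "%d/%b/%Y:%H:%M:%S %z"
    )
    return event

if __name__ == "__main__":
    for key, value in parse_line(SAMPLE).items():
        print(f"{key:11} {value}")
```
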
