It has been a long while since I last did anything with this blog, so here is a technical article I read and am reposting.
Reposted from http://www.sun.com/bigadmin/hubs/multilingual/simp_chinese/content/syslog_ng.jsp
UNIX system administrators are all familiar with the syslog daemon, but the information it collects usually sits unprocessed unless a problem is reported. At any site with more than a few machines, nobody has the time to record and check multiple log files every day, or even every month, and writing automated scripts that correlate data across those machines is hard because the scripts have to reach each machine separately. To ease the burden of both automated and manual processing, many sites run a central log server that collects data from every machine on the network (ideally all running NTP, so that times and dates correlate easily): UNIX servers, Windows and Mac desktops, and even network devices such as routers and switches. With most ordinary UNIX syslog daemons, centralized logging is trivial to set up, but syslogd has changed little since its early versions and therefore has some shortcomings.
The standard UNIX syslog daemon transmits messages in clear text over UDP, which means anyone can discover potentially sensitive data. The facility.level model is also quite limiting, and the default /etc/syslog.conf shipped with most operating systems neglects to record many messages an administrator might care about. Parsing logs so that people can read them, or so that they can feed automated data mining, matters a great deal; for example, the UNIX syslog daemon does not easily allow splitting log files by host or matching log messages against regular expressions. As a result, most centralized log servers that use the ordinary syslog daemon end up with huge log files that are only processed after the syslogd process has closed them.
Consequently, most sites that centralize logging also end up replacing the ordinary syslog daemon with a more secure and more flexible one, such as Metalog, msyslog or something similar. A very popular syslog replacement is the open-source program syslog-ng. An organization can run syslog-ng on every UNIX host or only on the syslog server. If syslog-ng runs only on the log host, the clients keep sending data over UDP port 514 as usual, but the logs can be organized and processed much better on the server.
The advantage of running syslog-ng on every UNIX host is that the logging channel can be encrypted with IPSec or with the Stunnel utility, so that a casual sniffer cannot read the data. Combined with Stunnel as the transport, an organization can securely centralize the log messages from all the required UNIX hosts for further processing. With syslog-ng, Stunnel works like this: it accepts log connections on a local port, wraps them in an SSL session, and redirects them to a secure port on the remote log host. The stunnel process on the remote log host then decrypts the SSL session and passes the data back to the syslog server on the standard port. Once the data is on the log server, syslog-ng's flexibility is used to organize and parse the log files.
Below I describe installing and configuring syslog-ng and Stunnel on a machine running the Solaris 8 operating system (SPARC Platform Edition), but the procedure generally also applies to earlier and later versions of the Solaris OS on both SPARC and x86 platforms. Each of the reference machines discussed below has OpenSSL, tcp wrappers, the Solaris 8 /dev/urandom patch, the GNU development environment (gcc and so on) and several other free packages installed. The machine acting as the log server has also been fully hardened, because it will store sensitive and security-related information from every machine on the network. The reference machines live on the 192.168.1 subnet, and the log server's IP address is 192.168.1.10.
Installing Stunnel
The first step in building a secure log server is to install Stunnel on the server and on every client. Stunnel can also be used with the ordinary syslog daemon (instead of replacing syslog with syslog-ng), but that forgoes the flexibility we are after. In the instructions below I configure and build stunnel to run as its own user and group, chrooted into its own directory. To do so, first create the stunnel group and user (the UID and GID are chosen arbitrarily):
/usr/sbin/groupadd -g 122 stunnel
/usr/sbin/useradd -c stunnel -d /nonexistent -m -g 122 -u 122 stunnel
Now fetch the Stunnel source, unpack it and configure it. On these particular hosts the OpenSSL certificates are kept in /usr/local/etc/openssl/certs, and I want the doc directory to live under /usr/local together with the other locally installed documentation. I also set localstatedir to /var/run/stunnel, because it does not need to survive a reboot and I want it inside the chroot directory.
wget http://www.stunnel.org/download/stunnel/src/stunnel-4.05.tar.gz
tar zxf stunnel-4.05.tar.gz
cd stunnel-4.05
./configure --localstatedir=/var/run/stunnel \
    --with-pem-dir=/usr/local/etc/openssl/certs --datadir=/usr/local
make
make install
Creating the certificate files for syslog-ng over Stunnel
The Stunnel installation creates a self-signed certificate that you may choose to use. Since I run my own private certificate authority and run Stunnel only for syslog-ng, I generate and sign my own syslog-ng-specific certificates. For details on setting up your own CA and signing certificates, see the SSL Certificates HOWTO.
Assuming you have set up your own CA, or will submit certificate requests to a recognized CA, create the pem file for the server:
openssl req -new -days 3650 -nodes -config stunnel.cnf -out serverreq.pem \
    -keyout syslog-ng-server.pem
Also create a corresponding pem file for each client:
openssl req -new -days 3650 -nodes -config stunnel.cnf -out clientreq.pem \
    -keyout syslog-ng-client.pem
Sign each pem file with the local CA, or have a public CA sign them. I use the sign.sh script that ships with the apache mod_ssl distribution:
sign.sh /tmp/serverreq.pem
sign.sh /tmp/client1req.pem
sign.sh /tmp/client2req.pem
sign.sh /tmp/client3req.pem
The resulting crt files contain the certificate for each corresponding pem file. The server needs the server pem file syslog-ng-server.pem, which contains the server's private key and certificate (copied from the /tmp/serverreq.pem.crt file):
It also needs the client pem file syslog-ng-client.pem, which contains only the certificates (taken from the crt files) of the signing CA and of each client (this example assumes three syslog-ng clients):
Each client needs a pem file syslog-ng-client.pem containing its own certificate and private key:
Each client also needs the pem file syslog-ng-server.pem, which contains only the certificates of the server and of the signing CA:
On every machine, make sure that only the superuser can read the certificate files (for security reasons):
chmod 400 /usr/local/etc/openssl/certs/syslog-ng-*
chown root:other /usr/local/etc/openssl/certs/syslog-ng-*
Configuring Stunnel for syslog-ng
On the server, create a syslog-ng-specific Stunnel configuration file /usr/local/etc/stunnel/stunnel.conf with the following contents. This example file specifies the local certificate/key file and the certificate file used to verify the peer, the stunnel user and group, and the chroot directory. A verify value of 3 ensures that stunnel verifies the peer against the locally installed certificate. Stunnel leaves verification off by default, so turning it on here is important. The last part of the file specifies the port number for the SSL-wrapped session and the IP:port on which connections are accepted and to which they are redirected. Port 514 is the standard syslog port, and 5140 is an arbitrarily chosen unused port. Be sure to read the stunnel manual page for further information and configuration options.
cert = /usr/local/etc/openssl/certs/syslog-ng-server.pem
CAfile = /usr/local/etc/openssl/certs/syslog-ng-client.pem
chroot = /var/run/stunnel
pid = /run/stunnel.pid
setuid = stunnel
setgid = stunnel
verify = 3

[5140]
accept = 192.168.1.10:5140
connect = 127.0.0.1:514
On each client, the directives in the syslog-ng-specific /usr/local/etc/stunnel/stunnel.conf are similar to those in the server's stunnel.conf. Only the values of cert and CAfile and of accept and connect are swapped, and the client directive is added:
client = yes
cert = /usr/local/etc/openssl/certs/syslog-ng-client.pem
CAfile = /usr/local/etc/openssl/certs/syslog-ng-server.pem
chroot = /var/run/stunnel
pid = /run/stunnel.pid
setuid = stunnel
setgid = stunnel
verify = 3

[5140]
accept = 127.0.0.1:514
connect = 192.168.1.10:5140
With Stunnel configured, syslog-ng can now be installed and configured. If you want to test Stunnel at this point, configure it to use another TCP port or service (such as IMAP or telnet) as described on the stunnel examples page.
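As an added check (example code, not from the article or from stunnel itself), the following Python audit parses a stunnel.conf in the layout shown above and reports the omissions that quietly weaken the log channel: verify left off, no CAfile to verify against, no chroot/setuid/setgid, or a client that forgot client = yes. The two embedded configs are constructed for the demonstration, and treating '#' like ';' as a comment marker is an assumption.

```python
"""Audit a stunnel.conf for the settings the syslog-ng setup relies on."""
import re

# Constructed: the server config as the article lays it out.
SERVER_CONF = """\
cert = /usr/local/etc/openssl/certs/syslog-ng-server.pem
CAfile = /usr/local/etc/openssl/certs/syslog-ng-client.pem
chroot = /var/run/stunnel
pid = /run/stunnel.pid
setuid = stunnel
setgid = stunnel
verify = 3
[5140]
accept = 192.168.1.10:5140
connect = 127.0.0.1:514
"""

# Constructed weak client: no verify, no CAfile, not chrooted, not marked client.
WEAK_CLIENT_CONF = """\
; cert only, everything else forgotten
cert = /usr/local/etc/openssl/certs/syslog-ng-client.pem
[5140]
accept = 127.0.0.1:514
connect = 192.168.1.10:5140
"""


def parse_stunnel_conf(text):
    """Return (global_options, {service_name: options}); later keys override earlier."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # ';' is stunnel's comment marker
            continue
        section = re.match(r"^\[(.+)\]$", line)
        if section:
            current = services.setdefault(section.group(1).strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            (global_opts if current is None else current)[key.strip()] = value.strip()
    return global_opts, services


def audit_stunnel_conf(text, role):
    """role is 'server' or 'client'. Returns a list of findings; empty means clean."""
    g, services = parse_stunnel_conf(text)
    findings = []
    try:
        verify = int(g.get("verify", "0"))
    except ValueError:
        verify = 0
    if verify < 2:
        findings.append("verify off or below 2: the peer need not present a valid certificate")
    elif verify == 2:
        findings.append("verify = 2 accepts any certificate issued by the CA; the article "
                        "uses 3 so only the certificates installed in CAfile are accepted")
    if "CAfile" not in g and "CApath" not in g:
        findings.append("no CAfile/CApath: nothing to verify the peer against")
    if "cert" not in g:
        findings.append("no cert: this side cannot present a certificate")
    for opt in ("chroot", "setuid", "setgid"):
        if opt not in g:
            findings.append(f"{opt} missing: stunnel keeps root and the full filesystem")
    if role == "client" and g.get("client", "no").lower() != "yes":
        findings.append("client = yes missing: stunnel would listen as an SSL server "
                        "instead of wrapping the outgoing syslog connection")
    if not services:
        findings.append("no [service] section with accept/connect")
    for name, opts in services.items():
        for opt in ("accept", "connect"):
            if opt not in opts:
                findings.append(f"[{name}] lacks {opt}")
    return findings
```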
Installing syslog-ng
The stable release of syslog-ng first requires the libol library to be installed (or at least built). Download, unpack and install it as follows:
wget http://www.balabit.com/downloads/libol/0.3/libol-0.3.14.tar.gz
tar zxf libol-0.3.14.tar.gz
cd libol-0.3.14
./configure
make
make install
Now fetch the syslog-ng source, then unpack, configure and install it. At configure time I also add tcp wrapper support, because I already have it installed and use it effectively for other daemons:
wget http://www.balabit.com/downloads/syslog-ng/1.6/src/syslog-ng-1.6.5.tar.gz
tar zxf syslog-ng-1.6.5.tar.gz
cd ../syslog-ng-1.6.5
./configure --enable-tcp-wrapper
make
make install
Be sure to open the appropriate ports in any packet filters and/or tcp wrappers. If the log host also accepts unencrypted syslog messages, the server needs to accept connections from clients on TCP port 5140 and on UDP port 514. To support the tcp wrapper extended syntax, add the following to /etc/hosts.deny on the server:
syslog-ng : LOCAL 127.0.0.1 192.168.1. : ALLOW
And on the clients, add the following to /etc/hosts.deny:
syslog-ng : LOCAL 127.0.0.1 : ALLOW
Now create the stunnel/syslog-ng startup script /etc/init.d/syslog-ng, which runs at boot on every machine. The following script is based on the Solaris 8 syslog startup script; in addition to running savecore, it starts stunnel and syslog-ng:
#!/sbin/sh
#
case "$1" in
'start')
    if [ -f /usr/local/etc/syslog-ng/syslog-ng.conf -a -x \
        /usr/local/sbin/syslog-ng ]; then
        #
        # Before syslogd starts, save any messages from previous
        # crash dumps so that messages appear in chronological order.
        #
        /usr/bin/savecore -m
        if [ -r /etc/dumpadm.conf ]; then
            . /etc/dumpadm.conf
            [ "x$DUMPADM_DEVICE" != xswap ] && \
                /usr/bin/savecore -m -f $DUMPADM_DEVICE
        fi
        #
        # Start stunnel so logs are sent encrypted
        #
        if [ -f /usr/local/etc/stunnel/stunnel.conf \
            -a -x /usr/local/sbin/stunnel ]; then
            echo "Starting stunnel"
            mkdir -p /var/run/stunnel/run
            chown stunnel:stunnel /var/run/stunnel/run
            /usr/local/sbin/stunnel
            echo "Starting syslog-ng"
            /usr/local/sbin/syslog-ng
        fi
    fi
    ;;
'stop')
    if [ -f /var/run/syslog-ng.pid ]; then
        syspid=`/usr/bin/cat /var/run/syslog-ng.pid`
        [ "$syspid" -gt 0 ] && kill -15 $syspid && \
            echo "Killed syslog-ng"
    fi
    if [ -f /var/run/stunnel/run/stunnel.pid ]; then
        syspid=`/usr/bin/cat /var/run/stunnel/run/stunnel.pid`
        [ "$syspid" -gt 0 ] && kill -15 $syspid && \
            echo "Killed stunnel"
    fi
    ;;
*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac
Remove the links to the native Solaris syslog startup and shutdown scripts and replace them with links to the new syslog-ng script:
rm /etc/rc*.d/???syslog
ln -s /etc/init.d/syslog-ng /etc/rc0.d/K40syslog-ng
ln -s /etc/init.d/syslog-ng /etc/rc1.d/K40syslog-ng
ln -s /etc/init.d/syslog-ng /etc/rc2.d/S74syslog-ng
ln -s /etc/init.d/syslog-ng /etc/rcS.d/K40syslog-ng
Configuring syslog-ng
syslog-ng's flexibility comes from its configuration file. The configuration directives source, filter, destination and log are central to log processing. A source directive names where local and remote log messages come from. A filter directive allows log messages to be separated by facility, level/priority, program name, host name or regular-expression match. A destination can be a file, a pipe, a stream or datagram socket, a UDP or TCP connection, a tty or a program. A log directive ties source, filter and destination directives together and defines how matching log messages are handled. All the available directives are discussed in the syslog-ng reference manual, and the syslog-ng FAQ lists a variety of examples.
The following example stores log files in /var/log on each local host and in /var/log/clients/$YEAR/$MONTH/$HOST on the central log server. The following /usr/local/etc/syslog-ng/syslog-ng.conf on the log host supports messages from the local host, from stunnel-encrypted hosts and from standard UDP hosts (such as routers and switches that cannot use stunnel). The filters are based on facility and level, on program-name matches, and on some combinations of these.
# Options
options { use_fqdn(yes); sync(0); keep_hostname(yes); chain_hostnames(no); create_dirs(yes); };

# Sources of syslog messages (both local and remote messages on the server)
source s_local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal(); };
source s_stunnel { tcp(ip("127.0.0.1") port(514) max-connections(1)); };
source s_udp { udp(); };

# Level Filters
filter f_emerg { level (emerg); };
filter f_alert { level (alert .. emerg); };
filter f_crit { level (crit .. emerg); };
filter f_err { level (err .. emerg); };
filter f_warning { level (warning .. emerg); };
filter f_notice { level (notice .. emerg); };
filter f_info { level (info .. emerg); };
filter f_debug { level (debug .. emerg); };

# Facility Filters
filter f_kern { facility (kern); };
filter f_user { facility (user); };
filter f_mail { facility (mail); };
filter f_daemon { facility (daemon); };
filter f_auth { facility (auth); };
filter f_syslog { facility (syslog); };
filter f_lpr { facility (lpr); };
filter f_news { facility (news); };
filter f_uucp { facility (uucp); };
filter f_cron { facility (cron); };
filter f_local0 { facility (local0); };
filter f_local1 { facility (local1); };
filter f_local2 { facility (local2); };
filter f_local3 { facility (local3); };
filter f_local4 { facility (local4); };
filter f_local5 { facility (local5); };
filter f_local6 { facility (local6); };
filter f_local7 { facility (local7); };

# Custom Filters
filter f_user_none { not facility (user); };
filter f_kern_debug { filter (f_kern) and filter (f_debug); };
filter f_daemon_notice { filter (f_daemon) and filter (f_notice); };
filter f_mail_crit { filter (f_mail) and filter (f_crit); };
filter f_mesg { filter (f_kern_debug) or filter (f_daemon_notice) or filter (f_mail_crit); };
filter f_authinfo { filter (f_auth) or program (sudo); };

# Destinations: local files, the console, and the client files
destination l_authlog { file ("/var/log/authlog"); };
destination l_messages { file ("/var/log/messages"); };
destination l_maillog { file ("/var/log/maillog"); };
destination l_ipflog { file ("/var/log/ipflog"); };
destination l_imaplog { file ("/var/log/imaplog"); };
destination l_syslog { file ("/var/log/syslog"); };
destination l_console { file ("/dev/console"); };
destination r_authlog { file ("/var/log/clients/$YEAR/$MONTH/$HOST/authlog"); };
destination r_messages { file ("/var/log/clients/$YEAR/$MONTH/$HOST/messages"); };
destination r_maillog { file ("/var/log/clients/$YEAR/$MONTH/$HOST/maillog"); };
destination r_ipflog { file ("/var/log/clients/$YEAR/$MONTH/$HOST/ipflog"); };
destination r_imaplog { file ("/var/log/clients/$YEAR/$MONTH/$HOST/imaplog"); };
destination r_console { file ("/var/log/clients/$YEAR/$MONTH/$HOST/consolelog"); };
destination r_syslog { file ("/var/log/clients/$YEAR/$MONTH/$HOST/syslog"); };
destination r_fallback { file ("/var/log/clients/$YEAR/$MONTH/$HOST/$FACILITY-$LEVEL"); };

# Log statements
# Local sources
log { source (s_local); filter (f_authinfo); destination (l_authlog); };
log { source (s_local); filter (f_mail); destination (l_maillog); };
log { source (s_local); filter (f_local0); destination (l_ipflog); };
log { source (s_local); filter (f_local1); destination (l_imaplog); };
log { source (s_local); filter (f_syslog); destination (l_syslog); };
log { source (s_local); filter (f_emerg); filter (f_user_none); destination (l_console); };
log { source (s_local); filter (f_mesg); filter (f_user_none); destination (l_messages); };

# All sources, since we want to archive local and remote logs
# (s_udp is listed too, so routers and switches that cannot use stunnel are archived as well;
# the archive copies go to the per-client r_* destinations, not the local l_* files)
log { source (s_local); source (s_stunnel); source (s_udp); filter (f_authinfo); destination (r_authlog); };
log { source (s_local); source (s_stunnel); source (s_udp); filter (f_mail); destination (r_maillog); };
log { source (s_local); source (s_stunnel); source (s_udp); filter (f_local0); destination (r_ipflog); };
log { source (s_local); source (s_stunnel); source (s_udp); filter (f_local1); destination (r_imaplog); };
log { source (s_local); source (s_stunnel); source (s_udp); filter (f_syslog); destination (r_syslog); };
log { source (s_local); source (s_stunnel); source (s_udp); filter (f_emerg); filter (f_user_none); destination (r_console); };
log { source (s_local); source (s_stunnel); source (s_udp); filter (f_mesg); filter (f_user_none); destination (r_messages); };
In this example client syslog-ng.conf the filters are identical, but most of the rest of the configuration has either been changed to reflect the client's role or been removed:
# Options
options { sync(0); use_fqdn(yes); };

# Sources of syslog messages (only local on clients)
source s_local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal(); };

# Destinations: local files, the console, and the remote syslog server
destination l_authlog { file ("/var/log/authlog"); };
destination l_messages { file ("/var/log/messages"); };
destination l_maillog { file ("/var/log/maillog"); };
destination l_ipflog { file ("/var/log/ipflog"); };
destination l_imaplog { file ("/var/log/imaplog"); };
destination l_console { file ("/dev/console"); };
destination l_syslog { file ("/var/log/syslog"); };
# The local stunnel listener on 127.0.0.1:514 forwards to the log host
destination stunnel { tcp ("127.0.0.1" port(514)); };

# Level Filters
filter f_emerg { level (emerg); };
filter f_alert { level (alert .. emerg); };
filter f_crit { level (crit .. emerg); };
filter f_err { level (err .. emerg); };
filter f_warning { level (warning .. emerg); };
filter f_notice { level (notice .. emerg); };
filter f_info { level (info .. emerg); };
filter f_debug { level (debug .. emerg); };

# Facility Filters
filter f_kern { facility (kern); };
filter f_user { facility (user); };
filter f_mail { facility (mail); };
filter f_daemon { facility (daemon); };
filter f_auth { facility (auth); };
filter f_syslog { facility (syslog); };
filter f_lpr { facility (lpr); };
filter f_news { facility (news); };
filter f_uucp { facility (uucp); };
filter f_cron { facility (cron); };
filter f_local0 { facility (local0); };
filter f_local1 { facility (local1); };
filter f_local2 { facility (local2); };
filter f_local3 { facility (local3); };
filter f_local4 { facility (local4); };
filter f_local5 { facility (local5); };
filter f_local6 { facility (local6); };
filter f_local7 { facility (local7); };

# Custom Filters
filter f_user_none { not facility (user); };
filter f_kern_debug { filter (f_kern) and filter (f_debug); };
filter f_daemon_notice { filter (f_daemon) and filter (f_notice); };
filter f_mail_crit { filter (f_mail) and filter (f_crit); };
filter f_mesg { filter (f_kern_debug) or filter (f_daemon_notice) or filter (f_mail_crit); };
filter f_authinfo { filter (f_auth) or program (sudo); };

# Log statements
# Log things locally
log { source (s_local); filter (f_authinfo); destination (l_authlog); };
log { source (s_local); filter (f_mail); destination (l_maillog); };
log { source (s_local); filter (f_local0); destination (l_ipflog); };
log { source (s_local); filter (f_local1); destination (l_imaplog); };
log { source (s_local); filter (f_syslog); destination (l_syslog); };
log { source (s_local); filter (f_emerg); filter (f_user_none); destination (l_console); };
log { source (s_local); filter (f_mesg); filter (f_user_none); destination (l_messages); };

# Log everything remotely via stunnel
log { source (s_local); destination (stunnel); };
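To see the filter logic in action, here is an added Python model (example code, not from the article or from syslog-ng) of the local log {} statements that the server and client configurations above share. It re-implements the <PRI> facility/severity arithmetic of BSD-format syslog lines, the article's custom filters (f_authinfo, f_mesg, f_user_none) and the AND of multiple filter() clauses in one log statement, so you can see which file a given line lands in; the sample lines are constructed.

```python
"""Trace a syslog line through the article's filters and local log statements."""
import re
from dataclasses import dataclass

# Facility codes and severity order from the syslog protocol (RFC 3164 numbering).
FACILITY_NAME = dict(enumerate(["kern", "user", "mail", "daemon", "auth", "syslog",
                                "lpr", "news", "uucp", "cron", "authpriv", "ftp"]))
FACILITY_NAME.update({16 + i: f"local{i}" for i in range(8)})
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host program[pid]: text
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+"
                     r"([^\s:\[]+)(?:\[\d+\])?:\s*(.*)$")


@dataclass
class Msg:
    facility: str
    level: str
    host: str
    program: str
    text: str


def parse(line):
    """Split a BSD-format syslog line; PRI = facility * 8 + severity."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    fac, sev = divmod(int(m.group(1)), 8)
    return Msg(FACILITY_NAME.get(fac, f"facility{fac}"), LEVELS[sev],
               m.group(3), m.group(4), m.group(5))


def level_range(msg, low, high="emerg"):
    """syslog-ng 'level(low .. high)': severity numerically between high and low."""
    return LEVELS.index(high) <= LEVELS.index(msg.level) <= LEVELS.index(low)


# The article's filters as predicates with the same names. f_kern_debug is
# 'kern and level(debug .. emerg)', which is every kern message.
FILTERS = {
    "f_emerg":     lambda m: m.level == "emerg",
    "f_user_none": lambda m: m.facility != "user",
    "f_mail":      lambda m: m.facility == "mail",
    "f_local0":    lambda m: m.facility == "local0",
    "f_local1":    lambda m: m.facility == "local1",
    "f_syslog":    lambda m: m.facility == "syslog",
    "f_authinfo":  lambda m: m.facility == "auth" or m.program == "sudo",
    "f_mesg":      lambda m: (m.facility == "kern"
                              or (m.facility == "daemon" and level_range(m, "notice"))
                              or (m.facility == "mail" and level_range(m, "crit"))),
}

# The local log {} statements: every listed filter must match (syslog-ng ANDs them).
LOG_STATEMENTS = [
    (["f_authinfo"], "/var/log/authlog"),
    (["f_mail"], "/var/log/maillog"),
    (["f_local0"], "/var/log/ipflog"),
    (["f_local1"], "/var/log/imaplog"),
    (["f_syslog"], "/var/log/syslog"),
    (["f_emerg", "f_user_none"], "/dev/console"),
    (["f_mesg", "f_user_none"], "/var/log/messages"),
]


def route(line):
    """Return the destinations the line is written to (empty list = not kept)."""
    msg = parse(line)
    return [dest for filters, dest in LOG_STATEMENTS
            if all(FILTERS[f](msg) for f in filters)]
```

Note that a user.emerg message (PRI 8) matches no statement at all, because f_user_none drops the user facility from both the console and messages rules; that is the configured behaviour, not a parsing gap.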
More advanced uses of syslog-ng include sending log messages, according to their importance, directly to data-mining software, a database, e-mail or a printer. Another useful tip is to send high-priority log messages to a file that a real-time log analyzer (such as swatch, logsurfer, Log Tool or Logwatch) can watch. Because log entries can be organized and processed in so many ways, the possibilities for automated data mining and monitoring are vast.
Resources
- Software packages on the reference systems:
- Stunnel resources:
- syslog-ng resources:
  - syslog-ng home page
  - latest libol source code
  - latest syslog-ng source code
  - syslog-ng reference manual
  - syslog-ng FAQ
  - support packages for syslog-ng
  - syslog-ng mailing list archive
  - syslog-ng-announce mailing list archive
- Real-time log parsing tools: