Objective:

Forward syslog messages to the forwarder node, where syslog-ng sorts them into different cache files by category; the forwarder node monitors those cache files, and a scheduled job clears the cache every two days.

Lab environment:

splunk-enterprise (192.168.43.113)

splunk-forwarder / syslog-ng (192.168.43.78)

syslog source (192.168.43.56)

Configuration steps:

splunk-forwarder node

Install the syslog-ng service

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh epel-release-latest-7.noarch.rpm
cd /etc/yum.repos.d/
wget https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng324/repo/epel-7/czanik-syslog-ng324-epel-7.repo
yum install syslog-ng
systemctl enable syslog-ng
systemctl start syslog-ng

Stop the rsyslog service

systemctl stop rsyslog
systemctl disable rsyslog

Configure syslog-ng to receive logs

vim syslog-ng.conf

# Listen on UDP port 514
source s_net { syslog(transport(udp) port(514)); };
# Match messages whose MESSAGE part contains the keyword Network/network. To combine several match expressions, write: filter <name> { match("expr1", value("MESSAGE")) or match("expr2", value("MESSAGE")); };
filter a { match("(Network|network)", value("MESSAGE")); };
# Match every other syslog message, i.e. everything that filter a does not match
filter b { not(filter(a)); };
# Define the log file paths
destination a_log { file("/var/log/syslog-ng/test_network.log" create_dirs(yes)); };
destination b_log { file("/var/log/syslog-ng/test_all.log" create_dirs(yes)); };
# Write the messages matched by each filter to its own file
log { source(s_net); filter(a); destination(a_log); };
log { source(s_net); filter(b); destination(b_log); };
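The two filters above only inspect the MESSAGE part of each line, not the whole record, so a program name such as NetworkManager does not trigger filter a. The following shell snippet is an added example (not part of the original page) that reproduces this routing decision on constructed RFC 3164 lines, which is what rsyslog's default forwarding format produces, so the split between test_network.log and test_all.log can be checked before a config change is deployed.

```shell
#!/bin/sh
# Added example: simulate the syslog-ng routing of the config above.
# Assumes traditional BSD (RFC 3164) lines: "<PRI>Mon DD HH:MM:SS host tag: message".

# Return the MESSAGE part of a line: strip "<PRI>", timestamp, hostname and
# the "tag[pid]:" program field, which is what syslog-ng's MESSAGE macro holds.
msg_part() {
  printf '%s\n' "$1" | sed -E 's/^<[0-9]+>[A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8} [^ ]+ [^ ]+: //'
}

# Apply filter a / filter b from syslog-ng.conf and print the destination file name.
route() {
  m=$(msg_part "$1")
  if printf '%s\n' "$m" | grep -Eq '(Network|network)'; then
    echo test_network.log
  else
    echo test_all.log
  fi
}

# Constructed sample lines: the program name is not part of MESSAGE, and the
# regex is case-sensitive, so only the second line reaches test_network.log.
demo() {
  for line in \
    '<30>Mar  5 10:11:12 srv1 NetworkManager[812]: device eth0 activated' \
    '<13>Mar  5 10:11:13 srv1 sshd[1]: network is unreachable' \
    '<13>Mar  5 10:11:14 srv1 cron[2]: job done' \
    '<13>Mar  5 10:11:15 srv1 kernel: NETWORK DOWN'
  do
    printf '%-18s <- %s\n' "$(route "$line")" "$line"
  done
}
```

Call demo to print the destination chosen for each sample line; extend the sample list with lines taken from the real source before changing the match expression.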

Restart the service

systemctl restart syslog-ng

syslog source node

Configure the client (Linux) to send logs

vim /etc/rsyslog.conf

*.* @192.168.43.78:514

systemctl restart rsyslog

syslog-ng node

Check the cached syslog-ng log files

Configure the splunk-forwarder to monitor the files

vim /opt/splunkforwarder/etc/apps/search/local

[monitor:///var/log/syslog-ng/*]
disabled = false
index = syslog
sourcetype = syslog

Configure the splunk-forwarder to forward the files

vim outputs.conf

[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.43.113:9997
[tcpout-server://192.168.43.113:9997]

/opt/splunkforwarder/bin/splunk restart

Check the result on splunk-enterprise

Write the script that clears the syslog cache

#!/bin/bash
# Truncate a file in place (the inode is kept, so syslog-ng's open handle stays valid)
null(){
  : > "$1"
}
# Temporarily back up the cached log files to /tmp/syslog-ng; the backup is deleted on the next run of this script
backup(){
  if [ ! -d "/tmp/syslog-ng/" ]; then
    mkdir /tmp/syslog-ng/
  fi
  rm -rf /tmp/syslog-ng/*
  cp -r /var/log/syslog-ng/* /tmp/syslog-ng/
}
# Main function: walk the directory tree and truncate every regular file
travFolder(){
  for f in "$1"/*; do
    if [ -d "$f" ]; then
      travFolder "$f"
    elif [ -f "$f" ]; then
      null "$f"
    fi
  done
}

dir=/var/log/syslog-ng
# Only clear the cache if the backup succeeded
if backup; then
  travFolder "$dir"
fi

Set up the cron job (here the cache is cleared every two days at midnight; in special situations, for example a disaster-recovery drill notice that will cut the network, delete this cron job in advance or lengthen its interval)

crontab -e

0 0 */2 * *  /bin/sh /app/splunl/bin/clean_syslog_cache.sh