Original source: http://blog.sina.com.cn/u/4707c9270100075v
The importance of logs to a system is obvious. Unfortunately, I found that my system was not properly recording what it should have: at the very least, it rebooted by itself in the middle of the night yesterday and I could not find out why.
syslog-ng was installed during installation. I checked its configuration file and it seemed to record very little, which is far from enough for system security, so I read a lot of man pages and changed the settings. The process was as follows:
1. man is actually not much use; probably my fundamentals are weak, because I could not understand what it said.
2. The syslog-ng configuration file is /etc/syslog-ng/syslog-ng.conf. It seemed to record only messages and nothing else; if you are not sure, open it and have a look.
3. To be safe, back up the file first.
4. Look at the syslog-ng configuration documentation, using this example as a reference: /usr/share/doc/syslog-ng-1.6.9/syslog-ng.conf.sample.gz, then edit /etc/syslog-ng/syslog-ng.conf following that format and your own needs. My modified file is as follows:
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.5 2005/05/12 05:46:10 mr_bones_ Exp $#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett
options {
chain_hostnames(off);
sync(0);
# The default action of syslog-ng 1.6.0 is to log a STATS line
# to the file every 10 minutes. That's pretty ugly after a while.
# Change it to every 12 hours so you get a nice daily update of
# how many messages syslog-ng missed (0).
stats(43200);
};
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination user { file("/var/log/user.log"); };
destination messages { file("/var/log/messages"); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };
log { source(src); destination(authlog); };
log { source(src); destination(syslog); };
log { source(src); destination(user); };
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
Note that the sample file contains filter sections. If you do not know what these are for, man syslog-ng. If you need them, follow the sample: add the filter sections first, then add the corresponding entries in the log sections. If you do not need them, do as I did: copy in the content you want logged directly and drop the filter sections.
Update: I checked today and the contents of several logs seem almost the same; syslog and auth record duplicate material, presumably because no filter was defined. So I changed it as follows (filter sections added):
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.5 2005/05/12 05:46:10 mr_bones_ Exp $#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett
options {
chain_hostnames(off);
sync(0);
# The default action of syslog-ng 1.6.0 is to log a STATS line
# to the file every 10 minutes. That's pretty ugly after a while.
# Change it to every 12 hours so you get a nice daily update of
# how many messages syslog-ng missed (0).
stats(43200);
};
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination user { file("/var/log/user.log"); };
destination messages { file("/var/log/messages"); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_user { facility(user); };
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_user); destination(user); };
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
Set up iptables logging as follows:
vi /etc/syslog-ng/syslog-ng.conf
destination kern { file("/var/log/iptables.log"); };
filter f_kern { facility(kern); };
log { source(src); filter(f_kern); destination(kern); };
Save and exit.
Run in the shell:
/etc/init.d/syslog-ng reload
iptables -A INPUT -p icmp -j LOG --log-level debug --log-prefix "This is a test!"
Check:
tail -f /var/log/iptables.log
The output looks something like this:
Jun 8 19:42:02 localhost szkingrose test---------IN=eth0 OUT= MAC=00:15:58:10:6f:70:00:18:39:84:7a:bc:08:00 SRC=59.151.18.182 DST=192.168.1.251 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=20409 PROTO=ICMP TYPE=0 CODE=0 ID=2371 SEQ=5
Jun 8 19:42:02 localhost szkingrose test---------IN=eth0 OUT= MAC=00:15:58:10:6f:70:00:1b:fc:1a:09:c7:08:00 SRC=192.168.1.122 DST=192.168.1.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=59970 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=19727
Jun 8 19:42:03 localhost szkingrose test---------IN=eth0 OUT= MAC=00:15:58:10:6f:70:00:1b:fc:1a:09:c7:08:00 SRC=192.168.1.122 DST=192.168.1.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=59973 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=19983
Jun 8 19:42:04 localhost szkingrose test---------IN=eth0 OUT= MAC=00:15:58:10:6f:70:00:1b:fc:1a:09:c7:08:00 SRC=192.168.1.122 DST=192.168.1.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=59976 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=20239
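Once kernel messages land in /var/log/iptables.log as above, the next step is reading them. The following Python parser is an added example, not part of the original post; it takes the four lines shown above as sample input, splits each iptables LOG line into its KEY=VALUE fields (handling the repeated ID= field, which is the IP header ID the first time and the ICMP echo identifier the second), and counts packets per source so that a scan or ping flood stands out.

```python
import re
from collections import Counter

# Sample input: the four lines from /var/log/iptables.log shown above.
SAMPLE_LOG = """\
Jun 8 19:42:02 localhost szkingrose test---------IN=eth0 OUT= MAC=00:15:58:10:6f:70:00:18:39:84:7a:bc:08:00 SRC=59.151.18.182 DST=192.168.1.251 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=20409 PROTO=ICMP TYPE=0 CODE=0 ID=2371 SEQ=5
Jun 8 19:42:02 localhost szkingrose test---------IN=eth0 OUT= MAC=00:15:58:10:6f:70:00:1b:fc:1a:09:c7:08:00 SRC=192.168.1.122 DST=192.168.1.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=59970 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=19727
Jun 8 19:42:03 localhost szkingrose test---------IN=eth0 OUT= MAC=00:15:58:10:6f:70:00:1b:fc:1a:09:c7:08:00 SRC=192.168.1.122 DST=192.168.1.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=59973 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=19983
Jun 8 19:42:04 localhost szkingrose test---------IN=eth0 OUT= MAC=00:15:58:10:6f:70:00:1b:fc:1a:09:c7:08:00 SRC=192.168.1.122 DST=192.168.1.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=59976 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=20239
"""

# iptables LOG fields are upper-case KEY=VALUE tokens; VALUE may be empty (OUT=).
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_iptables_line(line):
    """Parse one iptables LOG line into a dict of its KEY=VALUE fields.

    Everything before the first 'IN=' is the syslog header plus the
    --log-prefix text and is kept under 'prefix'. The IP header's ID=
    comes first; for ICMP a second ID= (the echo identifier) follows
    PROTO=ICMP, so a repeated key is stored as '<PROTO>_<KEY>' rather
    than overwriting the first. Returns None for non-iptables lines.
    """
    start = line.find("IN=")
    if start < 0:
        return None
    fields = {"prefix": line[:start].strip()}
    for key, value in FIELD_RE.findall(line[start:]):
        if key in fields:
            key = f"{fields.get('PROTO', 'L4')}_{key}"
        fields[key] = value
    return fields


def count_by_source(log_text):
    """Count logged packets per (SRC, PROTO, TYPE) tuple."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_iptables_line(line)
        if fields is None:
            continue
        counts[(fields["SRC"], fields.get("PROTO", "?"), fields.get("TYPE", "-"))] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, ptype), n in count_by_source(SAMPLE_LOG).most_common():
        print(f"{src:15} {proto:5} type={ptype:3} packets={n}")
```

Pipe `tail -f /var/log/iptables.log` into a loop around `parse_iptables_line` to run the same check live; ICMP TYPE=8 is an echo request and TYPE=0 an echo reply.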