一、安装 YUM
1、mount /dev/cdrom /mnt
2.vim /usr/lib/python2.4/site-packages/yum/yumRepo.py +411
remote='/mnt/Server' + '/' + relative
3. vim /etc/yum.repos.d/rhel-debuginfo.repo
[rhel-debuginfo]
name=red hat
baseurl=file:///mnt/Server
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
4.yum list available
5.yum install install-rpm
二、安装gcc
#yum -y install gcc
#yum -y install openssl*
#rpm -qa|grep openssl
CODE:
openssl097a-0.9.7a-9.el5_2.1
openssl-0.9.8b-10.el5_2.1
openssl-devel-0.9.8b-10.el5_2.1
openssl-perl-0.9.8b-10.el5_2.1
安装glib:
#wget http://ftp.gnome.org/pub/gnome/sources/glib/2.12/glib-2.12.3.tar.gz
#tar zxvf glib-2.12.3.tar.gz
#cd glib-2.12.3
#./configure --prefix=/usr && make && make install
三、安装syslog-ng
[root@server2 ~]# cd /usr/local/src/tarbag/
[root@server2 tarbag]# wget http://www.balabit.com/downloads/files/eventlog/0.2/eventlog_0.2.9.tar.gz
[root@server2 tarbag]# tar -zxvf eventlog_0.2.9.tar.gz -C ../software/
[root@server2 tarbag]# cd ../software/eventlog-0.2.9/
[root@server2 eventlog-0.2.9]# ./configure
[root@server2 eventlog-0.2.9]# ls /usr/local/eventlog/
include
[root@server2 syslog-ng-3.0.5]# cd -
/usr/local/src/tarbag
[root@server2 tarbag]# wget http://www.balabit.com/downloads/files/libol/0.3/libol-0.3.9.tar.gz
[root@server2 tarbag]# tar -zxvf libol-0.3.9.tar.gz -C ../software/
[root@server2 tarbag]# cd ../software/libol-0.3.9/
[root@server2 libol-0.3.9]# ./configure --prefix=/usr/local/libol && make && make install
[root@server2 libol-0.3.9]# ls /usr/local/libol/
bin
[root@server2 tarbag]# wget http://www.balabit.com/downloads/files/syslog-ng/sources/3.0.5/source/syslog-ng_3.0.5.tar.gz
[root@server2 tarbag]# tar -zxvf syslog-ng_3.0.5.tar.gz -C ../software/
[root@server2 tarbag]# cd ../software/syslog-ng-3.0.5/
[root@server2 syslog-ng-3.0.5]#
[root@server2 syslog-ng-3.0.5]# ./configure --prefix=/usr/local/syslog-ng --with-libol=/usr/local/libol && make && make install
configure: error: Cannot find eventlog version >= 0.2: is pkg-config in path? (若出现这个错误,基本上是由于前面的PKG_CONFIG_PATH变量没指定好)
[root@server2 syslog-ng-3.0.5]# ls /usr/local/syslog-ng/
bin
[root@server2 syslog-ng-3.0.5]# mkdir /usr/local/syslog-ng/etc
[root@server2 syslog-ng-3.0.5]# mkdir /usr/local/syslog-ng/var
[root@server2 syslog-ng-3.0.5]# cp contrib/syslog-ng.conf.RedHat
[root@server2 syslog-ng-3.0.5]# cp contrib/init.d.RedHat-7.3 /etc/init.d/syslog-ng
[root@server2 syslog-ng-3.0.5]# cd /usr/local/syslog-ng/etc/
[root@server2 etc]# mv syslog-ng.conf.RedHat syslog-ng.conf
[root@server2 etc]# cat syslog-ng.conf
@version:3.0
options {
long_hostnames(off);
log_msg_size(8192);
flush_lines(1);
log_fifo_size(20480);
time_reopen(10);
use_dns(yes);
dns_cache(yes);
use_fqdn(yes);
keep_hostname(yes);
chain_hostnames(no);
perm(0644);
stats_freq(43200);
};
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };
source s_local {
};
filter f_messages { level(info..emerg); };
filter f_secure { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_emerg { level(emerg); };
filter f_spooler { level(crit..emerg) and facility(uucp, news); };
filter f_local7 { facility(local7); };
destination d_messages { file("/var/log/messages"); };
destination d_secure { file("/var/log/secure"); };
destination d_maillog { file("/var/log/maillog"); };
destination d_cron { file("/var/log/cron"); };
destination d_console { usertty("root"); };
destination d_spooler { file("/var/log/spooler"); };
destination d_bootlog { file("/var/log/dmesg"); };
log { source(s_local); filter(f_emerg); destination(d_console); };
log { source(s_local); filter(f_secure); destination(d_secure); flags(final); };
log { source(s_local); filter(f_mail); destination(d_maillog); flags(final); };
log { source(s_local); filter(f_cron); destination(d_cron); flags(final); };
log { source(s_local); filter(f_spooler); destination(d_spooler); };
log { source(s_local); filter(f_local7); destination(d_bootlog); };
log { source(s_local); filter(f_messages); destination(d_messages); };
# Remote logging
source s_remote {
};
//定义客户端日志在服务器上保存的格式,位置和权限等
destination r_console {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_secure {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_cron {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_spooler {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_bootlog {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
destination r_messages {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));};
log { source(s_remote); filter(f_emerg); destination(r_console); };
log { source(s_remote); filter(f_secure); destination(r_secure); flags(final); };
log { source(s_remote); filter(f_cron); destination(r_cron); flags(final); };
log { source(s_remote); filter(f_spooler); destination(r_spooler); };
log { source(s_remote); filter(f_local7); destination(r_bootlog); };
log { source(s_remote); filter(f_messages); destination(r_messages); };
[root@server2 etc]# chmod +x /etc/init.d/syslog-ng
[root@server2 etc]# chkconfig --add syslog-ng
[root@server2 etc]# vim /etc/init.d/syslog-ng
SYSLOGNG_PATH=":/usr/local/sbin:/usr/local/syslog-ng/sbin"
if [ -f /etc/sysconfig/syslog-ng ] ; then
else
fi
[root@server2 etc]# service syslog-ng start
Starting syslog-ng: /usr/local/syslog-ng/sbin/syslog-ng: error while loading shared libraries: libevtlog.so.0: cannot open shared object file: No such file or directory
Starting Kernel Logger: 出现此错误是因为共享库链接没做好
[root@server2 etc]# ln -s /usr/local/eventlog/lib/* /lib/
出现下面的问题是因为主配置文件中缺少:@version:3.0这行
Starting syslog-ng: Configuration file has no version number, assuming syslog-ng 2.1 format. Please add @version: maj.min to the beginning of the file;
客户端配置:
[root@client ~]# tail -1 /etc/syslog.conf
*.*
[root@client ~]# logger -i just one test
[root@client ~]# tail -1 /var/log/messages
Jan 27 22:12:02 client root[2861]: just one test
[root@server2 ~]# cat /var/log/syslog-ng/20100128/192.168.10.70/messages
Jan 28 04:24:32 192.168.90.10 root[2861]: just one test
[root@server2 ~]# cat /var/log/syslog-ng/20100128/192.168.10.70/secure
Jan 28 04:01:04 192.168.90.10 sshd[2832]: Accepted publickey for root from 192.168.90.1 port 48834 ssh2
Jan 28 04:01:04 192.168.90.10 sshd[2832]: pam_unix(sshd:session): session opened for user root by (uid=0)
安装MYSQL apache phpmyadmin php vsftp
yum -y install vsftpd
yum -y install mysql-*
yum -y install apache-*
yum -y install php-*
chkconfig --level 23456 mysql on
chkconfig --level 23456 apache on
chkconfig --level 23456 vsftpd on
前面配置好了syslog-ng,下面简要的概述下如何将系统日志存入mysql
1:将mysql的头文件和库文件链接到/usr/local下
[root@server2 ~]# ln -s /usr/lib/mysql /usr/local/lib/mysql
[root@server2 ~]# ln -s /usr/include/mysql/ /usr/local/include
[root@server2 ~]# cd /usr/local/src/software/sqlsyslogd
[root@server2 ~]# cd /usr/local/src/software/sqlsyslogd
2:下载sqlsyslogd源码包,由于是整个目录下载,所以会下载index.html打头的索引文件
[root@server2 software]# wget -d -r -np http://www.frasunek.com/sources/security/sqlsyslogd/
[root@server2 software]# cd www.frasunek.com/sources/security/sqlsyslogd/
[root@server2 sqlsyslogd]# rm -rf index.html*
[root@server2 sqlsyslogd]# cd contrib/
[root@server2 contrib]# rm -rf index.html*
[root@server2 contrib]# cd
[root@server2 ~]# mv /usr/local/src/software/www.frasunek.com/sources/security/sqlsyslogd/ /usr/
local/src/software/
3:make,复制sqlsyslogd二进制程序到/usr/local/sbin目录下
[root@server2 ~]# cd /usr/local/src/software/sqlsyslogd/
[root@server2 sqlsyslogd]# make
cc -O6 -Wall -pipe -I/usr/local/include -DCONF=\"/usr/local/etc/sqlsyslogd.conf\" -L/usr/local/lib/mysql -lmysqlclient sqlsyslogd.c
[root@server2 sqlsyslogd]# cp sqlsyslogd /usr/local/sbin/
4:执行下sqlsyslogd程序,出现下面的命令选项则说明安装成功
[root@server2 sqlsyslogd]# sqlsyslogd
usage: sqlsyslogd [-h hostname] <-u username> [-p] <-t table> [database]
5:修改/etc/ld.so.conf文件,并使其生效,这个文件维护着编译的动态链接库位置
[root@server2 sqlsyslogd]# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/lib/mysql
[root@server2 sqlsyslogd]# ldconfig
修改 sqlsyslogd.sql
文件:
# vi sqlsyslogd.sql
create database sqlsyslogd;
use sqlsyslogd;
);
use mysql;
create user sqlsyslogd@localhost identified by ‘foo’;
flush privileges;
# mysql –u root –p < sqlsyslogd.sql
# vi /usr/local/etc/sqlsyslogd.conf
foo
修改 syslog-ng.conf 文件,添加下面几行:
destination mysql {
program(“/usr/local/sbin/sqlsyslogd –u sqlsyslogd –t logs sqlsyslogd –p”);
log {
source(all);
};
重启 syslog-ng: # pkill –SIGHUP syslog-ng
验证:现在你应该可以通过 MySQL 客户端软件查看日志了。
root@server2 sqlsyslogd]# tail -1 /var/log/syslog-ng/20100226/192.168.90.1/messages
Feb 26 14:25:47 192.168.90.1 root[6058]: just for fun
4.安装 logcheck 和 newlogcheck:
http://sourceforge.net/project/showfiles.php?group_id=100960
下载 logcheck,
http://www.campin.net/download/newlogcheck.tgz
下载 newlogcheck.tgz
# mkdir –p /usr/local/logcheck/bin /usr/local/logcheck/etc /usr/local/logcheck/tmp
#tar zvxf logcheck-1.1.2.tar.gz
# cd logcheck-1.1.2
修改 Makefile 文件,将其中:
CODE:
INSTALLDIR = /usr/local/etc
INSTALLDIR_BIN = /usr/local/bin
INSTALLDIR_SH = /usr/local/etc
TMPDIR = /usr/local/etc/tmp改为:
CODE:
INSTALLDIR = /usr/local/logcheck/etc
INSTALLDIR_BIN = /usr/local/logcheck/bin
INSTALLDIR_SH = /usr/local/logcheck/etc
TMPDIR = /usr/local/logcheck/etc/tmp
# make linux
修改/usr/local/logcheck/logcheck.sh文件:
CODE:
LOGTAIL=/usr/local/bin/logtail
TMPDIR=/usr/local/etc/tmp
HACKING_FILE=/usr/local/etc/logcheck.hacking
VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
IGNORE_FILE=/usr/local/etc/logcheck.ignore改为:
CODE:
LOGTAIL=/usr/local/logcheck/bin/logtail
TMPDIR=/usr/local/logcheck/etc/tmp
HACKING_FILE=/usr/local/logcheck/etc/logcheck.hacking
VIOLATIONS_FILE=/usr/local/logcheck/etc/logcheck.violations
VIOLATIONS_IGNORE_FILE=/usr/local/logcheck/etc/logcheck.violations.ignore
IGNORE_FILE=/usr/local/logcheck/etc/logcheck.ignore
#tar zvxf newlogcheck.tgz
# cd newlogcheck
#cp *\.* /usr/local/logcheck/etc/
配置:根据logcheck各个文件的位置修改 /usr/local/logcheck/etc/目录下的 newlogcheck.sh 和 sort_logs.pl
#vi /usr/local/logcheck/etc/newlogcheck.sh
CODE:
SYSADMIN=root,***@***.com
LOGTAIL=/usr/local/logcheck/bin/logtail
BASEDIR=/usr/local/logcheck
# vi /usr/local/logcheck/etc/sort_logs.pl
CODE:
my $LOGCHECK_DIR = "/usr/local/logcheck";
# mkdir /usr/local/logcheck/tmp/hosts
测试:
# /usr/local/logcheck/etc/newlogcheck.sh
如果安装正常,你应该收到一封e-mail, 现在你可以添加一个crontab 来自动化logcheck日志
# crontab –e
…………
0 0 * * * /usr/local/logcheck/etc/newlogcheck.sh
从
http://download.splunk.com/relea ... 1113-Linux-i686.tgz下载splunk
wget http://download.splunk.com/releases/3.4.9/linux/splunk-3.4.9-57762-Linux-i686.tgz
tar -zxvf splunk-3.4.9-57762-Linux-i686.tgz
cd ..
mv splunk /usr/local
cd /usr/local/splunk/bin
./splunk enable boot-start
/etc/init.d/splunk start
