1. 서버 설치
- 기존에 있는 syslog 나 rsyslog 삭제 후 진행
1) syslog-ng 설치
- 아래와 같이 해당되는 패키지를 설치 (각 3개)
eventlog-0.2.12-1.el5.i386.rpm
libnet-1.1.5-1.el5.i386.rpm
syslog-ng-2.1.4-9.el5.i386.rpm
---------------------------------------
syslog-ng-2.1.4-9.el5.x86_64.rpm
eventlog-0.2.12-1.el5.x86_64.rpm
libnet-1.1.5-1.el5.x86_64.rpm
2) 클라이언트 서버(로그전송할 서버)
# vi /etc/syslog-ng/syslog-ng.conf
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# 20000925 gb@sysfive.com
#
# - totally do away with klogd
# - add message "kernel:" as is done with klogd.
#
# Updated by Frank Crawford (<Frank.Crawford@ac3.com.au>) - 22 Aug 2002
# - use the log_prefix option as per Balazs Scheidler's email
#
# Global options for the forwarding (client) side.
options { sync (0);
# retry a failed destination (e.g. the remote log server) after 10 seconds
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
# DNS lookups are enabled here; a slow or unreachable resolver can stall
# message processing — confirm this is wanted on a client that only forwards.
use_dns (yes);
#use_dns (no);
use_fqdn (no);
create_dirs (yes);
# keep_hostname(no): the host field is rewritten by syslog-ng rather than
# taken from the message as received (the server side uses the opposite setting).
keep_hostname (no);
#keep_hostname (yes);
};
# Local inputs: kernel ring buffer (prefixed "kernel: " in place of klogd), the
# /dev/log socket, and syslog-ng's own internal messages.
source s_sys { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };
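# Local file destinations (RedHat syslog layout).
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
# maillog is created world-readable (0644); tighten if that is not intended.
destination d_mail { file("/var/log/maillog" perm(0644)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
#destination d_http_access { file("/var/log/http/access_log"); };
#destination d_http_error { file("/var/log/http/error_log"); };
destination d_mlal { usertty("*"); };
destination d_xinetd { file("/var/log/xinetd.log"); };
# Added: forward to the central log server over plain UDP/514.
# (The original carried a trailing "// 추가" annotation; syslog-ng's documented
# comment marker is "#", so it is moved here to keep the statement parseable.)
# UDP syslog is unauthenticated, unencrypted and lossy: the receiver cannot
# verify the sender, and messages are silently dropped under load or on a
# network fault. Prefer tcp() where the server accepts it, and restrict the
# path with host/network firewall rules to the known client range.
destination d_logsrv { udp("192.168.0.93" port(514)); };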
# Filters (numbered after the RedHat syslog.conf rules they replace).
# kernel messages
filter f_filter1 { facility(kern); };
# info and above, minus what has its own file below (mail, authpriv, cron, httpd)
filter f_filter2 { level(info) and not (facility(mail) or facility(authpriv) or facility(cron) or match("httpd\\: "));
};
# authentication / authorization
filter f_filter3 { facility(authpriv); };
# all of facility mail
filter f_filter4 { facility(mail); };
# facility mail without spamc/spamd lines
filter f_filter40 { facility(mail) and not match("spam[c-d]\\["); };
# emergencies (delivered to all logged-in users via d_mlal)
filter f_filter5 { level(emerg); };
# uucp, and critical news
filter f_filter6 { facility(uucp) or
(facility(news) and level(crit)); };
# local7 (boot messages) excluding httpd error lines
filter f_filter7 { facility(local7) and not match("httpd\\[.+ \\[error\\] ");};
# cron
filter f_filter8 { facility(cron); };
# local2 — forwarded only, no local file in this configuration
filter f_filter9 { facility(local2); };
#filter f_http_access { match("httpd\\: "); };
#filter f_http_error { facility(local7) and match("httpd\\[.+ \\[error\\] "); };
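# Routing: each filter is written locally and, where a second line exists,
# also forwarded to the central log server (d_logsrv).
log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter1); destination(d_logsrv); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter2); destination(d_logsrv); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter3); destination(d_logsrv); };
# Locally the spamc/spamd lines are dropped (f_filter40) while the forwarded
# copy carries all of facility mail (f_filter4); presumably intentional — confirm.
log { source(s_sys); filter(f_filter40); destination(d_mail); };
log { source(s_sys); filter(f_filter4); destination(d_logsrv); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
# The original listed this statement twice, so every uucp/news entry was
# delivered to /var/log/spooler twice; one copy is enough.
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };
log { source(s_sys); filter(f_filter8); destination(d_logsrv); };
# local2 (f_filter9) is forwarded only; it has no local file.
log { source(s_sys); filter(f_filter9); destination(d_logsrv); };
# Not forwarded to d_logsrv: emerg (f_filter5), uucp/news (f_filter6), local7 (f_filter7).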
# /etc/init.d/syslog-ng restart
3) 로그 서버(로그전송받을 서버)
# mkdir /var/log/HOSTS    # 로그쌓일 디렉토리생성
# vi /etc/syslog-ng/syslog-ng.conf
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# 20000925 gb@sysfive.com
#
# Updated by Frank Crawford (<Frank.Crawford@ac3.com.au>) - 10 Aug 2002
# - for Red Hat 7.3
# - totally do away with klogd
# - add message "kernel:" as is done with klogd.
#
# Updated by Frank Crawford (<Frank.Crawford@ac3.com.au>) - 22 Aug 2002
# - use the log_prefix option as per Balazs Scheidler's email
#
# Global options for the collecting (server) side.
options { sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
# no reverse lookups of the sending clients
use_dns (no);
use_fqdn (no);
# needed by the per-host destinations below ($HOST/$YEAR.$MONTH/...)
create_dirs (yes);
#keep_hostname (no);
# keep_hostname(yes): the host name carried inside the received message is
# preserved, so $HOST in the file paths below is whatever the sender put there.
keep_hostname (yes);
};
# Local inputs of the log server itself (kernel ring buffer, /dev/log, internal).
source s_sys { pipe ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); internal(); };
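# Local file destinations for the server's own messages (RedHat syslog layout).
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
# maillog is created world-readable (0644); tighten if that is not intended.
destination d_mail { file("/var/log/maillog" perm(0644)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
# The original read "estination d_cron" (missing "d"), a syntax error that
# keeps syslog-ng from loading the whole file.
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };
destination d_xinetd { file("/var/log/xinetd.log"); };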
# Filters; the same set is applied to local messages and to messages received
# from the clients (see the s_aplusit log statements below).
# kernel messages
filter f_filter1 { facility(kern); };
# info and above, minus what has its own file (mail, authpriv, cron, httpd)
filter f_filter2 { level(info) and not (facility(mail) or facility(authpriv) or facility(cron) or match("httpd\\: "));
};
# authentication / authorization
filter f_filter3 { facility(authpriv); };
# all of facility mail
filter f_filter4 { facility(mail); };
# facility mail without spamc/spamd lines
filter f_filter40 { facility(mail) and not match("spam[c-d]\\["); };
# emergencies
filter f_filter5 { level(emerg); };
# uucp, and critical news
filter f_filter6 { facility(uucp) or
(facility(news) and level(crit)); };
# local7 (boot messages) excluding httpd error lines
filter f_filter7 { facility(local7) and not match("httpd\\[.+ \\[error\\] ");};
# cron
filter f_filter8 { facility(cron); };
# local2
filter f_filter9 { facility(local2); };
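# Routing of the server's own local messages.
log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter40); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
# The original listed this statement twice, so every uucp/news entry was
# delivered to /var/log/spooler twice; one copy is enough.
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };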
## add config
# Receiver for logs forwarded by the clients: plain UDP on 514, bound to every
# interface (0.0.0.0). Nothing on this path authenticates the sender, so any
# host that can reach the port can inject or spoof entries, and lost datagrams
# are not detected. Bind to the management address instead and firewall the
# port to the known client range; use a tcp() source if the clients can send TCP.
source s_aplusit {
udp(ip(0.0.0.0) port(514));
};
# Per-client files under /var/log/HOSTS, one directory per host and month
# (directories are created on demand by create_dirs(yes) above).
# Because keep_hostname(yes) is set, $HOST is the host name written into the
# message by the sender, not the peer address observed by this server — the
# directory name is chosen by whoever sends to udp/514. If the installed
# version provides $HOST_FROM (the resolved sending peer), it is the more
# trustworthy choice for the path. The file and directory modes fall back to
# the syslog-ng defaults here; add perm()/dir_perm() if collected logs should
# not be readable by local users — TODO confirm the defaults of this version.
destination d_filter1 { file ("/var/log/HOSTS/$HOST/$YEAR.$MONTH/kern/kern-$DAY"); };
destination d_filter2 { file ("/var/log/HOSTS/$HOST/$YEAR.$MONTH/message/message-$DAY"); };
destination d_filter3 { file ("/var/log/HOSTS/$HOST/$YEAR.$MONTH/auth/auth-$DAY"); };
destination d_filter4 { file ("/var/log/HOSTS/$HOST/$YEAR.$MONTH/mail/mail-$DAY"); };
destination d_filter5 { file ("/var/log/HOSTS/$HOST/$YEAR.$MONTH/tty/tty-$DAY"); };
destination d_filter6 { file ("/var/log/HOSTS/$HOST/$YEAR.$MONTH/spool/spool-$DAY"); };
destination d_filter7 { file ("/var/log/HOSTS/$HOST/$YEAR.$MONTH/boot/boot-$DAY"); };
destination d_filter8 { file ("/var/log/HOSTS/$HOST/$YEAR.$MONTH/cron/cron-$DAY"); };
destination d_filter9 { file ("/var/log/HOSTS/$HOST/$YEAR.$MONTH/filter9/filter9-$DAY"); };
# Routing of received client messages: filter N goes to d_filterN. Received
# messages are classified with the same filters as local ones; note that the
# client forwards only f_filter1/2/3/4/8/9, so the filter5/6/7 files fill only
# if a client is later configured to send them.
log { source (s_aplusit); filter(f_filter1); destination (d_filter1);};
log { source (s_aplusit); filter(f_filter2); destination (d_filter2);};
log { source (s_aplusit); filter(f_filter3); destination (d_filter3);};
log { source (s_aplusit); filter(f_filter4); destination (d_filter4);};
log { source (s_aplusit); filter(f_filter5); destination (d_filter5);};
log { source (s_aplusit); filter(f_filter6); destination (d_filter6);};
log { source (s_aplusit); filter(f_filter7); destination (d_filter7);};
log { source (s_aplusit); filter(f_filter8); destination (d_filter8);};
log { source (s_aplusit); filter(f_filter9); destination (d_filter9);};
# /etc/init.d/syslog-ng restart