
SYSLOG

I. Concept:
Syslog-ng is a highly efficient and flexible log collection tool. It is an application that lets you build a logging system that scales well and adapts easily, and it is currently the first choice for building a centralized log management system. Syslog-ng can be described as a greatly extended successor to its predecessor, syslogd. It is used to manage messages and to perform centralized log collection. Devices and other hosts, called syslog-ng clients, all run syslog-ng and collect log messages from various applications or other sources. The clients send all important log messages to a central syslog-ng server, which classifies and stores them.

II. Purpose:
Log messages contain information about events occurring on the hosts. Monitoring the events on a system is essential for finding the causes of security incidents and system problems.

III. Advantages and disadvantages:
1. Advantages:

Reliable log transfer: logs from different servers can be collected and stored centrally on dedicated log servers. Logs are transferred over TCP, which ensures that packets are not lost in transit.

Secure logging using SSL/TLS: log records can contain information that must not be accessible to others, so syslog-ng has the advantage of using the TLS (Transport Layer Security) protocol to encrypt it. TLS also allows mutual authentication between host and server using X.509 certificates.

Disk-based message buffering: syslog-ng stores messages on the hard disk if the central log server or the network connection fails. It automatically sends the stored messages to the server once the connection is re-established, in the order they were received. The disk buffer is persistent, so no messages are lost even if syslog-ng is restarted.

Direct database access: storing log messages in a database makes searching and querying the messages easy and compatible with log analysis applications. Syslog-ng supports the following databases: MSSQL, MySQL, Oracle and PostgreSQL.

Heterogeneous environments: syslog-ng is the ideal choice for collecting logs in heterogeneous environments that use various operating systems and hardware platforms, including Linux, BSD, Sun Solaris, HP-UX, AIX and other Unix systems.

Filter and classify: syslog-ng can classify log messages based on various parameters such as source host, application and priority. Directories, files and database tables can be created automatically by using macros in their names. Complex filtering using regular expressions and Boolean operators offers almost unlimited flexibility in forwarding only the important log messages to the selected destinations.

IPv4 and IPv6 support: syslog-ng can operate on both IPv4 and IPv6; it can receive and send messages on both kinds of network.

2. Disadvantages:
Syslog-ng is not a log analysis application, so it can only filter log messages that match a set of predefined criteria. It cannot interpret or analyze the meaning behind the log messages, nor recognize patterns emerging from different messages.

IV. How syslog-ng collects log messages

1. A device or application that is a syslog-ng client writes log messages to a source on that client.

Example: an Apache server (syslog-ng client) running on Linux writes its log messages to the /var/log/apache directory.

[Figure: client 192.168.1.1 writing log messages to /var/log/apache]

2. Syslog-ng on the syslog-ng client (the Apache server) reads the log file containing the log messages (/var/log/apache) on the client and processes them.

[Figure: processing on the syslog-ng client 192.168.1.1. Log messages from /var/log/apache and /var/x/y/z enter a source, pass through the log path and its filter, and leave for the destinations (source 192.168.1.1; destinations 192.168.55.0, 172.10x.y.z, 125.x.y.z, 165.x.y.z, 25.x.y.z).]

The figure above describes how the syslog-ng client works before delivering log messages to the syslog-ng server. Here, syslog-ng processes the log messages and forwards them to the syslog-ng server defined in the log path. A log path consists of one or more sources and destinations. Log messages from a source are sent to every destination listed in the log path. Before a log message is sent, it must pass through a syslog-ng filter. A filter is quite similar to a firewall: it consists of rule sets used to select the log messages most suitable to send to the syslog-ng server. Filters help keep the log file system from becoming congested and filled with junk information. A log path can include filters.
3. When log messages arrive at the syslog-ng server, they are processed and delivered to the destinations on the server (local destinations) configured in its log path.

[Figure: syslog-ng server with its own filter and log path]

V. Operating modes:

1. Client mode:

In this mode, syslog-ng collects log messages from the syslog-ng client and forwards them over the network to a syslog-ng server or to a relay.

Clients can also log messages locally. This mode does not require a license file. The license file determines the number of hosts that can connect.

2. Relay mode:

In this mode, syslog-ng receives log messages over the network from syslog-ng clients and forwards them over the network to a syslog-ng server. Relays can also log messages locally on the relay host, or forward them to the central syslog-ng server.

A relay cannot store the log messages received from the network in local storage; it can only write log messages to disk when its buffer memory is exhausted. This mode also does not require a license file.

3. Server mode:

In this mode, syslog-ng acts as a central log message collector. It collects log messages from the network, stores them on the server and forwards them to other applications. Whether syslog-ng running in this mode needs a license depends on the edition used (the Premium Edition requires a license file; the Open Source Edition does not).

VI. Structure of log messages:

There are two syslog message formats. The old standard, described in RFC 3164, is also called BSD-syslog or the legacy-syslog protocol. The new standard, described in RFC 5424, is also called the IETF-syslog protocol. IETF-syslog messages: a syslog message consists of the following parts: HEADER (including PRI), STRUCTURED-DATA and MSG.

A message is formatted as follows:

Example:

The HEADER part of the message must be in ASCII format, the STRUCTURED-DATA part must be UTF-8, and the MSG part should be UTF-8.

1. The PRI part of the message:

This part carries the Priority value, which represents the Facility and Severity of the message. Facility indicates which part of the system sent the message, and Severity marks its importance. The Priority value is calculated as follows: Priority = Facility * 8 + Severity

Table of facility and severity values:

2. HEADER:
This part consists of the following fields:
VERSION: the version number of the syslog protocol standard.
ISOTIMESTAMP: the time the message was processed, in ISO 8601 compatible format: yyyy-mm-ddThh:mm:ss+-ZONE. Example: 2006-06-13T15:58:00.123+01:00
HOSTNAME: the name of the device that originally sent the message.
APPLICATION: the device or application that processed the message.
PID: the process name or process ID of the syslog application that sent the message.
MESSAGEID: the ID number of the message.

3. STRUCTURED-DATA
This part may contain meta-information about the syslog message or application-specific information such as traffic counters or IP addresses.

4. MSG
This part contains the text of the message.
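To make the RFC 5424 structure of section VI and the log-path mechanism of section IV concrete, here is an added example that is not part of the original document: a Python parser that splits a message into PRI (decoded into facility and severity with the formula Priority = Facility * 8 + Severity), the HEADER fields, STRUCTURED-DATA and MSG, and then feeds the parsed messages through a small model of syslog-ng's source, filter and destination log paths. The facility and severity codes are those of RFC 5424; the sample log lines, host names and destination paths are constructed for the demonstration, and the Destination, LogPath and level_filter names are the example's own, not syslog-ng's API.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
# Facility and severity codes from RFC 5424 (PRI = facility * 8 + severity); short names follow
# common syslog-ng usage, codes 13-15 are named differently by some tools.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# HEADER: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, single-space separated.
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
                       r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) ")
# One STRUCTURED-DATA element [SD-ID name="value" ...]; values escape " ] \ with a backslash.
SD_ELEMENT_RE = re.compile(r'\[(?P<sdid>[^\s\]=]+)(?P<params>(?: [^\s=]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'(?P<name>[^\s=]+)="(?P<value>(?:[^"\\]|\\.)*)"')

@dataclass
class SyslogMessage:
    facility: str
    severity: str
    header: Dict[str, str]                  # version, timestamp, hostname, appname, procid, msgid
    structured_data: Dict[str, Dict[str, str]]
    msg: str

def decode_pri(pri: int):
    """Invert Priority = Facility * 8 + Severity into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_rfc5424(line: str) -> SyslogMessage:
    """Split one IETF-syslog line into PRI, HEADER fields, STRUCTURED-DATA and MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header: " + line[:40])
    facility, severity = decode_pri(int(m.group("pri")))
    rest, sd = line[m.end():], {}
    if rest.startswith("-"):            # NILVALUE: no structured data
        rest = rest[1:]
    while rest.startswith("["):         # SD elements follow each other without spaces
        e = SD_ELEMENT_RE.match(rest)
        if not e:
            raise ValueError("malformed STRUCTURED-DATA: " + rest[:40])
        sd[e.group("sdid")] = {p.group("name"): re.sub(r'\\(["\]\\])', r"\1", p.group("value"))
                               for p in SD_PARAM_RE.finditer(e.group("params"))}
        rest = rest[e.end():]
    msg = rest[1:] if rest.startswith(" ") else rest
    if msg.startswith("\ufeff"):        # optional BOM marks MSG as UTF-8
        msg = msg[1:]
    header = {k: v for k, v in m.groupdict().items() if k != "pri"}
    return SyslogMessage(facility, severity, header, sd, msg)

@dataclass
class Destination:
    name: str
    messages: List[SyslogMessage] = field(default_factory=list)

@dataclass
class LogPath:
    """Model of a syslog-ng log statement: each message passing the filter (every message when there is none) goes to every listed destination."""
    destinations: List[Destination]
    filter: Optional[Callable[[SyslogMessage], bool]] = None

def level_filter(least_severe: str):
    threshold = SEVERITIES.index(least_severe)   # lower code = more severe
    return lambda m: SEVERITIES.index(m.severity) <= threshold

def route(lines: List[str], log_paths: List[LogPath]) -> List[SyslogMessage]:
    parsed = [parse_rfc5424(line) for line in lines]
    for msg in parsed:                  # a message enters every path whose filter accepts it
        for path in log_paths:
            if path.filter is None or path.filter(msg):
                for dest in path.destinations:
                    dest.messages.append(msg)
    return parsed

# Constructed sample messages: hosts, addresses and content are invented for this demonstration.
SAMPLE_LINES = [
    '<38>1 2006-06-13T15:58:00.123+01:00 web01 sshd 2113 ID47 [origin ip="192.0.2.10"] '
    'Accepted publickey for deploy from 192.0.2.10 port 50122',
    '<35>1 2006-06-13T15:58:02.004+01:00 web01 sshd 2113 ID48 [origin ip="192.0.2.77"][meta sequenceId="17"] '
    'Failed password for invalid user admin from 192.0.2.77',
    '<13>1 2006-06-13T16:00:01+01:00 web01 httpd 910 - - GET /index.html HTTP/1.1 200',
    '<165>1 2006-06-13T16:00:05Z db01 evntslog - ID49 [exampleSDID@32473 iut="3" eventSource="Application" '
    'eventID="1011"] \ufeffAn application event log entry',
]

def demo():
    """Route the samples through four log paths; return parsed messages and per-destination counts."""
    d_all, d_auth = Destination("/var/log/messages"), Destination("/var/log/auth.log")
    d_err, d_web = Destination("/var/log/errors"), Destination("/var/log/web01/apache")
    paths = [
        LogPath([d_all]),                                                  # no filter: everything
        LogPath([d_auth], lambda m: m.facility in ("auth", "authpriv")),   # cf. filter { facility(auth, authpriv); }
        LogPath([d_err], level_filter("err")),                             # cf. filter { level(emerg..err); }
        LogPath([d_web], lambda m: m.header["hostname"] == "web01" and m.header["appname"] == "httpd"),
    ]
    parsed = route(SAMPLE_LINES, paths)
    return parsed, {d.name: len(d.messages) for d in (d_all, d_auth, d_err, d_web)}
```

Running demo() shows the routing rule from section IV in action: the unfiltered path receives all four messages, while the auth, error and web paths receive only the two auth-facility messages, the single err-level message and the single httpd message from web01 respectively. The comments on the filtered paths name the syslog-ng filter functions (facility(), level()) that express the same selection in syslog-ng.conf.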