syslog搭建日志服务器

1、安装过程1、运行KiwiSyslog安装包里的Kiwi_Syslog_Server_921.Eval.setup.exe,弹出安装界面，点击“I_/agree-工Serrer9*2.1工工Mtaller-idxisolarwindsLicenseAgreementPleasereviewthekensetermsbeforestallingKMiSyslogServer9.ZJ.PressPageLX)wntoseetherestoftheayernent.SOLARWINDSENDUSERLICENSEAGREEMENTIMPORTAMT-READCAREFULLYBEFOREUSINGTH

2、ISSOFTWARE：THISISALEGALAGREEMENT?BETWEENYOU(EITHERWINDMDUALORASINGLEEhJTIPf)ANDSOLARWINDSWORLDWIDE.LLCCOVERINGYOURUSEOF川nhl,FKLUddirt“kd小KK.LFLmCL*dtUKk'iTIK.kILFAJ)HL>«*IFyouacceptthetermsoftheagreement,click.IAgreetocontinue.Yaumustacceptthea5resmenttoinetdlKiiSyslogServer.2.1.SQorWiRd

3、£jInCnIAgree|Cancel,两者的区别是，前者可以在关闭软2、选择安装模式为"InstallKiwiSyslogServerasaservice件主界面后仍然能记录日志，后者只能瞬时记录日志3、选择安装的用户，本地系统账户还是一个管理员的账户4、勾选"InstallKiwiSyslogWebAccess"（可以不勾选），因为他提示了此功能只限注册用户使用、5、选择安装的组件6、选择安装的路径7、若第四步中没有勾选安装KiwiSyslogWebAccess,则会提示安装成功，若勾选了，则会提示安装KiwiSyslogWebAccess必备组件的

4、向导，安装过程会自动下载并安装这些组件、KiwiSysloVebA,ccesStupPrerequisitesBrowse.Thesflprogramsareneededforthe占口pllcat帖口torun.dickonthecheckboxnewttoapF的白qu图随toselectitForin受吕I&rtaskipit.NameVersionActionMlkiViridovysInstaller3.1Required:3.1orhigher.Found:3.1.4000.9959.SkipEMicroscFt.METFrame,Required;any.Found：no

5、thing.DorJoadVi5LwlC+20005P1.,Retiuired:any-Found；nothing.DownloadQA5P.NETAJAX1.0R.equired:1.0orhigher.Found:nothing.Ccwnfciad03QLServerCompact3T.Required:any.Found：nothing.Jowntoad0LADwCassiniWtbSRequireds2,1.0.3arhigher.Foind:nothing.Installd_J上1DownloadFolder；|c：lProgramFil-cilarWin也悯刷弓丫才叫而eb耻匚士对

6、5ebj大PresstheNextbuttontadov/nloadtheprerequites.<上一步但“下一步®>取消|8、之后就会弹出KiwiSyslogWebAccess的安装向导过程，也比较简单so arwmds The Setup Wizard wil install Ki/vi Sysfog Web Access on your computer. Click "Next" to con:inue or "Cancel" to exit the 5etup Wizard.<pack If - Next >

7、 i CancelsolairwindsWelcometotheKiwiSyslogWebAccessSetupWizardyiKiviSyslog噌bAccessSetupConfigureShortcutsCreateapplicationshortcutsCreateshortcutsforKiwi5yslogWebAccessinthefollowinglocations:厂Desktop9StartMenuProgramsfolderiQuickLaunchtoolbarSolarWinds,Inc.<BackINext>CancelKiviSjrslogYebAcces

8、sSetupsolarwindsSelectInstallationFolderThisistheFolderwhereKiwiSyslogWebAccess而11beinstalled.Toinstallinthisfolder,cick11Next11,Toinstalltoadifferentfolder,enteritbeloworclick"Browse".InstallationFolder:amFilesSolarWindsKiwiSyslogWebAccess)Browse.SolarWinds?Inc.<BackI：Next>i|CanedCo

9、mpletingtheKiwiSyslogServer9.2.1 SetupWizardKiwiSyslogServer鼻乙1幅5beeninstdlljonyourcomputer.dickFiniflitothifMsrd，MiIIIIIK!1IMiIIIHBillIIMaillMlIIIIHM“RunEi判iSyslaqServer9.2.1：i""smriHiaiminrKriBiirTtuwe-siBirrwuiBr=s1muiinliWisitthe占凸&WiFi也website<良adcEjriishCaned9、在KiwiSyslog的安装包里

10、还有个工具SolarWinds_LogForwarder_1115_Eval_Setup.exe,安装也比较简单，这里不详细介绍配置过程KiwiSyslogServer的各种详细配置主要在file-setup里面。我们主要介绍2个方面的配置1、log文件的存放路径，点击Rules-Actions-Log to file ,这里我们就可以设置存放的位置以及存放的格式2、配置计戈任务，点击Rules-Shedules-AddnewscheduleSchedule字段添加日志计划频率（按小时算、每6个小时记录一次，一天记录4次）Schedule|SourceDe?tinatmnArchiveOpti

11、onvArchiveNotificions|Schedulestart<口血叵Dmc2口1口富"Timejim：口5.厂UTCN»v«rSchedulefrequence）I1ilIOnceMinuteHourDajJWeekMonthYearRunat;|00:00g厂UTCrevery斗如Source字段（设置临时存储日志的路径）ScheduleSourceDestination|ArchiveOptions|ArchiveNotiFications|Sourcelocation|口田。-3川Fil2*5ydogdTLcg£%.|Destina

12、tion字段（设置最终日志存储目录）ScheduleSourceDestination|ArchiveOptions|ArchiveNotificationsDestinatianlocaftion|r：VPtogramFile$：Sslogd'iDatedLogs实例测试Windows环境（亲测）把这两个文件拷贝到c:windowssystem32目录下。打开Windows命令提示符（开始>运行输入CMDC:>evtsysih00-i表示安装成系统服务-h指定10g服务器的IP地址如果要卸载evtsys,则：netstopevtsysevtsys-

13、u启动该服务：C:>netstartevtsys打开windows组策略编辑器（开始->运行输入gpedit.msc）在windows设置>安全设置>本地策略>审核策略中，打开你需要记录的windows日志。evtsys会实时的判断是否有新的windows日志产生，然后把新产生的日志转换成syslogd可识别的格式，通过UDP3072端口发送给syslogd服务器。Kiwi.SyslogServicelajLatger(3：0DaytxiaJ.Fersion2)30 口ays left in evaluationE】leEditVj.ewHHelpDateTime

14、PriorityHoi(nameMessage一rj-au-zuitr二2bDaemon.Nolice192/168.3107Dec301O:5G:25PC-2D1D041DEPKVSecurilv：612二PC-201D04TDBPVXAdministrator:法七两舞箭理曜存麟：盥扮更客？第四蜩位霹畦-91百第，骋口招濯硅薄理决秣-双率浣蹲戴-亩懵崛建零惹-绛桁理曜存酸+弊荤柳TN欲量炮星-鳍经费鼓/楝-密懵坦雷诲鼻虢存鼓浜？夔儿堪罂？AdminiN田岛籍蜡像：12-30-201010:55:50Daemon.Nolice7Dec的10:55:45PC-20100

15、410BPKV5eivice_Cantiol_Manager：7035:PC-201004100PKVXAdministrtor:Eventloglo£野叫整盘必担塑蛔曼鞍80哥涓凄岩12-30-201010:55:50Daemon.Nolice192.16B.30.47Dec3010:55:45PC-20100410BPKVServiceControlManager:703S:EventlogtoSyslog鬃超嫩短劭籍fte徵梢慢总藏E机的12-30-Z01010:55:45Daemon.NoHce19ZJ68.3047Dec301O:95:44PC-201口041口BPKVFl

16、ags:LogLevel=D.lncludeDr)ly=FdkE.1230-201010:55:45Daemon.Nntic#192.168.3047Dec3010:55:44PC-2010041OBPKVEventlogtoSyslogServiceStarted:Veision4.4|Display00(Defaull)',在setup里设置 UDP里但是我们发现了个问题，日志的内容竟然变成了乱码。我们需要做出一个修改的字符格式为UTF-8netscreen防火墙日志配置实例1用户登陆web界面2 选择Configuration->ReportSettings->Syslog3 点击'EnableSyslogmessages'4 输入日志服务器的地址和端口（udp端口514）crassH omtabTr«r>dsS CrBcrninq PdIiciMP Enn bl 5yal aq nis&oqeisBourc- Irnturfof旧| rtlurngt 1syslog serversNd. Embl 日IP / Hn.tniaim 神PrtRCurilv Ffl(H|5H|L0AL。寸s. r|14