
How to install Sawmill on Linux

OS: CentOS 5.3
The firewall must allow inbound UDP port 514 (syslog)
and TCP port 8987 (Sawmill web interface)

1. Copy the installer from the CD to the location where Sawmill is to be installed
[root@localhost]#cp sawmill7.2.15_x86_linux-es5_tcn.tar.gz /usr/local/

2. Change into the directory the file was copied to and extract the archive; extraction creates a sawmill folder
[root@localhost]#cd /usr/local/
[root@localhost local]#tar -zxvf sawmill7.2.15_x86_linux-es5_tcn.tar.gz

3. Enter the extracted sawmill folder
[root@sawmill local]# cd sawmill
[root@sawmill sawmill]# ls
Extras  LICENSE  LogAnalysisInfo  README  sawmill7.2.11

4. Run sawmill and send the process to the background
[root@sawmill sawmill]#./sawmill7.2.11 &
[1] 14443

 (The following output is generated automatically)
 [root@sawmill sawmill]# Sawmill 7.2.11; Copyright (c) 2006 Flowerfire
 Web server running; browse http://192.168.1.30:8987/ to use Sawmill.
 To run on a different IP address, use "sawmill -sh ip-addr -ws t"

5. Sawmill is now running; next, install syslog-ng

6. Stop the stock syslog service and disable it at boot
[root@sawmill syslog-ng]# /etc/init.d/syslog stop
[root@sawmill syslog-ng]# chkconfig --level 2345 syslog off

7. Install eventlog-0.2.5-6
[root@sawmill syslog-ng]# wget ftp://ftp.pbone.net/mirror/centos.karan.org/el5/extras/testing/i386/RPMS/eventlog-0.2.5-6.el5.kb.i386.rpm
[root@sawmill syslog-ng]# rpm -ivh eventlog-0.2.5-6.el5.kb.i386.rpm

8. Install syslog-ng-2.1.3-2
[root@sawmill syslog-ng]# wget ftp://ftp.pbone.net/mirror/ftp.silfreed.net/repo/rhel/5/i386/silfreednet/RPMS/syslog-ng-2.1.3-2.el5.i386.rpm
[root@sawmill syslog-ng]# rpm -ivh syslog-ng-2.1.3-2.el5.i386.rpm

9. Configure syslog-ng: edit syslog-ng.conf and add the following lines
[root@sawmill syslog-ng]# vi /etc/syslog-ng/syslog-ng.conf

  source s_remote {udp(ip(0.0.0.0) port(514));};

  destination d_remote {file("/var/log/$HOST/$FACILITY/$YEAR-$MONTH-$DAY-$HOUR.log" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));};

  log {source(s_remote);destination(d_remote);};

10. Enable syslog-ng at boot and start it
   chkconfig --level 2345 syslog-ng on
   /etc/init.d/syslog-ng start


11. Browse to http://IP:8987/ to reach Sawmill.

12. Set up the report (the log format Sawmill detects for the TippingPoint (TP) logs is: Unix syslog,
    Tipping Point IPS Log Format)

13. Schedule the jobs
[root@sawmill syslog-ng]# crontab -e

Run tpsh.sh at minute 59 of every hour
# Hourly NAT Log Archive
59 * * * * /var/log/163.22.12.130/tpsh.sh > /dev/null 2>&1
# System Clock Synchronization
10 2 * * * /usr/sbin/ntpdate time.stdtime.gov.tw > /dev/null 2>&1


14. Create the shell script
/var/log/163.22.12.130/tpsh.sh
and make it executable: chmod +x tpsh.sh

#!/bin/bash
# Started by cron at minute 59. Capture the current hour before the clock rolls
# over, so the file gzipped after the sleeps is the hour that has just finished.
timestamp=$(date '+%Y-%m-%d-%H')
sleep 60
cd /var/log/163.22.12.130/auth || exit 1
# Give syslog-ng time to close the finished hour's file before compressing it.
sleep 120
gzip "$timestamp.log"


Redirect the log files into the sawmill user's home directory
Path: /home/sawmill

Edit /etc/syslog-ng/syslog-ng.conf

source s_remote {udp(ip(0.0.0.0) port(514));};
filter f_tplog {host (TP.ncnu.edu.tw);};
destination d_tplog {file("/home/jiayu/$HOST/$FACILITY/$YEAR-$MONTH-$DAY-$HOUR.log" owner(sawmill) group(sawmill) perm(0755) dir_perm(0755) create_dirs(yes));};
log {source(s_remote); filter(f_tplog); destination(d_tplog);};
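Added example, not code from the original post: a small shell script showing how the file template used in the syslog-ng configurations above (/$HOST/$FACILITY/$YEAR-$MONTH-$DAY-$HOUR.log) resolves for a received message, and a rollover-safe version of the hourly gzip step in tpsh.sh that also catches hours missed while cron or the host was down. The log root, the value syslog-ng puts into $HOST, and the time stamp are passed in as parameters (assumptions), and the names for facilities 12-15 follow syslog-ng's naming.

```shell
#!/bin/bash
# Added example, not part of the original post.

# Map an RFC 3164 "<PRI>..." message to the file syslog-ng would write it to.
# $1 = log root, $2 = value syslog-ng substitutes for $HOST (header host or
# sender address, depending on keep_hostname()), $3 = YYYY-MM-DD-HH, $4 = message.
syslog_dest_path() {
  local root="$1" host="$2" stamp="$3" line="$4" pri
  pri=${line#<}; pri=${pri%%>*}
  case $pri in ''|*[!0-9]*) return 1 ;; esac      # missing or malformed PRI
  [ "$pri" -le 191 ] || return 1                  # facility 0-23, severity 0-7
  # PRI = facility * 8 + severity; facility names per RFC 3164 for 0-11 and
  # 16-23, and syslog-ng's names for 12-15 (assumption for this build).
  set -- kern user mail daemon auth syslog lpr news uucp cron authpriv ftp \
         ntp security console solaris-cron \
         local0 local1 local2 local3 local4 local5 local6 local7
  shift $((pri / 8))
  printf '%s/%s/%s/%s.log\n' "$root" "$host" "$1" "$stamp"
}

# gzip every completed hourly file under the tree, leaving the hour still being
# written (and files already compressed) alone. Unlike the cron+sleep script,
# this also picks up hours that were missed, e.g. while the box was down.
# $1 = log root, $2 = current YYYY-MM-DD-HH (e.g. from date '+%Y-%m-%d-%H').
archive_closed_hours() {
  local root="$1" cur f name stamp n=0
  cur=$(printf %s "$2" | tr -d -)                 # 2009-05-12-09 -> 2009051209
  for f in "$root"/*/*/*.log; do
    [ -e "$f" ] || continue                       # glob matched nothing
    name=${f##*/}; name=${name%.log}
    stamp=$(printf %s "$name" | tr -d -)
    case $stamp in ''|*[!0-9]*) continue ;; esac  # not a YYYY-MM-DD-HH file
    [ "$stamp" -lt "$cur" ] || continue           # hour still being written
    gzip "$f" && n=$((n + 1))
  done
  echo "$n"                                       # number of files archived
}
```

The functions never change file modes: each log file is created by syslog-ng with the perm() from the configuration, so the perm(0755) in the second configuration leaves every log world-readable, unlike the perm(0600) and dir_perm(0700) of step 9.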
