Rsyslog简介
rsyslog是一个开源工具,被广泛用于Linux系统以通过TCP/UDP协议转发或接收日志消息。rsyslog守护进程可以被配置成两种环境,一种是配置成日志收集服务器,rsyslog进程可以从网络中收集其它主机上的日志数据,这些主机会将日志配置为发送到另外的远程服务器。rsyslog的另外一个用法,就是可以配置为客户端,用来过滤和发送内部日志消息到本地文件夹(如/var/log)或一台可以路由到的远程rsyslog服务器上。
安装Rsyslog守护进程
yum install rsyslog
Server端配置
[root@opm log]# grep -v "^#" /etc/rsyslog.conf | grep -v "^$"$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)$ModLoad imjournal # provides access to the systemd journal$ModLoad immark # provides --MARK-- message capability$ModLoad imudp$UDPServerRun 514$ModLoad imtcp$InputTCPServerRun 514$WorkDirectory /var/lib/rsyslog$AllowedSender tcp, 192.168.30.0/24$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat$template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log":fromhost-ip, !isequal, "127.0.0.1" ?Remote$IncludeConfig /etc/rsyslog.d/*.conf$OmitLocalLogging on$IMJournalStateFile imjournal.state*.info;mail.none;authpriv.none;cron.none /data/log/messagesauthpriv.* /var/log/securemail.* -/var/log/maillogcron.* /var/log/cron*.emerg :omusrmsg:*uucp,news.crit /var/log/spoolerlocal7.* /var/log/boot.log
a.template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%MONTH%-%InputTCPServerRun 514 开启tcp,tcp和udp 可以共存的
Client端配置
[root@test1 ~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)$ModLoad imjournal # provides access to the systemd journal$WorkDirectory /var/lib/rsyslog$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat$IncludeConfig /etc/rsyslog.d/*.conf$OmitLocalLogging on$IMJournalStateFile imjournal.state*.info;mail.none;authpriv.none;cron.none @@192.168.30.55authpriv.* /var/log/securemail.* -/var/log/maillogcron.* /var/log/cron*.emerg :omusrmsg:*uucp,news.crit /var/log/spoolerlocal7.* /var/log/boot.log$template myFormat,"%timestamp% %fromhost-ip%%msg%
"$ActionFileDefaultTemplate myFormat
验证,在服务器上进到 /data/log 目录下,进行查看。
收集系统其它服务日志.
[root@node1 ~]# egrep -v '^#|^$' /etc/rsyslog.conf$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)$ModLoad imjournal # provides access to the systemd journal$ModLoad immark # provides --MARK-- message capability$WorkDirectory /var/lib/rsyslog$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat$IncludeConfig /etc/rsyslog.d/*.conf$OmitLocalLogging on$IMJournalStateFile imjournal.state*.info;mail.none;authpriv.none;cron.none @@192.168.30.67authpriv.* /var/log/securemail.* -/var/log/maillogcron.* /var/log/cron*.emerg :omusrmsg:*uucp,news.crit /var/log/spoolerlocal7.* /var/log/boot.logmodule(load="imfile" PollingInterval="5")$InputFileName /var/log/nova/nova-compute.log$InputFileTag nova-info:$InputFileStateFile state-nova-info$InputRunFileMonitor
yum install rsyslog
[root@opm log]# grep -v "^#" /etc/rsyslog.conf | grep -v "^$"$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)$ModLoad imjournal # provides access to the systemd journal$ModLoad immark # provides --MARK-- message capability$ModLoad imudp$UDPServerRun 514$ModLoad imtcp$InputTCPServerRun 514$WorkDirectory /var/lib/rsyslog$AllowedSender tcp, 192.168.30.0/24$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat$template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log":fromhost-ip, !isequal, "127.0.0.1" ?Remote$IncludeConfig /etc/rsyslog.d/*.conf$OmitLocalLogging on$IMJournalStateFile imjournal.state*.info;mail.none;authpriv.none;cron.none /data/log/messagesauthpriv.* /var/log/securemail.* -/var/log/maillogcron.* /var/log/cron*.emerg :omusrmsg:*uucp,news.crit /var/log/spoolerlocal7.* /var/log/boot.log
a.template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%MONTH%-%InputTCPServerRun 514 开启tcp,tcp和udp 可以共存的
Client端配置
[root@test1 ~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)$ModLoad imjournal # provides access to the systemd journal$WorkDirectory /var/lib/rsyslog$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat$IncludeConfig /etc/rsyslog.d/*.conf$OmitLocalLogging on$IMJournalStateFile imjournal.state*.info;mail.none;authpriv.none;cron.none @@192.168.30.55authpriv.* /var/log/securemail.* -/var/log/maillogcron.* /var/log/cron*.emerg :omusrmsg:*uucp,news.crit /var/log/spoolerlocal7.* /var/log/boot.log$template myFormat,"%timestamp% %fromhost-ip%%msg%
"$ActionFileDefaultTemplate myFormat
验证,在服务器上进到 /data/log 目录下,进行查看。
收集系统其它服务日志.
[root@node1 ~]# egrep -v '^#|^$' /etc/rsyslog.conf$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)$ModLoad imjournal # provides access to the systemd journal$ModLoad immark # provides --MARK-- message capability$WorkDirectory /var/lib/rsyslog$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat$IncludeConfig /etc/rsyslog.d/*.conf$OmitLocalLogging on$IMJournalStateFile imjournal.state*.info;mail.none;authpriv.none;cron.none @@192.168.30.67authpriv.* /var/log/securemail.* -/var/log/maillogcron.* /var/log/cron*.emerg :omusrmsg:*uucp,news.crit /var/log/spoolerlocal7.* /var/log/boot.logmodule(load="imfile" PollingInterval="5")$InputFileName /var/log/nova/nova-compute.log$InputFileTag nova-info:$InputFileStateFile state-nova-info$InputRunFileMonitor
[root@test1 ~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)$ModLoad imjournal # provides access to the systemd journal$WorkDirectory /var/lib/rsyslog$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat$IncludeConfig /etc/rsyslog.d/*.conf$OmitLocalLogging on$IMJournalStateFile imjournal.state*.info;mail.none;authpriv.none;cron.none @@192.168.30.55authpriv.* /var/log/securemail.* -/var/log/maillogcron.* /var/log/cron*.emerg :omusrmsg:*uucp,news.crit /var/log/spoolerlocal7.* /var/log/boot.log$template myFormat,"%timestamp% %fromhost-ip%%msg% "$ActionFileDefaultTemplate myFormat
验证,在服务器上进到 /data/log 目录下,进行查看。
[root@node1 ~]# egrep -v '^#|^$' /etc/rsyslog.conf$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)$ModLoad imjournal # provides access to the systemd journal$ModLoad immark # provides --MARK-- message capability$WorkDirectory /var/lib/rsyslog$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat$IncludeConfig /etc/rsyslog.d/*.conf$OmitLocalLogging on$IMJournalStateFile imjournal.state*.info;mail.none;authpriv.none;cron.none @@192.168.30.67authpriv.* /var/log/securemail.* -/var/log/maillogcron.* /var/log/cron*.emerg :omusrmsg:*uucp,news.crit /var/log/spoolerlocal7.* /var/log/boot.logmodule(load="imfile" PollingInterval="5")$InputFileName /var/log/nova/nova-compute.log$InputFileTag nova-info:$InputFileStateFile state-nova-info$InputRunFileMonitor
其实只添加了后5行的内容,对每项简单解释下
module(load="imfile" PollingInterval="5") 加载imfile 模块,并5秒刷新一次
InputFileTag nova-info: 定义文件标签 ,注意最后是冒号:
InputRunFileMonitor 激活读取,可以设置多组日志读取,每组结束时设置本参数