• Linux下rsyslog日志收集服务环境部署记录【转】


    rsyslog 可以理解为多线程增强版的syslog。 在syslog的基础上扩展了很多其他功能,如数据库支持(MySQL、PostgreSQL、Oracle等)、日志内容筛选、定义日志格式模板等。目前大多数Linux发行版默认也是使用rsyslog进行日志记录。rsyslog提供了三种远程传输协议:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    UDP 传输协议
    基于传统UDP协议进行远程日志传输,也是传统syslog使用的传输协议; 可靠性比较低,但性能损耗最少, 在网络情况比较差, 或者接收服务器压力比较高情况下,
    可能存在丢日志情况。 在对日志完整性要求不是很高,在可靠的局域网环境下可以使用。
     
    TCP 传输协议
    基于传统TCP协议明文传输,需要回传进行确认,可靠性比较高; 但在接收服务器宕机或者两者之间网络出问题的情况下,会出现丢日志情况。 这种协议相比于UDP在
    可靠性方面已经好很多,并且rsyslog原生支持,配置简单, 同时针对可能丢日志情况,可以进行额外配置提高可靠性,因此使用比较广。
     
    RELP 传输协议
    RELP(Reliable Event Logging Protocol)是基于TCP封装的可靠日志消息传输协议; 是为了解决TCP 与 UDP 协议的缺点而在应用层实现的传输协议,也是三者
    之中最可靠的。 需要多安装一个包rsyslog-relp以支持该协议。
     
    对于线上服务器,为了日志安全起见,建议使用还是使用 RELP 协议进行传输。

    rsyslog的简单配置记录(如下将公司防火墙上的日志(UDP)打到IDC的rsyslog日志服务器上)

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    96
    97
    98
    99
    100
    101
    102
    103
    104
    105
    106
    107
    108
    109
    110
    111
    112
    113
    114
    115
    116
    117
    118
    119
    120
    一、rsyslog服务端的部署
    安装rsyslog 程序(rsyslog默认已经在各发行版安装,如果系统中没有的话,可以用yum 进行安装,如下:)
    [root@zabbix ~]# yum install rsyslog -y
     
    配置:
    [root@zabbix ~]# cat /etc/rsyslog.conf
    # rsyslog v5 configuration file
     
    # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
    # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
     
    #### MODULES ####
     
    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
    $ModLoad immark  # provides --MARK-- message capability
     
    # Provides UDP syslog reception
    $ModLoad imudp                                          #开启udp的514端口。也可以开启tcp的514端口,这里只接受udp的
    $UDPServerRun 514
     
    # Provides TCP syslog reception
    #$ModLoad imtcp
    #$InputTCPServerRun 514
     
    $WorkDirectory /var/lib/rsyslog
    $AllowedSender udp, 192.168.17.0/8                    #仅仅接收来自192.168.17.0/8网段的主机的udp日志(这个是公司防火墙的ip地址)
    #### GLOBAL DIRECTIVES ####
     
    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    $template Remote,"/data/fw_logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"           #定义模板,接受日志文件路径,区分了不同主机的日志
    :fromhost-ip, !isequal, "127.0.0.1" ?Remote                                                        # 过滤server 本机的日志
    # File syncing capability is disabled by default. This feature is usually not required,
    # not useful and an extreme performance hit
    #$ActionFileEnableSync on
     
    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf
     
     
    #### RULES ####
     
    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                                                 /dev/console
     
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages
     
    # The authpriv file has restricted access.
    authpriv.*                                              /var/log/secure
     
    # Log all the mail messages in one place.
    mail.*                                                  -/var/log/maillog
    local4.*                                                /data/fw.log
     
    # Log cron stuff
    cron.*                                                  /var/log/cron
     
    # Everybody gets emergency messages
    *.emerg                                                 *
     
    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                                          /var/log/spooler
     
    # Save boot messages also to boot.log
    local7.*                                                /var/log/boot.log
     
     
    # ### begin forwarding rule ###
    # The statement between the begin ... end define a SINGLE forwarding
    # rule. They belong together, do NOT split them. If you create multiple
    # forwarding rules, duplicate the whole block!
    # Remote Logging (we use TCP for reliable delivery)
    #
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    #$WorkDirectory /var/lib/rsyslog # where to place spool files
    #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
    #$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
    #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    #$ActionQueueType LinkedList   # run asynchronously
    #$ActionResumeRetryCount -1    # infinite retries if host is down
    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    #*.* @@remote-host:514
    # ### end of the forwarding rule ###
     
     
    [root@zabbix ~]# mkdir /data/fw_logs/
     
    [root@zabbix ~]# /etc/init.d/rsyslog restart
     
     
    二、在公司防火墙(192.168.17.41/42)上配置udp日志输出策略(在防火墙添加rsyslog服务端的ip和514端口)
     
    三、过一会儿,在rsyslog日志服务器上设置的日志目录下就能看到防火墙的日志输出了
    [root@zabbix ~]# ll /data/fw_logs/
    total 4.0K
    drwxrwxrwx   4 root root   46 Jul 28 10:40 .
    drwxr-xr-x. 18 root root 4.0K Jul 28 10:38 ..
    drwx------   2 root root   41 Jul 28 10:37 192.168.17.41
    drwx------   2 root root   41 Jul 28 10:40 192.168.17.42
    [root@zabbix ~]# ll /data/fw_logs/192.168.17.41
    total 16K
    drwx------ 2 root root  41 Jul 28 10:37 .
    drwxrwxrwx 4 root root  46 Jul 28 10:40 ..
    -rw------- 1 root root 13K Jul 28 14:02 192.168.17.41_2017-07-28.log
     
     
    ------------------------------------------------------------------------------------
    可以将上面rsyslog服务端的rsyslog.conf里的ip白名单设置为客户机的ip端,比如:
    $AllowedSender tcp, 172.18.0.0/16                  #表示接收172.18.0.0/16网段的客户机的tcp日志输入,前提是打开tcp的514端口
     
    客户机的配置:
    只需要在rsyslog.conf文件里添加下面一行:
    *.*                               @172.18.10.20                     #后面的ip是rsyslog服务端的ip地址
     
    启动rsyslog日志即可!

    ====================再看一例=======================
    以上配置的是将公司防火墙的日志打到rsyslog里。现在有这么一个需求:
    公司IDC的另外两台服务器172.19.10.24和172.19.10.25上部署了gitlab、nexus、jenkins、jira和wiki,上面的权限设置的比较杂,很多人都有登录需求。现在需要将登录到这两台服务器上的用户的所有操作过程记录下来,记录达到rsyslog日志里,相当于做用户操作记录的审计工作。

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    96
    97
    配置如下(结合上面的安装配置)(服务端的ip是172.19.16.21):
    1)rsyslog服务端配置  (相比于上面的配置,这里去掉了AllowedSender的来源ip的白名单限制。即允许接收所有机器的日志;上面的防火墙日志还是能继续收集)
    [root@zabbix ~]# cat /etc/rsyslog.conf|grep -v "#"|grep -v "^$"
    $ModLoad imudp
    $UDPServerRun 514
    $WorkDirectory /var/lib/rsyslog
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    $template Remote,"/data/fw_logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
    :fromhost-ip, !isequal, "127.0.0.1" ?Remote
    $IncludeConfig /etc/rsyslog.d/*.conf
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages
    authpriv.*                                              /var/log/secure
    mail.*                                                  -/var/log/maillog
    cron.*                                                  /var/log/cron
    *.emerg                                                 *
    uucp,news.crit                                          /var/log/spooler
    local7.*                                                /var/log/boot.log
    local5.*                                              /var/log/history.log
     
    [root@zabbix ~]# /etc/init.d/rsyslog restart
     
    2)在172.19.10.24上的配置
    [root@gitlab ~]# cat /etc/rsyslog.conf|grep -v "#"|grep -v "^$"
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    $IncludeConfig /etc/rsyslog.d/*.conf
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages
    authpriv.*                                              /var/log/secure
    mail.*                                                  -/var/log/maillog
    cron.*                                                  /var/log/cron
    *.emerg                                                 *
    uucp,news.crit                                          /var/log/spooler
    local7.*                                                /var/log/boot.log
    local5.*    @172.19.16.21
     
    [root@gitlab ~]# /etc/init.d/rsyslog restart
     
    [root@gitlab ~]# cat /etc/profile                  #在该文件的底部添加下面内容
    .......
    export HISTTIMEFORMAT
    export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'
     
    3)在另一台172.19.10.25上做类似配置配置
    [root@nexus ~]# cat /etc/rsyslog.conf |grep -v "#"|grep -v "^$"
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    $IncludeConfig /etc/rsyslog.d/*.conf
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages
    authpriv.*                                              /var/log/secure
    mail.*                                                  -/var/log/maillog
    cron.*                                                  /var/log/cron
    *.emerg                                                 *
    uucp,news.crit                                          /var/log/spooler
    local7.*                                                /var/log/boot.log
    local5.*   @172.19.16.21
     
    [root@nexus ~]# /etc/init.d/rsyslog restart
     
    [root@nexus ~]# cat /etc/profile
    .......
    export HISTTIMEFORMAT
    export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'
     
    4)过一段时间,发现在rsyslog服务端的日志目录/data/fw_logs下面已经有收集到的日志了
    [root@zabbix fw_logs]# pwd
    /data/fw_logs
    [root@zabbix fw_logs]# cd
    [root@zabbix ~]# cd /data/fw_logs/
    [root@zabbix fw_logs]# ll
    total 12K
    drwxrwxrwx   6 root root   84 Aug 16 18:28 .
    drwxr-xr-x. 18 root root 4.0K Aug 16 17:58 ..
    drwx------   2 root root   74 Aug 17 09:50 172.19.10.24
    drwx------   2 root root   74 Aug 17 10:00 172.19.10.25
    drwx------   2 root root 4.0K Aug 17 00:01 192.168.17.41
    drwx------   2 root root 4.0K Aug 17 00:01 192.168.17.42
    [root@zabbix fw_logs]# cd 172.19.10.24/
    [root@zabbix 172.19.10.24]# ll
    total 20K
    drwx------ 2 root root  74 Aug 17 09:50 .
    drwxrwxrwx 6 root root  84 Aug 16 18:28 ..
    -rw------- 1 root root 14K Aug 16 20:45 172.19.10.24_2017-08-16.log
    -rw------- 1 root root 771 Aug 17 10:03 172.19.10.24_2017-08-17.log
    [root@zabbix 172.19.10.24]# cat 172.19.10.24_2017-08-16.log
    Aug 16 18:39:56 gitlab bash[138413]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
    Aug 16 18:39:56 gitlab bash[138418]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
    Aug 16 18:39:56 gitlab bash[138422]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
    Aug 16 18:39:57 gitlab bash[138426]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
    Aug 16 18:40:30 gitlab bash[138610]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/root,command:[2017-08-16 18:40:03]root pts/0 2017-08-16 18:40 (172.16.255.202)exit
    Aug 16 18:40:43 gitlab bash[138652]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:43]root pts/0 2017-08-16 18:40 (172.16.255.202)cd /data/
    Aug 16 18:40:43 gitlab bash[138657]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:43]root pts/0 2017-08-16 18:40 (172.16.255.202)ls
    Aug 16 18:40:47 gitlab bash[138666]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:47]root pts/0 2017-08-16 18:40 (172.16.255.202)mkdir hahahahah
    Aug 16 18:40:48 gitlab bash[138671]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:48]root pts/0 2017-08-16 18:40 (172.16.255.202)cd hahahahah/
    Aug 16 18:40:48 gitlab bash[138677]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:48]root pts/0 2017-08-16 18:40 (172.16.255.202)ls
    Aug 16 18:40:54 gitlab bash[138696]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:54]root pts/0 2017-08-16 18:40 (172.16.255.202)echo "Asdfasdf" >heihei
    Aug 16 18:40:54 gitlab bash[138702]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:54]root pts/0 2017-08-16 18:40 (172.16.255.202)ls
    .......
     
    有上面日志可以看出,在172.19.10.24这台机器上的操作记录都被详细记录下来了。这样,就能清楚地知道登录到这台机器上的用户都做了些什么了.......

    =====================通过rsyslog收集nginx日志到远程服务器上====================
    需求说明:通过rsyslog服务将192.168.10.21服务器上的/data/nginx/logs/www.kevin.com-access.log日志实时同步到192.168.10.52服务器上(路径为/data/rsyslog/nginx)

    1)192.168.10.21为rsyslog客户端,即日志的推送端rsyslog日志是客户机主动将自己的日志推送到远程服务器上。
    操作如下:
    [root@nginx-server ~]# yum install rsyslog -y
    [root@nginx-server ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
    [root@nginx-server ~]# cat /etc/rsyslog.conf
    # rsyslog v5 configuration file

    # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
    # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

    #### MODULES ####

    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imklog # provides kernel logging support (previously done by rklogd)
    #$ModLoad immark # provides --MARK-- message capability
    $ModLoad imfile                               ##装载imfile模块,这一行手动添加

    # Provides UDP syslog reception
    #$ModLoad imudp
    #$UDPServerRun 514

    # Provides TCP syslog reception
    #$ModLoad imtcp
    #$InputTCPServerRun 514


    #### GLOBAL DIRECTIVES ####

    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

    # File syncing capability is disabled by default. This feature is usually not required,
    # not useful and an extreme performance hit
    #$ActionFileEnableSync on

    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf


    #### RULES ####

    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.* /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages             ##不记录local5的日志

    # The authpriv file has restricted access.
    authpriv.* /var/log/secure

    # Log all the mail messages in one place.
    mail.* -/var/log/maillog


    # Log cron stuff
    cron.* /var/log/cron

    # Everybody gets emergency messages
    *.emerg *

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit /var/log/spooler

    # Save boot messages also to boot.log
    local7.* /var/log/boot.log


    # ### begin forwarding rule ###
    # The statement between the begin ... end define a SINGLE forwarding
    # rule. They belong together, do NOT split them. If you create multiple
    # forwarding rules, duplicate the whole block!
    # Remote Logging (we use TCP for reliable delivery)
    #
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    #$WorkDirectory /var/lib/rsyslog # where to place spool files
    #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
    #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
    #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    #$ActionQueueType LinkedList # run asynchronously
    #$ActionResumeRetryCount -1 # infinite retries if host is down
    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    #*.* @@remote-host:514
    # ### end of the forwarding rule ###
    user.info /var/log/history

    #在文件底部添加下面几行内容
    $InputFileName /data/nginx/logs/www.kevin.com-access.log        ##读取日志文件(要监控的日志文件)
    $InputFileTag web_access             ##日志写入日志附加标签字符串
    $InputFileSeverity info           ##日志等级
    $InputFileStateFile /etc/rsyslog.d/stat-access         ##记录日志点等信息。(相当于msyql的master.info)文件名变了,
    这个StateFile标志必须变,否则无法传输。
    $InputFileFacility local5         ##设施类别
    $InputFilePollInterval 1          ##检查日志文件间隔(秒)
    $InputFilePersistStateInterval 1       ##回写偏移量数据到文件间隔时间(秒)
    $InputRunFileMonitor                          ##激活读取,可以设置多组日志读取,每组结束时设置本参数。以示生效。
    local5.* @192.168.10.52            ##代表local5设施的所有级别通过udp协议传送到192.168.10.51

    重启rsyslog服务
    [root@nginx-server ~]# /etc/init.d/rsyslog restart
    关闭系统日志记录器: [确定]
    启动系统日志记录器: [确定]

    由于作为日志的推送端,rsyslog日志不需要开启514端口(如上在rsyslog.conf文件里没有打开dup或tcp的514端口)
    [root@nginx-server ~]# lsof -i:514
    [root@nginx-server ~]#

    2)192.168.10.52为rsyslog服务端,即日志的接收端。
    配置如下:
    [root@log-server ~]# yum install rsyslog -y
    [root@log-server ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
    # rsyslog configuration file

    # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
    # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

    #### MODULES ####

    # The imjournal module bellow is now used as a message source instead of imuxsock.
    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imjournal # provides access to the systemd journal
    #$ModLoad imklog # reads kernel messages (the same are read from journald)
    #$ModLoad immark # provides --MARK-- message capability

    # Provides UDP syslog reception
    $ModLoad imudp                   ##载入imudp模块
    $UDPServerRun 514            ##开启udp接收并制定端口号

    # Provides TCP syslog reception
    $ModLoad imtcp                 ##载入imtcp模块。
    $InputTCPServerRun 514             ##开启tcp接收并制定端口号。tcp和udp两个端口模块可以同时使用!

    #### GLOBAL DIRECTIVES ####

    # Where to place auxiliary files
    $WorkDirectory /var/lib/rsyslog

    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

    #定义一个模板用来指定接收的日志消息的格式(默认会在记录的日志前加几个字段)
    $template  SpiceTmpl,"%msg% "                   ##%msg:2:$%为去掉日志开头的空格

    #定义一个模板用来指定接收的日志文件的存放路径%……%之间的是定义日志按照年-月-日命名
    $template  DynaFile,"/data/rsyslog/nginx/%$YEAR%-%$MONTH%-%$DAY%.log"

    # File syncing capability is disabled by default. This feature is usually not required,
    # not useful and an extreme performance hit
    #$ActionFileEnableSync on

    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf

    # Turn off message reception via local log socket;
    # local messages are retrieved through imjournal now.
    $OmitLocalLogging on

    # File to store the position in the journal
    $IMJournalStateFile imjournal.state


    #### RULES ####

    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.* /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none;local5.none                /var/log/messages            ##不记录local5设施的日志

    # The authpriv file has restricted access.
    authpriv.* /var/log/secure

    # Log all the mail messages in one place.
    mail.* -/var/log/maillog


    # Log cron stuff
    cron.* /var/log/cron

    # Everybody gets emergency messages
    *.emerg :omusrmsg:*

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit /var/log/spooler

    # Save boot messages also to boot.log
    local7.* /var/log/boot.log

    #接收客户端local5设施传送来的日志并存放到指定位置(位置可用定义的模板。?代表使用动态的模板)
    local5.*                       ?DynaFile;SpiceTmpl

    # ### begin forwarding rule ###
    # The statement between the begin ... end define a SINGLE forwarding
    # rule. They belong together, do NOT split them. If you create multiple
    # forwarding rules, duplicate the whole block!
    # Remote Logging (we use TCP for reliable delivery)
    #
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
    #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
    #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    #$ActionQueueType LinkedList # run asynchronously
    #$ActionResumeRetryCount -1 # infinite retries if host is down
    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    #*.* @@remote-host:514
    # ### end of the forwarding rule ###

    编辑/etc/sysconfig/rsyslog中"SYSLOGD_OPTIONS="开启远程日志接收功能
    [root@log-server ~]# cat /etc/sysconfig/rsyslog
    # Options for rsyslogd
    # Syslogd options are deprecated since rsyslog v3.
    # If you want to use them, switch to compatibility mode 2 by "-c 2"
    # See rsyslogd(8) for more details
    SYSLOGD_OPTIONS="-c 5"

    创建日志接收过来后定义的存放目录
    [root@log-server ~]# mkdir -p /data/rsyslog/nginx

    重启rsyslog服务
    [root@log-server ~]# /etc/init.d/rsyslog restart
    Shutting down system logger: [ OK ]
    Starting system logger: [ OK ]
    [root@log-server ~]# lsof -i:514
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    rsyslogd 24594 root 2u IPv4 38927639 0t0 TCP *:shell (LISTEN)
    rsyslogd 24594 root 3u IPv4 38927635 0t0 UDP *:syslog
    rsyslogd 24594 root 4u IPv6 38927636 0t0 UDP *:syslog
    rsyslogd 24594 root 5u IPv6 38927640 0t0 TCP *:shell (LISTEN)

    查看日志是否接收过来了
    [root@log-server ~]# ll /data/rsyslog/nginx/
    total 550876
    -rw------- 1 root root 483539594 Jun 13 12:58 2018-06-13.log
    [root@log-server ~]# tail -2 /data/rsyslog/nginx/2018-06-13.log
    1.203.163.198 - [27/Apr/2018:00:17:53 +0800] "POST /scf/%7B%7BloginConfig.loginSubmitUrl%7D%7D HTTP/1.1" 302 0 "https://www.kevin.com/scf/login" Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.62 Safari/537.36 - 0.010 0.003 10.0.54.21:9020 302
    1.203.163.198 - [27/Apr/2018:00:17:53 +0800] "POST /scf/%7B%7BloginConfig.loginSubmitUrl%7D%7D HTTP/1.1" 302 0 "https://www.kevin.com/scf/login" Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.62 Safari/537.36 - 0.012 0.003 10.0.54.21:9020 302

    ==========================================================================
    注意:
    a)如果发现日志还没有接收过来,即/data/rsyslog/nginx目录下没有日志产生,就同时重启推送端和接收端的rsyslog服务。确保双方的iptables防火墙和selinux关闭!
    b)也可以自行修改接收的日志文件的存放路径,如改为下面的配置:
    $template DynaFile,"/data/rsyslog/nginx/nginx-access.log"
    则日志收集后存放的文件如下:
    [root@log-server ~]# ll /data/rsyslog/nginx/
    total 571716
    -rw------- 1 root root 483539594 Jun 13 12:58 2018-06-13.log
    -rw------- 1 root root 101893593 Jun 13 13:13 nginx-access.log

    转自

    Linux下rsyslog日志收集服务环境部署记录 - 散尽浮华 - 博客园 https://www.cnblogs.com/kevingrace/p/5570411.html

    参考

    Linux 之 rsyslog 系统日志转发 - 飞走不可 - 博客园 https://www.cnblogs.com/hanyifeng/p/5463338.html

    rsyslog+loganalyzer日志服务器部署记录 - 散尽浮华 - 博客园 https://www.cnblogs.com/kevingrace/p/9252961.html

  • 相关阅读:
    Python基础教程【读书笔记】
    Python基础教程【读书笔记】
    Python基础教程【读书笔记】
    Python基础教程【读书笔记】
    JS实现焦点图轮播效果
    JQuery+CSS3实现Ajax加载时loading效果
    JQuery实现锚点平滑滚动
    CSS3之嵌入Web字体
    HTML5本地存储
    impress.js初体验——前端装X利器
  • 原文地址:https://www.cnblogs.com/paul8339/p/9305842.html
Copyright © 2020-2023  润新知