zoukankan      html  css  js  c++  java
  • centos7/redhat7 搭建rsyslog日志服务器

    测试环境

    server:10.0.0.100
    client:10.0.0.10

    server:

    1.安装rsyslog
    yum -y install rsyslog
    2.配置rsyslog
    [root@master log]# grep -vE '^$|^#' /etc/rsyslog.conf
    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imjournal # provides access to the systemd journal
    $ModLoad imudp
    $UDPServerRun 514
    #允许客户端通过udp:514 端口连接 $ModLoad imtcp $InputTCPServerRun 514
    #允许客户端通过tcp:514
    端口连接
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat ##这里是服务端添加的配置 begin
    # 使用RemoteLogs模板接受客户端的日志,保存到本地的/var/log/remote目录下,下面第一层子目录是通过年月日的命令格式,然后是每台客户端的ip命令的log
    $template RemoteLogs,
    "/var/log/remote/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%.log"
    # 所有服务所有级别的日志都记录 *.* ?RemoteLogs
    #服务端本机的日志不记录 :fromhost-ip, !isequal, "127.0.0.1" ?Remote
    #指示rsyslog在将消息写入文件后停止处理消息。如果不包含"&~",则消息将被写入本地文件 & ~

    ##这里是服务端添加的配置 end
    $ActionFileEnableSync on $IncludeConfig
    /etc/rsyslog.d/*.conf *.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron *.emerg :omusrmsg:* uucp,news.crit /var/log/spooler local7.* /var/log/boot.log *.err /var/log/errors $template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" :programname, startswith, "spice-vdagent" /var/log/spice-vdagent.log;SpiceTmpl authpriv.info /var/log/authpriv_info *.info /var/log/info auth.none /var/log/auth_none

    如果希望自定义客户端日志的保存格式,请参考本文最底部的链接

    3.重启rsyslog
    systemctl restart rsyslog
    systemctl status rsyslog
    查看状态rsyslog服务是否正常
    ● rsyslog.service - System Logging Service
       Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
       Active: active (running) since Tue 2021-11-23 10:16:38 CST; 35min ago
         Docs: man:rsyslogd(8)
               http://www.rsyslog.com/doc/
     Main PID: 9834 (rsyslogd)
        Tasks: 10
       CGroup: /system.slice/rsyslog.service
               └─9834 /usr/sbin/rsyslogd -n


    [root@master log]# netstat -anput|grep syslog
    tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      9834/rsyslogd
    tcp6       0      0 :::514                  :::*                    LISTEN      9834/rsyslogd
    udp        0      0 0.0.0.0:514             0.0.0.0:*                           9834/rsyslogd
    udp6       0      0 :::514                  :::*                                9834/rsyslogd
    此时说明配置正常,处于监听状

    client

    1.安装rsyslog
    2.配置rsyslog
    authpriv.*                                              @10.0.0.100:514
    #一个@表示通过udp:514 通信
    authpriv.*                                              @@10.0.0.100:514
    #两个@表示通过tcp:514 通信
    根据你自己要保存的日志修改,我只是测试,就保存了登录系统相关的日志
    3.重启rsyslog

    验证:

    在服务端查看 /var/log/remote 目录下面是否有客户端的日志产生

    [root@master /]# ls /var/log/remote
    2021-11-23
    [root@master /]# ls /var/log/remote/2021-11-23/
    10.0.0.10.log  127.0.0.1.log
    [root@master /]# cat /var/log/remote/2021-11-23/10.0.0.10.log
    Nov 23 10:18:12 apache_0 sshd[1349]: pam_unix(sshd:session): session closed for user root
    Nov 23 10:18:12 apache_0 sshd[1353]: pam_unix(sshd:session): session closed for user root
    Nov 23 10:18:14 apache_0 sshd[1404]: Accepted password for root from 10.0.0.1 port 53252 ssh2
    Nov 23 10:18:14 apache_0 sshd[1404]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Nov 23 10:18:14 apache_0 sshd[1408]: Accepted password for root from 10.0.0.1 port 53253 ssh2
    Nov 23 10:18:15 apache_0 sshd[1408]: pam_unix(sshd:session): session opened for user root by (uid=0)
    [root@master /]#

    此时说明搭建完毕,验证成功

    本文转自:

    https://www.cnblogs.com/haimeng/p/10823699.html 

    https://www.tecmint.com/install-rsyslog-centralized-logging-in-centos-ubuntu/ (服务端客户端实现通信)

    http://c.biancheng.net/linux_tutorial/15/ (解释了什么是rsyslog服务)

    https://www.freebuf.com/articles/es/246659.html (自定义模板的示例)

    https://www.rsyslog.com/how-to-bind-a-template/ (官网)

  • 相关阅读:
    visualSVNYou don't have permission to access on this server
    怎样截取Http请求
    ASP.NET @page 指令详解
    我的XMLHelperC# XML操作基类(修改,删除,新增,创建)
    最新Visual Studio 2010 下载及学习资料
    redis主从哨兵和集群的区别
    uniapp nvue 支持iconfont
    Error (Error Code: 1175) during executing update command on table using MySQL
    org.apache.jasper.JasperException: Unable to compile class for JSP
    java.sql.SQLException: Access denied for user 'root'@'10.10.10.10' (using password: YES)
  • 原文地址:https://www.cnblogs.com/augusite/p/15592280.html
Copyright © 2011-2022 走看看