测试环境
server:10.0.0.100 client:10.0.0.10
server:
1.安装rsyslog
yum -y install rsyslog
2.配置rsyslog
[root@master log]# grep -vE '^$|^#' /etc/rsyslog.conf $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imjournal # provides access to the systemd journal $ModLoad imudp $UDPServerRun 514
#允许客户端通过udp:514 端口连接 $ModLoad imtcp $InputTCPServerRun 514
#允许客户端通过tcp:514 端口连接
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat ##这里是服务端添加的配置 begin
# 使用RemoteLogs模板接受客户端的日志,保存到本地的/var/log/remote目录下,下面第一层子目录是通过年月日的命令格式,然后是每台客户端的ip命令的log
$template RemoteLogs,"/var/log/remote/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%.log"
# 所有服务所有级别的日志都记录 *.* ?RemoteLogs
#服务端本机的日志不记录 :fromhost-ip, !isequal, "127.0.0.1" ?Remote
#指示rsyslog在将消息写入文件后停止处理消息。如果不包含"&~",则消息将被写入本地文件 & ~
##这里是服务端添加的配置 end
$ActionFileEnableSync on $IncludeConfig /etc/rsyslog.d/*.conf *.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron *.emerg :omusrmsg:* uucp,news.crit /var/log/spooler local7.* /var/log/boot.log *.err /var/log/errors $template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" :programname, startswith, "spice-vdagent" /var/log/spice-vdagent.log;SpiceTmpl authpriv.info /var/log/authpriv_info *.info /var/log/info auth.none /var/log/auth_none
如果希望自定义客户端日志的保存格式,请参考本文最底部的链接
3.重启rsyslog
systemctl restart rsyslog
systemctl status rsyslog
查看状态rsyslog服务是否正常
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-11-23 10:16:38 CST; 35min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 9834 (rsyslogd)
Tasks: 10
CGroup: /system.slice/rsyslog.service
└─9834 /usr/sbin/rsyslogd -n
[root@master log]# netstat -anput|grep syslog
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 9834/rsyslogd
tcp6 0 0 :::514 :::* LISTEN 9834/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 9834/rsyslogd
udp6 0 0 :::514 :::* 9834/rsyslogd
此时说明配置正常,处于监听状
client
1.安装rsyslog
2.配置rsyslog
authpriv.* @10.0.0.100:514 #一个@表示通过udp:514 通信 authpriv.* @@10.0.0.100:514 #两个@表示通过tcp:514 通信 根据你自己要保存的日志修改,我只是测试,就保存了登录系统相关的日志
3.重启rsyslog
验证:
在服务端查看 /var/log/remote 目录下面是否有客户端的日志产生
[root@master /]# ls /var/log/remote 2021-11-23 [root@master /]# ls /var/log/remote/2021-11-23/ 10.0.0.10.log 127.0.0.1.log [root@master /]# cat /var/log/remote/2021-11-23/10.0.0.10.log Nov 23 10:18:12 apache_0 sshd[1349]: pam_unix(sshd:session): session closed for user root Nov 23 10:18:12 apache_0 sshd[1353]: pam_unix(sshd:session): session closed for user root Nov 23 10:18:14 apache_0 sshd[1404]: Accepted password for root from 10.0.0.1 port 53252 ssh2 Nov 23 10:18:14 apache_0 sshd[1404]: pam_unix(sshd:session): session opened for user root by (uid=0) Nov 23 10:18:14 apache_0 sshd[1408]: Accepted password for root from 10.0.0.1 port 53253 ssh2 Nov 23 10:18:15 apache_0 sshd[1408]: pam_unix(sshd:session): session opened for user root by (uid=0) [root@master /]#
此时说明搭建完毕,验证成功
本文转自:
https://www.cnblogs.com/haimeng/p/10823699.html
https://www.tecmint.com/install-rsyslog-centralized-logging-in-centos-ubuntu/ (服务端客户端实现通信)
http://c.biancheng.net/linux_tutorial/15/ (解释了什么是rsyslog服务)
https://www.freebuf.com/articles/es/246659.html (自定义模板的示例)
https://www.rsyslog.com/how-to-bind-a-template/ (官网)