  • Setting up an rsyslog log server on CentOS 7 / RHEL 7

    Test environment

    server:10.0.0.100
    client:10.0.0.10

    server:

    1. Install rsyslog
    yum -y install rsyslog
    2. Configure rsyslog
    [root@master log]# grep -vE '^$|^#' /etc/rsyslog.conf
    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imjournal # provides access to the systemd journal
    $ModLoad imudp
    $UDPServerRun 514
    # Allow clients to connect over udp:514
    $ModLoad imtcp
    $InputTCPServerRun 514
    # Allow clients to connect over tcp:514
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    ## Server-side additions: begin
    # Receive client logs with the RemoteLogs template and store them locally under /var/log/remote: the first-level subdirectory is named by date (year-month-day), and each client gets a log file named after its IP address
    $template RemoteLogs,"/var/log/remote/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%.log"
    # Log all facilities at all severity levels
    *.* ?RemoteLogs
    # Do not log the server's own messages
    :fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
    # Tells rsyslog to stop processing a message once it has been written to the file. Without "& ~", the message would also be written to the local files
    & ~
    ## Server-side additions: end
    $ActionFileEnableSync on
    $IncludeConfig /etc/rsyslog.d/*.conf
    *.info;mail.none;authpriv.none;cron.none    /var/log/messages
    authpriv.*                                  /var/log/secure
    mail.*                                      -/var/log/maillog
    cron.*                                      /var/log/cron
    *.emerg                                     :omusrmsg:*
    uucp,news.crit                              /var/log/spooler
    local7.*                                    /var/log/boot.log
    *.err                                       /var/log/errors
    $template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
    :programname, startswith, "spice-vdagent"   /var/log/spice-vdagent.log;SpiceTmpl
    authpriv.info                               /var/log/authpriv_info
    *.info                                      /var/log/info
    auth.none                                   /var/log/auth_none

    To customize the format in which client logs are saved, see the links at the bottom of this article

    3. Restart rsyslog
    systemctl restart rsyslog
    systemctl status rsyslog
    Check the status to confirm that the rsyslog service is running normally
    ● rsyslog.service - System Logging Service
       Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
       Active: active (running) since Tue 2021-11-23 10:16:38 CST; 35min ago
         Docs: man:rsyslogd(8)
               http://www.rsyslog.com/doc/
     Main PID: 9834 (rsyslogd)
        Tasks: 10
       CGroup: /system.slice/rsyslog.service
               └─9834 /usr/sbin/rsyslogd -n


    [root@master log]# netstat -anput|grep syslog
    tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      9834/rsyslogd
    tcp6       0      0 :::514                  :::*                    LISTEN      9834/rsyslogd
    udp        0      0 0.0.0.0:514             0.0.0.0:*                           9834/rsyslogd
    udp6       0      0 :::514                  :::*                                9834/rsyslogd
    This shows that the configuration is working and rsyslog is in the listening state

    client

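    1. Install rsyslog
    2. Configure rsyslog
    authpriv.*                                              @10.0.0.100:514
    # A single @ sends over udp:514
    authpriv.*                                              @@10.0.0.100:514
    # A double @@ sends over tcp:514
    Adjust the selector to the logs you want to keep; I was only testing, so I forwarded just the logs related to system logins
    3. Restart rsyslog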

    Verification:

    On the server, check whether client logs are appearing under the /var/log/remote directory

    [root@master /]# ls /var/log/remote
    2021-11-23
    [root@master /]# ls /var/log/remote/2021-11-23/
    10.0.0.10.log  127.0.0.1.log
    [root@master /]# cat /var/log/remote/2021-11-23/10.0.0.10.log
    Nov 23 10:18:12 apache_0 sshd[1349]: pam_unix(sshd:session): session closed for user root
    Nov 23 10:18:12 apache_0 sshd[1353]: pam_unix(sshd:session): session closed for user root
    Nov 23 10:18:14 apache_0 sshd[1404]: Accepted password for root from 10.0.0.1 port 53252 ssh2
    Nov 23 10:18:14 apache_0 sshd[1404]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Nov 23 10:18:14 apache_0 sshd[1408]: Accepted password for root from 10.0.0.1 port 53253 ssh2
    Nov 23 10:18:15 apache_0 sshd[1408]: pam_unix(sshd:session): session opened for user root by (uid=0)
    [root@master /]#

    This shows that the setup is complete and the verification succeeded
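
    With login logs collected as above, the whole tree for a day can be reviewed in one pass. The script below is an added example, not part of the original article: it counts sshd password logins per client, user and source address under /var/log/remote/<date>/. The function names, the second client 10.0.0.11 and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): summarise SSH password logins
# from the tree written by the RemoteLogs template:
#   /var/log/remote/<YYYY-MM-DD>/<client-ip>.log

# password_logins DAY_DIR
# Prints "<client-ip> <user> <source-ip> <count>", one line per combination.
password_logins() {
    for f in "$1"/*.log; do
        [ -f "$f" ] || continue
        # The file name is the sender address rsyslog saw (%fromhost-ip%).
        client=$(basename "$f" .log)
        awk -v client="$client" '
            # RSYSLOG_TraditionalFileFormat: "Mon DD HH:MM:SS host tag: msg"
            # Require the sshd tag in field 5, so the same words in a message
            # from another program are ignored.
            $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $7 == "password" &&
            $8 == "for" && $10 == "from" {
                seen[$9 " " $11]++
            }
            END { for (k in seen) print client, k, seen[k] }
        ' "$f"
    done | LC_ALL=C sort
}

# write_sample ROOT: constructed sample lines, modelled on the output above.
# The second client (10.0.0.11) and its user and addresses are hypothetical.
write_sample() {
    mkdir -p "$1/2021-11-23"
    cat > "$1/2021-11-23/10.0.0.10.log" <<'EOF'
Nov 23 10:18:14 apache_0 sshd[1404]: Accepted password for root from 10.0.0.1 port 53252 ssh2
Nov 23 10:18:14 apache_0 sshd[1404]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 23 10:18:14 apache_0 sshd[1408]: Accepted password for root from 10.0.0.1 port 53253 ssh2
Nov 23 10:21:40 apache_0 sshd[1502]: Accepted publickey for deploy from 10.0.0.7 port 40112 ssh2
EOF
    cat > "$1/2021-11-23/10.0.0.11.log" <<'EOF'
Nov 23 11:02:40 db_0 sshd[2211]: Accepted password for admin from 10.0.0.50 port 50111 ssh2
EOF
}

# Demo run on the constructed sample.
demo=$(mktemp -d)
write_sample "$demo"
password_logins "$demo/2021-11-23"
rm -rf "$demo"
```

    On the server itself, the call would be password_logins /var/log/remote/2021-11-23. Publickey logins and PAM session lines are deliberately not counted.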

    This article is reposted from:

    https://www.cnblogs.com/haimeng/p/10823699.html

    https://www.tecmint.com/install-rsyslog-centralized-logging-in-centos-ubuntu/ (server and client communication)

    http://c.biancheng.net/linux_tutorial/15/ (explains what the rsyslog service is)

    https://www.freebuf.com/articles/es/246659.html (examples of custom templates)

    https://www.rsyslog.com/how-to-bind-a-template/ (official site)

  • Original article: https://www.cnblogs.com/augusite/p/15592280.html