Linux rsyslog log-collection service deployment notes [reposted]

rsyslog can be understood as a multi-threaded, enhanced version of syslog. It extends syslog with many additional features, such as database output (MySQL, PostgreSQL, Oracle, etc.), log content filtering and user-defined log format templates. Most Linux distributions now use rsyslog for logging by default. rsyslog offers three remote transport protocols:

UDP transport
Remote log transport over plain UDP, which is also the transport traditional syslog uses. Reliability is low but the performance overhead is the smallest; when the network is poor or the receiving server is under heavy load, log messages may be lost. It is usable on a reliable LAN where log completeness is not a hard requirement.
 
TCP transport
Plaintext transport over TCP; delivery is acknowledged, so reliability is much higher. Messages can still be lost if the receiving server goes down or the network between the two breaks. Compared with UDP this is already a big improvement: rsyslog supports it natively, configuration is simple, and additional configuration can further reduce the chance of loss, so it is widely used.
 
RELP transport
RELP (Reliable Event Logging Protocol) is a reliable log-message transport layered on top of TCP; it was implemented at the application layer to address the shortcomings of plain TCP and UDP and is the most reliable of the three. It requires the extra package rsyslog-relp.
 
For production servers, RELP is the recommended transport for the sake of log safety.

Simple rsyslog configuration notes (below, the company firewall's logs are sent over UDP to the rsyslog log server in the IDC)

I. Deploying the rsyslog server
Install rsyslog (it is installed by default on most distributions; if it is missing, install it with yum as follows:)
[root@zabbix ~]# yum install rsyslog -y
 
Configuration:
[root@zabbix ~]# cat /etc/rsyslog.conf
    # rsyslog v5 configuration file
     
    # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
    # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
     
    #### MODULES ####
     
    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
    $ModLoad immark  # provides --MARK-- message capability
     
    # Provides UDP syslog reception
$ModLoad imudp                                          # open UDP port 514. TCP port 514 could be opened as well; here only UDP is accepted
    $UDPServerRun 514
     
    # Provides TCP syslog reception
    #$ModLoad imtcp
    #$InputTCPServerRun 514
     
    $WorkDirectory /var/lib/rsyslog
$AllowedSender udp, 192.168.17.0/8                    # accept UDP logs only from the 192.168.17.0/8 range (the company firewall's addresses). Note that a /8 mask keeps only the first octet, so any 192.x.x.x sender matches; /24 would limit it to the 192.168.17.0 segment
    #### GLOBAL DIRECTIVES ####
     
    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/data/fw_logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"           # template defining the destination path for received logs; logs are separated by sending host
:fromhost-ip, !isequal, "127.0.0.1" ?Remote                                                        # filter out the server's own local logs
    # File syncing capability is disabled by default. This feature is usually not required,
    # not useful and an extreme performance hit
    #$ActionFileEnableSync on
     
    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf
     
     
    #### RULES ####
     
    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                                                 /dev/console
     
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages
     
    # The authpriv file has restricted access.
    authpriv.*                                              /var/log/secure
     
    # Log all the mail messages in one place.
    mail.*                                                  -/var/log/maillog
    local4.*                                                /data/fw.log
     
    # Log cron stuff
    cron.*                                                  /var/log/cron
     
    # Everybody gets emergency messages
    *.emerg                                                 *
     
    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                                          /var/log/spooler
     
    # Save boot messages also to boot.log
    local7.*                                                /var/log/boot.log
     
     
    # ### begin forwarding rule ###
    # The statement between the begin ... end define a SINGLE forwarding
    # rule. They belong together, do NOT split them. If you create multiple
    # forwarding rules, duplicate the whole block!
    # Remote Logging (we use TCP for reliable delivery)
    #
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    #$WorkDirectory /var/lib/rsyslog # where to place spool files
    #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
    #$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
    #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    #$ActionQueueType LinkedList   # run asynchronously
    #$ActionResumeRetryCount -1    # infinite retries if host is down
    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    #*.* @@remote-host:514
    # ### end of the forwarding rule ###
     
     
    [root@zabbix ~]# mkdir /data/fw_logs/
     
    [root@zabbix ~]# /etc/init.d/rsyslog restart
     
     
II. On the company firewalls (192.168.17.41/42), configure a UDP log-output policy (add the rsyslog server's IP and port 514 on the firewall)
 
III. After a short while, the firewall logs appear under the log directory configured on the rsyslog server
    [root@zabbix ~]# ll /data/fw_logs/
    total 4.0K
    drwxrwxrwx   4 root root   46 Jul 28 10:40 .
    drwxr-xr-x. 18 root root 4.0K Jul 28 10:38 ..
    drwx------   2 root root   41 Jul 28 10:37 192.168.17.41
    drwx------   2 root root   41 Jul 28 10:40 192.168.17.42
    [root@zabbix ~]# ll /data/fw_logs/192.168.17.41
    total 16K
    drwx------ 2 root root  41 Jul 28 10:37 .
    drwxrwxrwx 4 root root  46 Jul 28 10:40 ..
    -rw------- 1 root root 13K Jul 28 14:02 192.168.17.41_2017-07-28.log
     
     
    ------------------------------------------------------------------------------------
The IP whitelist in the server's rsyslog.conf above can be set to the client address range instead, for example:
$AllowedSender tcp, 172.18.0.0/16                  # accept TCP log input from clients in 172.18.0.0/16; this requires TCP port 514 to be enabled (imtcp)
 
Client configuration:
Only one line needs to be added to rsyslog.conf:
*.*                               @172.18.10.20                     # the IP is the rsyslog server's address; a single @ forwards over UDP, use @@ for TCP (which the tcp whitelist above expects)
 
Then start rsyslog and you are done!
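As an added example (not from the original post), the following Python models how the server-side rules above decide where a message lands: facility/severity PRI encoding, classic selector evaluation (including the local5.none exclusion the nginx section of this page later relies on), the masked comparison behind $AllowedSender, and the Remote dynamic-file template. The rule lines and addresses come from this page; route() and the other function names are my own.

```python
import ipaddress

# RFC 3164 facility/severity codes; PRI = facility * 8 + severity.
# The audit hook's "logger -p local5.notice" therefore sends PRI 21*8+5 = 173.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

def encode_pri(facility, severity):
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def decode_pri(pri):
    facility = {v: k for k, v in FACILITIES.items()}[pri // 8]
    severity = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return facility, severity

def selector_matches(selector, facility, severity):
    """Evaluate a classic selector such as '*.info;mail.none;local5.none'.
    A severity name means that severity or more urgent, 'none' excludes the
    facility, and later ';'-separated parts override earlier ones (syslogd rules)."""
    matched = False
    for part in selector.split(";"):
        facs, sev = part.split(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if sev == "none":
            matched = False
        elif sev == "*":
            matched = True
        else:
            matched = SEVERITIES[severity] <= SEVERITIES[sev]
    return matched

def allowed_network(spec):
    """$AllowedSender compares the masked network, so host bits beyond the prefix
    are ignored: '192.168.17.0/8' admits every 192.x.x.x sender, not one segment."""
    return ipaddress.ip_network(spec, strict=False)

def sender_allowed(ip, spec):
    return ipaddress.ip_address(ip) in allowed_network(spec)

def remote_path(fromhost_ip, day):
    # $template Remote,"/data/fw_logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
    # day is the YYYY-MM-DD string rsyslog builds from %$YEAR%-%$MONTH%-%$DAY%.
    return f"/data/fw_logs/{fromhost_ip}/{fromhost_ip}_{day}.log"

def route(msg, rules, allowed_spec):
    """Return the files a message would be written to under this page's rules.
    msg has keys facility, severity, fromhost_ip, day. Messages from the local
    socket (127.0.0.1) bypass $AllowedSender, which only filters network input."""
    src = ipaddress.ip_address(msg["fromhost_ip"])
    if not src.is_loopback and src not in allowed_network(allowed_spec):
        return []                            # dropped by $AllowedSender
    targets = []
    if not src.is_loopback:                  # :fromhost-ip, !isequal, "127.0.0.1" ?Remote
        targets.append(remote_path(msg["fromhost_ip"], msg["day"]))
    for selector, target in rules:
        if selector_matches(selector, msg["facility"], msg["severity"]):
            targets.append(target)
    return targets

# Rule lines of the log server in the second (audit) example on this page.
SERVER_RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("local5.*", "/var/log/history.log"),
]
```

Running route() on a local5.notice audit message against SERVER_RULES shows it written to /var/log/messages as well as /var/log/history.log, because that rule set has no local5.none; the nginx section later adds it for exactly this reason.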

==================== Another example =======================
The configuration above sends the company firewall's logs to rsyslog. Now there is a further requirement:
Two other servers in the company IDC, 172.19.10.24 and 172.19.10.25, host gitlab, nexus, jenkins, jira and a wiki. Permissions on them are fairly messy and many people need to log in. Every operation performed by users who log in to these two servers must be recorded and delivered to the rsyslog log, which amounts to an audit trail of user activity.

Configuration is as follows (building on the installation and configuration above; the server IP is 172.19.16.21):
1) rsyslog server configuration (compared with the configuration above, the AllowedSender source-IP whitelist is removed here, so logs from all hosts are accepted; the firewall logs above continue to be collected)
[root@zabbix ~]# cat /etc/rsyslog.conf|grep -v "#"|grep -v "^$"
    $ModLoad imudp
    $UDPServerRun 514
    $WorkDirectory /var/lib/rsyslog
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    $template Remote,"/data/fw_logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
    :fromhost-ip, !isequal, "127.0.0.1" ?Remote
    $IncludeConfig /etc/rsyslog.d/*.conf
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages
    authpriv.*                                              /var/log/secure
    mail.*                                                  -/var/log/maillog
    cron.*                                                  /var/log/cron
    *.emerg                                                 *
    uucp,news.crit                                          /var/log/spooler
    local7.*                                                /var/log/boot.log
local5.*                                                /var/log/history.log
     
    [root@zabbix ~]# /etc/init.d/rsyslog restart
     
2) Configuration on 172.19.10.24
    [root@gitlab ~]# cat /etc/rsyslog.conf|grep -v "#"|grep -v "^$"
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    $IncludeConfig /etc/rsyslog.d/*.conf
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages
    authpriv.*                                              /var/log/secure
    mail.*                                                  -/var/log/maillog
    cron.*                                                  /var/log/cron
    *.emerg                                                 *
    uucp,news.crit                                          /var/log/spooler
    local7.*                                                /var/log/boot.log
    local5.*    @172.19.16.21
     
    [root@gitlab ~]# /etc/init.d/rsyslog restart
     
[root@gitlab ~]# cat /etc/profile                  # add the following lines at the bottom of this file
    .......
    export HISTTIMEFORMAT
    export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'
     
3) Make a similar configuration on the other host, 172.19.10.25
    [root@nexus ~]# cat /etc/rsyslog.conf |grep -v "#"|grep -v "^$"
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    $IncludeConfig /etc/rsyslog.d/*.conf
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages
    authpriv.*                                              /var/log/secure
    mail.*                                                  -/var/log/maillog
    cron.*                                                  /var/log/cron
    *.emerg                                                 *
    uucp,news.crit                                          /var/log/spooler
    local7.*                                                /var/log/boot.log
    local5.*   @172.19.16.21
     
    [root@nexus ~]# /etc/init.d/rsyslog restart
     
    [root@nexus ~]# cat /etc/profile
    .......
    export HISTTIMEFORMAT
    export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'
     
4) After a while, collected logs appear in the log directory /data/fw_logs on the rsyslog server
    [root@zabbix fw_logs]# pwd
    /data/fw_logs
    [root@zabbix fw_logs]# cd
    [root@zabbix ~]# cd /data/fw_logs/
    [root@zabbix fw_logs]# ll
    total 12K
    drwxrwxrwx   6 root root   84 Aug 16 18:28 .
    drwxr-xr-x. 18 root root 4.0K Aug 16 17:58 ..
    drwx------   2 root root   74 Aug 17 09:50 172.19.10.24
    drwx------   2 root root   74 Aug 17 10:00 172.19.10.25
    drwx------   2 root root 4.0K Aug 17 00:01 192.168.17.41
    drwx------   2 root root 4.0K Aug 17 00:01 192.168.17.42
    [root@zabbix fw_logs]# cd 172.19.10.24/
    [root@zabbix 172.19.10.24]# ll
    total 20K
    drwx------ 2 root root  74 Aug 17 09:50 .
    drwxrwxrwx 6 root root  84 Aug 16 18:28 ..
    -rw------- 1 root root 14K Aug 16 20:45 172.19.10.24_2017-08-16.log
    -rw------- 1 root root 771 Aug 17 10:03 172.19.10.24_2017-08-17.log
    [root@zabbix 172.19.10.24]# cat 172.19.10.24_2017-08-16.log
    Aug 16 18:39:56 gitlab bash[138413]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
    Aug 16 18:39:56 gitlab bash[138418]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
    Aug 16 18:39:56 gitlab bash[138422]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
    Aug 16 18:39:57 gitlab bash[138426]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
    Aug 16 18:40:30 gitlab bash[138610]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/root,command:[2017-08-16 18:40:03]root pts/0 2017-08-16 18:40 (172.16.255.202)exit
    Aug 16 18:40:43 gitlab bash[138652]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:43]root pts/0 2017-08-16 18:40 (172.16.255.202)cd /data/
    Aug 16 18:40:43 gitlab bash[138657]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:43]root pts/0 2017-08-16 18:40 (172.16.255.202)ls
    Aug 16 18:40:47 gitlab bash[138666]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:47]root pts/0 2017-08-16 18:40 (172.16.255.202)mkdir hahahahah
    Aug 16 18:40:48 gitlab bash[138671]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:48]root pts/0 2017-08-16 18:40 (172.16.255.202)cd hahahahah/
    Aug 16 18:40:48 gitlab bash[138677]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:48]root pts/0 2017-08-16 18:40 (172.16.255.202)ls
    Aug 16 18:40:54 gitlab bash[138696]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:54]root pts/0 2017-08-16 18:40 (172.16.255.202)echo "Asdfasdf" >heihei
    Aug 16 18:40:54 gitlab bash[138702]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:54]root pts/0 2017-08-16 18:40 (172.16.255.202)ls
    .......
     
The log above shows that the operations on 172.19.10.24 are recorded in detail. This makes it clear what the users who logged in to this machine did.......
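As an added example (not part of the original post), this Python parser reads audit lines in the exact format the PROMPT_COMMAND hook above produces: it splits out the $SSH_CLIENT triple and the `history 1` prefix (the "[date time]" from HISTTIMEFORMAT, whose definition is elided above, plus the login record in front of the real command), collapses the duplicate entries that appear when a user presses Enter on an empty prompt (the four identical rsyslog restart lines above), and flags sessions from outside an assumed admin network. The admin network 172.19.16.0/24 and the function names are my assumptions; the sample lines are copied from the log shown on this page.

```python
import re
import ipaddress

# Syslog header written by RSYSLOG_TraditionalFileFormat: "Aug 16 18:40:47 host tag[pid]: msg"
HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<tag>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Body emitted by the PROMPT_COMMAND logger call: user=..,ppid=..,from=..,pwd=..,command:..
# pwd is matched lazily so a command containing commas still parses.
BODY = re.compile(r"^user=(?P<user>[^,]*),ppid=(?P<ppid>\d+),from=(?P<ssh_client>[^,]*),"
                  r"pwd=(?P<pwd>.*?),command:(?P<command>.*)$")
# `history 1` text: "[date time]" from HISTTIMEFORMAT, then an optional login-record
# prefix like "root pts/0 2017-08-16 18:40 (172.16.255.202)", then the real command.
HIST = re.compile(r"^\[(?P<hts>[^\]]+)\](?:(?P<login>\S+) (?P<tty>\S+) \S+ \S+ "
                  r"\((?P<login_host>[^)]+)\))?(?P<cmd>.*)$")

def parse_audit_line(line):
    """Parse one bash audit line into a dict; return None for any other syslog line."""
    h = HEADER.match(line)
    if not h:
        return None
    b = BODY.match(h.group("msg"))
    if not b:
        return None
    rec = {**h.groupdict(), **b.groupdict()}
    del rec["msg"]
    # $SSH_CLIENT is "client-ip client-port server-port"; a local console leaves it empty.
    parts = rec["ssh_client"].split()
    rec["src_ip"] = parts[0] if parts else None
    hist = HIST.match(rec["command"])
    rec["hts"] = hist.group("hts") if hist else None
    rec["cmd"] = (hist.group("cmd") if hist else rec["command"]).strip()
    return rec

def dedupe(records):
    """PROMPT_COMMAND runs at every prompt, so an empty Enter re-logs the previous
    command under a new logger PID. Collapse entries that repeat the same shell
    (ppid), history timestamp and command text."""
    seen, out = set(), []
    for r in records:
        key = (r["ppid"], r["hts"], r["cmd"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out

def findings(records, admin_net):
    """Flag sessions from outside the expected admin network and commands that
    touch the audit path itself (the profile hook or the rsyslog service)."""
    net = ipaddress.ip_network(admin_net)
    alerts = []
    for r in records:
        if r["src_ip"] and ipaddress.ip_address(r["src_ip"]) not in net:
            alerts.append(("unexpected-source", r["src_ip"], r["cmd"]))
        if "/etc/profile" in r["cmd"] or "rsyslog" in r["cmd"]:
            alerts.append(("audit-path-touched", r["src_ip"], r["cmd"]))
    return alerts

# Sample lines copied from the audit log shown on this page.
SAMPLE = """\
Aug 16 18:39:56 gitlab bash[138413]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:39:56 gitlab bash[138418]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:40:43 gitlab bash[138652]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:43]root pts/0 2017-08-16 18:40 (172.16.255.202)cd /data/
Aug 16 18:40:47 gitlab bash[138666]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:47]root pts/0 2017-08-16 18:40 (172.16.255.202)mkdir hahahahah
"""

def analyse(text, admin_net="172.19.16.0/24"):
    """Parse, de-duplicate and check every line; returns (records, alerts)."""
    recs = dedupe(r for r in (parse_audit_line(line) for line in text.splitlines()) if r)
    return recs, findings(recs, admin_net)
```

The second sample line differs from the first only in the logger PID, so dedupe() keeps a single record for it.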

===================== Collecting nginx logs to a remote server via rsyslog ====================
Requirement: use rsyslog to synchronise the log /data/nginx/logs/www.kevin.com-access.log on server 192.168.10.21 to server 192.168.10.52 in real time (destination path /data/rsyslog/nginx)

1) 192.168.10.21 is the rsyslog client, i.e. the log push side: with rsyslog, the client actively pushes its own logs to the remote server.
Steps:
    [root@nginx-server ~]# yum install rsyslog -y
    [root@nginx-server ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
    [root@nginx-server ~]# cat /etc/rsyslog.conf
    # rsyslog v5 configuration file

    # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
    # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

    #### MODULES ####

    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imklog # provides kernel logging support (previously done by rklogd)
    #$ModLoad immark # provides --MARK-- message capability
$ModLoad imfile                               ## load the imfile module; this line is added by hand

    # Provides UDP syslog reception
    #$ModLoad imudp
    #$UDPServerRun 514

    # Provides TCP syslog reception
    #$ModLoad imtcp
    #$InputTCPServerRun 514


    #### GLOBAL DIRECTIVES ####

    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

    # File syncing capability is disabled by default. This feature is usually not required,
    # not useful and an extreme performance hit
    #$ActionFileEnableSync on

    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf


    #### RULES ####

    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.* /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages             ## do not record local5 logs here

    # The authpriv file has restricted access.
    authpriv.* /var/log/secure

    # Log all the mail messages in one place.
    mail.* -/var/log/maillog


    # Log cron stuff
    cron.* /var/log/cron

    # Everybody gets emergency messages
    *.emerg *

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit /var/log/spooler

    # Save boot messages also to boot.log
    local7.* /var/log/boot.log


    # ### begin forwarding rule ###
    # The statement between the begin ... end define a SINGLE forwarding
    # rule. They belong together, do NOT split them. If you create multiple
    # forwarding rules, duplicate the whole block!
    # Remote Logging (we use TCP for reliable delivery)
    #
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    #$WorkDirectory /var/lib/rsyslog # where to place spool files
    #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
    #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
    #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    #$ActionQueueType LinkedList # run asynchronously
    #$ActionResumeRetryCount -1 # infinite retries if host is down
    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    #*.* @@remote-host:514
    # ### end of the forwarding rule ###
    user.info /var/log/history

# add the following lines at the bottom of the file
$InputFileName /data/nginx/logs/www.kevin.com-access.log        ## the log file to read (the file being monitored)
$InputFileTag web_access             ## tag string attached to each forwarded log line
$InputFileSeverity info           ## severity
$InputFileStateFile /etc/rsyslog.d/stat-access         ## records the read position (comparable to MySQL's master.info); if the monitored file name changes, this StateFile name must change too, otherwise nothing is transmitted
$InputFileFacility local5         ## facility
$InputFilePollInterval 1          ## interval between checks of the log file (seconds)
$InputFilePersistStateInterval 1       ## interval for writing the offset back to the state file (seconds)
$InputRunFileMonitor                          ## activate the reader; several groups of input files can be defined, each group ending with this directive so it takes effect
local5.* @192.168.10.52            ## send all severities of facility local5 over UDP to 192.168.10.52

Restart the rsyslog service
    [root@nginx-server ~]# /etc/init.d/rsyslog restart
    关闭系统日志记录器: [确定]
    启动系统日志记录器: [确定]

Because this host is the push side, rsyslog does not need to listen on port 514 (as shown above, neither the UDP nor the TCP port 514 is enabled in rsyslog.conf)
    [root@nginx-server ~]# lsof -i:514
    [root@nginx-server ~]#

2) 192.168.10.52 is the rsyslog server, i.e. the log receiving side.
Configuration:
    [root@log-server ~]# yum install rsyslog -y
    [root@log-server ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
    # rsyslog configuration file

    # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
    # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

    #### MODULES ####

    # The imjournal module bellow is now used as a message source instead of imuxsock.
    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imjournal # provides access to the systemd journal
    #$ModLoad imklog # reads kernel messages (the same are read from journald)
    #$ModLoad immark # provides --MARK-- message capability

    # Provides UDP syslog reception
$ModLoad imudp                   ## load the imudp module
$UDPServerRun 514            ## enable UDP reception and set the port number

# Provides TCP syslog reception
$ModLoad imtcp                 ## load the imtcp module
$InputTCPServerRun 514             ## enable TCP reception and set the port number; the TCP and UDP inputs can be used at the same time

    #### GLOBAL DIRECTIVES ####

    # Where to place auxiliary files
    $WorkDirectory /var/lib/rsyslog

    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# define a template specifying the format of received log messages (by default rsyslog prepends several header fields to each recorded line)
$template  SpiceTmpl,"%msg% "                   ## %msg:2:$% would strip the leading space from the message

# define a template for the path of received log files; the %...% properties name the file by year-month-day
$template  DynaFile,"/data/rsyslog/nginx/%$YEAR%-%$MONTH%-%$DAY%.log"

    # File syncing capability is disabled by default. This feature is usually not required,
    # not useful and an extreme performance hit
    #$ActionFileEnableSync on

    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf

    # Turn off message reception via local log socket;
    # local messages are retrieved through imjournal now.
    $OmitLocalLogging on

    # File to store the position in the journal
    $IMJournalStateFile imjournal.state


    #### RULES ####

    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.* /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local5.none                /var/log/messages            ## do not record local5 logs here

    # The authpriv file has restricted access.
    authpriv.* /var/log/secure

    # Log all the mail messages in one place.
    mail.* -/var/log/maillog


    # Log cron stuff
    cron.* /var/log/cron

    # Everybody gets emergency messages
    *.emerg :omusrmsg:*

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit /var/log/spooler

    # Save boot messages also to boot.log
    local7.* /var/log/boot.log

# receive the local5 logs sent by the client and store them at the given location (the location may be a defined template; ? means a dynamic-file template is used)
    local5.*                       ?DynaFile;SpiceTmpl

    # ### begin forwarding rule ###
    # The statement between the begin ... end define a SINGLE forwarding
    # rule. They belong together, do NOT split them. If you create multiple
    # forwarding rules, duplicate the whole block!
    # Remote Logging (we use TCP for reliable delivery)
    #
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
    #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
    #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    #$ActionQueueType LinkedList # run asynchronously
    #$ActionResumeRetryCount -1 # infinite retries if host is down
    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    #*.* @@remote-host:514
    # ### end of the forwarding rule ###

Edit "SYSLOGD_OPTIONS=" in /etc/sysconfig/rsyslog to enable remote log reception
    [root@log-server ~]# cat /etc/sysconfig/rsyslog
    # Options for rsyslogd
    # Syslogd options are deprecated since rsyslog v3.
    # If you want to use them, switch to compatibility mode 2 by "-c 2"
    # See rsyslogd(8) for more details
    SYSLOGD_OPTIONS="-c 5"

Create the directory defined for storing received logs
    [root@log-server ~]# mkdir -p /data/rsyslog/nginx

Restart the rsyslog service
    [root@log-server ~]# /etc/init.d/rsyslog restart
    Shutting down system logger: [ OK ]
    Starting system logger: [ OK ]
    [root@log-server ~]# lsof -i:514
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    rsyslogd 24594 root 2u IPv4 38927639 0t0 TCP *:shell (LISTEN)
    rsyslogd 24594 root 3u IPv4 38927635 0t0 UDP *:syslog
    rsyslogd 24594 root 4u IPv6 38927636 0t0 UDP *:syslog
    rsyslogd 24594 root 5u IPv6 38927640 0t0 TCP *:shell (LISTEN)

Check whether logs are being received
    [root@log-server ~]# ll /data/rsyslog/nginx/
    total 550876
    -rw------- 1 root root 483539594 Jun 13 12:58 2018-06-13.log
    [root@log-server ~]# tail -2 /data/rsyslog/nginx/2018-06-13.log
    1.203.163.198 - [27/Apr/2018:00:17:53 +0800] "POST /scf/%7B%7BloginConfig.loginSubmitUrl%7D%7D HTTP/1.1" 302 0 "https://www.kevin.com/scf/login" Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.62 Safari/537.36 - 0.010 0.003 10.0.54.21:9020 302
    1.203.163.198 - [27/Apr/2018:00:17:53 +0800] "POST /scf/%7B%7BloginConfig.loginSubmitUrl%7D%7D HTTP/1.1" 302 0 "https://www.kevin.com/scf/login" Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.62 Safari/537.36 - 0.012 0.003 10.0.54.21:9020 302

    ==========================================================================
Notes:
a) If no logs arrive, i.e. nothing appears under /data/rsyslog/nginx, restart the rsyslog service on both the push side and the receiving side at the same time. Make sure iptables and selinux are disabled on both sides!
b) The storage path for received log files can also be changed, for example to the following configuration:
$template DynaFile,"/data/rsyslog/nginx/nginx-access.log"
The collected logs are then stored in the following file:
    [root@log-server ~]# ll /data/rsyslog/nginx/
    total 571716
    -rw------- 1 root root 483539594 Jun 13 12:58 2018-06-13.log
    -rw------- 1 root root 101893593 Jun 13 13:13 nginx-access.log

Reposted from

Linux下rsyslog日志收集服务环境部署记录 - 散尽浮华 - 博客园 https://www.cnblogs.com/kevingrace/p/5570411.html

References

Linux 之 rsyslog 系统日志转发 - 飞走不可 - 博客园 https://www.cnblogs.com/hanyifeng/p/5463338.html

rsyslog+loganalyzer日志服务器部署记录 - 散尽浮华 - 博客园 https://www.cnblogs.com/kevingrace/p/9252961.html
