rsyslog 移植与配置方案介绍

rsyslog介绍

rsyslog 是一个 syslogd 的多线程增强版。它提供高性能、极好的安全功能和模块化设计。虽然它基于常规的 syslogd，但 rsyslog 已经演变成了一个强大的工具，可用于：

• 接收来自各种来源的输入
• 转换它们
• 将结果输出到不同的目的地

rsyslog移植

移植版本

-rw-rw-r-- 1 bala bala 558K Oct 28 13:11 zlib-1.2.8.tar.gz
-rw-rw-r-- 1 bala bala 280K Oct 20 07:03 liblogging-1.0.5.tar.gz
-rw-rw-r-- 1 bala bala 311K Oct 19 13:57 libuuid-1.0.3.tar.gz
-rw-rw-r-- 1 bala bala 329K Oct 19 11:45 libestr-0.1.10.tar.gz
-rw-rw-r-- 1 bala bala 2.2M Oct 19 11:28 rsyslog-8.22.0.tar.gz
-rw-rw-r-- 1 bala bala 1.3M Oct 28 21:44 libfastjson-0.99.4.zip

libestr-0.1.10.tar.gz
libfastjson-0.99.4
libuuid-1.0.3.tar.gz

./configure
CC=XXX-gcc
--build=$(./config.guess)
--host=x86_64-pc-linux && make && sudo make install

zlib-1.2.8.tar.gz

CC=XXX-gcc
./configure && make && sudo make install

liblogging-1.0.5.tar.gz

autoreconf -v --install
./configure
CC=XXX-gcc
--build=$(./config.guess)
--disable-journal --disable-man-pages
--host=x86_64-pc-linux && make && sudo make install

编译时，如遇到类似如下malloc或realloc错误，在config.h.in中注释掉如下定义：
#undef malloc
#undef realloc：

./.libs/liblogging-stdlog.so: undefined reference to `rpl_malloc'
collect2: error: ld returned 1 exit status
make[2]: *** [stdlogctl] Error 1

rsyslog-8.22.0.tar.gz

./configure
CC=XXX-gcc
--build=$(./config.guess)
LIBS=-lm
--disable-libgcrypt
--enable-imfile --enable-imptcp --enable-omstdout
--host=x86_64-pc-linux
&& make && sudo make install

rsyslog client端配置

client端需要注意处理日志传输的可靠性，如果处理不当，可能你会遇到如下日志丢失的场景：

1. 在tcp建链前把rsyslog拉起来，在tcp建链前的日志都会丢掉。
2. tcp建链后，中间发生断链后又恢复（比如ifconfig eth0 down/up），这期间的日志也会丢掉。

所以采取的可靠性保证措施如下：

1. 配置使能官网推荐的本地数据缓存机制；
2. 在确认建链后重新启动rsyslog服务；

alex@cb:~$ cat rcS 
(省略)
# slave rsyslog
chmod +x /etc/run_rsyslog
./etc/run_rsyslog &
(省略)

alex@cb:~$ cat run_rsyslog 
#!/bin/sh

rsyslogd -f /etc/rsyslog.slave.conf -i /etc/rsyslogd.pid
while true
do
        # send a msg to check whether tcp connection is established.
        logger "running rsyslogd..."
        netstat -t 2>&1 | grep -e ":514[ ]*ESTABLISHED"
        if [ "$?" = "1" ]; then
                sleep 3
                continue
        fi
        kill -9 $(cat /etc/rsyslogd.pid)
        sleep 1
        rsyslogd -f /etc/rsyslog.slave.conf -i /etc/rsyslogd.pid
        logger "rsyslogd TCP connection ESTABLISHED."
        exit 0
done

alex@cb:~$ cat rsyslog.slave.conf 
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog")   # provides kernel logging support (previously done by rklogd)
#module(load"immark")  # provides --MARK-- message capability
module(load="imfile")

input(type="imfile"
                File="/dev/util"
                Severity="info"
                Facility="local0"       
                Tag="util")

input(type="imfile"
                File="/dev/usrdrvexc0"
                Severity="info"
                Facility="local1"               
                Tag="usrdrvexc0")
          
input(type="imfile"
                File="/dev/usrdrvexc1"
                Severity="info"
                Facility="local2"
                Tag="usrdrvexc1")   

input(type="imfile"
                File="/var/eip_svc_*.log"
                Severity="info"
                Facility="local3"
                Tag="subcard")
        
$template myFormat,"%TIMESTAMP:::date-rfc3164% %msg%
"
$ActionFileDefaultTemplate myFormat

$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdRule1 
$ActionQueueMaxFileSize 1m   
$ActionQueueSaveOnShutdown on 
$ActionQueueType LinkedList   
$ActionResumeRetryCount -1    
*.*  @@168.0.31.1:514 

rsyslog server端配置

alex@cb:~$ cat rcS 
(省略)
# log rotation
mkdir -p /var/spool/cron/crontabs
crond -l 20 -L /var/log/crond.log
chmod +x /usr/sbin/log_rotation
echo "* * * * * /usr/sbin/log_rotation" > /var/spool/cron/crontabs/root

# rsyslog
rsyslogd -f /etc/rsyslog.master.conf -i /etc/rsyslogd.pid
(省略)


alex@cb:~$ cat rsyslog.master.conf 

module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

$template myFormat,"%TIMESTAMP:::date-rfc3164% %msg%
"
$ActionFileDefaultTemplate myFormat

$template KlogFile,"/sysdisk0/run_log/util/dmesg-%FROMHOST%.log"
$template UserlogFile,"/sysdisk0/run_log/util/userlog-%FROMHOST%.log"
$template UtilFile,"/sysdisk0/run_log/util/util-%FROMHOST%.log"
$template Usrdrvexc0File,"/sysdisk0/run_log/util/usrdrvexc0-%FROMHOST%.log" 
$template Usrdrvexc1File,"/sysdisk0/run_log/util/usrdrvexc1-%FROMHOST%.log"
$template SubcardFile,"/sysdisk0/run_log/util/subcard-%FROMHOST%.log"

kern.* ?KlogFile
local0.* ?UtilFile
local1.* ?Usrdrvexc0File
local2.* ?Usrdrvexc1File
local3.* ?SubcardFile
*.info;kern.none;local0.none;local1.none;local2.none;local3.none ?UserlogFile

日志回卷配置

官网提供的一种简单的日志回卷方案，

# start log rotation via outchannel
# outchannel definition
$outchannel log_rotation,/var/log/log_rotation.log, 52428800,/home/me/./log_rotation_script
#  activate the channel and log everything to it
*.* :omfile:$log_rotation
# end log rotation via outchannel

这个方案可以对有固定文件名的日志文件进行回卷，单其缺点就是不支持动态模板命名文件。

对于动态模板命名文件，一种可用的日志回卷方案是基于crond实现方案，示例如下。

alex@cb:~$ cat log_rotation 
#!/bin/sh

large_logs=`find /sysdisk0/run_log/util/ -type f -size +1024k  -regex "/sysdisk0/run_log/util/(subcard|usrdrvexc0|usrdrvexc1|userlog|util)-.*.log"`

for file in $large_logs;
do
    mv -f $file $file.1;
done;

--EOF--