syslog实例详解rsyslog

http://blog.csdn.net/chenhao112358/article/details/40892239
http://www.cnblogs.com/blueswu/p/3564763.html
http://blog.clanzx.net/2013/12/31/rsyslog.html
http://www.xiaomastack.com/2014/11/06/logger-rsyslog/
http://www.cnblogs.com/tobeseeker/archive/2013/03/10/2953250.html
http://www.open-open.com/lib/view/open1440982522565.html
https://linux.cn/article-4835-1.html#3_4334

服务器初始配制：其他实验基于添加

[root@server1 ~]# vi /etc/rsyslog.conf               

# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
$UDPServerRun 514           //去掉#

# Provides TCP syslog reception
#$ModLoad imtcp
$InputTCPServerRun 10514   //去掉#


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

实例1：

服务器:
/etc/rsyslog.conf文件最后添加
*.*                                    /var/log/all.log

service rsyslog restart


客户端：
/etc/rsyslog.conf文件最后添加
*.*                                                    @@10.24.220.232:10514   //通过tcp传


service rsyslog restart
------------------------------------------------------------------------------------------
客户端测试试程序：k.c
#include <syslog.h>
int main(void){
 int log_test;
 openlog("log_test", LOG_PID|LOG_CONS, LOG_USER);
 syslog(LOG_INFO, "PID information, pid=%d
", getpid());
 syslog(LOG_ALERT, "debug message
");
 closelog();
 return 0;
}
root@slave1 ~]# ./k  

服务器查看log:
cat /var/log/all.log

Jun 12 20:44:05 slave1 log_test[12612]: PID information, pid=12612
Jun 12 20:44:05 slave1 log_test[12612]: debug message

实例2：

服务器:
/etc/rsyslog.conf文件最后添加
*.*                                    /var/log/all.log

service rsyslog restart


客户端：
/etc/rsyslog.conf文件最后添加
*.*                                                    @10.24.220.232:10514   //通过udp


service rsyslog restart

------------------------------------------------
客户端：
[root@slave1 ~]# logger "hello world"

服务器查看log:
cat /var/log/all.log

Jun 12 20:50:51 slave1 root: hello world

实例3

服务器：
/etc/rsyslog.conf文件最后添加
local5.*        /var/log/all.log            #过滤local5级别的日志，放入/var/log/all.log


客户端只加入：

local5.*                    @10.1.5.241:514                     #通过udp传

客户端测试：
[root@slave1 ~]# logger -p local5.info  "hello world" 

服务端显示：
root@server1 log]# cat /var/log/all.log
Jun 12 21:06:21 slave1 root: hello world

实例4:
服务端：

/etc/rsyslog.conf文件最后添加

$template logfile,"/var/log/logfile_%$year%%$month%%$day%.log"       //生成新的日志文件

  :msg,contains,"muyushan" ?logfile                                    //表示对消息中含有muyushan 发送到,logfile定义的文件中

  客户端：

  /etc/rsyslog.conf文件最后添加

  :msg,contains,"muyushan"                @@192.168.1.26:10514         //只对消息中含有muyushan发送到192.168.1.26：10514主机

   

注意： :msg,contains,"muyushan"
logger -t muyushan "muyushan"    :rsyslog 只对   "muyushan"  过滤，发送到192.168.1.26:10514 
logger -t muyushan "test"  是不发送到 192.168.1.26:10514

EG：
   2016-06-13T00:48:16.643880-07:00 localhost muyushan: muyushan     中的红色过滤
   

客户端测试：logger "muyushan"

服务器查看:
[root@localhost log]# cat logfile_20160613.log
2016-06-13T01:11:21-07:00 localhost root: muyushan