rsyslog 收集系统日志

<pre name="code" class="html">nginx 服务器配置:
jrhwpt01:/root# cat /etc/rsyslog.conf 
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
module(load="imfile" PollingInterval="5")
$ModLoad imtcp
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none;local5.none                /var/log/messages
*.info;mail.none;authpriv.none;cron.none;local5.none                @@15.26.10.82:514


rsyslog 服务器配置

:FROMHOST-IP, isequal, "10.26.44.206" /var/log/10.26.44.206.log
:FROMHOST-IP, isequal, "11.40.169.210" /var/log/11.40.169.210.log


b.$template Remote,"/data/log/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"  定义模板，接受日志文件路径，区分了不同主机的日志

c.:fromhost-ip, !isequal, "127.0.0.1" ?Remote 过滤server 本机的日志

最简单的办法；
$template myFormat,"%timestamp% %fromhost-ip%%msg%
"
$template Remote,"/var/log/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" -?Remote;myFormat

1.rsyslog 服务器配置：
[root@opm log]# grep -v "^#" /etc/rsyslog.conf | grep -v "^$"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad immark  # provides --MARK-- message capability
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$AllowedSender tcp, 192.168.30.0/24
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /data/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log


a.$AllowedSender tcp, 192.168.30.0/24 允许 30.0网段内的主机以tcp协议来传输

b.$template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"  定义模板，接受日志文件路径，区分了不同主机的日志

c.:fromhost-ip, !isequal, "127.0.0.1" ?Remote 过滤server 本机的日志。

$template myFormat,"%timestamp% %fromhost-ip%%msg%
"


:syslogtag,isequal,"uat-frontend01-access"  -?uat-frontend01-access;tocFormat
$template Remote,"/var/log/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" -?Remote;myFormat