Rsyslog Configuration and Usage Tutorial

2019-07-25 12:45 Category: Computer Operations

(I) Introduction to Rsyslog


1. About Rsyslog
Rsyslog is a Rocket-fast System for Log processing. Rsyslog is the default log management software of the CentOS 6 series. Rsyslog is built on a modular design and provides a high-performance, secure log management system. Rsyslog is multithreaded and supports TCP, UDP, TLS and RELP. Rsyslog is essentially an enhanced version of syslog.


2. Installing Rsyslog

rsyslog is installed by default on CentOS.
Check rsyslog's running status:

$service rsyslog status
rsyslogd (pid  7542) is running...

$ ps -ef|grep rsyslog|grep -v grep
root      1014    1  0  2014 ?        00:15:09 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5

The -c 5 here is defined in /etc/sysconfig/rsyslog:
$ cat /etc/sysconfig/rsyslog 
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS="-c 5"

3. Configuring rsyslog

rsyslog's configuration file is /etc/rsyslog.conf:
# rsyslog v5 configuration file
 
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see
 
#### MODULES ####
 
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog  # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability
 
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
 
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
 
 
#### GLOBAL DIRECTIVES ####
 
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
 
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
 
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
 
 
#### RULES ####
 
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                /dev/console
 
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
 
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
 
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
 
 
# Log cron stuff
cron.*                                                  /var/log/cron
 
# Everybody gets emergency messages
*.emerg                                                *
 
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
 
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
 
 
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g  # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList  # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

 

$ cat /etc/rsyslog.conf|grep -v -E "^#|^$"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog  # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

The configuration format is as follows:

log type (facility).log level (severity)              log handling action

Log type      Description
auth          logs generated by the PAM module
authpriv      login authentication information for ssh, sftp, etc.
cron          logs related to scheduled (cron) tasks
kernel

rsyslog is a program for quickly managing and collecting system logs; it provides high performance, security features and a modular design. rsyslog is an upgraded version of syslog: it takes input from various sources, transforms it, and outputs the result to a destination.


rsyslog is an open-source tool widely used on Linux systems to forward or receive log messages over the TCP/UDP protocols. The rsyslog daemon can be configured in two roles. One is as a log collection server, where the rsyslog process collects log data from other hosts on the network, and those hosts are configured to send their logs to the remote server. The other use of rsyslog is as a client, filtering and sending its internal log messages to a local directory (such as /var/log) or to a reachable remote rsyslog server.


logrotate is a log file management tool. It rotates, compresses and deletes old files and creates new log files. Rotation can be triggered by log file size, age in days and so on, which makes log files easy to manage; it is usually run as a cron scheduled task.

No.   IP address       Type      Notes
1     192.168.99.99    Server
2     192.168.99.98    Client

(II) rsyslog server configuration
1. rsyslog is installed by default; if it is not installed, install it with:
[root@localhost samba]# yum install rsyslog -y

2. Edit the /etc/rsyslog.conf configuration file and enable the udp and tcp modules:
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

[root@localhost samba]# vim /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal

##### enable receiving logs over UDP
$ModLoad imudp
$UDPServerRun 514
$template RemoteHost,"/data/syslog/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log" 
*.*  ?RemoteHost
& ~
#### enable receiving logs over TCP
$ModLoad imtcp
$InputTCPServerRun 514

$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

####### include all configuration files ending in .conf under /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf   

$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                                /etc/keepalived/keepalived.log

3. Restart the rsyslog service

[root@zabbix 2018-05-23]# systemctl restart rsyslog
[root@zabbix 2018-05-23]# systemctl status rsyslog
[root@localhost samba]# netstat -anp|grep 514
tcp        0      0 0.0.0.0:514            0.0.0.0:*              LISTEN      1445/rsyslogd     
tcp6      0      0 :::514                  :::*                    LISTEN      1445/rsyslogd     
udp        0      0 0.0.0.0:514            0.0.0.0:*                          1445/rsyslogd     
udp6      0      0 :::514                  :::*                                1445/rsyslogd 

(III) rsyslog client configuration
1. Edit the rsyslog client's configuration file:

[root@server98 log]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %msg%\n"  ####### definition of a custom template
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.*          @192.168.99.99:514                      ######## This statement tells the rsyslog daemon to route all messages from every device on the system to UDP port 514 of the remote rsyslog server (192.168.99.99). @@ sends over TCP; a single @ sends over UDP.
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                            /etc/keepalived/keepalived.log

2. Restart the client's rsyslog service

[root@server98 log]# systemctl restart rsyslog
[root@server98 log]# systemctl status rsyslog
● rsyslog.service - System Logging Service
  Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
  Active: active (running) since 四 2018-05-24 16:57:04 CST; 4s ago
 Main PID: 44765 (rsyslogd)
  CGroup: /system.slice/rsyslog.service
          └─44765 /usr/sbin/rsyslogd -n

5月 24 16:57:04 server98 systemd[1]: Starting System Logging Service...
5月 24 16:57:04 server98 systemd[1]: Started System Logging Service.

(IV) Check whether logs are generated normally on the client and the server.
(1) Check whether the server normally generates /data/<date>/<ip>.log.

[root@zabbix 2018-05-24]# tail -f /data/2018-05-24/192.168.99.98.log
2018-05-24T17:02:52+08:00 server98 postfix/pickup[41198]: AAC764ACB03: uid=0 from=<smokealert@company.xy>
2018-05-24T17:02:52+08:00 server98 postfix/cleanup[45967]: AAC764ACB03: message-id=<20180524090252.AAC764ACB03@server98.localdomain>
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AAC764ACB03: from=<smokealert@company.xy>, size=851, nrcpt=1 (queue active)
2018-05-24T17:02:52+08:00 server98 postfix/smtp[39596]: AAC764ACB03: to=<alertee@address.somewhere>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=address.somewhere type=AAAA: Host not found)
2018-05-24T17:02:52+08:00 server98 postfix/cleanup[45967]: AB6804ACB0B: message-id=<20180524090252.AB6804ACB0B@server98.localdomain>
2018-05-24T17:02:52+08:00 server98 postfix/bounce[45968]: AAC764ACB03: sender non-delivery notification: AB6804ACB0B
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AB6804ACB0B: from=<>, size=2811, nrcpt=1 (queue active)
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AAC764ACB03: removed
2018-05-24T17:02:52+08:00 server98 postfix/smtp[39597]: AB6804ACB0B: to=<smokealert@company.xy>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=company.xy type=AAAA: Host not found)
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AB6804ACB0B: removed
2018-05-24T17:14:33+08:00 server98 root: hello world

(2) Generate a log entry on the client and check whether the logs are synchronized; both sides have it.
[root@server98 ~]# tail -f /var/log/messages
May 24 17:11:40 server98 Keepalived_vrrp[49377]: VRRP_Script(chk_http_port) succeeded
May 24 17:11:52 server98 smokeping[38532]: Alert someloss is active for Other.hefei.hefei-office2
May 24 17:11:52 server98 smokeping[38532]: Alert someloss is active for Other.wuxi.wuxi-office2
May 24 17:12:52 server98 smokeping[38532]: Alert someloss is active for Other.hefei.hefei-office2
May 24 17:12:52 server98 smokeping[38532]: Alert someloss is active for Other.wuxi.wuxi-office2
May 24 17:13:52 server98 smokeping[38532]: Alert someloss is active for Other.hefei.hefei-office2
May 24 17:13:52 server98 smokeping[38532]: Alert someloss is active for Other.wuxi.wuxi-office2
May 24 17:14:33 server98 root: hello world

At this point, log synchronization between the log server and the client is complete.

Notes:


1. Facility is the syslog module: rsyslog uses the facility concept to define where a log message comes from, which makes classifying logs convenient. Facility: 24 values (0-23) are available; a few of them are missing from Python's syslog library.
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16-23     local0 - local7

Commonly used ones: [Image 3, not reproduced]

2. Severity: log level
0 Emergency
1 Alert
2 Critical
3 Error
4 Warning
5 Notice
6 Informational
7 Debug

Key configuration files:

1. rsyslog server configuration:

[root@zabbix 2018-05-23]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
$template RemoteHost,"/data/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log"
*.*  ?RemoteHost
& ~
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                                /etc/keepalived/keepalived.log

2. rsyslog client configuration

[root@server98 log]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %msg%\n"
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none          @192.168.99.99:514
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                            /etc/keepalived/keepalived.log
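To make the facility/severity tables in the notes and the server and client rule sets above concrete, here is an added Python model (written for this page, not part of the original article or of rsyslog itself) of the legacy `facility.severity` selectors, the `&` / `~` discard shorthand and the RemoteHost file template, evaluated over constructed sample lines such as the `hello world` test; the `from_ip` and `date` parameters are assumptions standing in for rsyslog's %FROMHOST-IP% and date properties. Running it over the page's final client rule set shows that authpriv messages (ssh logins) stay only in the local /var/log/secure and are never forwarded, and that on the server every message is discarded by `& ~` before the local rules below it are reached.

```python
import re
# Facility (0-23) and severity (0-7) names in the numeric order given in the page's notes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_pri(line):
    """Decode the <PRI> prefix of a wire-format syslog line (PRI = facility * 8 + severity)."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    fac, sev = divmod(int(m.group(1)), 8)
    return FACILITIES[fac], SEVERITIES[sev], m.group(2)

def selector_matches(selector, facility, severity):
    """Evaluate a legacy selector like '*.info;mail.none;authpriv.none' (no '=' / '!' forms).
    Parts apply left to right, so 'mail.none' after '*.info' removes mail again."""
    matched = False
    for part in selector.split(";"):
        facs, sev = part.split(".")
        if "*" not in facs.split(",") and facility not in facs.split(","):
            continue
        # 'none' excludes the facility, '*' takes every level, a bare level takes it and all more urgent ones
        matched = sev != "none" and (sev == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(sev))
    return matched

def route(rules, line, from_ip="192.168.99.98", date="2018-05-24"):
    """Actions one message triggers, in order. '&' reuses the previous selector and '~' discards
    the message, so every rule after the server's '& ~' line is unreachable."""
    facility, severity, _ = parse_pri(line)
    actions, prev = [], None
    for selector, action in rules:
        selector = prev if selector == "&" else selector
        prev = selector
        if not selector_matches(selector, facility, severity):
            continue
        if action == "~":  # discard: stop processing this message
            return actions + ["discard"]
        if action == "?RemoteHost":  # the server's dynamic file-name template (assumed expansion)
            action = f"/data/syslog/{date}/{from_ip}.log"
        actions.append(action)
    return actions

# Rule sets transcribed from the page's server and client configs (local0/local7 lines omitted).
SERVER_RULES = [("*.*", "?RemoteHost"), ("&", "~"),
                ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
                ("authpriv.*", "/var/log/secure")]
CLIENT_RULES = [("*.info;mail.none;authpriv.none;cron.none", "@192.168.99.99:514"),
                ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
                ("authpriv.*", "/var/log/secure")]
```

Call `route(CLIENT_RULES, "<86>... sshd[1]: Accepted publickey")` (PRI 86 = authpriv.info) to see the message land only in /var/log/secure, and `route(SERVER_RULES, ...)` with any PRI to see the per-host file followed by the discard.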


Copyright notice: This article was published by 威尼斯人app under Computer Operations; please credit the source when reposting: Rsyslog Configuration and Usage Tutorial