
Setting up a centralized log server with Rsyslog on Linux


(1) Introduction to Rsyslog

rsyslog is a fast program for collecting and processing system logs; it offers high performance, security features and a modular design. rsyslog is the successor to syslog: it accepts input from many kinds of sources, transforms it, and delivers the result to output destinations.

rsyslog is an open-source tool widely used on Linux systems to forward or receive log messages over TCP/UDP. The rsyslog daemon can be configured in two roles. As a log collection server, it gathers log data from other hosts on the network, which are configured to send their logs to the remote server. As a client, it filters and sends the host's own log messages to a local directory (such as /var/log) or to a reachable remote rsyslog server.

logrotate is a log file management tool. It rotates, compresses and deletes old files and creates new log files. Rotation can be triggered by file size, age and so on, which makes log files easier to manage; it is usually run from a cron job.

No.   IP address       Role      Notes
1     192.168.99.99    Server
2     192.168.99.98    Client

(2) rsyslog server configuration

1. rsyslog is installed by default; if it is missing, install it with:

# yum install rsyslog -y

2. Edit the /etc/rsyslog.conf configuration file and enable the UDP and TCP input modules: $ModLoad imudp, $UDPServerRun 514, $ModLoad imtcp and $InputTCPServerRun 514.

# vim /etc/rsyslog.conf

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
##### enable receiving logs over UDP
$ModLoad imudp
$UDPServerRun 514
$template RemoteHost,"/data/syslog/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log"
*.*  ?RemoteHost
& ~
#### enable receiving logs over TCP
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
####### include every file ending in .conf under /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                                /etc/keepalived/keepalived.log

The RemoteHost template names one file per sending host per day, so each remote machine's messages land in their own file. The "& ~" line applies the discard action (~) to the same "*.*" selector as the line before it: every message, including the server's own local ones, is written to the per-host file and is then dropped, so the rules that follow never see it.

3. Restart the rsyslog service

# systemctl restart rsyslog
# systemctl status rsyslog
# netstat -anp | grep 514
tcp        0      0 0.0.0.0:514            0.0.0.0:*              LISTEN      1445/rsyslogd
tcp6       0      0 :::514                  :::*                    LISTEN      1445/rsyslogd
udp        0      0 0.0.0.0:514            0.0.0.0:*                          1445/rsyslogd
udp6       0      0 :::514                  :::*                                1445/rsyslogd

(3) rsyslog client configuration

1. Edit the rsyslog client configuration file:

# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %msg%\n"   ####### definition of a custom template
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.*          @192.168.99.99:514                      ######## this line tells the rsyslog daemon to route every message of every facility on this system to UDP port 514 of the remote rsyslog server (192.168.99.99); @@ forwards over TCP, a single @ forwards over UDP.
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                            /etc/keepalived/keepalived.log
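To make the forwarding line concrete, here is an added example (not code from the article or from rsyslog) that does by hand what "*.* @192.168.99.99:514" makes the client daemon do: it builds an RFC 3164-style syslog line with PRI = facility * 8 + severity, picks UDP for a single "@" and TCP for "@@", and adds the newline framing that rsyslog's imtcp reads on TCP. The hostname, tag and text are the article's "root: hello world" entry (logger's default priority is user.notice, PRI 13); the timestamp is constructed. Neither transport authenticates the sender and UDP gives no delivery confirmation, so on the collector it is worth limiting who may send (rsyslog's $AllowedSender directive) or using the TLS-capable transport.

```python
"""Forward one message the way the client line '*.* @192.168.99.99:514' does.
Added example, not code from the article: it builds an RFC 3164-style
syslog line, picks UDP for a single '@' and TCP for '@@', and adds the
newline framing rsyslog's imtcp expects on TCP.  The network send runs
only when the file is executed as a script.
"""
import socket
from datetime import datetime

# Constructed sample values matching the article's test message.
SAMPLE_WHEN = datetime(2018, 5, 24, 17, 14, 33)
SAMPLE_HOST, SAMPLE_TAG, SAMPLE_MSG = "server98", "root", "hello world"
USER, NOTICE = 1, 5   # facility and severity the logger(1) command uses by default


def parse_forward_target(action: str) -> tuple:
    """Turn '@host:port' / '@@host:port' into (protocol, host, port).

    One '@' selects UDP, two select TCP; port 514 is assumed when omitted.
    """
    if action.startswith("@@"):
        proto, rest = "tcp", action[2:]
    elif action.startswith("@"):
        proto, rest = "udp", action[1:]
    else:
        raise ValueError(f"not a forwarding action: {action!r}")
    host, _, port = rest.partition(":")
    return proto, host, int(port) if port else 514


def build_message(facility: int, severity: int, when: datetime,
                  hostname: str, tag: str, msg: str) -> bytes:
    """Encode <PRI>TIMESTAMP HOSTNAME TAG: MSG with PRI = facility * 8 + severity."""
    pri = facility * 8 + severity
    # RFC 3164 timestamp is 'Mmm dd hh:mm:ss' with the day space-padded to two columns
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}".encode()


def sample_message() -> bytes:
    """The article's 'hello world' entry as the client would put it on the wire."""
    return build_message(USER, NOTICE, SAMPLE_WHEN, SAMPLE_HOST, SAMPLE_TAG, SAMPLE_MSG)


def send(action: str, payload: bytes, timeout: float = 3.0) -> int:
    """Deliver payload to the target named in a forwarding action; returns bytes sent."""
    proto, host, port = parse_forward_target(action)
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(payload, (host, port))
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload + b"\n")     # imtcp reads newline-terminated records
        return len(payload) + 1


if __name__ == "__main__":
    line = sample_message()
    print(line.decode())              # <13>May 24 17:14:33 server98 root: hello world
    print(send("@192.168.99.99:514", line), "bytes sent over UDP")
```

Running the script against the server above produces the same "server98 root: hello world" line the article later shows in /data/2018-05-24/192.168.99.98.log; switching the action to "@@192.168.99.99:514" exercises the TCP listener that $InputTCPServerRun 514 opened.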

2. Restart the client rsyslog service

# systemctl restart rsyslog
# systemctl status rsyslog
● rsyslog.service – System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since 四 2018-05-24 16:57:04 CST; 4s ago
 Main PID: 44765 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─44765 /usr/sbin/rsyslogd -n

5月 24 16:57:04 server98 systemd[1]: Starting System Logging Service…
5月 24 16:57:04 server98 systemd[1]: Started System Logging Service.

(4) Check that the logs are generated correctly on the client and on the server.

(1) Check that the server creates the file /data/<date>/<ip>.log correctly.

# tail -f /data/2018-05-24/192.168.99.98.log

2018-05-24T17:02:52+08:00 server98 postfix/pickup[41198]: AAC764ACB03: uid=0 from=< [email protected] >
2018-05-24T17:02:52+08:00 server98 postfix/cleanup[45967]: AAC764ACB03: message-id=< [email protected] >
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AAC764ACB03: from=< [email protected] >, size=851, nrcpt=1 (queue active)
2018-05-24T17:02:52+08:00 server98 postfix/smtp[39596]: AAC764ACB03: to=< [email protected] >, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=address.somewhere type=AAAA: Host not found)
2018-05-24T17:02:52+08:00 server98 postfix/cleanup[45967]: AB6804ACB0B: message-id=<[email protected]>
2018-05-24T17:02:52+08:00 server98 postfix/bounce[45968]: AAC764ACB03: sender non-delivery notification: AB6804ACB0B
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AB6804ACB0B: from=<>, size=2811, nrcpt=1 (queue active)
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AAC764ACB03: removed
2018-05-24T17:02:52+08:00 server98 postfix/smtp[39597]: AB6804ACB0B: to=<[email protected]>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=company.xy type=AAAA: Host not found)
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AB6804ACB0B: removed
2018-05-24T17:14:33+08:00 server98 root: hello world

(2) Generate a log entry on the client and check that it is synchronized; both sides should have it.

# tail -f /var/log/messages

May 24 17:11:40 server98 Keepalived_vrrp[49377]: VRRP_Script(chk_http_port) succeeded
May 24 17:11:52 server98 smokeping[38532]: Alert someloss is active for Other.hefei.hefei-office2
May 24 17:11:52 server98 smokeping[38532]: Alert someloss is active for Other.wuxi.wuxi-office2
May 24 17:12:52 server98 smokeping[38532]: Alert someloss is active for Other.hefei.hefei-office2
May 24 17:12:52 server98 smokeping[38532]: Alert someloss is active for Other.wuxi.wuxi-office2
May 24 17:13:52 server98 smokeping[38532]: Alert someloss is active for Other.hefei.hefei-office2
May 24 17:13:52 server98 smokeping[38532]: Alert someloss is active for Other.wuxi.wuxi-office2
May 24 17:14:33 server98 root: hello world

At this point, log synchronization between the log server and the client is complete.

Notes:


1. Facility is the syslog "module": rsyslog uses the concept of a facility to identify the source of a log message, which makes classifying logs easier. There are 24 facility values (0-23); some of them are missing from Python's syslog library.

0  kernel messages
1  user-level messages
2  mail system
3  system daemons
4  security/authorization messages
5  messages generated internally by syslogd
6  line printer subsystem
7  network news subsystem
8  UUCP subsystem
9  clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16-23 local0 - local7

Commonly used ones:


2. Severity: log levels

0 Emergency
1 Alert
2 Critical
3 Error
4 Warning
5 Notice
6 Informational
7 Debug
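The facility and severity tables above are what a selector such as "*.info;mail.none;authpriv.none;cron.none" is evaluated against, and the server section's "*.* ?RemoteHost" / "& ~" pair sits in front of those selectors. The following added example (not code from the article or from the rsyslog project) reproduces that evaluation in Python: it decodes a message's PRI value into facility and severity, applies the article's rules in order, expands the RemoteHost template into the per-host file name, and honours the discard action. The arrival timestamp and the template path (the /data/... form from the "important configuration files" section) are taken as given; only the selector forms the page uses are supported.

```python
"""Simulate how the selector lines of the article's /etc/rsyslog.conf route a
message.  Added example, not code from the article or the rsyslog project.
PRI = facility * 8 + severity (tables in the notes above); supported selector
forms are '*', 'none', 'level' (that level and more severe) and '=level';
'&' (same selector as the previous line), '~' (discard) and '?template'
(dynamic file name) behave as they do in rsyslog.
"""
from __future__ import annotations
from datetime import datetime

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
ALL_SEV = frozenset(range(8))
RECEIVED_AT = datetime(2018, 5, 24, 17, 14, 33)   # constructed arrival time

# Rules copied from the article's server configuration.
SERVER_CONF = """
$template RemoteHost,"/data/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log"
*.*  ?RemoteHost
& ~
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                                /etc/keepalived/keepalived.log
"""
# The same rules without the RemoteHost/discard pair: what the client applies locally.
LOCAL_CONF = "\n".join(l for l in SERVER_CONF.splitlines()
                       if "RemoteHost" not in l and not l.startswith("&"))

def decode_pri(pri: int) -> tuple[int, int]:
    """Split a syslog <PRI> value into (facility, severity)."""
    return pri // 8, pri % 8

def parse_selector(selector: str) -> dict[int, frozenset[int]]:
    """Map each facility number to the severities this selector field lets through.
    Sub-selectors apply left to right and later ones override earlier ones for the
    same facility, so '*.info;mail.none' keeps info and above for all but mail."""
    allowed = {f: frozenset() for f in range(24)}
    for part in selector.split(";"):
        facs, _, prio = part.strip().rpartition(".")
        fac_nums = range(24) if facs == "*" else [FACILITIES[f] for f in facs.split(",")]
        if prio == "none":
            sevs = frozenset()
        elif prio == "*":
            sevs = ALL_SEV
        elif prio.startswith("="):
            sevs = frozenset({SEVERITIES[prio[1:]]})
        else:
            sevs = frozenset(s for s in ALL_SEV if s <= SEVERITIES[prio])
        for f in fac_nums:
            allowed[f] = sevs
    return allowed

def parse_config(conf: str):
    """Collect $template definitions and (selector, action) rules in file order."""
    templates, rules, last = {}, [], None
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("$template"):
            name, _, tmpl = line[len("$template"):].strip().partition(",")
            templates[name.strip()] = tmpl.strip().strip('"')
        elif line and not line.startswith(("#", "$")):
            sel, action = line.split(None, 1)
            last = last if sel == "&" else parse_selector(sel)
            rules.append((last, action))
    return templates, rules

def expand_template(tmpl: str, fromhost_ip: str, when: datetime) -> str:
    """Expand the properties the RemoteHost template uses."""
    return (tmpl.replace("%$YEAR%", f"{when.year:04d}").replace("%$MONTH%", f"{when.month:02d}")
                .replace("%$DAY%", f"{when.day:02d}").replace("%FROMHOST-IP%", fromhost_ip))

def route(conf: str, pri: int, fromhost_ip: str, when: datetime) -> list[str]:
    """Return the actions a message with this PRI reaches, in rule order."""
    templates, rules = parse_config(conf)
    facility, severity = decode_pri(pri)
    targets = []
    for allowed, action in rules:
        if severity not in allowed[facility]:
            continue
        if action == "~":            # discard: no later rule sees the message
            break
        if action.startswith("?"):   # dynamic file name built from a template
            action = expand_template(templates[action[1:]], fromhost_ip, when)
        targets.append(action)
    return targets

if __name__ == "__main__":
    user_notice = FACILITIES["user"] * 8 + SEVERITIES["notice"]   # PRI 13, as in 'root: hello world'
    print(route(SERVER_CONF, user_notice, "192.168.99.98", RECEIVED_AT))
    print(route(LOCAL_CONF, user_notice, "192.168.99.98", RECEIVED_AT))
```

Two results are worth checking by hand: with the server rules, the "hello world" message (PRI 13, user.notice) reaches only /data/2018-05-24/192.168.99.98.log, because "& ~" discards it before /var/log/messages is considered; with the client rules, an authpriv.info message reaches /var/log/secure and not /var/log/messages, because "authpriv.none" in the first selector overrides "*.info" for that facility.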


Important configuration files:

1. rsyslog server configuration:

# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
$template RemoteHost,"/data/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log"
*.*  ?RemoteHost
& ~
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                                /etc/keepalived/keepalived.log

2. rsyslog client configuration

# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %msg%\n"
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none          @192.168.99.99:514
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                            /etc/keepalived/keepalived.log

Permanent link to this article: https://www.linuxidc.com/Linux/2018-06/152665.htm
