1. Rsyslog

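rsyslog is a fast program for collecting and processing system logs, offering high performance, security features, and a modular design. It is an upgraded version of syslog that takes input from many kinds of sources, transforms it, and outputs the results to a destination.
rsyslog is an open-source tool widely used on Linux systems to forward or receive log messages over TCP/UDP. The rsyslog daemon can be configured in two roles. As a log collection server, rsyslog gathers log data over the network from other hosts that are configured to send their logs to a remote server. As a client, it filters internal log messages and sends them to a local directory (such as /var/log) or to a remote rsyslog server it can route to.
logrotate is a log file management tool. It rotates, compresses, and deletes old files and creates new log files. Logs can be rotated based on file size, age in days, and so on, which makes log files easier to manage; this is usually done through a cron job.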

Example setup

  • 172.16.5.154 Server
  • 172.16.5.150 Client

2. rsyslog server configuration

Install

yum -y install rsyslog

Edit the configuration file /etc/rsyslog.conf to enable the UDP and TCP modules.
View it:

cat /etc/rsyslog.conf

Contents:

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal

##### Enable UDP log reception
$ModLoad imudp
$UDPServerRun 514
$template RemoteHost,"/data/syslog/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log"   
*.*  ?RemoteHost
& ~
#### Enable TCP log reception
$ModLoad imtcp
$InputTCPServerRun 514

$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

####### Include all configuration files ending in .conf under /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf     

$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none     /var/log/messages
authpriv.*                  /var/log/secure
mail.*                    -/var/log/maillog
cron.*                    /var/log/cron
*.emerg                   :omusrmsg:*
uucp,news.crit            /var/log/spooler
local7.*                  /var/log/boot.log
local0.*                 /etc/keepalived/keepalived.log

3. Start the rsyslog service

systemctl restart rsyslog
systemctl  status   rsyslog
netstat -anp | grep 514
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      41910/rsyslogd      
tcp6       0      0 :::514                  :::*                    LISTEN      41910/rsyslogd      
udp        0      0 0.0.0.0:514             0.0.0.0:*                           41910/rsyslogd      
udp6       0      0 :::514                  :::*                                41910/rsyslogd

4. rsyslog client configuration

Install

yum -y install rsyslog  

View the configuration file

grep -v "^$" /etc/rsyslog.conf | grep -v "^#"

Contents:

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
####### Custom template definition
$template myFormat,"%timestamp% %fromhost-ip% %msg%\n"
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
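######## This rule tells the rsyslog daemon to route all messages from every facility on this system to UDP port 514 of the remote rsyslog server (172.16.5.151). @@ sends over TCP; a single @ sends over UDP.
*.*          @172.16.5.151:514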
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                             /etc/keepalived/keepalived.log

5. Restart rsyslog on the client

systemctl restart rsyslog
systemctl status rsyslog

Check on the server that /data/syslog/<date>/<ip>.log is being created as expected

tail -f /data/syslog/2021-08-03/172.16.5.150.log

Check that the client's logs are in sync

tail -f /var/log/messages

Log synchronization between the server and the client is complete.

rsyslog.conf

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat


#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
#$FileCreateMode 0640
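# 0755 makes every new log file world-readable and executable; the commented-out 0640 above limits files to owner and group.
$FileCreateMode 0755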
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

$template RemoteHost,"/mnt/disk0/syslog/%$YEAR%%$MONTH%/%FROMHOST-IP%/%$YEAR%%$MONTH%%$DAY%-%FROMHOST-IP%.log"
*.* ?RemoteHost

###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
#auth,authpriv.*            /var/log/auth.log
#*.*;auth,authpriv.none     -/var/log/syslog
#cron.*             /var/log/cron.log
#daemon.*           -/var/log/daemon.log
#kern.*             -/var/log/kern.log
#lpr.*              -/var/log/lpr.log
#mail.*             -/var/log/mail.log
#user.*             -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info          -/var/log/mail.info
#mail.warn          -/var/log/mail.warn
#mail.err           /var/log/mail.err

#
# Some "catch-all" log files.
#
*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none      -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg             :omusrmsg:*
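
The configurations above open port 514 on all interfaces with no sender restriction, forward `*.*` with a single `@`, and set `$FileCreateMode 0755`. The script below is an added example, not part of the original article, that flags those three settings in an rsyslog.conf. The function names, finding labels, both sample configs and port 6514 are assumptions made here; the hardened sample lists only the lines the check reads (TLS certificate directives are omitted).

```shell
# Added example, not from the original article: static audit of an rsyslog.conf.
# Usage: audit_rsyslog_conf /etc/rsyslog.conf   (reads stdin when no file is given)
audit_rsyslog_conf() {
    awk '
    /^[ \t]*#/ { next }                                  # skip comment lines
    # Network listeners, legacy and RainerScript syntax
    /^[ \t]*[$](UDPServerRun|InputTCPServerRun)[ \t]/ { listeners++ }
    /^[ \t]*input\(type="im(udp|tcp)"/                { listeners++ }
    /^[ \t]*[$]AllowedSender[ \t]/                    { acl++ }
    /^[ \t]*[$]ActionSendStreamDriverMode[ \t]+1/     { tls++ }
    # $FileCreateMode whose last octal digit grants access to "other"
    /^[ \t]*[$]FileCreateMode[ \t]/ && $2 !~ /0$/ {
        print "WORLD_ACCESSIBLE_LOGS line " NR ": " $2
    }
    # Forwarding action: selector, whitespace, then @host (UDP) or @@host (TCP)
    /^[^$#]*[ \t]@@?[^ \t@]/ { fwd[NR] = $2 }
    END {
        if (listeners && !acl)
            print "LISTENER_WITHOUT_ALLOWEDSENDER: " listeners " input(s)"
        for (n in fwd)            # UDP is never encrypted; TCP only with TLS mode 1
            if (!tls || fwd[n] !~ /^@@/)
                print "PLAINTEXT_FORWARD line " n ": " fwd[n]
    }' "$@"
}

# Constructed sample: the settings used on this page, merged into one file.
sample_conf() {
    cat <<'EOF'
$UDPServerRun 514
$InputTCPServerRun 514
#$FileCreateMode 0640
$FileCreateMode 0755
*.*          @172.16.5.151:514
EOF
}

# Constructed sample: sender ACL, 0640 files, TLS-mode TCP forward (assumed port).
hardened_conf() {
    cat <<'EOF'
$UDPServerRun 514
$AllowedSender UDP, 172.16.5.150
$FileCreateMode 0640
$ActionSendStreamDriverMode 1
*.*          @@172.16.5.151:6514
EOF
}

sample_conf | audit_rsyslog_conf
```

On a real host, run `audit_rsyslog_conf /etc/rsyslog.conf /etc/rsyslog.d/*.conf`; line numbers in the findings then count across all files in the order given.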

————————————————
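Copyright notice: This is an original article by CSDN blogger "运维 涛涛", released under the CC 4.0 BY-SA license. When reposting, include a link to the original source and this notice.
Original link: https://blog.csdn.net/weixin_46545831/article/details/119355869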