Setting up an rsyslog log server on CentOS 7 / RHEL 7
Test environment
server: 10.0.0.100
client: 10.0.0.10
server:
1. Install rsyslog
yum -y install rsyslog
2. Configure rsyslog
[root@master log]# grep -vE '^$|^#' /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
# Allow clients to connect on udp/514
$ModLoad imtcp
$InputTCPServerRun 514
# Allow clients to connect on tcp/514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
## Server-side additions begin
# Use the RemoteLogs template to accept client logs and store them locally under /var/log/remote; the first-level subdirectory is named by year-month-day, and below it each client gets a log file named after its IP address
$template RemoteLogs,"/var/log/remote/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%.log"
# Record every facility at every severity
*.* ?RemoteLogs
# Do not record the server's own local logs
$template Remote,"/mnt/syslog/%$YEAR%%$MONTH%/%FROMHOST-IP%/%$YEAR%%$MONTH%%$DAY%-%FROMHOST-IP%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
# Tells rsyslog to stop processing the message once it has been written to the file. Without "& ~" the message would also be written to the local log files
& ~
## Server-side additions end
$ActionFileEnableSync on
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
*.err /var/log/errors
$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
:programname, startswith, "spice-vdagent" /var/log/spice-vdagent.log;SpiceTmpl
authpriv.info /var/log/authpriv_info
*.info /var/log/info
auth.none /var/log/auth_none
If you want to customise the format in which client logs are stored, see the link at the bottom of this article.
3. Restart rsyslog
systemctl restart rsyslog
systemctl status rsyslog
Check the status to confirm the rsyslog service is running normally
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-11-23 10:16:38 CST; 35min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 9834 (rsyslogd)
Tasks: 10
CGroup: /system.slice/rsyslog.service
└─9834 /usr/sbin/rsyslogd -n
[root@master log]# netstat -anput|grep syslog
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 9834/rsyslogd
tcp6 0 0 :::514 :::* LISTEN 9834/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 9834/rsyslogd
udp6 0 0 :::514 :::* 9834/rsyslogd
This shows the configuration is working and the service is listening.
client:
1. Install rsyslog
2. Configure rsyslog
authpriv.* @10.0.0.100:514
# A single @ means forward over udp/514
authpriv.* @@10.0.0.100:514
# A double @@ means forward over tcp/514
Adjust this according to the logs you want to forward; I was only testing, so I only forwarded the logs related to system logins.
3. Restart rsyslog
Verification:
On the server, check whether client logs appear under the /var/log/remote directory
[root@master /]# ls /var/log/remote
2021-11-23
[root@master /]# ls /var/log/remote/2021-11-23/
10.0.0.10.log 127.0.0.1.log
[root@master /]# cat /var/log/remote/2021-11-23/10.0.0.10.log
Nov 23 10:18:12 apache_0 sshd[1349]: pam_unix(sshd:session): session closed for user root
Nov 23 10:18:12 apache_0 sshd[1353]: pam_unix(sshd:session): session closed for user root
Nov 23 10:18:14 apache_0 sshd[1404]: Accepted password for root from 10.0.0.1 port 53252 ssh2
Nov 23 10:18:14 apache_0 sshd[1404]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 23 10:18:14 apache_0 sshd[1408]: Accepted password for root from 10.0.0.1 port 53253 ssh2
Nov 23 10:18:15 apache_0 sshd[1408]: pam_unix(sshd:session): session opened for user root by (uid=0)
[root@master /]#
This shows the setup is complete and verified.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
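Once the per-client files exist, the next thing a defender wants is to actually read them. The following is an added example, not part of the original post: it parses lines in the RSYSLOG_TraditionalFileFormat that the RemoteLogs template writes and summarises the sshd "Accepted ..." events, so root password logins from a central log can be spotted per source address. The sample lines are constructed from the output shown above plus one key-based login added for contrast; the function names are my own.

```python
import re
from collections import defaultdict

# One line in RSYSLOG_TraditionalFileFormat, e.g.
#   "Nov 23 10:18:14 apache_0 sshd[1404]: Accepted password for root from 10.0.0.1 port 53252 ssh2"
# Days below 10 are padded with a second space, hence " {1,2}".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# The sshd success message; method is "password", "publickey", etc.
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

def parse_line(line):
    """Split one traditional-format syslog line into its fields; None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def summarize_ssh_logins(lines):
    """Return {(user, method, src_ip): count} for every sshd 'Accepted ...' event."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prog"] != "sshd":
            continue
        a = ACCEPTED_RE.match(rec["msg"])
        if a:
            counts[(a["user"], a["method"], a["src"])] += 1
    return dict(counts)

def root_password_logins(lines):
    """The events worth reviewing: root authenticated with a password rather than a key."""
    return {k: v for k, v in summarize_ssh_logins(lines).items()
            if k[0] == "root" and k[1] == "password"}

# Constructed sample: lines from /var/log/remote/2021-11-23/10.0.0.10.log as shown in the
# post, plus one key-based login (hypothetical) so the summary has something to contrast.
SAMPLE = """\
Nov 23 10:18:12 apache_0 sshd[1349]: pam_unix(sshd:session): session closed for user root
Nov 23 10:18:14 apache_0 sshd[1404]: Accepted password for root from 10.0.0.1 port 53252 ssh2
Nov 23 10:18:14 apache_0 sshd[1404]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 23 10:18:14 apache_0 sshd[1408]: Accepted password for root from 10.0.0.1 port 53253 ssh2
Nov 23 10:18:15 apache_0 sshd[1408]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 23 10:20:01 apache_0 sshd[1500]: Accepted publickey for deploy from 10.0.0.20 port 40000 ssh2
""".splitlines()

if __name__ == "__main__":
    # The file name itself comes from %fromhost-ip%; when clients send over UDP (@) that
    # address is unauthenticated, so the TCP (@@) path is the one to rely on for attribution.
    for (user, method, src), n in root_password_logins(SAMPLE).items():
        print(f"{user} logged in by {method} {n}x from {src}")
```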