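Introduction to Rsyslog
rsyslog is an open-source tool widely used on Linux systems to forward or receive log messages over TCP/UDP. The rsyslog daemon can be configured in two roles. As a log collection server, it collects log data over the network from other hosts that are configured to send their logs to a remote server. As a client, it filters internal log messages and sends them to local files (such as /var/log) or to a reachable remote rsyslog server.
Installing the Rsyslog daemon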
yum install rsyslog
Server-side configuration
[root@opm log]# grep -v "^#" /etc/rsyslog.conf | grep -v "^$"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad immark # provides --MARK-- message capability
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$AllowedSender tcp, 192.168.30.0/24
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /data/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
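a. $AllowedSender tcp, 192.168.30.0/24 allows hosts in the 192.168.30.0/24 network to send logs over TCP.
b. $template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" defines the Remote file-path template.
c. :fromhost-ip, !isequal, "127.0.0.1" ?Remote filters out the server's own logs.
d. $InputTCPServerRun 514 enables TCP; TCP and UDP can coexist.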
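The server configuration above opens both UDP and TCP on port 514 but gives $AllowedSender only for tcp; rsyslog keeps a separate sender list per protocol, and a protocol with no list accepts any sender. The check below is an added example, not part of the original post: the function names are hypothetical, and it assumes legacy $ directives with IP or CIDR entries only.

```python
import ipaddress

# Constructed sample: the listener-related lines of the server config above.
SERVER_CONF = """\
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$AllowedSender tcp, 192.168.30.0/24
"""

# Legacy directives that open a network listener, mapped to their protocol.
LISTENERS = {"$udpserverrun": "udp", "$inputtcpserverrun": "tcp"}


def parse(conf):
    """Return ({proto: [ports]}, {proto: [networks]}) from legacy directives."""
    listeners, allowed = {}, {}
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue
        name, rest = parts[0].lower(), parts[1]
        if name in LISTENERS:
            listeners.setdefault(LISTENERS[name], []).append(int(rest))
        elif name == "$allowedsender":
            kind, *nets = [p.strip() for p in rest.split(",")]
            # Assumption: entries are IPs or CIDR blocks; a hostname entry
            # raises ValueError instead of being silently ignored.
            allowed.setdefault(kind.lower(), []).extend(
                ipaddress.ip_network(n, strict=False) for n in nets if n)
    return listeners, allowed


def unrestricted(conf):
    """Protocols that have a listener but no $AllowedSender list."""
    listeners, allowed = parse(conf)
    return sorted(p for p in listeners if not allowed.get(p))


def accepts(conf, proto, sender):
    """True if sender may deliver over proto (no list means accept all)."""
    listeners, allowed = parse(conf)
    if proto not in listeners:
        return False
    ip = ipaddress.ip_address(sender)
    nets = allowed.get(proto)
    return not nets or any(ip in n for n in nets)
```

Adding a $AllowedSender udp line for the same network, or dropping the imudp lines when every client forwards with @@ (TCP), clears the finding.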
Client-side configuration
[root@test1 ~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none @@192.168.30.55
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$template myFormat,"%timestamp% %fromhost-ip%%msg%\n"
$ActionFileDefaultTemplate myFormat
To verify, go to the /data/log directory on the server and check the files.
Collecting logs from other services on the system
[root@node1 ~]# egrep -v '^#|^$' /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad immark # provides --MARK-- message capability
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none @@192.168.30.67
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
module(load="imfile" PollingInterval="5")
$InputFileName /var/log/nova/nova-compute.log
$InputFileTag nova-info:
$InputFileStateFile state-nova-info
$InputRunFileMonitor
Only the last 5 lines were actually added; a brief explanation of each follows.
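module(load="imfile" PollingInterval="5") loads the imfile module and refreshes every 5 seconds.
$InputFileName /var/log/nova/nova-compute.log is the path of the log file to monitor.
$InputFileTag nova-info: defines the file tag; note the trailing colon.
$InputFileStateFile state-nova-info defines the state file.
$InputRunFileMonitor activates reading. Several groups of log files can be configured; set this parameter at the end of each group.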