rsyslog can be thought of as an enhanced syslog: it builds on syslog and adds many other features, such as database support (MySQL, PostgreSQL, Oracle, etc.), log content filtering, and user-defined log format templates. Besides the default UDP protocol, rsyslog can also receive logs over TCP. It can be installed with yum or built from source; download address:
http://www.rsyslog.com/download/
rsyslog is very feature-rich. I only tested a part of it, but that was already enough for my needs.
a. MySQL support
Many rsyslog features are implemented as modules, and MySQL support is one of them. The module must first be compiled in at build time; then it is loaded in /etc/rsyslog.conf with "$ModLoad ommysql", and finally you specify which logs are to be stored in the database. Before the mysql module can be used, the database and its tables have to be created by hand; the manual describes these steps in detail, and they are not difficult.
b. filter (log filtering)
filter is one of rsyslog's highlights. Usually we do not want to collect every log: for example, we may only want logs below the error level, or only logs that contain particular content. Used well, filter makes these requirements easy to meet. A few examples follow; the manual describes usage in detail:
:msg, contains, "test_message" /var/log/test.log
&~
If the message content contains "test_message", it is stored in /var/log/test.log; "&~" means discard, i.e. no further processing. Even if a later line says :msg, contains, "test_message" /var/log/test2.log, this message will not also be written to test2.log.
if $msg contains 'test_message' then /var/log/test.log
&~
This is another way of writing the example above; the advantage of the if form is that it can express more complex matching conditions.
filter is extremely practical. syslog only defines the handful of user-defined facilities local0~local7; with filter we can easily get around the shortage of custom facilities.
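To make the "first match plus &~ stops further processing" behaviour concrete, here is a small Python model of the legacy rsyslog selector lines used above (an added example written for this page, not rsyslog's own code). It parses the two rule spellings shown in this section, applies them in order to a few constructed messages, and reports which output file each message would end up in. The sample messages and their property values are made up for the illustration.

```python
import re

# Constructed sample messages: each is a property -> value dict, the way
# rsyslog exposes message properties to filters. Like rsyslog's msg property,
# msg keeps the space that follows the syslog tag.
SAMPLE_MESSAGES = [
    {"msg": " test_message from app one", "rawmsg": "<13>app: test_message from app one"},
    {"msg": " ordinary line", "rawmsg": "<13>app: ordinary line"},
    {"msg": " sdns_log 34334", "rawmsg": "<14>root: sdns_log 34334"},
]

# :property, operator, "value" action
SELECTOR_RE = re.compile(r'^:(\w+),\s*(contains|isequal|startswith),\s*"([^"]*)"\s+(\S+)$')
# if $property operator 'value' then action
IF_RE = re.compile(r"^if \$(\w+) (contains|isequal|startswith) '([^']*)' then (\S+)$")


def _match(prop_value, op, needle):
    """One property test; the legacy operators are case-sensitive."""
    if op == "contains":
        return needle in prop_value
    if op == "isequal":
        return prop_value == needle
    return prop_value.startswith(needle)


def parse_rules(config_text):
    """Turn rule lines into (property, operator, value, action) tuples.
    A line starting with '&' reuses the previous line's filter, and the
    action '~' means discard, so '&~' is 'discard what the last filter matched'."""
    rules = []
    prev_filter = None
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("&"):
            if prev_filter is None:
                raise ValueError("'&' without a preceding filter line")
            rules.append(prev_filter + (line[1:].strip(),))
            continue
        m = SELECTOR_RE.match(line) or IF_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: %r" % line)
        prop, op, value, action = m.groups()
        prev_filter = (prop, op, value)
        rules.append(prev_filter + (action,))
    return rules


def route(config_text, messages):
    """Run every message through the rules in order. Returns a dict of
    output file -> messages written there. A '~' action ends processing of
    that message, so rules further down never see it."""
    rules = parse_rules(config_text)
    outputs = {}
    for message in messages:
        for prop, op, value, action in rules:
            if not _match(message.get(prop, ""), op, value):
                continue
            if action == "~":
                break  # discarded: no later rule applies to this message
            outputs.setdefault(action, []).append(message["msg"].strip())
    return outputs


# The situation described above: test2.log stays empty because the '&~'
# after the first match discards the message.
CONFIG_DISCARD = """
:msg, contains, "test_message" /var/log/test.log
&~
:msg, contains, "test_message" /var/log/test2.log
"""

# Same rules without the discard: the message reaches both files.
CONFIG_NO_DISCARD = """
:msg, contains, "test_message" /var/log/test.log
:msg, contains, "test_message" /var/log/test2.log
"""

# The if/then spelling of the same filter.
CONFIG_IF = """
if $msg contains 'test_message' then /var/log/test.log
&~
"""

if __name__ == "__main__":
    for cfg in (CONFIG_DISCARD, CONFIG_NO_DISCARD, CONFIG_IF):
        print(route(cfg, SAMPLE_MESSAGES))
```

Running it shows the difference directly: with CONFIG_DISCARD only /var/log/test.log receives the message, with CONFIG_NO_DISCARD both files do, and the message that does not match any rule is written nowhere (in a real rsyslog.conf it would fall through to the ordinary facility.priority rules further down).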
c. template
A template defines the log format, so that logs of different types can be normalized; this makes them much easier to read and is simple to use, but template definitions must be placed at the top of rsyslog.conf.
$template myFormat,"%timestamp% %hostname% %pri-text% %msg%\n"
$ActionFileDefaultTemplate myFormat
The first line defines a template named myFormat; the second line makes myFormat rsyslog's default template. If you only need to apply the template to particular logs, you can write it like this:
$template myFormat,"%timestamp% %hostname% %pri-text% %msg%\n"
1. To avoid losing the system log when a system crashes (so the cause of the crash can still be analyzed), rsyslog can ship logs to a remote log server.
2. Using rsyslog reduces load on the system, because rsyslog can significantly reduce disk I/O.
3. rsyslog's TCP transport is very reliable, logs can be filtered to extract the useful ones, and rsyslog is lightweight: under heavy log writing the system load stays basically below 0.1.
I. Pre-installation preparation
1. Download rsyslog-5.6.2
2. Prepare two machines (Linux or Unix), one client and one server
Installation steps for both server and client:
# specify the install directory
./configure --prefix=/Application/rsyslog

# compile
make

# install
make install
# add the library path
echo "/Application/rsyslog/lib/rsyslog" >> /etc/ld.so.conf
# refresh the linker cache
ldconfig

# create the configuration file
cp /etc/syslog.conf /etc/rsyslog.conf
# create the service script
vi /etc/init.d/rsyslog
#!/bin/bash
#
# rsyslog       Starts rsyslogd/rklogd.
#
#
# chkconfig: - 12 88
# description: Syslog is the facility by which many daemons use to log \
# messages to various system log files. It is a good idea to always \
# run rsyslog.
### BEGIN INIT INFO
# Provides: $syslog
# Required-Start: $local_fs $network $remote_fs
# Required-Stop: $local_fs $network $remote_fs
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: Enhanced system logging and kernel message trapping daemons
# Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
#              among others, MySQL, syslog/tcp, RFC 3195, permitted
#              sender lists, filtering on any message part, and fine
#              grain output format control.
### END INIT INFO

# Source function library.
basedir=/Application/rsyslog
moddir=/Application/rsyslog/lib/rsyslog/
rsyslogdfile=$basedir/sbin/rsyslogd
. /etc/init.d/functions

RETVAL=0

start() {
    [ -x $rsyslogdfile ] || exit 5

    # Do not start rsyslog when sysklogd is running
    if [ -e /var/run/syslogd.pid ] ; then
        echo $"Shut down sysklogd before you run rsyslog";
        exit 1;
    fi

    # Source config
    if [ -f /etc/sysconfig/rsyslog ] ; then
        . /etc/sysconfig/rsyslog
    else
        SYSLOGD_OPTIONS="-M $moddir"
    fi

    if [ -z "$SYSLOG_UMASK" ] ; then
        SYSLOG_UMASK=077;
    fi
    umask $SYSLOG_UMASK

    echo -n $"Starting system logger: "
    daemon $rsyslogdfile $SYSLOGD_OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/rsyslog
    return $RETVAL
}
stop() {
    echo -n $"Shutting down system logger: "
    killproc $rsyslogdfile
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/rsyslog
    return $RETVAL
}
reload() {
    RETVAL=1
    syslog=`cat /var/run/rsyslogd.pid 2>/dev/null`
    echo -n "Reloading system logger..."
    if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
        kill -HUP "$syslog";
        RETVAL=$?
    fi
    if [ $RETVAL -ne 0 ]; then
        failure
    else
        success
    fi
    echo
    return $RETVAL
}
rhstatus() {
    status rsyslogd
}
restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload|force-reload)
        reload
        ;;
    status)
        rhstatus
        ;;
    condrestart)
        [ -f /var/lock/subsys/rsyslog ] && restart || :
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|reload|force-reload|condrestart}"
        exit 2
esac

exit $?
# start the service
# make the service script executable
chmod +x /etc/init.d/rsyslog
# stop syslog before starting rsyslog
service syslog stop
service rsyslog start
# configure the server
vi /etc/rsyslog.conf # add the following at the start of the file, and make sure clients can reach port 514 over TCP
# owner of the log files
$FileOwner apache
# receive over TCP
$ModLoad imtcp # needs to be done just once
# allow up to 500 TCP sessions (must precede $InputTCPServerRun)
$InputTCPMaxSessions 500
# TCP port to receive messages on
$InputTCPServerRun 514

# prefix each message with a timestamp
$template logformat,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
# log file name, one file per year/month/day
$template DynFile,"/Application/sdns/log/%$year%%$month%%$day%.log"
# write messages containing the sdns_log marker to the file named by DynFile, formatted with logformat
:rawmsg, contains, "sdns_log" ?DynFile;logformat
# discard messages containing the sdns_log marker (no further processing)
:rawmsg, contains, "sdns_log" ~
Configure the client
vi /etc/rsyslog.conf # add the following at the start of the file
# forward messages containing sdns_log to 192.168.1.2 over TCP (@@ means TCP, @ means UDP)
:rawmsg, contains, "sdns_log" @@192.168.1.2
# discard messages containing the sdns_log marker so they are not also written to the local /var/log/messages
:rawmsg, contains, "sdns_log" ~
Test:
On the client, run
logger -p user.info "sdns_log 34334"
then check whether a log file has appeared in /Application/sdns/log/ on the server.
Server: 192.168.12.98, CentOS 6.2
Client: 192.168.12.57, CentOS 5.5
Server installation:
1. Install rsyslog and the rsyslog-mysql interface support:
# yum install -y rsyslog rsyslog-mysql
2. Edit the configuration
# vim /etc/rsyslog.conf
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.
$ModLoad immark # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # kernel logging (formerly provided by rklogd)
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none -/var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* -/var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit -/var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /rsyslog/spool # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@192.168.12.14:514
# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
$ModLoad imtcp.so # load module
# allow up to 500 TCP sessions (must be set before $InputTCPServerRun)
$InputTCPMaxSessions 500
$InputTCPServerRun 514 # start up TCP listener at port 514
# UDP Syslog Server:
#$ModLoad imudp.so # provides UDP syslog reception
#$UDPServerRun 514 # start a UDP syslog server at standard port 514
## prefix each message with a timestamp
#$template logformat,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
## log file name, one file per year/month/day
#$template DynFile,"/Application/sdns/log/%$year%%$month%%$day%.log"
## write messages containing the sdns_log marker to the file named by DynFile
#:rawmsg, contains, "sdns_log" ?DynFile;logformat
## discard messages containing the sdns_log marker
#:rawmsg, contains, "sdns_log" ~
3. Enable reception of remote messages:
# vim /etc/sysconfig/rsyslog
Change it to: SYSLOGD_OPTIONS="-m0 -r"
4. Make sure the firewall is not blocking the port
Either turn the firewall off
or
iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 514 -j ACCEPT
5. Stop syslog
# service syslog stop
6. Start rsyslog
# service rsyslog start
Client installation:
1. Install rsyslog
# yum install -y rsyslog
2. Edit the configuration
# vim /etc/rsyslog.conf
# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
$ModLoad imtcp.so # load module
$InputTCPServerRun 514 # start up TCP listener at port 514
# forward messages containing sdns_log to 192.168.1.2 over TCP (@@ means TCP, @ means UDP)
#:rawmsg, contains, "sdns_log" @@192.168.1.2
# discard messages containing the sdns_log marker so they are not also written to the local /var/log/messages
#:rawmsg, contains, "sdns_log" ~
# @@ means TCP, @ means UDP
*.*;mail.none;authpriv.none;cron.none @@192.168.12.98
authpriv.* @@192.168.12.98
*.emerg @@192.168.12.98
3. Stop syslog
# service syslog stop
4. Start rsyslog
# service rsyslog start
With everything configured, test it:
On the client, run:
logger -p user.info "sdns_log 34334"
Then look at /var/log/messages on the server.
See also the following links:
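Both setups on this page (the source build with the sdns_log DynFile rule, and the yum install that forwards everything with @@192.168.12.98) rely on the same exchange: the client opens a TCP connection to port 514 and sends newline-framed "<PRI>timestamp tag: text" lines, and the server routes each line by content. The following added Python example (written for this page, not rsyslog's own code) plays both sides on the loopback interface: a small listener that stands in for imtcp with the two rules from the server configuration, and a sender that does what logger -p user.info followed by an @@ action does. The marker text, the constructed timestamp, and the in-memory "files" are assumptions of the example; the server listens only on 127.0.0.1 and picks a free port, so nothing is exposed when you run it.

```python
import re
import socket
import threading
import time
from datetime import datetime

SYSLOG_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
SAMPLE_TIME = datetime(2012, 10, 18, 9, 5, 7)  # constructed timestamp


def build_message(facility, severity, tag, text, when):
    """Build an RFC 3164 style line the way logger(1) does:
    '<PRI>Mmm dd hh:mm:ss tag: text' with PRI = facility * 8 + severity."""
    pri = facility * 8 + severity
    ts = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s: %s" % (pri, ts, tag, text)


def parse_message(line):
    """Split off the PRI header. Per RFC 3164 section 4.3.3 a line without a
    valid PRI is treated as priority 13 (user.notice) rather than dropped."""
    m = SYSLOG_RE.match(line)
    pri = int(m.group(1)) if m and int(m.group(1)) <= 191 else 13
    return {"pri": pri, "facility": pri // 8, "severity": pri % 8, "rawmsg": line}


class TcpSyslogServer:
    """Stand-in for the imtcp listener. Lines containing MARKER go to a per-day
    DynFile with the logformat prefix; everything else goes to /var/log/messages.
    Output is kept in memory instead of on disk."""

    MARKER = "sdns_log"

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.files = {}  # output file name -> stored lines
        self.received = 0
        self.lock = threading.Lock()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:
                return  # listening socket was closed
            threading.Thread(target=self._handle, args=(conn, peer[0]), daemon=True).start()

    def _handle(self, conn, peer_ip):
        buf = b""
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
                while b"\n" in buf:  # newline framing, one syslog message per line
                    line, buf = buf.split(b"\n", 1)
                    self._route(line.decode("utf-8", "replace"), peer_ip)

    def _route(self, line, peer_ip):
        parsed = parse_message(line)
        now = datetime.now()
        with self.lock:
            self.received += 1
            if self.MARKER in parsed["rawmsg"]:
                # DynFile "%$year%%$month%%$day%.log" + logformat "%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%"
                name = now.strftime("/Application/sdns/log/%Y%m%d.log")
                stamp = now.strftime("%Y%m%d%H%M%S")
                self.files.setdefault(name, []).append("%s %s %s" % (stamp, peer_ip, parsed["rawmsg"]))
            else:
                self.files.setdefault("/var/log/messages", []).append(parsed["rawmsg"])

    def wait_for(self, count, timeout=5.0):
        """Block until `count` lines have been routed or the timeout expires."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self.lock:
                if self.received >= count:
                    return True
            time.sleep(0.01)
        return False

    def close(self):
        self.sock.close()


def send_over_tcp(host, port, lines):
    """Client side of an '@@host' action: one TCP connection, one message per line."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall("".join(l + "\n" for l in lines).encode("utf-8"))


def demo():
    """End-to-end run on loopback (server standing in for 192.168.12.98, client
    for 192.168.12.57). Returns what the server stored."""
    server = TcpSyslogServer()
    try:
        lines = [
            build_message(1, 6, "root", "sdns_log 34334", SAMPLE_TIME),  # logger -p user.info
            build_message(1, 6, "root", "unrelated message", SAMPLE_TIME),
            "line without a PRI header",
        ]
        send_over_tcp("127.0.0.1", server.port, lines)
        server.wait_for(len(lines))
        return {"received": server.received, "files": dict(server.files)}
    finally:
        server.close()


if __name__ == "__main__":
    for name, stored in demo()["files"].items():
        print(name, stored)
```

Running demo() stores the sdns_log line under a dated /Application/sdns/log/YYYYMMDD.log name, prefixed with the MySQL-style timestamp and the sender's address, while the other two lines land in /var/log/messages; the PRI-less line is still kept, which is what the page's wide-open *.* forwarding relies on.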
http://yifangyou.blog.51cto.com/900206/609330
http://blog.csdn.net/gui694278452/article/details/7755296
http://xmgu2008.blog.163.com/blog/static/1391223802010518115219906/
http://blog.csdn.net/hxh129/article/details/8089474