服务器(9)--Linux之系统日志rsyslog转发
一、简介
RSYSLOG is the rocket-fast system for log processing.
It offers high-performance, great security features and a modular design. While it started as a regular syslogd, rsyslog has evolved into a kind of swiss army knife of logging, being able to accept inputs from a wide variety of sources, transform them, and output to the results to diverse destinations.
RSYSLOG can deliver over one million messages per second to local destinations when limited processing is applied (based on v7, December 2013). Even with remote destinations and more elaborate processing the performance is usually considered "stunning".
1、rsyslog 是一个快速处理收集系统日志的程序,提供了高性能、强大的安全特性和模块化设计
2、rsyslog 是syslog 的升级版,自centos6起,系统日志配置文件/etc/syslog.conf不再存在,取而代之的是/etc/rsyslog.conf
3、判断服务器上是否安装rsyslog,命令:rsyslogd -version
4、如果服务器上没有安装rsyslog,则安装,命令:yum install rsyslog -y
二、部署
1、环境图
2、rsyslog server上的部署操作
(1)编辑rsyslog配置文件,路径/etc/rsyslog.conf,修改前最好先备份一份,修改后的文件内容如下:
[root@opm log]# grep -v "^#" /etc/rsyslog.conf | grep -v "^$"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad immark # provides --MARK-- message capability
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$AllowedSender tcp, 192.168.233.0/24
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /data/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
b.$template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" 定义模板,接受日志文件路径,区分了不同主机的日志
c.:fromhost-ip, !isequal, "127.0.0.1" ?Remote 过滤server 本机的日志。
d.$InputTCPServerRun 514 开启tcp,tcp和udp 可以共存的
(2)创建日志目录,尽量选择系统内比较大的区域创建,因为考虑到要存放很多服务器的日志文件。
mkdir -pv /data/log
(3)重启rsyslog服务,并查看监听端口,514 是否是tcp协议
重启:systemctl restart rsyslog
查看端口:netstat -tunlp | grep rsyslog
3、rsyslog client上的部署操作
(1)node1上的配置
同样,先备份/etc/rsyslog.conf,然后配置rsyslog.conf文件,配置完成后,重启rsyslog服务
[root@node1 ~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %msg%\n"
$ActionFileDefaultTemplate myFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none @192.168.233.128
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log(2)ceph1上的配置
先备份,然后配置rsyslog.conf文件,最后重启rsyslog服务
[root@ceph1 ~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none @192.168.233.128
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$template myFormat,"%timestamp% %fromhost-ip%%msg%\n"
$ActionFileDefaultTemplate myFormat三、验证
1、进入服务端的/data/log下,查看日志,使用tree,可以看到树形结构
messages:server 端的系统日志
文件夹192.168.233.129: node1 客户端的日志
文件夹192.168.233.130: ceph1 客户端的日志
2、查看node1的日志
在客户端node的命令行中输入:logger "hello world"
在服务端server中查看客户端node的日志,在命令行中输入:
tail -f /data/log/192.168.233.129/192.168.233.129_2018-02-25.log
