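Requirements
The front-end Tomcat instances are load-balanced across several machines, and logging in to each machine to read its logs is tedious. The goal is to ship the Tomcat logs from all machines to a single machine for easy viewing, with instances that serve the same function writing to the same log.
Environment
System: CentOS release 6.10 (Final)
The default rsyslog version is rsyslogd 5.8.10; it needs to be upgraded to the latest version, rsyslogd 8.2010.0
192.168.1.2 server IP
192.168.1.3 client IP
Rsyslog implementation
1 Upgrade rsyslog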
# cd /etc/yum.repos.d
# wget http://rpms.adiscon.com/v8-stable/rsyslog.repo
# yum update rsyslog
[root@VM_220_5_centos yum.repos.d]# rsyslogd -v
rsyslogd 8.2010.0 (aka 2020.10) compiled with:
PLATFORM: x86_64-redhat-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: No
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
systemd support: No
Config file: /etc/rsyslog.conf
PID file: /var/run/syslogd.pid
Number of Bits in RainerScript integers: 64
########################
#######################
If you uninstall and then reinstall rsyslog, the uninstall also removes crontab
[root@VM_220_5_centos ~]# yum remove rsyslog
Loaded plugins: fastestmirror, security
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package rsyslog.x86_64 0:8.2010.0-2.el6 will be erased
--> Processing Dependency: syslog for package: cronie-1.4.4-16.el6_8.2.x86_64
--> Running transaction check
---> Package cronie.x86_64 0:1.4.4-16.el6_8.2 will be erased
--> Processing Dependency: cronie = 1.4.4-16.el6_8.2 for package: cronie-anacron-1.4.4-16.el6_8.2.x86_64
--> Running transaction check
---> Package cronie-anacron.x86_64 0:1.4.4-16.el6_8.2 will be erased
--> Processing Dependency: /etc/cron.d for package: crontabs-1.10-33.el6.noarch
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package crontabs.noarch 0:1.10-33.el6 will be erased
--> Finished Dependency Resolution
Dependencies Resolved
===============================================================================================
Package Arch Version Repository Size
===============================================================================================
Removing:
rsyslog x86_64 8.2010.0-2.el6 @rsyslog_v8 2.1 M
Removing for dependencies:
cronie x86_64 1.4.4-16.el6_8.2 @anaconda-CentOS-201703281317.x86_64/6.9 174 k
cronie-anacron x86_64 1.4.4-16.el6_8.2 @anaconda-CentOS-201703281317.x86_64/6.9 43 k
crontabs noarch 1.10-33.el6 @anaconda-CentOS-201703281317.x86_64/6.9 2.4 k
Transaction Summary
===============================================================================================
Remove 4 Package(s)
Installed size: 2.3 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Erasing : cronie-anacron-1.4.4-16.el6_8.2.x86_64 1/4
Erasing : crontabs-1.10-33.el6.noarch 2/4
Erasing : cronie-1.4.4-16.el6_8.2.x86_64 3/4
Erasing : rsyslog-8.2010.0-2.el6.x86_64 4/4
warning: /etc/rsyslog.conf saved as /etc/rsyslog.conf.rpmsave
warning: /etc/logrotate.d/syslog saved as /etc/logrotate.d/syslog.rpmsave
Verifying : rsyslog-8.2010.0-2.el6.x86_64 1/4
Verifying : crontabs-1.10-33.el6.noarch 2/4
Verifying : cronie-anacron-1.4.4-16.el6_8.2.x86_64 3/4
Verifying : cronie-1.4.4-16.el6_8.2.x86_64 4/4
Removed:
rsyslog.x86_64 0:8.2010.0-2.el6
Dependency Removed:
cronie.x86_64 0:1.4.4-16.el6_8.2 cronie-anacron.x86_64 0:1.4.4-16.el6_8.2
crontabs.noarch 0:1.10-33.el6
Complete!
See https://www.rsyslog.com for more information.
Installing, however, does not reinstall those dependencies, so if you run
yum remove rsyslog
you then need to run
yum install rsyslog
yum install cronie
2 Client configuration
- rsyslog.conf configuration
Uncomment the following settings; add them if they are missing
# vim /etc/rsyslog.conf
# imuxsock module: support for local system logging
module(load="imuxsock")
# imklog module: support for kernel logging
module(load="imklog")
# imfile module: support for reading from files
module(load="imfile" )
# use the UDP protocol
module(load="imudp")
input(type="imudp" port="514")
# use the TCP module
module(load="imtcp" MaxSessions="500")
input(type="imtcp" port="514")
######################################
######################################
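Note:
1 module(load="imuxsock" SysSock.Use="off") At first I added SysSock.Use="off" after finding it in an online search, and later discovered that /var/log/messages no longer received any logs!!!
# provides support for local system logging (e.g. via logger command)
2 module(load="imfile" ) must be added; it provides the support for this block in /etc/rsyslog.d/tomcat1.conf:
input(type="imfile"
File="/usr/local/tomcat1/logs/catalina-daemon.out" # log file path
Facility="local1"
Severity="info"
Tag="tomcat1" # log tag; important, the server uses this tag to identify the logs
PersistStateInterval="1" # write the read offset back to the state file every N processed lines (here after every line); adjust to your situation
Ruleset="remote" # name of the ruleset defined in rsyslog.conf
)
New configuration; simply append it to the end of the file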
# vim /etc/rsyslog.conf
ruleset(name="remote"){
action(type="omfwd"
target="192.168.1.2"
port="514"
protocol="tcp"
queue.type="linkedList"
queue.spoolDirectory="/data/log/rsyslog"
queue.fileName="remoteQueue_192_168_1_3"
queue.maxDiskSpace="5g"
queue.saveOnShutdown="on"
action.resumeRetryCount="-1"
)
stop
}
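Remove the rule that writes all logs to /var/log/messages; otherwise every log ends up in messages and the file becomes very large
On a test client this can be left unchanged, but the server must change it because all logs are shipped to the server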
# vim /etc/rsyslog.conf
# Comment out this line
*.info;mail.none;authpriv.none;cron.none /var/log/messages
Replace it with
*.info;mail.none;authpriv.none;cron.none;local1.none;local2.none;local3.none;local4.none;local5.none;local6.none /var/log/messages
#########################
#########################
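Note:
*.info means that all logs at info level or higher are written to /var/log/messages
mail.none; excludes mail logs, and likewise the authpriv and cron logs, which by default are written to other log files
The local1-6 logs we define ourselves do not need to go to /var/log/messages either
The rest of /etc/rsyslog.conf can stay unchanged; make sure it contains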
$IncludeConfig /etc/rsyslog.d/*.conf
- Add a drop-in configuration file
Create the configuration file tomcat1.conf in the /etc/rsyslog.d/ directory
cd /etc/rsyslog.d/
# vim tomcat1.conf
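$WorkDirectory /data/log/rsyslog # default is /var/lib/rsyslog
input(type="imfile"
File="/usr/local/tomcat1/logs/catalina-daemon.out" # log file path
Facility="local1"
Severity="info"
Tag="tomcat1" # log tag; important, the server uses this tag to identify the logs
PersistStateInterval="1" # write the read offset back to the state file every N processed lines (here after every line); adjust to your situation
reopenOnTruncate="on" # handles the case where the log can no longer be read after it has been truncated
Ruleset="remote" # name of the ruleset defined in rsyslog.conf
)
Save the file and check that the configuration is valid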
# rsyslogd -N 1
rsyslogd: version 8.2010.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
The client configuration is now complete; restart rsyslog
# service rsyslog stop
# service rsyslog start
Firewall
vim /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
service iptables restart
3 Server configuration
- Firewall configuration is the same as on the client
vim /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
service iptables restart
- Configure rsyslog
# vim /etc/rsyslog.conf
#### MODULES ####
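$PreserveFQDN on # used to obtain the host name correctly; probably not used for now
$FileOwner root # owner of the stored files
$FileGroup root # group of the stored files
$FileCreateMode 0644 # permissions of created files
$DirCreateMode 0755 # permissions of created directories
$Umask 0022
$PrivDropToUser root # user rsyslogd runs as after startup (the user able to delete the logs); root means no privileges are dropped
$PrivDropToGroup root # group rsyslogd runs as after startup (the group able to delete the logs)
module(load="imuxsock" ) # imuxsock module: support for local system logging
module(load="imklog") # imklog module: support for kernel logging
# use the UDP protocol
module(load="imudp")
input(type="imudp" port="514")
# use the TCP protocol
module(load="imtcp" MaxSessions="500")
input(type="imtcp" port="514")
Add
$template SpiceTmpl,"%fromhost-ip%-%msg:2:$%\n" # define the output line format template
$template ChannelmanageTomcat1,"/data/log/rsyslog/tomcat1/catalina.log" # define the storage path and file name; text between %% is a variable
$template ChannelmanageTomcat2,"/data/log/rsyslog/tomcat2/catalina.log" # define the storage path and file name; text between %% is a variable
$template ChannelmanageTomcat3,"/data/log/rsyslog/tomcat3/catalina.log"
:rawmsg,contains,"tomcat1" ?ChannelmanageTomcat1;SpiceTmpl # "contains" selects the logs tagged tomcat1 and stores them in the file defined by the ChannelmanageTomcat1 template
:rawmsg,contains,"tomcat2" ?ChannelmanageTomcat2;SpiceTmpl
:rawmsg,contains,"tomcat3" ?ChannelmanageTomcat3;SpiceTmpl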
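An added example (not from the original post): a small Python model of the three :rawmsg,contains rules and the SpiceTmpl template above, run over constructed messages. It shows that a substring match on the whole raw message also files lines that only mention tomcat1 in their body or carry the tag tomcat10, which an exact match on the parsed tag (rsyslog exposes it as the programname property) avoids. The host names and sample messages are assumptions.

```python
import re

# <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG, the RFC 3164 layout rsyslog forwards by default
_LINE = re.compile(
    r"^<(\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) ([^\s:\[]+)(?:\[\d+\])?:?(.*)$")
TAGS = ("tomcat1", "tomcat2", "tomcat3")

# Constructed sample messages (not captured from a real system)
SAMPLES = [
    "<142>Oct 20 11:57:01 web01 tomcat1 INFO: Server startup in 5234 ms",
    "<150>Oct 20 11:57:02 web02 tomcat2 WARN: upstream tomcat1 did not respond",
    "<142>Oct 20 11:57:03 web04 tomcat10 INFO: started",
    "<78>Oct 20 11:57:04 web03 CROND[991]: (root) CMD (/usr/local/tomcat1/bin/rotate.sh)",
]

def parse(raw):
    """Split a raw message into the fields the filters and the template use."""
    m = _LINE.match(raw)
    if not m:
        return None
    pri, host, tag, msg = m.groups()
    return {"facility": int(pri) >> 3, "severity": int(pri) & 7,
            "host": host, "programname": tag, "msg": msg}

def route_rawmsg_contains(raw):
    """The page's rules: substring match anywhere in the raw message.
    No rule ends with 'stop', so one message can land in several files."""
    return [t for t in TAGS if t in raw]

def route_by_tag(raw):
    """Stricter variant: exact match on the parsed tag only."""
    rec = parse(raw)
    return [rec["programname"]] if rec and rec["programname"] in TAGS else []

def render(raw, fromhost_ip):
    """SpiceTmpl: sender IP, '-', then msg from its 2nd character to the end."""
    return f"{fromhost_ip}-{parse(raw)['msg'][1:]}\n"

def misrouted(samples):
    """Messages that the substring rules file differently from the tag match."""
    return [s for s in samples if route_rawmsg_contains(s) != route_by_tag(s)]

if __name__ == "__main__":
    for s in SAMPLES:
        print(route_rawmsg_contains(s), route_by_tag(s), "|", s)
    print(render(SAMPLES[0], "192.168.1.3"), end="")
```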
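Remove the rule that writes all logs to /var/log/messages; otherwise every log ends up in messages and the file becomes very large
# vim /etc/rsyslog.conf
# Comment out this line
## Log messages of every facility at info level or higher to the messages file (except mail messages, authpriv authentication messages and cron scheduled-task messages)
*.info;mail.none;authpriv.none;cron.none /var/log/messages
Replace it with
*.info;mail.none;authpriv.none;cron.none;local1.none;local2.none;local3.none /var/log/messages
The client's tomcat1.conf sets Facility="local1", so local1.none keeps those logs out of the messages file; they are written only to the custom template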
#############################
#############################
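About Facility: the facility is part of syslog; the facility concept defines the source of a log message so that logs can be categorised. The following facilities are available; consult the relevant documentation if you need a particular one.
kern kernel messages
user user-level messages
mail mail
daemon system daemons
syslog messages from the syslog service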
security/authorization messages
line printer subsystem
network news subsystem
UUCP subsystem (uucp system messages)
clock daemon
security/authorization messages
FTP daemon
NTP subsystem
log audit
log alert
clock daemon
local0 - local7
- Restart the services and collect logs
Server
mkdir -p /data/log/rsyslog
# service rsyslog stop
# service rsyslog start
[root@VM-220-2_centos /]# ll /data/log/rsyslog/*/*
-rw-r--r-- 1 root root 1836819 Oct 20 13:46 /data/log/rsyslog/tomcat1/catalina.log
-rw-r--r-- 1 root root 22427 Oct 20 11:57 /data/log/rsyslog/tomcat2/catalina.log
-rw-r--r-- 1 root root 496596 Oct 20 11:57 /data/log/rsyslog/tomcat3/catalina.log
Client
[root@VM_220_5_centos rsyslog.d]# ll /data/log/rsyslog/
total 12
-rw------- 1 root root 120 Oct 20 11:57 imfile-state:664196:417dd13bb2a2ef57
-rw------- 1 root root 121 Oct 20 11:57 imfile-state:664229:5c8e6ac0b55be7e6
-rw------- 1 root root 128 Oct 20 13:48 imfile-state:672673:616ddd1c9e981ac9
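Points to watch
1 Open the firewall ports
2 Log rotation for /data/log/rsyslog//
3 Sometimes the directory cannot be created and no logs are written; try deleting /data/log/rsyslog/ on the server and /data/log/rsyslog/ on the client, then restart the rsyslog service on both sides
4 The next day I found that logs were no longer being shipped, because the Tomcat log is truncated every day; I then added this line to /etc/rsyslog.d/tomcat1.conf
reopenOnTruncate="on"
which fixed it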
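An added example (not from the original post, and not rsyslog's code): a simplified Python model of a file follower with a saved read offset, showing why shipping stops after the daily truncation and what reopenOnTruncate="on" changes. The Follower class, the temporary file and the log lines are constructed for illustration.

```python
import os
import tempfile

class Follower:
    """Simplified model of a log shipper that remembers how far it has read
    (imfile keeps the equivalent in its imfile-state files)."""

    def __init__(self, path, reopen_on_truncate):
        self.path = path
        self.offset = 0
        self.reopen_on_truncate = reopen_on_truncate

    def poll(self):
        """Return the complete new lines since the last poll."""
        size = os.path.getsize(self.path)
        if size < self.offset:              # same file, now shorter: it was truncated
            if not self.reopen_on_truncate:
                return []                   # saved offset is past EOF, nothing to read
            self.offset = 0                 # start again from the top of the file
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
        end = data.rfind(b"\n") + 1         # hold back a trailing partial line
        self.offset += end
        return data[:end].decode().splitlines()

def simulate(reopen_on_truncate):
    """Write, ship, truncate (daily rotation), write again; return what was shipped."""
    fd, path = tempfile.mkstemp(suffix=".out")
    os.close(fd)
    try:
        follower = Follower(path, reopen_on_truncate)
        with open(path, "a") as fh:
            fh.write("day1 request A\nday1 request B\nday1 request C\n")
        shipped = follower.poll()
        with open(path, "w") as fh:         # truncation keeps the inode, size drops
            fh.write("day2 request D\n")
        shipped += follower.poll()
        return shipped
    finally:
        os.remove(path)

if __name__ == "__main__":
    print("reopenOnTruncate off:", simulate(False))
    print("reopenOnTruncate on: ", simulate(True))
```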