linux rsyslog日志服务器

搭建成日志服务器后，将接收来自rsyslog客户端的日志。

1、安装rsyslog软件

[root@centos6 ~]# rpm -qa|grep rsyslog
rsyslog-5.8.10-12.el6.x86_64

2、编辑配置文件/etc/rsyslog.conf，开启udp和tcp协议的514端口，用于接收客户端日志

egrep -v '^#|^$' /etc/rsyslog.conf
[root@centos6 ~]# vim /etc/rsyslog.conf
#Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

#Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

重启生效
[root@centos6 ~]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@centos6 ~]# netstat -tupln|grep rsyslog
tcp        0      0 0.0.0.0:514                 0.0.0.0:*                   LISTEN      19385/rsyslogd      
tcp        0      0 :::514                      :::*                        LISTEN      19385/rsyslogd      
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               19385/rsyslogd      
udp        0      0 :::514                      :::*                                    19385/rsyslogd      
[root@centos6 ~]# 

3、在客户端的/etc/rsyslog.conf中配置将本地哪些facility.level发送给远程的日志服务器

vim /etc/rsyslog.conf
*.* @172.16.0.131:514 #for udp
*.* @@172.16.0.131:514  #for tcp

重启rsyslog服务
systemctl restart rsyslog

4、在客户端测试发送给远程日志服务器

[root@centos7 ~]# logger -t "test-7" "this is a test for centos 7 log"
[root@centos7 ~]# 

在本地会记录一份日志消息，在远程上的/var/log/messages里也会记录
Sep  9 14:02:08 centos6 kernel: imklog 5.8.10, log source = /proc/kmsg started.
Sep  9 14:02:08 centos6 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="20421" x-info="http://www.rsyslog.com"] start
Sep  6 15:53:47 centos7 test-7: this is a test for centos 7 log