rsyslog configuration and how it works

rsyslog

Logs are produced by programs, in memory. rsyslog persists the logs that programs produce in memory to disk, and supports protocols such as UDP and TCP for shipping logs between servers.

/var/log/messages: most system log messages are recorded here

/var/log/secure: messages and errors related to security and authentication

/var/log/maillog: the mail server's log file

/var/log/cron: the log file for scheduled tasks

/var/log/boot.log: the log file for system startup

PAM: on Linux, some programs (login, su and the like) must authenticate the user who started them before they run, and only proceed if certain requirements are met. On Linux this identity and state verification is handled by PAM. PAM loads its verification modules dynamically, so what is checked can be changed on demand, which makes authentication far more flexible.

Linux-PAM is a set of shared libraries that lets the local system administrator choose freely how each program authenticates. The files under /etc/pam.d/ configure the authentication method for each program: the application reads its configuration file, which in turn invokes the local authentication modules placed under /lib/security, loaded as dynamic libraries. When you run su and the system prompts you for root's password, that is su calling PAM.

Log facilities (types):

auth: logs produced by PAM

authpriv: authentication messages from logins such as ssh and ftp

cron: scheduled tasks

kern: the kernel

lpr: printing

mail: mail

mark (syslog): rsyslog's own internal messages and periodic timestamp marks

news: newsgroups

user: messages produced by user programs

uucp: unix to unix copy, communication between unix hosts

local 1-7: custom log facilities

Log levels (from top to bottom the level rises and less and less is recorded):

debug: includes debugging information; the most verbose

info: general informational messages; the most commonly used

notice: normal but significant conditions

warning: warning level

err: error level; something that stops a function or module from working properly

crit: critical level; something that stops the whole system or the whole program from running

alert: action must be taken immediately

emerg: the system is unusable, e.g. a kernel crash

none: log nothing
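To make the facility and level tables concrete, here is an added example (not from the original post) that packs a facility and severity into the syslog PRI value and evaluates a legacy rsyslog selector line such as the client's "*.*;mail.none;authpriv.none;cron.none" against a message; the numeric codes are the standard syslog ones, and the selector semantics are the rsyslog rule that "facility.level" keeps that level and everything more severe.

```python
# Added example, not from the original post: how an rsyslog selector such as
# "*.info;mail.none;authpriv.none;cron.none" decides which messages to keep,
# and how facility and severity are packed into the PRI value on the wire.
# The numeric codes are the standard syslog ones (RFC 3164 / RFC 5424).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# Lower number means more severe: the page's list runs from debug (7) to emerg (0).
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def pri(facility, severity):
    """PRI as sent in the "<PRI>" prefix of a syslog packet: facility*8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value):
    """Inverse of pri(): split a PRI value back into (facility, severity) names."""
    fac = {v: k for k, v in FACILITIES.items()}[value // 8]
    sev = {v: k for k, v in SEVERITIES.items()}[value % 8]
    return fac, sev


def selector_matches(selector, facility, severity):
    """Evaluate a legacy rsyslog selector against one message.
    Parts separated by ';' apply left to right: "facility.level" keeps that
    level and everything more severe, "none" drops the facility, "*" means
    every facility, and a later part overrides earlier ones for the
    facilities it names (so "*.info;mail.none" is "info and up, except mail").
    """
    keep = False
    for part in selector.split(";"):
        fac, level = part.strip().split(".")
        if fac != "*" and fac != facility:
            continue
        if level == "none":
            keep = False
        elif level == "*":
            keep = True
        else:
            # numeric comparison: info (6) keeps info, notice, ..., emerg
            keep = SEVERITIES[severity] <= SEVERITIES[level]
    return keep
```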

Configuration

test1 acts as the log server that collects the logs
test4 acts as the client

test1 configuration

1. Install
yum install rsyslog -y
2. Edit the configuration file
vim /etc/rsyslog.conf
# Uncomment these four lines
# Receive logs over UDP and open the port
$ModLoad imudp
$UDPServerRun 514

# Receive logs over TCP and open the port
$ModLoad imtcp
$InputTCPServerRun 514


# Add the following

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Collected logs are stored under /var/log/rsyslog/, in a directory named after the IP of the machine they came from
$template RemoteLogs,"/var/log/rsyslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"

# Messages from any host other than 127.0.0.1 are written via the RemoteLogs template;
# "& ~" then discards them so they are not also written to this server's own local log files
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
& ~


3. Restart the service
systemctl restart rsyslog.service

2. test4 client configuration

1. Install
yum install rsyslog -y
2. Configure
# Collect logs of every level into /var/log/messages
*.*;mail.none;authpriv.none;cron.none                /var/log/messages
# Alternatively, collect only info and above:
#*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# Add at the very bottom; 192.168.134.25 is the log server's address.
# "@@" forwards over TCP, a single "@" forwards over UDP. Enable only one of the two:
# with both lines active every message is sent twice and shows up twice on the server.
*.* @@192.168.134.25:514
*.* @192.168.134.25:514

3. Restart the service
systemctl restart rsyslog.service

3. Test

# On the server there is now a log directory and file named after the client's IP
[root@test1 ~]# tail -f /var/log/rsyslog/192.168.134.28/192.168.134.28_2023-12-1
192.168.134.28_2023-12-11.log  192.168.134.28_2023-12-12.log
1. Now make nginx on test4 fail
[root@test4 ~]# grep http  /etc/nginx/nginx.conf
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/
http ;{
                      '$status $body_bytes_sent "$http_referer" '
2. Restart nginx; the log now appears on the test1 server
[root@test1 ~]# tail -f /var/log/rsyslog/192.168.134.28/192.168.134.28_2023-12-12.log
Dec 12 08:56:49 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9285:162270604 (system bus name :1.1063, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 08:56:49 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9285:162270604 (system bus name :1.1063, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:01:01 test4 systemd[1]: Started Session 512 of user root.
Dec 12 09:01:01 test4 systemd[1]: Started Session 512 of user root.
Dec 12 09:01:01 test4 systemd: Started Session 512 of user root.
Dec 12 09:01:01 test4 systemd: Started Session 512 of user root.
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 systemd: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 systemd: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 nginx[9867]: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx[9867]: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 nginx: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx[9867]: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx[9867]: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 nginx: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 nginx: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 systemd[1]: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd[1]: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd[1]: nginx.service failed.
Dec 12 09:36:42 test4 systemd: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd: nginx.service failed.
Dec 12 09:36:42 test4 systemd[1]: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd[1]: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd[1]: nginx.service failed.
Dec 12 09:36:42 test4 systemd: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd: nginx.service failed.
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
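The collected file above is the raw material a defender actually reads; as an added example (not from the original post), the following parses lines in the traditional format rsyslog wrote them in, collapses the doubled copies that result from forwarding over both TCP and UDP, and flags the nginx and systemd failure lines. SAMPLE_LOG is constructed to match the output shown above.

```python
# Added example, not from the original post: parse the lines rsyslog wrote to
# /var/log/rsyslog/<ip>/<ip>_<date>.log ("Mon DD HH:MM:SS host tag[pid]: message"),
# collapse the duplicate copies that appear when a client forwards with both
# "@@" (TCP) and "@" (UDP), and flag failed service starts. SAMPLE_LOG is constructed.
import re

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

SAMPLE_LOG = """\
Dec 12 09:36:42 test4 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 nginx[9867]: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx[9867]: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx[9867]: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:37:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
"""

FAILURE_MARKERS = ("[emerg]", "Failed to start", "failed")

def parse_line(line):
    """Split one traditional-format line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def dedupe(lines):
    """Collapse exact repeats (same second, host, tag, pid and text): with both
    forwarding rules active every message reaches the server twice."""
    seen, out = set(), []
    for line in lines:
        rec = parse_line(line)
        key = tuple(rec.values()) if rec else line
        if key not in seen:
            seen.add(key)
            out.append(rec if rec else {"raw": line})
    return out

def find_failures(text):
    """Return (host, tag, msg) for each deduplicated line that signals a failure."""
    hits = []
    for rec in dedupe(text.splitlines()):
        msg = rec.get("msg", "")
        if any(marker in msg for marker in FAILURE_MARKERS):
            hits.append((rec["host"], rec["tag"], msg))
    return hits
```

Pointing find_failures at a real per-IP file is a matter of reading it and passing its text in; lines that do not fit the format are kept as {"raw": ...} rather than silently dropped.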
