rsyslog can be thought of as a multi-threaded, enhanced syslog. It extends classic syslog with many additional features, such as database outputs (MySQL, PostgreSQL, Oracle and others), filtering on message content, and user-defined log format templates. Most Linux distributions now use rsyslog as their default logger. rsyslog offers three transports for remote logging:

1. UDP
   Plain UDP, the transport that classic syslog has always used. It is the least reliable but has the lowest overhead; on a poor network, or when the receiving server is under heavy load, messages can be lost. It is acceptable on a trusted LAN when log completeness is not critical.

2. TCP
   Plaintext over TCP with acknowledgements, so delivery is considerably more reliable than UDP. Messages can still be lost when the receiving server goes down or the link between the two hosts fails. rsyslog supports it natively and it is simple to configure, and the remaining loss cases can be mitigated with additional configuration, so it is widely used.

3. RELP
   RELP (Reliable Event Logging Protocol) is an application-layer protocol on top of TCP that was designed to address the shortcomings of both UDP and plain TCP; it is the most reliable of the three. It requires the additional package rsyslog-relp.

For production servers, RELP is the recommended transport if log integrity matters.

A simple rsyslog configuration walk-through (the company firewall's logs are sent over UDP to the rsyslog log server in the IDC):

1. Deploying the rsyslog server
Install rsyslog (it is installed by default on most distributions; if it is missing, install it with yum):
[root@zabbix ~]# yum install rsyslog -y

Configuration:
[root@zabbix ~]# cat /etc/rsyslog.conf
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp # open UDP port 514; TCP 514 could be opened as well, but only UDP is accepted here
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

$WorkDirectory /var/lib/rsyslog
$AllowedSender udp, 192.168.17.0/8 # only accept UDP logs from the 192.168.17.0/8 range (the company firewall's addresses)
# note: a /8 prefix admits every 192.x.x.x sender; /24 would restrict this to the firewall's own subnet
#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/data/fw_logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" # template for the destination file path; one directory per sending host
:fromhost-ip, !isequal, "127.0.0.1" ?Remote # leave out the server's own local messages
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog
local4.* /data/fw.log

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

[root@zabbix ~]# mkdir /data/fw_logs/

[root@zabbix ~]# /etc/init.d/rsyslog restart

2. On the company firewalls (192.168.17.41/42), configure a UDP log output policy (add the rsyslog server's IP and port 514 on the firewall).

3. After a short while the firewall logs appear under the log directory configured on the rsyslog server:
[root@zabbix ~]# ll /data/fw_logs/
total 4.0K
drwxrwxrwx 4 root root 46 Jul 28 10:40 .
drwxr-xr-x. 18 root root 4.0K Jul 28 10:38 ..
drwx------ 2 root root 41 Jul 28 10:37 192.168.17.41
drwx------ 2 root root 41 Jul 28 10:40 192.168.17.42
[root@zabbix ~]# ll /data/fw_logs/192.168.17.41
total 16K
drwx------ 2 root root 41 Jul 28 10:37 .
drwxrwxrwx 4 root root 46 Jul 28 10:40 ..
-rw------- 1 root root 13K Jul 28 14:02 192.168.17.41_2017-07-28.log

------------------------------------------------------------------------------------
The IP allow-list in the server's rsyslog.conf above can also be set to the client range, for example:
$AllowedSender tcp, 172.18.0.0/16 # accept TCP log input from clients in 172.18.0.0/16; requires TCP port 514 to be open

Client configuration:
Only one line needs to be added to rsyslog.conf:
*.* @172.18.10.20 # the IP is the rsyslog server's address

Then start rsyslog and the setup is complete.

==================== Another example ====================
The configuration above sends the company firewall's logs to rsyslog. Now there is a new requirement:
two other servers in the company IDC, 172.19.10.24 and 172.19.10.25, host gitlab, nexus, jenkins, jira and the wiki. Permissions on them are rather mixed and many people need to log in. Every operation performed by users who log in to these two servers should be recorded in the rsyslog logs, which amounts to an audit trail of user activity.

The configuration is as follows (building on the installation and configuration above; the server's IP is 172.19.16.21):
1) rsyslog server configuration (compared with the configuration above, the AllowedSender source IP allow-list is removed here, i.e. logs from all hosts are accepted; the firewall logs above continue to be collected)
[root@zabbix ~]# cat /etc/rsyslog.conf|grep -v "#"|grep -v "^$"
$ModLoad imudp
$UDPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/data/fw_logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local5.* /var/log/history.log

[root@zabbix ~]# /etc/init.d/rsyslog restart

2) Configuration on 172.19.10.24
[root@gitlab ~]# cat /etc/rsyslog.conf|grep -v "#"|grep -v "^$"
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local5.* @172.19.16.21

[root@gitlab ~]# /etc/init.d/rsyslog restart

[root@gitlab ~]# cat /etc/profile # add the following at the bottom of this file
.......
export HISTTIMEFORMAT
export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'

3) The same configuration on the other server, 172.19.10.25
[root@nexus ~]# cat /etc/rsyslog.conf |grep -v "#"|grep -v "^$"
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local5.* @172.19.16.21

[root@nexus ~]# /etc/init.d/rsyslog restart

[root@nexus ~]# cat /etc/profile
.......
export HISTTIMEFORMAT
export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'

4) After a while, collected logs appear in the server's log directory /data/fw_logs
[root@zabbix fw_logs]# pwd
/data/fw_logs
[root@zabbix fw_logs]# cd
[root@zabbix ~]# cd /data/fw_logs/
[root@zabbix fw_logs]# ll
total 12K
drwxrwxrwx 6 root root 84 Aug 16 18:28 .
drwxr-xr-x. 18 root root 4.0K Aug 16 17:58 ..
drwx------ 2 root root 74 Aug 17 09:50 172.19.10.24
drwx------ 2 root root 74 Aug 17 10:00 172.19.10.25
drwx------ 2 root root 4.0K Aug 17 00:01 192.168.17.41
drwx------ 2 root root 4.0K Aug 17 00:01 192.168.17.42
[root@zabbix fw_logs]# cd 172.19.10.24/
[root@zabbix 172.19.10.24]# ll
total 20K
drwx------ 2 root root 74 Aug 17 09:50 .
drwxrwxrwx 6 root root 84 Aug 16 18:28 ..
-rw------- 1 root root 14K Aug 16 20:45 172.19.10.24_2017-08-16.log
-rw------- 1 root root 771 Aug 17 10:03 172.19.10.24_2017-08-17.log
[root@zabbix 172.19.10.24]# cat 172.19.10.24_2017-08-16.log
Aug 16 18:39:56 gitlab bash[138413]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:39:56 gitlab bash[138418]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:39:56 gitlab bash[138422]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:39:57 gitlab bash[138426]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:40:30 gitlab bash[138610]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/root,command:[2017-08-16 18:40:03]root pts/0 2017-08-16 18:40 (172.16.255.202)exit
Aug 16 18:40:43 gitlab bash[138652]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:43]root pts/0 2017-08-16 18:40 (172.16.255.202)cd /data/
Aug 16 18:40:43 gitlab bash[138657]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:43]root pts/0 2017-08-16 18:40 (172.16.255.202)ls
Aug 16 18:40:47 gitlab bash[138666]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:47]root pts/0 2017-08-16 18:40 (172.16.255.202)mkdir hahahahah
Aug 16 18:40:48 gitlab bash[138671]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:48]root pts/0 2017-08-16 18:40 (172.16.255.202)cd hahahahah/
Aug 16 18:40:48 gitlab bash[138677]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:48]root pts/0 2017-08-16 18:40 (172.16.255.202)ls
Aug 16 18:40:54 gitlab bash[138696]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:54]root pts/0 2017-08-16 18:40 (172.16.255.202)echo "Asdfasdf" >heihei
Aug 16 18:40:54 gitlab bash[138702]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:54]root pts/0 2017-08-16 18:40 (172.16.255.202)ls
.......

The log above shows that every operation on 172.19.10.24 is recorded in detail, so it is clear what the users who logged in to this machine did.
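
The audit records above are easier to review once they are split into fields. The following Python script is an added example, not part of the original post and not rsyslog code: it parses the `user=...,ppid=...,from=...,pwd=...,command:...` records that the `logger` call in PROMPT_COMMAND produces, splits `$SSH_CLIENT` into client address and port, strips the HISTTIMEFORMAT prefix in the form seen above (assumed here to be a bracketed `[date time]` followed by a `who am i`-style field ending in `(addr)`), and collapses the repeated entries PROMPT_COMMAND emits when a user presses Enter on an empty line (`history 1` then returns the previous command again, which is what the four identical `rsyslog restart` records above look like). The sample lines are copied from the output above plus one constructed record for a console login with an empty `$SSH_CLIENT`.

```python
import re
from collections import defaultdict

# Added example (not from the post): parse the bash audit records written by the
# PROMPT_COMMAND/logger line and group them into sessions.
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"bash\[(?P<pid>\d+)\]: user=(?P<user>[^,]*),ppid=(?P<ppid>\d*),"
    r"from=(?P<ssh_client>[^,]*),pwd=(?P<pwd>.*?),command:(?P<command>.*)$"
)
# Assumed HISTTIMEFORMAT prefix, as it appears in the sample output:
#   "[2017-08-16 18:40:47]root pts/0 2017-08-16 18:40 (172.16.255.202)mkdir x"
# i.e. a bracketed stamp, an optional "user tty date time (addr)" field, then the command.
HIST_PREFIX_RE = re.compile(
    r"^\[(?P<stamp>[^\]]+)\]"
    r"(?P<who>\S+ \S+ \d{4}-\d\d-\d\d \d\d:\d\d \([^)]*\))?"
    r"(?P<cmd>.*)$"
)

# Sample records: the first eight are copied from the server's log above; the last
# one is constructed to exercise a console login (empty $SSH_CLIENT).
SAMPLE_LINES = [
    "Aug 16 18:39:56 gitlab bash[138413]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart",
    "Aug 16 18:39:56 gitlab bash[138418]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart",
    "Aug 16 18:39:56 gitlab bash[138422]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart",
    "Aug 16 18:39:57 gitlab bash[138426]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart",
    "Aug 16 18:40:30 gitlab bash[138610]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/root,command:[2017-08-16 18:40:03]root pts/0 2017-08-16 18:40 (172.16.255.202)exit",
    "Aug 16 18:40:43 gitlab bash[138652]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:43]root pts/0 2017-08-16 18:40 (172.16.255.202)cd /data/",
    "Aug 16 18:40:43 gitlab bash[138657]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:43]root pts/0 2017-08-16 18:40 (172.16.255.202)ls",
    "Aug 16 18:40:47 gitlab bash[138666]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:47]root pts/0 2017-08-16 18:40 (172.16.255.202)mkdir hahahahah",
    "Aug 16 19:01:02 gitlab bash[140001]: user=ops,ppid=139900,from=,pwd=/home/ops,command:[2017-08-16 19:01:02]ops tty1 2017-08-16 19:00 (:0)sudo -l",
]


def parse_audit_line(line):
    """Return the record's fields as a dict, or None if the line is not an audit record."""
    m = AUDIT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # $SSH_CLIENT is "client_ip client_port server_port"; it is empty for a console login.
    ssh = rec.pop("ssh_client").split()
    rec["from_ip"] = ssh[0] if ssh else None
    rec["from_port"] = int(ssh[1]) if len(ssh) > 1 else None
    hm = HIST_PREFIX_RE.match(rec["command"])
    rec["hist_time"] = hm.group("stamp") if hm else None
    if hm:
        rec["command"] = hm.group("cmd").strip()
    return rec


def dedupe_consecutive(records):
    """PROMPT_COMMAND runs before every prompt and 'history 1' repeats the last
    entry when nothing new was typed, so one command can be logged several times
    under new PIDs.  Keep only the first of consecutive (ppid, command) repeats."""
    out, last = [], None
    for rec in records:
        key = (rec["ppid"], rec["command"])
        if key != last:
            out.append(rec)
        last = key
    return out


def sessions(lines):
    """Map (host, user, from_ip, ppid) -> ordered list of commands after de-duplication."""
    records = [r for r in (parse_audit_line(l) for l in lines) if r is not None]
    grouped = defaultdict(list)
    for rec in dedupe_consecutive(records):
        grouped[(rec["host"], rec["user"], rec["from_ip"], rec["ppid"])].append(rec["command"])
    return dict(grouped)


if __name__ == "__main__":
    for key, cmds in sessions(SAMPLE_LINES).items():
        print(key, "->", cmds)
```

Grouping by `ppid` (the PID of the interactive shell) rather than by the `bash[pid]` in the syslog tag matters: `logger -i` records its own PID, which differs for every record, while `$PPID` stays constant for the lifetime of one login shell.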

==================== Collecting nginx logs to a remote server with rsyslog ====================
Requirement: use rsyslog to ship /data/nginx/logs/www.kevin.com-access.log on server 192.168.10.21 in real time to server 192.168.10.52 (under /data/rsyslog/nginx).

1) 192.168.10.21 is the rsyslog client, i.e. the pushing side: with rsyslog the client actively pushes its own logs to the remote server.
Steps:
[root@nginx-server ~]# yum install rsyslog -y
[root@nginx-server ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
[root@nginx-server ~]# cat /etc/rsyslog.conf
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
$ModLoad imfile                               ## load the imfile module; this line is added by hand

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages             ## do not write local5 messages here

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
user.info /var/log/history

# add the following lines at the bottom of the file
$InputFileName /data/nginx/logs/www.kevin.com-access.log        ## the log file to read (the file to be monitored)
$InputFileTag web_access             ## tag string prepended to each forwarded line
$InputFileSeverity info           ## severity assigned to the messages
$InputFileStateFile /etc/rsyslog.d/stat-access         ## records the read position, similar to MySQL's master.info; if the monitored file name changes, this StateFile name must change too, otherwise nothing is forwarded
$InputFileFacility local5         ## facility assigned to the messages
$InputFilePollInterval 1          ## how often to check the file for new data (seconds)
$InputFilePersistStateInterval 1       ## how often to write the offset back to the state file (seconds)
$InputRunFileMonitor                          ## activate this input; several file inputs can be defined, and each group ends with this directive to take effect
local5.* @192.168.10.52            ## forward all severities of facility local5 over UDP to 192.168.10.52
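
The rules in these configurations rest on syslog's facility/severity model: `logger -p local5.notice` stamps each message with PRI 173 (21*8+5), `local5.*` selects everything with facility local5, and `local5.none` in the `/var/log/messages` selector keeps those messages out of the local file. The Python below is an added example, not rsyslog's code and not from the original post: it encodes and decodes the PRI field, builds the BSD syslog line that `logger -t bash -i` emits, and models the traditional selector syntax used on this page (`*`, `none`, `level`, `=level`; the `!level` form is not modelled). Facility codes 12-15 are omitted because they are named differently per platform.

```python
import re
from datetime import datetime

# Added illustration, not rsyslog code: facility/severity codes (RFC 3164),
# PRI encoding and the traditional "facility.priority" selector semantics.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
            **{f"local{i}": 16 + i for i in range(8)}}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
_FAC_NAME = {v: k for k, v in FACILITY.items()}
_SEV_NAME = {v: k for k, v in SEVERITY.items()}

# The selector used for /var/log/messages in the client configuration above.
MESSAGES_SELECTOR = "*.info;mail.none;authpriv.none;cron.none;local5.none"


def pri(facility, severity):
    """PRI as carried in the '<N>' prefix on the wire: facility*8 + severity.
    'logger -p local5.notice' therefore sends '<173>'."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def format_rfc3164(facility, severity, hostname, tag, pid, msg, when):
    """Build the BSD syslog line that 'logger -p FAC.SEV -t TAG -i' emits.
    RFC 3164 pads the day of month with a space, not a zero."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}[{pid}]: {msg}"


def sample_line():
    """Wire form of the first audit record shown earlier on this page."""
    return format_rfc3164("local5", "notice", "gitlab", "bash", 138413,
                          "user=root,ppid=124297,command:/etc/init.d/rsyslog restart",
                          datetime(2017, 8, 16, 18, 39, 56))


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) names from the '<N>' prefix of a wire line."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("line has no PRI prefix")
    fac_code, sev_code = divmod(int(m.group(1)), 8)
    return _FAC_NAME.get(fac_code, f"facility{fac_code}"), _SEV_NAME[sev_code]


def compile_selector(selector):
    """Expand a traditional selector into {facility: set of matching severity codes}.
    Sub-selectors separated by ';' apply left to right and each one replaces the
    mask of the facilities it names, which is why 'local5.none' after '*.info'
    removes local5 from the rule.  Priority forms handled: '*', 'none',
    'level' (that level and anything more severe) and '=level' (exactly)."""
    mask = {fac: set() for fac in FACILITY}
    for part in selector.split(";"):
        facs, prio = part.strip().rsplit(".", 1)
        targets = list(FACILITY) if facs == "*" else [f.strip() for f in facs.split(",")]
        if prio == "none":
            sevs = set()
        elif prio == "*":
            sevs = set(SEVERITY.values())
        elif prio.startswith("="):
            sevs = {SEVERITY[prio[1:]]}
        else:
            sevs = {c for c in SEVERITY.values() if c <= SEVERITY[prio]}
        for fac in targets:
            mask[fac] = set(sevs)
    return mask


def selector_matches(selector, facility, severity):
    """True if a message with this facility/severity would be written by the rule."""
    return SEVERITY[severity] in compile_selector(selector)[facility]


if __name__ == "__main__":
    line = sample_line()
    print(line)
    print(selector_matches(MESSAGES_SELECTOR, *parse_pri(line)))   # False: local5.none wins
    print(selector_matches("local5.*", *parse_pri(line)))          # True
```

Running `selector_matches` against both selectors in the client configuration shows why the `local5.none` entry is needed: without it the same nginx line would be written to `/var/log/messages` as well as forwarded, doubling the disk usage on the pushing host.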

Restart the rsyslog service
[root@nginx-server ~]# /etc/init.d/rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]

Because this host is the pushing side, rsyslog does not need to listen on port 514 (neither UDP nor TCP 514 was enabled in rsyslog.conf above):
[root@nginx-server ~]# lsof -i:514
[root@nginx-server ~]#

2) 192.168.10.52 is the rsyslog server, i.e. the receiving side.
Configuration:
[root@log-server ~]# yum install rsyslog -y
[root@log-server ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
[root@log-server ~]# cat /etc/rsyslog.conf
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp                   ## load the imudp module
$UDPServerRun 514            ## enable UDP reception on the given port

# Provides TCP syslog reception
$ModLoad imtcp                 ## load the imtcp module
$InputTCPServerRun 514             ## enable TCP reception on the given port; the UDP and TCP inputs can be used at the same time

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# define a template for the format of received messages (by default several header fields are prepended to the stored line)
$template  SpiceTmpl,"%msg%\n"                   ## %msg:2:$% would strip the leading space from the message

# define a template for the path of the received log file; the %...% properties name the file by year-month-day
$template  DynaFile,"/data/rsyslog/nginx/%$YEAR%-%$MONTH%-%$DAY%.log"

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local5.none                /var/log/messages            ## do not write local5 messages here

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# store the local5 messages received from clients at the given location (a template name may be used as the location; '?' selects a dynamic file name template)
local5.*                       ?DynaFile;SpiceTmpl

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

Edit "SYSLOGD_OPTIONS=" in /etc/sysconfig/rsyslog to enable reception of remote logs
[root@log-server ~]# cat /etc/sysconfig/rsyslog
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS="-c 5"

Create the directory defined above for storing the received logs
[root@log-server ~]# mkdir -p /data/rsyslog/nginx

Restart the rsyslog service
[root@log-server ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@log-server ~]# lsof -i:514
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 24594 root 2u IPv4 38927639 0t0 TCP *:shell (LISTEN)
rsyslogd 24594 root 3u IPv4 38927635 0t0 UDP *:syslog
rsyslogd 24594 root 4u IPv6 38927636 0t0 UDP *:syslog
rsyslogd 24594 root 5u IPv6 38927640 0t0 TCP *:shell (LISTEN)

Check whether the logs are being received
[root@log-server ~]# ll /data/rsyslog/nginx/
total 550876
-rw------- 1 root root 483539594 Jun 13 12:58 2018-06-13.log
[root@log-server ~]# tail -2 /data/rsyslog/nginx/2018-06-13.log
1.203.163.198 - [27/Apr/2018:00:17:53 +0800] "POST /scf/%7B%7BloginConfig.loginSubmitUrl%7D%7D HTTP/1.1" 302 0 "https://www.kevin.com/scf/login" Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.62 Safari/537.36 - 0.010 0.003 10.0.54.21:9020 302
1.203.163.198 - [27/Apr/2018:00:17:53 +0800] "POST /scf/%7B%7BloginConfig.loginSubmitUrl%7D%7D HTTP/1.1" 302 0 "https://www.kevin.com/scf/login" Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.62 Safari/537.36 - 0.012 0.003 10.0.54.21:9020 302

========================= Tips =========================
rsyslog can also collect several log files. Note the following:
$InputFileTag        the APPNAME it defines must be unique; different applications on the same host should use different APPNAMEs, otherwise a newly defined TOKEN and TAG do not take effect;
$template         the template name must be unique, otherwise a newly defined TOKEN and TAG do not take effect;
$InputFileStateFile       the StateFile must be unique; rsyslog uses it to record how far each file has been read, and sharing one leads to confusion;
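
To make the third point concrete: the state file is the only place rsyslog remembers how far into each file it has read, so two inputs that share one state file overwrite each other's offset. The Python below is an added illustration, not rsyslog's imfile implementation and not from the post: a minimal tail-follower with the same division of labour, one monitored file path and one state file holding the byte offset. `demo_resume()` shows a unique state file delivering each appended line exactly once across restarts and holding back an incomplete last line; `demo_shared_state_file()` runs two monitored files against a single state file and returns the duplicated lines that result. Both run in a temporary directory with constructed log contents.

```python
import os
import tempfile


class FileTailer:
    """Toy model of $InputFileName + $InputFileStateFile (added example, not
    rsyslog's imfile): deliver lines appended since the last poll and persist
    the byte offset reached, so a restart resumes instead of re-reading."""

    def __init__(self, path, state_file):
        self.path = path
        self.state_file = state_file

    def _load_offset(self):
        try:
            with open(self.state_file) as f:
                return int(f.read().strip() or 0)
        except FileNotFoundError:
            return 0

    def _save_offset(self, offset):
        # write-then-rename so a crash never leaves a half-written state file
        tmp = self.state_file + ".tmp"
        with open(tmp, "w") as f:
            f.write(str(offset))
        os.replace(tmp, self.state_file)

    def poll(self):
        """Return newly appended complete lines and record the new offset."""
        offset = self._load_offset()
        if os.path.getsize(self.path) < offset:
            offset = 0                      # file truncated or rotated: start over
        lines = []
        with open(self.path, "rb") as f:
            f.seek(offset)
            while True:
                raw = f.readline()
                if not raw.endswith(b"\n"):
                    break                   # partial last line: wait for the rest
                lines.append(raw[:-1].decode("utf-8", "replace"))
                offset = f.tell()
        self._save_offset(offset)
        return lines


def _append(path, text):
    with open(path, "a") as f:
        f.write(text)


def demo_resume():
    """One file, its own state file: every line is delivered once, a fresh
    FileTailer (simulated restart) continues from the saved offset, and an
    unterminated line is held back until its newline arrives."""
    with tempfile.TemporaryDirectory() as d:
        log, state = os.path.join(d, "access.log"), os.path.join(d, "stat-access")
        _append(log, "req1\nreq2\n")
        first = FileTailer(log, state).poll()
        _append(log, "req3\npartial")
        second = FileTailer(log, state).poll()
        _append(log, " done\n")
        third = FileTailer(log, state).poll()
        return first, second, third


def demo_shared_state_file():
    """Two files sharing ONE state file, the misconfiguration the note warns
    about: each poll starts from the offset the other file left behind, so
    lines are re-delivered (or, when the offset is beyond EOF, the read restarts)."""
    with tempfile.TemporaryDirectory() as d:
        portal, www = os.path.join(d, "portal.log"), os.path.join(d, "www.log")
        shared = os.path.join(d, "stat-access")
        _append(portal, "a1\na2\na3\n")      # 9 bytes
        _append(www, "b1\n")                 # 3 bytes
        got_portal = FileTailer(portal, shared).poll()       # offset 0 -> 9
        got_www = FileTailer(www, shared).poll()             # 9 > size 3: reset, reads b1, offset 3
        _append(portal, "a4\n")
        got_portal_again = FileTailer(portal, shared).poll() # resumes at 3: a2 and a3 again
        return got_portal, got_www, got_portal_again


if __name__ == "__main__":
    print(demo_resume())
    print(demo_shared_state_file())
```

The second demo is the failure the tip describes: neither input is wrong on its own, but the shared offset makes one file's progress look like the other's, so the receiver gets duplicate (or, in the truncation case, missing) lines with no error on either side.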

Below is an rsyslog configuration that collects several logs, using two log files as the example:

Configuration on the log pushing side

[root@external-lb01 ~]# cat /etc/rsyslog.conf
..........
$ModLoad imfile

.........
*.info;mail.none;authpriv.none;cron.none;local5.none;local4.none /var/log/messages

.........

$InputFileName /data/nginx/logs/portal.kevin.com-access.log
$InputFileTag portal_access
$InputFileSeverity info
$InputFileStateFile /etc/rsyslog.d/stat1-access
$InputFileFacility local4
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
local4.* @192.168.10.52

$InputFileName /data/nginx/logs/www.kevin.com-access.log
$InputFileTag web_access
$InputFileSeverity info
$InputFileStateFile /etc/rsyslog.d/stat-access
$InputFileFacility local5
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
local5.* @192.168.10.52

Restart the rsyslog service on the sending side
[root@external-lb01 ~]# /etc/init.d/rsyslog restart

Configuration on the log receiving side

[root@open-falcon01 ~]# cat /etc/rsyslog.conf
........
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

.........
$template SpiceTmpl,"%msg%\n"
$template DynaFile,"/data/external-lb/nginx/nginx-access.log"

$template SpiceTmpl2,"%msg%\n"
$template DynaFile2,"/data/external-lb/portal/portal-access.log"

.........
*.info;mail.none;authpriv.none;cron.none;local5.none;local4.none /var/log/messages

.........
local5.* ?DynaFile;SpiceTmpl
local4.* ?DynaFile2;SpiceTmpl2

Restart the rsyslog service on the receiving side
[root@open-falcon01 ~]# /etc/init.d/rsyslog restart

Check: once the corresponding URLs are accessed, the forwarded files are created and log lines arrive in real time
[root@open-falcon01 ~]# ll /data/external-lb/nginx/nginx-access.log
-rw------- 1 root root 1067372 Oct 9 10:51 /data/external-lb/nginx/nginx-access.log
[root@open-falcon01 ~]# ll /data/external-lb/portal/portal-access.log
-rw------- 1 root root 88141 Oct 9 22:26 /data/external-lb/portal/portal-access.log

==========================================================================
Notes:
a) If logs do not arrive, i.e. nothing appears under /data/rsyslog/nginx, restart the rsyslog service on both the pushing and the receiving side at the same time, and make sure iptables and SELinux are turned off on both hosts.
b) The storage path of the received log file can also be changed, for example to:
$template DynaFile,"/data/rsyslog/nginx/nginx-access.log"
The collected log is then stored as follows:
[root@log-server ~]# ll /data/rsyslog/nginx/
total 571716
-rw------- 1 root root 483539594 Jun 13 12:58 2018-06-13.log
-rw------- 1 root root 101893593 Jun 13 13:13 nginx-access.log
