Centos7 配置rsyslog客户端接收远程日志

rsyslog

因为路由器我设定每天重启，但是日志一重启就会清除，并且路由器最多只能保存1024条记录，所以我想把路由器的日志记录到一台服务器上，发现路由器包含远程日志功能

于是我就在我的centos7服务器配置了下rsyslog，把日志记录到这里

编辑服务端的/etc/rsyslog.conf文件
注意下中文注释地方

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp  # 引用udp协议的模块
$UDPServerRun 514  # 设置udp协议使用端口

# Provides TCP syslog reception
$ModLoad imtcp  # 引用tcp协议的模块
$InputTCPServerRun 514  # 设置tcp协议使用端口

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$template Remote,"/var/log/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%.log" # 设置远程日志存放路径和文件格式
:fromhost-ip, !isequal, "127.0.0.1" ?Remote  # 如果是本机日志则不记录

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
# 关于内核的所有日志都放到/dev/console(控制台)
#kern.*                                                 /dev/console  

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# 记录所有日志类型的info级别以及大于info级别的信息到/var/log/messages，但是mail邮件信息，authpriv验证方面的信息和cron时间任务相关的信息除外
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
# authpriv验证相关的所有信息存放在/var/log/secure
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
# 邮件的所有信息存放在/var/log/maillog; 这里有一个-符号, 表示是使用异步的方式记录, 因为日志一般会比较大
mail.*                                                  -/var/log/maillog

# Log cron stuff
# 计划任务有关的信息存放在/var/log/cron
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
# 启动的相关信息
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

然后重启rsyslog

systemctl restart rsyslog

客户端直接填写ip，端口默认是514，就完成了

本文由 Yuuuuuu 创作，采用 知识共享署名4.0 国际许可协议进行许可
本站文章除注明转载/出处外，均为本站原创或翻译，转载前请务必署名
最后编辑时间为: Oct 24, 2018 at 10:10 am

https://note.guotianyu.cn/linux/centos7-rsyslog.html