关于rsyslog

rsyslog是比syslog功能更强大的日志记录系统，可以将日志输出到文件，数据库和其它程序。Centos 7.x默认的rsyslog版本是8.x。     rsyslog 是一个快速处理收集系统日志的程序，提供了高性能、安全功能和模块化设计。rsyslog 是syslog 的升级版，它将多种来源输入输出转换结果到目的地，并可定制和过滤、筛选。据官网介绍，现在可以处理100万条信息。
特性：
       1、可以直接将日志写入到数据库。
       2、日志队列（内存队列和磁盘队列）。
       3、灵活的模板机制，可以得到多种输出格式。
       4、插件式结构，多种多样的输入、输出模块。
       5、可以把日志存放在Mysql ，PostgreSQL，Oracle等数据库中

系统环境

server端

[root@iZbp13gj9fz5t0mxux5nfyZ ~]# cat /etc/redhat-release 
Alibaba Cloud Linux release 3 (Soaring Falcon) 
[root@iZbp13gj9fz5t0mxux5nfyZ 2024-05-29]# rsyslogd -v
rsyslogd  8.2102.0-15.1.al8 (aka 2021.02) compiled with:
        PLATFORM:                               x86_64-koji-linux-gnu
        PLATFORM (lsb_release -d):
        FEATURE_REGEXP:                         Yes
        GSSAPI Kerberos 5 support:              Yes
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:      Yes
        64bit Atomic operations supported:      Yes
        memory allocator:                       system default
        Runtime Instrumentation (slow code):    No
        uuid support:                           Yes
        systemd support:                        Yes
        Config file:                            /etc/rsyslog.conf
        PID file:                               /var/run/rsyslogd.pid
        Number of Bits in RainerScript integers: 64

client端

[root@cvm-3jvysn225i225 ~]# cat /etc/redhat-release 
CentOS Linux release 7.8.2003 (Core)
[root@cvm-3jvysn225i225 ~]# rsyslogd -v
rsyslogd 8.24.0-57.el7_9.3, compiled with:
        PLATFORM:                               x86_64-redhat-linux-gnu
        PLATFORM (lsb_release -d):
        FEATURE_REGEXP:                         Yes
        GSSAPI Kerberos 5 support:              Yes
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:      Yes
        64bit Atomic operations supported:      Yes
        memory allocator:                       system default
        Runtime Instrumentation (slow code):    No
        uuid support:                           Yes
        Number of Bits in RainerScript integers: 64

See http://www.rsyslog.com for more information.

客户端的配置

编辑rsyslog.conf，新增下面配置

#添加下面配置，module模块需要放到指定的module位置下
module(load="imfile" PollingInterval="5")
#ruleset配置放到最下方即可
ruleset(name="remoteLogging"){
action(type="omfwd"
       Target="114.55.113.57"
       Port="514"
       Protocol="tcp"
       queue.type="LinkedList"
       queue.filename="rtp-queue"
       action.resumeRetryCount="-1"
       queue.size="100000"
       queue.dequeuebatchsize="10000"
       queue.maxdiskspace="2g"
       queue.saveonshutdown="on"
)
}

#修改配置，添加收集的日志禁止输出到/var/log/messages中
*.info;mail.none;authpriv.none;cron.none;local1.none;local2.none                /var/log/messages

app.conf

input(type="imfile"
      File="/data/nginx/logs/*.log"
      Tag="app1"
      Facility="local1"
      PersistStateInterval="1"
      Ruleset="remoteLogging"
      reopenOnTruncate="on"
      )
input(type="imfile"
      File="/opt/apps/artalk/data/*.log"
      Tag="app2"
      Ruleset="remoteLogging"
      PersistStateInterval="1"
      reopenOnTruncate="on"
      Facility="local2"
      )
local1.* @@114.55.115.57:514
local2.* @@114.55.115.57:514

服务端配置

rsyslog.conf

module(load="imtcp")
input(type="imtcp" port="514")
$FileCreateMode 0644
$DirCreateMode 0755
$FileOwner devops
$FileGroup devops
$Umask 0022
$PrivDropToUser root
$PrivDropToGroup root
#### RULES ####
$template RemoteLogs,"/data/logs/%FROMHOST-IP%/%$YEAR%-%$MONTH%-%$DAY%/%PROGRAMNAME%.log"
:syslogtag,contains,"app1" ?RemoteLogs
& stop
$template app2_file,"/data/logs/%FROMHOST-IP%/%$YEAR%-%$MONTH%-%$DAY%/%PROGRAMNAME%.log"
:syslogtag,contains,"app2" ?app2_file
& stop

    logs
    └── 103.152.133.13
        ├── 2024-05-27
        │   ├── app1.log
        │   └── app2.log
        ├── 2024-05-28
        │   ├── app1.log
        │   └── app2.log
        └── 2024-05-29
            ├── app1.log
            └── app2.log

参考链接：https://www.cnblogs.com/kevingrace/p/5570411.html