rsyslog的安装、使用、详解
# 关于rsyslog
rsyslog是比syslog功能更强大的日志记录系统,可以将日志输出到文件,数据库和其它程序。Centos 7.x默认的rsyslog版本是8.x。 rsyslog 是一个快速处理收集系统日志的程序,提供了高性能、安全功能和模块化设计。rsyslog 是syslog 的升级版,它将多种来源输入输出转换结果到目的地,并可定制和过滤、筛选。据官网介绍,现在可以处理100万条信息。
特性:
1、可以直接将日志写入到数据库。
2、日志队列(内存队列和磁盘队列)。
3、灵活的模板机制,可以得到多种输出格式。
4、插件式结构,多种多样的输入、输出模块。
5、可以把日志存放在Mysql ,PostgreSQL,Oracle等数据库中
# 系统环境
server端
[root@iZbp13gj9fz5t0mxux5nfyZ ~]# cat /etc/redhat-release
Alibaba Cloud Linux release 3 (Soaring Falcon)
[root@iZbp13gj9fz5t0mxux5nfyZ 2024-05-29]# rsyslogd -v
rsyslogd 8.2102.0-15.1.al8 (aka 2021.02) compiled with:
PLATFORM: x86_64-koji-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
systemd support: Yes
Config file: /etc/rsyslog.conf
PID file: /var/run/rsyslogd.pid
Number of Bits in RainerScript integers: 64
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
client端
[root@cvm-3jvysn225i225 ~]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
[root@cvm-3jvysn225i225 ~]# rsyslogd -v
rsyslogd 8.24.0-57.el7_9.3, compiled with:
PLATFORM: x86_64-redhat-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
Number of Bits in RainerScript integers: 64
See http://www.rsyslog.com for more information.
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# 客户端的配置
rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imklog # reads kernel messages (the same are read from journald)
module(load="imfile" PollingInterval="5")
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
<<<<<<< HEAD
*.info;mail.none;authpriv.none;cron.none /var/log/messages
=======
*.info;mail.none;authpriv.none;cron.none;local1.none;local2.none /var/log/messages
>>>>>>> 66a4eec5bf87769080cf8996acaf2b6e4bfe4840
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local0.* /var/log/boot.log
<<<<<<< HEAD
ruleset(name="remoteLogging"){
action(type="omfwd"
Target="114.55.113.57"
=======
*.debug /var/log/rsyslog_debug.log
ruleset(name="remoteLogging"){
action(type="omfwd"
Target="114.55.118.57"
>>>>>>> 66a4eec5bf87769080cf8996acaf2b6e4bfe4840
Port="514"
Protocol="tcp"
queue.type="LinkedList"
queue.filename="app-queue"
action.resumeRetryCount="-1"
queue.size="10000"
queue.dequeuebatchsize="100"
queue.maxdiskspace="1g"
queue.saveonshutdown="on"
)
}
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
app.conf
input(type="imfile"
File="/data/nginx/logs/*.log"
<<<<<<< HEAD
Tag="app1"
=======
Tag="nginx-app1"
>>>>>>> 66a4eec5bf87769080cf8996acaf2b6e4bfe4840
Facility="local1"
PersistStateInterval="1"
Ruleset="remoteLogging"
reopenOnTruncate="on"
)
input(type="imfile"
File="/opt/apps/artalk/data/*.log"
<<<<<<< HEAD
Tag="app2"
=======
Tag="artalk-app2"
>>>>>>> 66a4eec5bf87769080cf8996acaf2b6e4bfe4840
Ruleset="remoteLogging"
PersistStateInterval="1"
reopenOnTruncate="on"
Facility="local2"
)
<<<<<<< HEAD
local1.* @@114.55.115.57:514
local2.* @@114.55.115.57:514
=======
local1.* @@114.55.118.57:514
local2.* @@114.55.118.57:514
>>>>>>> 66a4eec5bf87769080cf8996acaf2b6e4bfe4840
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# 服务端配置
rsyslog.conf
module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
SysSock.Use="off") # Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
module(load="imjournal" # provides access to the systemd journal
StateFile="imjournal.state") # File to store the position in the journal
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
global(workDirectory="/var/lib/rsyslog")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
include(file="/etc/rsyslog.d/*.conf" mode="optional")
<<<<<<< HEAD
$template RemoteLogs,"/data/logs/%FROMHOST-IP%/%$YEAR%-%$MONTH%-%$DAY%/%PROGRAMNAME%.log"
if $fromhost-ip == '127.0.0.1' then stop
*.* ?RemoteLogs
2
3
4
5
6
7
8
9
10
11
12
13
14
logs
└── 103.152.133.13
├── 2024-05-27
│ ├── app1.log
│ └── app2.log
├── 2024-05-28
│ ├── app1.log
│ └── app2.log
└── 2024-05-29
├── app1.log
└── app2.log
======= $FileCreateMode 0644 $DirCreateMode 0755 $FileOwner devops $FileGroup devops $Umask 0022 $PrivDropToUser root $PrivDropToGroup root $template NginxLogFile,"/data/logs/nginx/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%/%PROGRAMNAME%.log" $template ArtalkLogFile,"/data/logs/artalk/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%/%PROGRAMNAME%.log" :syslogtag,contains,"nginx" ?NginxLogFile & stop :syslogtag,contains,"artalk" ?ArtalkLogFile & stop .info;mail.none;authpriv.none;cron.none /var/log/messages authpriv. /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron .emerg :omusrmsg: uucp,news.crit /var/log/spooler local7.* /var/log/boot.log
收集的日志目录展示
```bash
logs
├── artalk
│ └── 2024-06-05
│ └── 103.152.133.13
│ └── artalk-app2.log
└── nginx
└── 2024-06-05
└── 103.152.133.13
└── nginx-app1.log
2
3
4
5
6
7
8
9
10
11
12
66a4eec5bf87769080cf8996acaf2b6e4bfe4840
|