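rsyslog: Installation, Usage, and Detailed Guide
# About rsyslog
rsyslog is a logging system more powerful than syslog; it can send logs to files, databases, and other programs. The default rsyslog version on CentOS 7.x is 8.x. rsyslog is a program for fast collection and processing of system logs, offering high performance, security features, and a modular design. It is an upgrade of syslog: it takes input from many kinds of sources, transforms it, and outputs the result to destinations, with customizable filtering. According to the official website, it can now process 1 million messages.
Features:
1. Logs can be written directly to a database.
2. Log queues (in-memory queues and disk queues).
3. A flexible template mechanism that can produce many output formats.
4. A plugin architecture with a wide variety of input and output modules.
5. Logs can be stored in databases such as MySQL, PostgreSQL, and Oracle.
# System environment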
Server side
```
[root@iZbp13gj9fz5t0mxux5nfyZ ~]# cat /etc/redhat-release
Alibaba Cloud Linux release 3 (Soaring Falcon)
[root@iZbp13gj9fz5t0mxux5nfyZ 2024-05-29]# rsyslogd -v
rsyslogd 8.2102.0-15.1.al8 (aka 2021.02) compiled with:
PLATFORM: x86_64-koji-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
systemd support: Yes
Config file: /etc/rsyslog.conf
PID file: /var/run/rsyslogd.pid
Number of Bits in RainerScript integers: 64
```
Client side
```
[root@cvm-3jvysn225i225 ~]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
[root@cvm-3jvysn225i225 ~]# rsyslogd -v
rsyslogd 8.24.0-57.el7_9.3, compiled with:
PLATFORM: x86_64-redhat-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
Number of Bits in RainerScript integers: 64
See http://www.rsyslog.com for more information.
```
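# Client configuration
Edit rsyslog.conf and add the following configuration:
```
# Add the configuration below; the module line must go in the section where the other modules are loaded
module(load="imfile" PollingInterval="5")

# The ruleset can simply go at the very bottom of the file
ruleset(name="remoteLogging"){
    # Forward to the log server over TCP, buffering in a disk-assisted queue
    action(type="omfwd"
        Target="114.55.113.57"
        Port="514"
        Protocol="tcp"
        queue.type="LinkedList"
        queue.filename="rtp-queue"
        action.resumeRetryCount="-1"
        queue.size="100000"
        queue.dequeuebatchsize="10000"
        queue.maxdiskspace="2g"
        queue.saveonshutdown="on"
    )
}

# Modify this existing rule so that the collected logs (local1, local2) are not written to /var/log/messages
*.info;mail.none;authpriv.none;cron.none;local1.none;local2.none /var/log/messages
```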
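app.conf
```
# Follow the nginx log files; tag them app1 with facility local1
input(type="imfile"
    File="/data/nginx/logs/*.log"
    Tag="app1"
    Facility="local1"
    PersistStateInterval="1"
    Ruleset="remoteLogging"
    reopenOnTruncate="on"
)

# Follow the artalk log files; tag them app2 with facility local2
input(type="imfile"
    File="/opt/apps/artalk/data/*.log"
    Tag="app2"
    Ruleset="remoteLogging"
    PersistStateInterval="1"
    reopenOnTruncate="on"
    Facility="local2"
)

# Legacy-syntax forwarding over TCP (@@) for local1/local2 messages handled by the default ruleset
local1.* @@114.55.115.57:514
local2.* @@114.55.115.57:514
```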
# Server configuration
rsyslog.conf
```
# Listen for syslog over TCP on port 514
module(load="imtcp")
input(type="imtcp" port="514")

# Ownership and permissions for the files and directories rsyslog creates
$FileCreateMode 0644
$DirCreateMode 0755
$FileOwner devops
$FileGroup devops
$Umask 0022
$PrivDropToUser root
$PrivDropToGroup root

#### RULES ####
# Write each tagged application to a per-client-IP, per-day directory, then stop processing the message
$template RemoteLogs,"/data/logs/%FROMHOST-IP%/%$YEAR%-%$MONTH%-%$DAY%/%PROGRAMNAME%.log"
:syslogtag,contains,"app1" ?RemoteLogs
& stop
$template app2_file,"/data/logs/%FROMHOST-IP%/%$YEAR%-%$MONTH%-%$DAY%/%PROGRAMNAME%.log"
:syslogtag,contains,"app2" ?app2_file
& stop
```
```
logs
└── 103.152.133.13
    ├── 2024-05-27
    │   ├── app1.log
    │   └── app2.log
    ├── 2024-05-28
    │   ├── app1.log
    │   └── app2.log
    └── 2024-05-29
        ├── app1.log
        └── app2.log
```
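An added example, not part of the original post: the same server-side routing written in RainerScript. It matches the program name exactly instead of using the substring test `contains` (which would also match a tag such as `app10`), and it binds the TCP listener to its own ruleset. The names `PerHostAppFile` and `remoteApps` are assumptions; the paths, port, owner and modes are taken from the server configuration above.

```conf
# Added example: RainerScript form of the server rules; not the original post's config.
module(load="imtcp")

# One dynamic-file template for both applications. secpath-replace turns any
# "/" in the expanded program name into "_", so a value received from a client
# cannot add path components below /data/logs.
template(name="PerHostAppFile" type="string"
         string="/data/logs/%fromhost-ip%/%$year%-%$month%-%$day%/%programname:::secpath-replace%.log")

# Hypothetical ruleset name. Messages received over TCP are processed only by
# this ruleset; anything that matches neither program name is not written.
ruleset(name="remoteApps") {
    # Exact comparison: "app1" matches, "app10" or "webapp1" do not.
    if ($programname == "app1" or $programname == "app2") then {
        action(type="omfile"
               dynaFile="PerHostAppFile"
               fileOwner="devops" fileGroup="devops"
               fileCreateMode="0644" dirCreateMode="0755"
               createDirs="on")
    }
}

# Bind the listener to the ruleset defined above.
input(type="imtcp" port="514" ruleset="remoteApps")
```

Check the syntax with `rsyslogd -N1` before restarting the service.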
Reference: https://www.cnblogs.com/kevingrace/p/5570411.html


Last updated: 2025/04/03, 13:47:00