基本介紹
Rsyslog是一個syslogd的多線程加強版,rsyslog vs. syslog-ng 連接是rsyslog官方和syslog特性和性能上的一些對比,目前大部分Linux發行版本默認也是使用rsyslog記錄日誌。這裏介紹rsyslog遠程傳輸的幾種方式,對遠程日誌傳輸能夠有一個瞭解。html
rsyslog提供三個遠程日誌傳輸方式:bash
- UDP: 數據包傳輸可信度不高
- TCP: 數據包傳輸可信度比較高
- RELP: 數據包傳輸可信度最高,避免數據丟失,比較新的協議,目前應用較少
如下爲man手冊對RELP協議的一個介紹:多線程
RELP can be used instead of UDP or plain TCP syslog to provide reliable delivery of syslog messages. Please note that plain TCP syslog does NOT provide truly reliable delivery, with it messages may be lost when there is a connection problem or the server shuts down. RELP prevents message loss in hose cases.app
關於RELP的更進一步瞭解能夠參考 Using TLS with RELP RELP Input Module RELP Output Module (omrelp)async
相關配置
To forward messages to another host via UDP, prepend the hostname with the at sign (「@」). To forward it via plain tcp, prepend two at signs (「@@」). To forward via RELP, prepend the string 「:omrelp:」 in front of the hostname.tcp
UDP傳輸
Server端配置
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
# Provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 $AllowedSender UDP, 192.168.80.0/24 # This one is the template to generate the log filename dynamically, depending on the client's IP address. # 根據客戶端的IP單獨存放主機日誌在不一樣目錄,syslog須要手動建立 $template Remote,"/var/log/syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" # Log all messages to the dynamically formed file. :fromhost-ip, !isequal, "127.0.0.1" ?Remote # 排除本地主機IP日誌記錄,只記錄遠程主機日誌 # 注意此規則須要在其它規則以前,不然配置沒有意義,遠程主機的日誌也會記錄到Server的日誌文件中 & ~ # 忽略以前全部的日誌,遠程主機日誌記錄完以後再也不繼續往下記錄 |
或者把以上配置單獨存放在/etc/rsyslog.d/中的xxx.conf配置文件中,儘可能避免修改主配置文件,固然若是要獨立文件主配置文件中必須含有如下配置ide
1 2 3 |
# grep 'rsyslog.d' /etc/rsyslog.conf # Include all config files in /etc/rsyslog.d/ $IncludeConfig /etc/rsyslog.d/*.conf |
Client端配置
1
|
*.* @192.168.80.130 |
以上配置完成以後/etc/init.d/rsyslog restart性能
TCP傳輸
TCP配置和UDP相似,以下this
Server端配置
1 2 3 4 5 6 7 8 9 10 11 |
# Provides TCP syslog reception $ModLoad imtcp $InputTCPServerRun 514 $AllowedSender TCP, 192.168.80.0/24 # This one is the template to generate the log filename dynamically, depending on the client's IP address. $template Remote,"/var/log/syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" # Log all messages to the dynamically formed file. :fromhost-ip, !isequal, "127.0.0.1" ?Remote & ~ |
Client端配置
1
|
*.* @@192.168.80.130 |
客戶端和服務端重啓相關服務便可spa
關於TCP和UDP的傳輸方式,rsyslog官方推薦使用TCP傳輸方式
In general, we suggest to use TCP syslog. It is way more reliable than UDP syslog and still pretty fast. The main reason is, that UDP might suffer of message loss. This happens when the syslog server must receive large bursts of messages. If the system buffer for UDP is full, all other messages will be dropped. With TCP, this will not happen. But sometimes it might be good to have a UDP server configured as well. That is, because some devices (like routers) are not able to send TCP syslog by design. In that case, you would need both syslog server types to have everything covered. If you need both syslog server types configured, please make sure they run on proper ports. By default UDP syslog is received on port 514. TCP syslog needs a different port because often the RPC service is using this port as well.
RELP傳輸
RELP須要安裝rsyslog-relp相應模塊
1
|
# yum install rsyslog-relp -y |
Server端配置
1 2 3 4 5 6 7 8 |
$ModLoad imrelp # 加載相應模塊 $InputRELPServerRun 20514 # 監聽端口 # This one is the template to generate the log filename dynamically, depending on the client's IP address. $template Remote,"/var/log/syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" # Log all messages to the dynamically formed file. :fromhost-ip, !isequal, "127.0.0.1" ?Remote |
Client端配置
1 2 3 4 5 |
$ActionQueueType LinkedList # use asynchronous processing $ActionQueueFileName srvrfwd # set file name, also enables disk mode $ActionResumeRetryCount -1 # infinite retries on insert failure $ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down *.* :omrelp:192.168.80.130:20514 |
客戶端和服務端重啓相關服務便可
參考和拓展資料
- Using TLS with RELP
- RELP Input Module
- RELP Output Module (omrelp)
- Rsyslog remote logging using RELP
- UDP Rsyslog
- TCP Rsyslog
–EOF–