RHEL7經過Rsyslog搭建集中日誌服務器

服務器端配置文件配置選項解析： [root@localhost samba]# vim /etc/rsyslog.conf $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imjournal # provides access to the systemd journal #####開啓udp接收日誌 $ModLoad imudp $UDPServerRun 514 $template RemoteHost,"/data/syslog/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log"   
*.*  ?RemoteHost & ~ ####開啓tcp協議接受日誌 $ModLoad imtcp $InputTCPServerRun 514 $WorkDirectory /var/lib/rsyslog $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat #######啓用/etc/rsyslog.d/*.conf目錄下全部以.conf結尾的配置文件 $IncludeConfig /etc/rsyslog.d/*.conf $OmitLocalLogging on $IMJournalStateFile imjournal.state *.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron *.emerg :omusrmsg:* uucp,news.crit /var/log/spooler local7.* /var/log/boot.log local0.* /etc/keepalived/keepalived.log

客戶端配置文件配置選項解析 [root@server98 log]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#" $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imjournal # provides access to the systemd journal $WorkDirectory /var/lib/rsyslog $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $template myFormat,"%timestamp% %fromhost-ip% %msg%\n" #自定義模板的相關信息 $IncludeConfig /etc/rsyslog.d/*.conf $OmitLocalLogging on $IMJournalStateFile imjournal.state *.* @172.25.0.55:514 #該聲明告訴rsyslog守護進程，將系統上各個設備的各類日誌的全部消息路由到遠程rsyslog服務器（172.25.0.55）的UDP端口514。@@是經過tcp傳輸，一個@是經過udp傳輸。 *.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron *.emerg :omusrmsg:* uucp,news.crit /var/log/spooler local7.* /var/log/boot.log local0.* /etc/keepalived/keepalived.log

:FROMHOST-IP, isequal, "10.26.44.206" /var/log/10.26.44.206.log :FROMHOST-IP, isequal, "11.40.169.210" /var/log/11.40.169.210.log a:$template Remote,"/date/log/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" b.$template Remote,"/data/log/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" 定義模板，接受日誌文件路徑，區分了不一樣主機的日誌 c.:fromhost-ip, !isequal, "127.0.0.1" ?Remote 過濾server 本機的日誌 最簡單的辦法； $template myFormat,"%timestamp% %fromhost-ip%%msg%\n" $template Remote,"/var/log/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" :fromhost-ip, !isequal, "127.0.0.1" -?Remote;myFormat

5.1.3 客戶端重要配置

[root@rhel7 log]# grep -v "^#" /etc/rsyslog.conf | grep -v "^$" $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imjournal # provides access to the systemd journal $template myFormat,"%timestamp% %fromhost-ip% %msg%\n" $WorkDirectory /var/lib/rsyslog $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $IncludeConfig /etc/rsyslog.d/*.conf $OmitLocalLogging on $IMJournalStateFile imjournal.state *.* @172.25.0.55:514 *.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron *.emerg :omusrmsg:* uucp,news.crit /var/log/spooler local7.* /var/log/boot.log

5.1.4 服務端重要配置

[root@foundation 2019-07-01]# grep -v "^#" /etc/rsyslog.conf | grep -v "^$" $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imjournal # provides access to the systemd journal $ModLoad imudp $UDPServerRun 514 $ModLoad imtcp $InputTCPServerRun 514 $template RemoteHost,"/var/log/rsyslog/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log"   
*.*  ?RemoteHost & ~ $WorkDirectory /var/lib/rsyslog $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $IncludeConfig /etc/rsyslog.d/*.conf $OmitLocalLogging on $IMJournalStateFile imjournal.state *.info;mail.none;authpriv.none;cron.none /var/log/messages authpriv.* /var/log/secure mail.* -/var/log/maillog cron.* /var/log/cron *.emerg :omusrmsg:* uucp,news.crit /var/log/spooler local7.* /var/log/boot.log

5.2 rsyslog使用數據庫做爲存儲介質

注意：客戶端配置和前面一致便可。

5.2.1 配置

服務端僅作下面的配置便可。

1 [root@foundation ~]# yum install rsyslog-mysql

使用腳本建立數據庫：

[root@foundation ~]# mysql -ursyslog -h127.0.0.1 -p </usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql Enter password:

爲Rsyslog建立數據庫帳戶

mysql> set global validate_password_policy=0; Query OK, 0 rows affected (0.00 sec) mysql> set global validate_password_length=4; Query OK, 0 rows affected (0.00 sec) mysql> GRANT ALL ON Syslog.* TO 'rsyslog'@'127.0.0.1' IDENTIFIED BY 'test'; Query OK, 0 rows affected, 1 warning (0.01 sec) mysql> GRANT ALL ON Syslog.* TO 'rsyslog'@'localhost' IDENTIFIED BY 'test'; Query OK, 0 rows affected, 1 warning (0.01 sec) mysql> flush privileges; Query OK, 0 rows affected (0.00 sec)

在/etc/rsyslog.conf中加入以下配置

重啓rsyslogd

1 systemctl restart rsyslog.service 2 systemctl enable rsyslog.service

5.2.2 測試

使用rsyslog用戶登陸數據庫後查看

部分截圖

5.2.3 附MySQL導入導出SQL文件

導出整個數據庫中的全部數據： 1、在linux命令行下輸入： mysqldump -u userName -p dabaseName > fileName.sql fileName.sql最好加上路徑名 導出數據庫中的某個表的數據： mysqldump -u userName -p dabaseName tableName > fileName.sql 導出整個數據庫中的全部的表結構 在linux命令行下輸入： mysqldump -u userName -p -d dabaseName > fileName.sql 注意：是加了-d 導出整個數據庫中某個表的表結構 在linux命令行下輸入： mysqldump -u userName -p -d dabaseName tableName > fileName.sql 注意：是加了-d 導入mysql方法1(測試好用) 進入linux命令命令行下： mysql -u root -p 回車 輸入密碼 mysql> use weifang mysql> source /home/user/data/fileName.sql 注意fileName.sql要有路徑名，例如：source /home/user/data/fileName.sql 導入mysql方法2(測試一次，導入數據後佔空間異常大，還需驗證) 進入linux命令命令行下： mysql -uroot -p database < fileName.sql 注意fileName.sql要有路徑名