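Introduction to Rsyslog
rsyslog is an open-source tool widely used on Linux systems to forward or receive log messages over TCP/UDP. The rsyslog daemon can be configured in two roles. As a log collection server, it collects log data over the network from other hosts that have been configured to send their logs to a remote server. As a client, it filters internal log messages and sends them to a local directory (such as /var/log) or to a remote rsyslog server that it can route to.
Installing the Rsyslog daemon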
yum install rsyslog
Server-side configuration
[root@opm log]# grep -v "^#" /etc/rsyslog.conf | grep -v "^$"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad immark # provides --MARK-- message capability
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$AllowedSender tcp, 192.168.30.0/24
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /data/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
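a. Allow hosts within a network segment to send over a given protocol: $AllowedSender tcp, 192.168.30.0/24 allows hosts in the 30.0 network segment to send over TCP.
b. $template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
c. :fromhost-ip, !isequal, "127.0.0.1" ?Remote filters out the server's own local logs.
d. $InputTCPServerRun 514 enables TCP; TCP and UDP can coexist.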
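The effect of items a to c on an incoming message can be traced with a small model. The following Python is an added example, not code from the original post or from rsyslog: it reimplements only the $AllowedSender check, the 127.0.0.1 filter and the Remote template expansion, assumes the allow list holds IP or CIDR entries only, and uses constructed sender addresses and dates.

```python
import ipaddress
import re
from datetime import date

SERVER_CONF = r'''
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$AllowedSender tcp, 192.168.30.0/24
$template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
'''  # directives copied from the server configuration above

def parse(conf):
    """Collect per-protocol $AllowedSender networks and named templates."""
    allowed, templates = {}, {}
    for line in conf.splitlines():
        m = re.match(r'\$AllowedSender\s+(\w+)\s*,\s*(.+)', line)
        if m:  # assumption: entries are IPs or CIDR blocks, not hostnames
            nets = [ipaddress.ip_network(n.strip(), strict=False)
                    for n in m.group(2).split(',')]
            allowed.setdefault(m.group(1).lower(), []).extend(nets)
        m = re.match(r'\$template\s+(\w+)\s*,\s*"(.*)"', line)
        if m:
            templates[m.group(1)] = m.group(2)
    return allowed, templates

def remote_path(conf, proto, src_ip, today):
    """File the ?Remote rule writes to, or None if the message is not written."""
    allowed, templates = parse(conf)
    nets = allowed.get(proto.lower())
    # A protocol without an $AllowedSender list accepts every sender.
    if nets is not None and not any(ipaddress.ip_address(src_ip) in n for n in nets):
        return None  # discarded by $AllowedSender
    if src_ip == "127.0.0.1":
        return None  # excluded by the !isequal filter (server's own messages)
    values = {"fromhost-ip": src_ip, "$YEAR": f"{today.year:04d}",
              "$MONTH": f"{today.month:02d}", "$DAY": f"{today.day:02d}"}
    return re.sub(r'%([^%]+)%', lambda m: values[m.group(1)], templates["Remote"])

def unrestricted_protocols(conf):
    """Network listeners that are loaded but have no $AllowedSender list."""
    allowed, _ = parse(conf)
    loaded = set(re.findall(r'^\$ModLoad\s+im(udp|tcp)\b', conf, re.M))
    return sorted(loaded - set(allowed))

if __name__ == "__main__":  # constructed sender address and date
    print(remote_path(SERVER_CONF, "tcp", "192.168.30.21", date(2024, 3, 5)))
```

On the configuration as shown, unrestricted_protocols reports udp: the 192.168.30.0/24 restriction covers TCP senders only, so the UDP listener on 514 needs its own $AllowedSender entry or a firewall rule if it is to be limited to the same segment.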
Client-side configuration
[root@test1 ~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none @@192.168.30.55
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$template myFormat,"%timestamp% %fromhost-ip%%msg%\n"
$ActionFileDefaultTemplate myFormat
To verify, go to the /data/log directory on the server and check the files there.
Collecting logs from other system services
[root@node1 ~]# egrep -v '^#|^$' /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad immark # provides --MARK-- message capability
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none @@192.168.30.67
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
module(load="imfile" PollingInterval="5")
$InputFileName /var/log/nova/nova-compute.log
$InputFileTag nova-info:
$InputFileStateFile state-nova-info
$InputRunFileMonitor
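In fact only the last 5 lines were added. A brief explanation of each:
module(load="imfile" PollingInterval="5") loads the imfile module and refreshes every 5 seconds.
$InputFileName /var/log/nova/nova-compute.log is the path of the log file to monitor.
$InputFileTag nova-info: defines the file tag; note the trailing colon.
$InputFileStateFile state-nova-info defines the state file.
$InputRunFileMonitor activates reading. Multiple groups of log inputs can be configured, and this parameter is set at the end of each group.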