共计 8067 个字符,预计需要花费 21 分钟才能阅读完成。
(一)Rsyslog 简介
ryslog 是一个快速处理收集系统日志的程序,提供了高性能、安全功能和模块化设计。rsyslog 是 syslog 的升级版,它将多种来源输入输出转换结果到目的地。
rsyslog 是一个开源工具,被广泛用于 Linux 系统以通过 TCP/UDP 协议转发或接收日志消息。rsyslog 守护进程可以被配置成两种环境,一种是配置成日志收集服务器,rsyslog 进程可以从网络中收集其它主机上的日志数据,这些主机会将日志配置为发送到另外的远程服务器。rsyslog 的另外一个用法,就是可以配置为客户端,用来过滤和发送内部日志消息到本地文件夹(如 /var/log)或一台可以路由到的远程 rsyslog 服务器上。
logrotate 是一个日志文件管理工具。用来把旧文件轮转、压缩、删除,并且创建新的日志文件。我们可以根据日志文件的大小、天数等来转储,便于对日志文件管理,一般都是通过 cron 计划任务来完成的。
| 序号 | IP 地址 | 类型 | 备注 |
|---|---|---|---|
| 1 | 192.168.99.99 | Server 端 | |
| 2 | 192.168.99.98 | client 端 |
(二)rsyslog server 服务端配置
1,rsyslog 默认是安装的,如果没有安装通过
[root@localhost samba]# yum install rsyslog -y
2,修改 /etc/rsyslog.conf 配置文件,启用 udp 和 tcp 模块 $ModLoad imudp $UDPServerRun 514 $ModLoad imtcp
$InputTCPServerRun 514
[root@localhost samba]# vim /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
##### 开启 udp 接收日志
$ModLoad imudp
$UDPServerRun 514
$template RemoteHost,”/data/syslog/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log”
*.* ?RemoteHost
& ~
#### 开启 tcp 协议接受日志
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
####### 启用 /etc/rsyslog.d/*.conf 目录下所有以.conf 结尾的配置文件
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local0.* /etc/keepalived/keepalived.log
3, 重启 rsyslog 服务
[root@zabbix 2018-05-23]# systemctl restart rsyslog
[root@zabbix 2018-05-23]# systemctl status rsyslog
[root@localhost samba]# netstat -anp|grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 1445/rsyslogd
tcp6 0 0 :::514 :::* LISTEN 1445/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 1445/rsyslogd
udp6 0 0 :::514 :::* 1445/rsyslogd
(三)rsyslog 客户端的配置
1,编辑 rsylog 客户端的配置文件:
[root@server98 log]# grep -v “^$” /etc/rsyslog.conf | grep -v “^#”
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,”%timestamp% %fromhost-ip% %msg%\n” ####### 自定义模板的相关信息
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.* @192.168.99.99:514 ######## 该声明告诉 rsyslog 守护进程,将系统上各个设备的各种日志的所有消息路由到远程 rsyslog 服务器(192.168.99.99)的 UDP 端口 514。@@是通过 tcp 传输,一个 @是通过 udp 传输。
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local0.* /etc/keepalived/keepalived.log
2,重启客户端 rsyslog 服务
[root@server98 log]# systemctl restart rsyslog
[root@server98 log]# systemctl status rsyslog
● rsyslog.service – System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since 四 2018-05-24 16:57:04 CST; 4s ago
Main PID: 44765 (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─44765 /usr/sbin/rsyslogd -n
5 月 24 16:57:04 server98 systemd[1]: Starting System Logging Service…
5 月 24 16:57:04 server98 systemd[1]: Started System Logging Service.
(四)查看客户端和服务端的日志是否正常生成。
(1)查看服务端是否在 /data/ 日期 /ip.log 正常生成。
[root@zabbix 2018-05-24]# tail -f /data/2018-05-24/192.168.99.98.log
2018-05-24T17:02:52+08:00 server98 postfix/pickup[41198]: AAC764ACB03: uid=0 from=<smokealert@company.xy>
2018-05-24T17:02:52+08:00 server98 postfix/cleanup[45967]: AAC764ACB03: message-id=<20180524090252.AAC764ACB03@server98.localdomain>
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AAC764ACB03: from=<smokealert@company.xy>, size=851, nrcpt=1 (queue active)
2018-05-24T17:02:52+08:00 server98 postfix/smtp[39596]: AAC764ACB03: to=<alertee@address.somewhere>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=address.somewhere type=AAAA: Host not found)
2018-05-24T17:02:52+08:00 server98 postfix/cleanup[45967]: AB6804ACB0B: message-id=<20180524090252.AB6804ACB0B@server98.localdomain>
2018-05-24T17:02:52+08:00 server98 postfix/bounce[45968]: AAC764ACB03: sender non-delivery notification: AB6804ACB0B
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AB6804ACB0B: from=<>, size=2811, nrcpt=1 (queue active)
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AAC764ACB03: removed
2018-05-24T17:02:52+08:00 server98 postfix/smtp[39597]: AB6804ACB0B: to=<smokealert@company.xy>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=company.xy type=AAAA: Host not found)
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AB6804ACB0B: removed
2018-05-24T17:14:33+08:00 server98 root: hello world
(2)在客户端生成日志,是否日志同步,都有
[root@server98 ~]# tail -f /var/log/messages
May 24 17:11:40 server98 Keepalived_vrrp[49377]: VRRP_Script(chk_http_port) succeeded
May 24 17:11:52 server98 smokeping[38532]: Alert someloss is active for Other.hefei.hefei-office2
May 24 17:11:52 server98 smokeping[38532]: Alert someloss is active for Other.wuxi.wuxi-office2
May 24 17:12:52 server98 smokeping[38532]: Alert someloss is active for Other.hefei.hefei-office2
May 24 17:12:52 server98 smokeping[38532]: Alert someloss is active for Other.wuxi.wuxi-office2
May 24 17:13:52 server98 smokeping[38532]: Alert someloss is active for Other.hefei.hefei-office2
May 24 17:13:52 server98 smokeping[38532]: Alert someloss is active for Other.wuxi.wuxi-office2
May 24 17:14:33 server98 root: hello world
至此,日志服务端和客户端日志同步完成。
备注:
1,Facility 是 syslog 的模块: rsyslog 通过 facility 概念来定义日志消息的来源,以方便对日志进行分类。Facility: 有 0 -23 种设备可选,在 python 的 syslog 库中有一部分缺失
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16-23 local0 – local7
常用的有:
2,Severity: 日志等级
0 Emergency
1 Alert
2 Critical
3 Error
4 Warning
5 Notice
6 Informational
7 Debug
重要的配置文件:
1,rsyslog server 服务端的配置:
[root@zabbix 2018-05-23]# grep -v “^$” /etc/rsyslog.conf | grep -v “^#”
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
$template RemoteHost,”/data/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log”
*.* ?RemoteHost
& ~
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local0.* /etc/keepalived/keepalived.log
2,rsyslog 客户端的配置
[root@server98 log]# grep -v “^$” /etc/rsyslog.conf | grep -v “^#”
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,”%timestamp% %fromhost-ip% %msg%\n”
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none @192.168.99.99:514
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local0.* /etc/keepalived/keepalived.log
