
Deployment notes for an rsyslog log collection service on Linux


rsyslog can be thought of as a multi-threaded, enhanced syslog. It extends syslog with many additional features, such as database support (MySQL, PostgreSQL, Oracle, etc.), filtering of log content, and user-defined log format templates. Most Linux distributions now use rsyslog for logging by default. rsyslog offers three remote transport protocols:

UDP transport
Remote log transport over plain UDP, the transport that traditional syslog uses. Reliability is low but the performance cost is the lowest; when the network is poor or the receiving server is under heavy load, log messages may be lost. Usable when log completeness is not critical and the LAN is reliable.
 
TCP transport
Cleartext transport over plain TCP with acknowledgements, so reliability is fairly high; but when the receiving server goes down or the network between the two breaks, messages can still be lost. Compared with UDP the reliability is much better, rsyslog supports it natively, configuration is simple, and extra settings can be added to cover the remaining loss cases, so it is widely used.
 
RELP transport
RELP (Reliable Event Logging Protocol) is a reliable log message transport layered on TCP; it is an application-layer protocol designed to address the shortcomings of TCP and UDP, and it is the most reliable of the three. It requires an additional package, rsyslog-relp.
 
For production servers, for the sake of log integrity, RELP is the recommended transport.

A simple rsyslog configuration walkthrough (below, the company firewall's logs are sent over UDP to the rsyslog log server in the IDC)

I. Deploying the rsyslog server
Install rsyslog (most distributions install it by default; if it is missing, install it with yum:)
[root@zabbix ~]# yum install rsyslog -y
 
Configuration:
[root@zabbix ~]# cat /etc/rsyslog.conf
# rsyslog v5 configuration file
 
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
 
#### MODULES ####
 
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog  # provides kernel logging support (previously done by rklogd)
$ModLoad immark  # provides --MARK-- message capability
 
# Provides UDP syslog reception
$ModLoad imudp                                          # open UDP port 514. TCP port 514 could be opened as well; here only UDP is accepted
$UDPServerRun 514
 
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
 
$WorkDirectory /var/lib/rsyslog
$AllowedSender udp, 192.168.17.0/8                    # only accept UDP logs from the 192.168.17.0/8 range (the company firewall's address)
                                                      # note: a /8 prefix admits all of 192.0.0.0/8; /24 would limit it to the firewall's subnet
#### GLOBAL DIRECTIVES ####
 
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/data/fw_logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"          # template for the destination path; logs are separated per sending host
:fromhost-ip, !isequal, "127.0.0.1" ?Remote                                                        # filter out the server's own local logs
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
 
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
 
 
#### RULES ####
 
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                /dev/console
 
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
 
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
 
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
local4.*                                                /data/fw.log
 
# Log cron stuff
cron.*                                                  /var/log/cron
 
# Everybody gets emergency messages
*.emerg                                                *
 
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
 
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
 
 
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g  # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList  # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
 
 
[root@zabbix ~]# mkdir /data/fw_logs/
 
[root@zabbix ~]# /etc/init.d/rsyslog restart
 
 
II. On the company firewalls (192.168.17.41/42), configure a UDP log output policy (add the rsyslog server's IP and port 514 on the firewall)
 
III. After a short while, the firewall logs show up in the log directory configured on the rsyslog server
[root@zabbix ~]# ll /data/fw_logs/
total 4.0K
drwxrwxrwx  4 root root  46 Jul 28 10:40 .
drwxr-xr-x. 18 root root 4.0K Jul 28 10:38 ..
drwx------  2 root root  41 Jul 28 10:37 192.168.17.41
drwx------  2 root root  41 Jul 28 10:40 192.168.17.42
[root@zabbix ~]# ll /data/fw_logs/192.168.17.41
total 16K
drwx------ 2 root root  41 Jul 28 10:37 .
drwxrwxrwx 4 root root  46 Jul 28 10:40 ..
-rw------- 1 root root 13K Jul 28 14:02 192.168.17.41_2017-07-28.log
 
 
————————————————————————————
The IP allow-list in the server's rsyslog.conf above can instead be set to the client machines' range, for example:
$AllowedSender tcp, 172.18.0.0/16                  # accept TCP log input from clients in 172.18.0.0/16, provided TCP port 514 has been opened
 
Client configuration:
Only one line needs to be added to rsyslog.conf:
*.*                              @172.18.10.20                    # the IP after @ is the rsyslog server's address (a single @ forwards over UDP; use @@ for TCP)
 
Then start rsyslog and you are done.
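The `$AllowedSender` lines are the only thing restricting which hosts may write into /data/fw_logs, so the prefix length matters. As an added check (my own code, not from the post), the following parses those directives and reports what each entry really admits; the configuration excerpt is constructed from the two lines shown above.

```python
import ipaddress
import re

# Constructed excerpt containing the two $AllowedSender lines used on this page (assumed input).
SAMPLE_CONF = """
$ModLoad imudp
$UDPServerRun 514
$AllowedSender udp, 192.168.17.0/8      # intended: the firewall's subnet
$AllowedSender tcp, 172.18.0.0/16
"""

ALLOWED_RE = re.compile(r"^\s*\$AllowedSender\s+(udp|tcp)\s*,\s*(.+)$", re.IGNORECASE)

def parse_allowed_senders(conf_text):
    """Return (proto, network, text_as_written) for every network in every $AllowedSender line."""
    entries = []
    for line in conf_text.splitlines():
        m = ALLOWED_RE.match(line.split("#", 1)[0])
        if not m:
            continue
        proto = m.group(1).lower()
        for written in m.group(2).split():
            # A /8 prefix compares only the first 8 bits of the source address, so
            # strict=False (mask off host bits) reflects what is admitted on the wire:
            # 192.168.17.0/8 is the whole of 192.0.0.0/8, not the firewall's /24.
            entries.append((proto, ipaddress.ip_network(written, strict=False), written))
    return entries

def lint_allowed_senders(conf_text):
    """Flag entries whose written address has host bits set outside the prefix, i.e.
    where the admin most likely meant a narrower range than will actually be accepted."""
    findings = []
    for proto, net, written in parse_allowed_senders(conf_text):
        if str(net) != written:
            findings.append(f"{proto}: {written} admits {net} ({net.num_addresses} addresses)")
    return findings

def sender_allowed(conf_text, proto, ip):
    """Would a message from ip over proto pass the $AllowedSender filter?"""
    addr = ipaddress.ip_address(ip)
    return any(p == proto and addr in net for p, net, _ in parse_allowed_senders(conf_text))
```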

==================== Another example =======================
The configuration above sends the company firewall's logs into rsyslog. Now there is a new requirement:
Two other servers in the company IDC, 172.19.10.24 and 172.19.10.25, host gitlab, nexus, jenkins, jira and wiki. Permissions on them are rather messy and many people need to log in. We now need to record every operation performed by users who log in to these two servers and send the records to rsyslog, effectively auditing user activity.

Configuration (building on the installation above; the server IP is 172.19.16.21):
1) rsyslog server configuration (compared with the configuration above, the AllowedSender source-IP allow-list has been removed, so logs from all hosts are accepted; the firewall logs above continue to be collected)
[root@zabbix ~]# cat /etc/rsyslog.conf|grep -v "#"|grep -v "^$"
$ModLoad imudp
$UDPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/data/fw_logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local5.*                                              /var/log/history.log
 
[root@zabbix ~]# /etc/init.d/rsyslog restart
 
2) Configuration on 172.19.10.24
[root@gitlab ~]# cat /etc/rsyslog.conf|grep -v "#"|grep -v "^$"
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local5.*    @172.19.16.21
 
[root@gitlab ~]# /etc/init.d/rsyslog restart
 
[root@gitlab ~]# cat /etc/profile                  # add the following to the bottom of this file
…….
export HISTTIMEFORMAT
export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'
 
3) Make the same configuration on the other host, 172.19.10.25
[root@nexus ~]# cat /etc/rsyslog.conf |grep -v "#"|grep -v "^$"
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local5.*  @172.19.16.21
 
[root@nexus ~]# /etc/init.d/rsyslog restart
 
[root@nexus ~]# cat /etc/profile
…….
export HISTTIMEFORMAT
export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'
 
4) After a while, collected logs appear under the server's log directory /data/fw_logs
[root@zabbix fw_logs]# pwd
/data/fw_logs
[root@zabbix fw_logs]# cd
[root@zabbix ~]# cd /data/fw_logs/
[root@zabbix fw_logs]# ll
total 12K
drwxrwxrwx  6 root root  84 Aug 16 18:28 .
drwxr-xr-x. 18 root root 4.0K Aug 16 17:58 ..
drwx------  2 root root  74 Aug 17 09:50 172.19.10.24
drwx------  2 root root  74 Aug 17 10:00 172.19.10.25
drwx------  2 root root 4.0K Aug 17 00:01 192.168.17.41
drwx------  2 root root 4.0K Aug 17 00:01 192.168.17.42
[root@zabbix fw_logs]# cd 172.19.10.24/
[root@zabbix 172.19.10.24]# ll
total 20K
drwx------ 2 root root  74 Aug 17 09:50 .
drwxrwxrwx 6 root root  84 Aug 16 18:28 ..
-rw------- 1 root root 14K Aug 16 20:45 172.19.10.24_2017-08-16.log
-rw------- 1 root root 771 Aug 17 10:03 172.19.10.24_2017-08-17.log
[root@zabbix 172.19.10.24]# cat 172.19.10.24_2017-08-16.log
Aug 16 18:39:56 gitlab bash[138413]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:39:56 gitlab bash[138418]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:39:56 gitlab bash[138422]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:39:57 gitlab bash[138426]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:40:30 gitlab bash[138610]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/root,command:[2017-08-16 18:40:03]root pts/0 2017-08-16 18:40 (172.16.255.202)exit
Aug 16 18:40:43 gitlab bash[138652]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:43]root pts/0 2017-08-16 18:40 (172.16.255.202)cd /data/
Aug 16 18:40:43 gitlab bash[138657]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:43]root pts/0 2017-08-16 18:40 (172.16.255.202)ls
Aug 16 18:40:47 gitlab bash[138666]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:47]root pts/0 2017-08-16 18:40 (172.16.255.202)mkdir hahahahah
Aug 16 18:40:48 gitlab bash[138671]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:48]root pts/0 2017-08-16 18:40 (172.16.255.202)cd hahahahah/
Aug 16 18:40:48 gitlab bash[138677]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:48]root pts/0 2017-08-16 18:40 (172.16.255.202)ls
Aug 16 18:40:54 gitlab bash[138696]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:54]root pts/0 2017-08-16 18:40 (172.16.255.202)echo "Asdfasdf" >heihei
Aug 16 18:40:54 gitlab bash[138702]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:54]root pts/0 2017-08-16 18:40 (172.16.255.202)ls
…….
 
From the log above, every operation on 172.19.10.24 has been recorded in detail, so it is clear what the users who logged in to this machine did ...
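To make these records usable for an audit they have to be parsed and the repeats collapsed. The following is an added example, not from the post: a parser for the field layout produced by the PROMPT_COMMAND logger call, fed with lines copied from the server log above; the HISTTIMEFORMAT prefix is assumed to have the shape the post's output shows.

```python
import re
from collections import defaultdict

# Records copied from the server-side log above: four repeats of one command,
# then a short session from another client.
SAMPLE_LOG = """\
Aug 16 18:39:56 gitlab bash[138413]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:39:56 gitlab bash[138418]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:39:56 gitlab bash[138422]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:39:57 gitlab bash[138426]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:40:43 gitlab bash[138652]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:43]root pts/0 2017-08-16 18:40 (172.16.255.202)cd /data/
Aug 16 18:40:47 gitlab bash[138666]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:47]root pts/0 2017-08-16 18:40 (172.16.255.202)mkdir hahahahah
Aug 16 18:40:48 gitlab bash[138671]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:48]root pts/0 2017-08-16 18:40 (172.16.255.202)cd hahahahah/
Aug 16 18:40:54 gitlab bash[138696]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:54]root pts/0 2017-08-16 18:40 (172.16.255.202)echo "Asdfasdf" >heihei
"""

# Layout written by the logger call in PROMPT_COMMAND: fixed key=value fields, then the raw
# `history 1` text. The HISTTIMEFORMAT prefix is assumed to be "[date time]user tty login-time (ip)".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) bash\[(?P<pid>\d+)\]: "
    r"user=(?P<user>[^,]*),ppid=(?P<ppid>\d+),from=(?P<from>[^,]*),"
    r"pwd=(?P<pwd>[^,]*),command:(?P<raw>.*)$")
HIST_RE = re.compile(r"^\[(?P<hist_ts>[^\]]+)\][^(]*\((?P<login_ip>[^)]*)\)(?P<cmd>.*)$")

def parse_line(line):
    """Return a dict for one audit record, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["client_ip"] = rec["from"].split()[0] if rec["from"] else ""  # SSH_CLIENT is "ip port port"
    h = HIST_RE.match(rec["raw"])
    rec["hist_ts"] = h.group("hist_ts") if h else rec["ts"]
    rec["cmd"] = h.group("cmd").strip() if h else rec["raw"].strip()
    return rec

def parse_log(text):
    """Parse all records and drop repeats: PROMPT_COMMAND runs before every prompt, so an
    empty Enter re-logs the previous history entry (the four 'rsyslog restart' lines).
    The key ignores the logger PID, which differs on every repeat."""
    seen, records = set(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ppid"], rec["hist_ts"], rec["cmd"])
        if key in seen:
            continue
        seen.add(key)
        records.append(rec)
    return records

def sessions(records):
    """Group commands by shell PID (the ppid seen by logger) so each login session reads in order."""
    by_shell = defaultdict(list)
    for rec in records:
        by_shell[rec["ppid"]].append(rec["cmd"])
    return dict(by_shell)
```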

==================== Collecting nginx logs to a remote server via rsyslog ====================
Requirement: use rsyslog to sync the log /data/nginx/logs/www.kevin.com-access.log on server 192.168.10.21 in real time to server 192.168.10.52 (stored under /data/rsyslog/nginx)

1) 192.168.10.21 is the rsyslog client, i.e. the pushing side: with rsyslog, the client actively pushes its own logs to the remote server.
Steps:
[root@nginx-server ~]# yum install rsyslog -y
[root@nginx-server ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
[root@nginx-server ~]# cat /etc/rsyslog.conf
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
$ModLoad imfile                               ## load the imfile module; this line is added by hand

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages             ## do not write local5 logs here

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
user.info /var/log/history

# add the following lines at the bottom of the file
$InputFileName /data/nginx/logs/www.kevin.com-access.log        ## the log file to read (the file being monitored)
$InputFileTag web_access             ## tag string attached to each forwarded log line
$InputFileSeverity info           ## log severity
$InputFileStateFile /etc/rsyslog.d/stat-access         ## records the read position and similar state (like MySQL's master.info). If the monitored file name changes, this StateFile name must change too, otherwise nothing is transmitted.
$InputFileFacility local5         ## facility
$InputFilePollInterval 1          ## interval between checks of the log file (seconds)
$InputFilePersistStateInterval 1       ## interval for writing the offset back to the state file (seconds)
$InputRunFileMonitor                          ## activate the reader; several file groups can be defined, and this directive closes each group so it takes effect
local5.* @192.168.10.52            ## send all severities of the local5 facility over UDP to 192.168.10.52

Restart the rsyslog service
[root@nginx-server ~]# /etc/init.d/rsyslog restart
关闭系统日志记录器:[确定]
启动系统日志记录器:[确定]

Since this host is the pushing side, rsyslog does not need port 514 open (as shown above, neither the UDP nor the TCP port 514 is enabled in rsyslog.conf)
[root@nginx-server ~]# lsof -i:514
[root@nginx-server ~]#

2) 192.168.10.52 is the rsyslog server, i.e. the receiving side.
Configuration:
[root@log-server ~]# yum install rsyslog -y
[root@log-server ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp                   ## load the imudp module
$UDPServerRun 514            ## enable UDP reception and set the port

# Provides TCP syslog reception
$ModLoad imtcp                 ## load the imtcp module
$InputTCPServerRun 514             ## enable TCP reception and set the port; the TCP and UDP input modules can be used at the same time

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# define a template for the format of received messages (by default several fields are prepended to each stored line)
$template  SpiceTmpl,"%msg%\n"                   ## %msg:2:$% would strip the leading space from the message

# define a template for where received log files are stored; the part between %...% names the file by year-month-day
$template  DynaFile,"/data/rsyslog/nginx/%$YEAR%-%$MONTH%-%$DAY%.log"

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local5.none                /var/log/messages            ## do not write local5 facility logs here

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# receive the client's local5 facility logs and store them at the given location (a defined template may be used; ? means a dynamic file name template)
local5.*                       ?DynaFile;SpiceTmpl

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
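The rules above (and the `local5.none` exclusion on both sides) decide where a forwarded message lands purely from its PRI value, facility * 8 + severity. The following Python is an added example, not part of the post: it implements the classic selector semantics and routes a message through the rule set shown above (the rule lines are copied from the server config; the functions are my own).

```python
# Facility and severity codes from RFC 3164, as rsyslog uses them: PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FAC_BY_NUM = {v: k for k, v in FACILITIES.items()}
SEV_BY_NUM = {v: k for k, v in SEVERITIES.items()}

# Rule lines copied from the receiving server's rsyslog.conf above.
SERVER_RULES = """
*.info;mail.none;authpriv.none;cron.none;local5.none  /var/log/messages
authpriv.*  /var/log/secure
mail.*  -/var/log/maillog
cron.*  /var/log/cron
*.emerg  :omusrmsg:*
uucp,news.crit  /var/log/spooler
local7.*  /var/log/boot.log
local5.*  ?DynaFile;SpiceTmpl
"""

def pri_for(facility, severity):
    """PRI as `logger -p local5.notice` or imfile (local5/info) puts it in the <PRI> header."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def split_pri(pri):
    return FAC_BY_NUM[pri // 8], SEV_BY_NUM[pri % 8]

def selector_matches(selector, facility, severity):
    """Classic sysklogd/rsyslog selector semantics: 'fac.prio' matches prio and anything more
    severe, '.none' drops the facility, and later parts override earlier ones for the
    facilities they name (so *.info;local5.none keeps local5 out of /var/log/messages)."""
    table = {}
    for part in selector.split(";"):
        facs, prio = part.strip().rsplit(".", 1)
        names = list(FACILITIES) if facs == "*" else facs.split(",")
        for name in names:
            if prio == "none":
                table[name] = None
            else:
                table[name] = SEVERITIES["debug"] if prio == "*" else SEVERITIES[prio]
    limit = table.get(facility)
    return limit is not None and SEVERITIES[severity] <= limit

def parse_rules(conf_text):
    """Extract (selector, action) pairs; directives ($...), property filters (:...) and
    comments are skipped."""
    rules = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line[0] in "$:":
            continue
        selector, action = line.split(None, 1)
        rules.append((selector, action))
    return rules

def route(pri, rules):
    """All actions a message with this PRI is written to, in config order."""
    facility, severity = split_pri(pri)
    return [act for sel, act in rules if selector_matches(sel, facility, severity)]
```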

Edit "SYSLOGD_OPTIONS=" in /etc/sysconfig/rsyslog to enable remote log reception
[root@log-server ~]# cat /etc/sysconfig/rsyslog
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by “-c 2”
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS="-c 5"

Create the storage directory defined above for the received logs
[root@log-server ~]# mkdir -p /data/rsyslog/nginx

Restart the rsyslog service
[root@log-server ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [OK]
Starting system logger: [OK]
[root@log-server ~]# lsof -i:514
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 24594 root 2u IPv4 38927639 0t0 TCP *:shell (LISTEN)
rsyslogd 24594 root 3u IPv4 38927635 0t0 UDP *:syslog
rsyslogd 24594 root 4u IPv6 38927636 0t0 UDP *:syslog
rsyslogd 24594 root 5u IPv6 38927640 0t0 TCP *:shell (LISTEN)

Check whether the logs are arriving
[root@log-server ~]# ll /data/rsyslog/nginx/
total 550876
-rw------- 1 root root 483539594 Jun 13 12:58 2018-06-13.log
[root@log-server ~]# tail -2 /data/rsyslog/nginx/2018-06-13.log
1.203.163.198 - [27/Apr/2018:00:17:53 +0800] "POST /scf/%7B%7BloginConfig.loginSubmitUrl%7D%7D HTTP/1.1" 302 0 "https://www.kevin.com/scf/login" Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.62 Safari/537.36 - 0.010 0.003 10.0.54.21:9020 302
1.203.163.198 - [27/Apr/2018:00:17:53 +0800] "POST /scf/%7B%7BloginConfig.loginSubmitUrl%7D%7D HTTP/1.1" 302 0 "https://www.kevin.com/scf/login" Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.62 Safari/537.36 - 0.012 0.003 10.0.54.21:9020 302

==========================================================================
Notes:
a) If no logs arrive, i.e. no log files appear under /data/rsyslog/nginx, restart the rsyslog service on both the pushing and the receiving side at the same time. Make sure iptables and selinux are disabled on both sides!
b) The storage path of the received log file can also be changed, e.g. to the following:
$template DynaFile,"/data/rsyslog/nginx/nginx-access.log"
The collected log is then stored as follows:
[root@log-server ~]# ll /data/rsyslog/nginx/
total 571716
-rw------- 1 root root 483539594 Jun 13 12:58 2018-06-13.log
-rw------- 1 root root 101893593 Jun 13 13:13 nginx-access.log

Copyright notice: original article on this site, published by 星锅 on 2022-01-21, 18356 characters in total.
Reproduction: unless otherwise stated, articles on this site are published under the CC 4.0 license; please credit the source when reproducing.