Building an rsyslog log server on Linux
2023-09-14 11:23:26
On Linux, the rsyslog service can be used to build a central log server. First, install the rsyslog package. Then edit the rsyslog configuration file (usually /etc/rsyslog.conf) to define the input, filter and output rules that collect, process and store log messages from the various sources. Next, start the rsyslog service and enable it so that it comes up automatically at boot. Finally, configure the client machines to send their logs to the rsyslog server. With that, a Linux-based rsyslog log server is in place: logs from across the environment can be managed and analysed in one location, which makes day-to-day operations and troubleshooting considerably easier.
Outline / Content
Installation steps: install the package with yum install rsyslog. Once it is installed, configure rsyslog by opening its configuration file with vim /etc/rsyslog.conf and setting it to the text below.
Configuration file:
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
# Note: this listener accepts datagrams from every host that can reach port 514,
# so limit who can reach it with the host firewall or a network ACL.
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Split messages by severity into separate files. Each selector matches its own
# level and every more severe one, so a single message can land in several of
# these files. "error" is a deprecated spelling that rsyslog still accepts for "err".
*.alert                                                 /var/log/alert.log
*.notice                                                /var/log/notice.log
*.error                                                 /var/log/err.log

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
Explanation of the configuration:
Logs are received here on UDP port 514, and I split them into the following four levels, each written to its own log file.
1. alert /var/log/alert.log
2. notice /var/log/notice.log
3. error /var/log/err.log
4. info /var/log/messages
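To see where a given message ends up under the rules above, here is an added example (not part of the original page) that evaluates the classic rsyslog selectors from that configuration and builds the RFC 3164 line a client would send to UDP 514; the rule list and the sample host name are copied or constructed from the page, nothing is read from a live server.

```python
# Added example (not from the original page): evaluates the classic rsyslog
# selectors of the configuration above and builds an RFC 3164 test datagram.

SEVERITY = {n: i for i, n in enumerate(
    ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"])}
SEVERITY.update({"panic": 0, "error": 3, "warn": 4})  # deprecated spellings
FACILITY = {n: i for i, n in enumerate(
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
     "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron"]
    + ["local%d" % i for i in range(8)])}

# The file-writing rules of the server configuration above (selector, target).
RULES = [
    ("*.alert", "/var/log/alert.log"),
    ("*.notice", "/var/log/notice.log"),
    ("*.error", "/var/log/err.log"),
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
]

def selector_matches(selector, facility, severity):
    """Parts apply left to right; a later part (e.g. mail.none) overrides an
    earlier one for its facilities. A priority matches its level and all higher."""
    matched = False
    for part in selector.split(";"):
        facs, prio = part.rsplit(".", 1)
        facs = facs.split(",")
        if "*" not in facs and facility not in facs:
            continue
        if prio == "none":
            matched = False
        else:
            matched = prio == "*" or SEVERITY[severity] <= SEVERITY[prio]
    return matched

def files_for(facility, severity):
    """Every file the rules write a message of this facility/severity to."""
    return [target for sel, target in RULES if selector_matches(sel, facility, severity)]

def build_message(facility, severity, hostname, tag, timestamp, text):
    """RFC 3164 line; PRI = facility * 8 + severity, timestamp like 'Sep 14 11:23:26'."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    return "<%d>%s %s %s: %s" % (pri, timestamp, hostname, tag, text)
```

Running files_for("daemon", "alert") returns all four of the author's files, which shows that the severity split is cumulative rather than one file per level.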
Then go to the /var/log directory and create the three files alert.log, notice.log and err.log with the following commands:
touch alert.log
touch notice.log
touch err.log
Then start the rsyslog service with the following command:
systemctl restart rsyslog
Check its status with the following command:
systemctl status rsyslog
View the log:
tail -100f shanshi.log