(1) Introduction to rsyslog
rsyslog is a fast program for collecting and processing system logs; it offers high performance, security features and a modular design. rsyslog is an enhanced version of syslog: it accepts input from many sources, transforms it, and delivers the result to its destinations.
rsyslog is an open-source tool that is widely used on Linux systems to forward or receive log messages over TCP/UDP. The rsyslog daemon can be configured in two roles. As a log collection server, it gathers log data over the network from other hosts that have been configured to send their logs to a remote server. As a client, it filters local log messages and sends them to local files (e.g. under /var/log) or to a reachable remote rsyslog server.
logrotate is a log-file management tool: it rotates, compresses and deletes old files and creates fresh log files. Rotation can be triggered by file size, age in days and so on, which keeps log files manageable; it is normally driven by a cron job.
| No. | IP address | Role | Notes |
|---|---|---|---|
| 1 | 192.168.99.99 | Server | |
| 2 | 192.168.99.98 | Client | |
(2) rsyslog server configuration

1. rsyslog is installed by default; if it is missing, install it with:

```
[root@localhost samba]# yum install rsyslog -y
```
2. Edit /etc/rsyslog.conf and enable the UDP and TCP input modules (`$ModLoad imudp` / `$UDPServerRun 514` and `$ModLoad imtcp` / `$InputTCPServerRun 514`). The edited file, with comments:

```
[root@localhost samba]# vim /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal

##### receive logs over UDP
$ModLoad imudp
$UDPServerRun 514
$template RemoteHost,"/data/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log"
*.* ?RemoteHost
& ~
#### receive logs over TCP
$ModLoad imtcp
$InputTCPServerRun 514

$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

####### include every file ending in .conf under /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                                /etc/keepalived/keepalived.log
```

The RemoteHost template names one file per day and per sending host under /data/ (the layout the verification in section (4) shows). `*.* ?RemoteHost` writes every message to that dynamic file, and `& ~` then discards the message so the rules further down do not write it a second time. `~` is the legacy discard action; rsyslog 7 and later warn that it is deprecated and prefer `& stop`.

Two caveats a practitioner should know about this layout. First, `*.*` also matches the server's own messages, which carry fromhost-ip 127.0.0.1: with the rules in this order they land in /data/DATE/127.0.0.1.log and are discarded before reaching /var/log/messages. If that is not wanted, restrict the two lines to remote sources (by testing `$fromhost-ip`, or by binding imudp/imtcp to a ruleset of their own). Second, both listeners bind 0.0.0.0:514, and syslog over UDP is unauthenticated clear text whose source address is trivially spoofed, so the per-IP file name is not evidence of who really sent a line; limit the listeners to the client subnet at the host firewall and prefer TCP for clients that matter.
3. Restart the rsyslog service and confirm that it listens on 514/tcp and 514/udp:

```
[root@zabbix 2018-05-23]# systemctl restart rsyslog
[root@zabbix 2018-05-23]# systemctl status rsyslog
[root@localhost samba]# netstat -anp|grep 514
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1445/rsyslogd
tcp6       0      0 :::514                  :::*                    LISTEN      1445/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1445/rsyslogd
udp6       0      0 :::514                  :::*                                1445/rsyslogd
```

If firewalld or another host firewall is active, 514/tcp and 514/udp must also be opened towards the clients; otherwise netstat shows the listener but nothing ever arrives.
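Steps 1 to 3 above as one added example that is not the page's own configuration: a script that writes the receiver as a drop-in under /etc/rsyslog.d/ in rsyslog's RainerScript syntax (the `module()`/`input()`/`action()` form that replaces the legacy `$` directives), dry-runs the whole configuration with `rsyslogd -N1`, and restarts the service. The port, the /data/DATE/IP.log layout and the template name are the page's; the file name remote.conf, the ruleset name `remote` and the file modes are assumptions. It differs from the page's rsyslog.conf in one deliberate way: the two network inputs are bound to their own ruleset, so only messages that arrived over the network are written to the per-host files, and the server's own messages keep flowing to /var/log/messages.

```shell
#!/bin/sh
# Added example: rsyslog receiver as an /etc/rsyslog.d/ drop-in (RainerScript
# syntax). Not the page's configuration; the names below are assumptions.
set -u

# Print the receiver configuration. $1 = listen port, $2 = base directory.
render_server_conf() {
    cat <<EOF
module(load="imudp")
module(load="imtcp")

# One file per day and per sending host, the same layout as the page's
# RemoteHost template: $2/YYYY-MM-DD/<source-ip>.log
template(name="RemoteHost" type="string"
         string="$2/%\$YEAR%-%\$MONTH%-%\$DAY%/%FROMHOST-IP%.log")

# Both inputs deliver into the 'remote' ruleset instead of the main one, so
# the server's own messages (fromhost-ip 127.0.0.1) are never matched here.
input(type="imudp" port="$1" ruleset="remote")
input(type="imtcp" port="$1" ruleset="remote")

ruleset(name="remote") {
    # Files are readable only by root and the rsyslog group; the date
    # directory is created on first write.
    action(type="omfile" dynaFile="RemoteHost"
           dirCreateMode="0750" fileCreateMode="0640")
    # No '& ~' / 'stop' needed: a message handled by this ruleset never
    # continues into the main ruleset's /var/log/* rules.
}
EOF
}

# Dry-run parse of a configuration file (rsyslog.conf plus its includes by
# default); skipped with a notice when rsyslogd is not installed here.
validate_conf() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "${1:-/etc/rsyslog.conf}"
    else
        echo "rsyslogd not installed here, skipping syntax check" >&2
    fi
}

# Install only when asked for: ./server-receiver.sh install
if [ "${1:-}" = "install" ]; then
    render_server_conf 514 /data > /etc/rsyslog.d/remote.conf
    validate_conf                   # parses rsyslog.conf and every drop-in
    systemctl restart rsyslog
    ss -lntup | grep ':514 '        # expect rsyslogd on 514/tcp and 514/udp
fi
```

Before running `install`, remove the legacy `$ModLoad imudp`, `$UDPServerRun`, `$ModLoad imtcp`, `$InputTCPServerRun` lines and the `*.* ?RemoteHost` / `& ~` pair from /etc/rsyslog.conf, otherwise the modules are loaded twice and the dry run reports an error. Opening the port on a CentOS 7 host with firewalld (assumed here) is `firewall-cmd --permanent --add-port=514/tcp`, the same for 514/udp, then `firewall-cmd --reload`.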
(3) rsyslog client configuration

1. Edit the rsyslog configuration file on the client:

```
[root@server98 log]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %msg%\n"   ####### custom template (defined here, not used by any rule below)
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.* @192.168.99.99:514   ######## tells rsyslogd to route every message from every facility on this system to the remote rsyslog server 192.168.99.99, UDP port 514; @@ sends over TCP, a single @ over UDP
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                                /etc/keepalived/keepalived.log
```

With `*.*` and a single `@`, everything the client logs, authpriv and mail included, leaves the host in clear text over UDP, with no delivery guarantee and no feedback if the server is down. `@@192.168.99.99:514` selects TCP, which the server above also listens on, and is the better default for a collector that matters. (In a template string the newline escape is `\n`; `%msg%n` would append a literal `n`.)
2. Restart rsyslog on the client:

```
[root@server98 log]# systemctl restart rsyslog
[root@server98 log]# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-05-24 16:57:04 CST; 4s ago
 Main PID: 44765 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─44765 /usr/sbin/rsyslogd -n

May 24 16:57:04 server98 systemd[1]: Starting System Logging Service...
May 24 16:57:04 server98 systemd[1]: Started System Logging Service.
```
(4) Check that logs are produced correctly on the client and on the server.

(1) On the server, check that /data/DATE/IP.log is created and receives messages:

```
[root@zabbix 2018-05-24]# tail -f /data/2018-05-24/192.168.99.98.log
2018-05-24T17:02:52+08:00 server98 postfix/pickup[41198]: AAC764ACB03: uid=0 from=<smokealert@company.xy>
2018-05-24T17:02:52+08:00 server98 postfix/cleanup[45967]: AAC764ACB03: message-id=<20180524090252.AAC764ACB03@server98.localdomain>
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AAC764ACB03: from=<smokealert@company.xy>, size=851, nrcpt=1 (queue active)
2018-05-24T17:02:52+08:00 server98 postfix/smtp[39596]: AAC764ACB03: to=<alertee@address.somewhere>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=address.somewhere type=AAAA: Host not found)
2018-05-24T17:02:52+08:00 server98 postfix/cleanup[45967]: AB6804ACB0B: message-id=<20180524090252.AB6804ACB0B@server98.localdomain>
2018-05-24T17:02:52+08:00 server98 postfix/bounce[45968]: AAC764ACB03: sender non-delivery notification: AB6804ACB0B
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AB6804ACB0B: from=<>, size=2811, nrcpt=1 (queue active)
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AAC764ACB03: removed
2018-05-24T17:02:52+08:00 server98 postfix/smtp[39597]: AB6804ACB0B: to=<smokealert@company.xy>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=company.xy type=AAAA: Host not found)
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AB6804ACB0B: removed
2018-05-24T17:14:33+08:00 server98 root: hello world
```

The server's file carries RFC 3339 timestamps because the `*.* ?RemoteHost` action is defined before `$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat` and therefore uses rsyslog's default RSYSLOG_FileFormat; the client's local files below use the traditional format.

(2) Generate a message on the client and confirm it is present on both sides:

```
[root@server98 ~]# tail -f /var/log/messages
May 24 17:11:40 server98 Keepalived_vrrp[49377]: VRRP_Script(chk_http_port) succeeded
May 24 17:11:52 server98 smokeping[38532]: Alert someloss is active for Other.hefei.hefei-office2
May 24 17:11:52 server98 smokeping[38532]: Alert someloss is active for Other.wuxi.wuxi-office2
May 24 17:12:52 server98 smokeping[38532]: Alert someloss is active for Other.hefei.hefei-office2
May 24 17:12:52 server98 smokeping[38532]: Alert someloss is active for Other.wuxi.wuxi-office2
May 24 17:13:52 server98 smokeping[38532]: Alert someloss is active for Other.hefei.hefei-office2
May 24 17:13:52 server98 smokeping[38532]: Alert someloss is active for Other.wuxi.wuxi-office2
May 24 17:14:33 server98 root: hello world
```

A line like `root: hello world` is what `logger hello world` produces when run as root (the default tag is the invoking user, facility user, severity notice); it appears in the client's /var/log/messages and, with the same timestamp, in the server's per-host file.
This completes log synchronisation between the log server and the client.
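The client side of sections (3) and (4) as one added example, not the page's own configuration: a script that renders the forwarding rule as an /etc/rsyslog.d/ drop-in over TCP (the page's `@@` form) with a disk-assisted queue, so messages are held on the client while the server is unreachable instead of being lost, plus a check that sends a unique marker with `logger` and waits for it to appear in a log file, which is the page's `hello world` test made repeatable. The server address and port are the page's; the drop-in name forward.conf, the queue name fwd_q, the tag rsyslog-check and the disk limit are assumptions. The queue file lives under the `$WorkDirectory /var/lib/rsyslog` already set in the page's rsyslog.conf.

```shell
#!/bin/sh
# Added example: client-side forwarding drop-in plus an end-to-end check.
# Not the page's configuration; file and queue names are assumptions.
set -u

# Print the forwarding rule. $1 = collector address, $2 = port.
render_client_conf() {
    cat <<EOF
# Forward every facility and severity to the collector over TCP. Compared
# with the page's one-liner '*.* @@$1:$2' this adds a disk-assisted queue:
# while the collector is down, messages accumulate in fwd_q under
# \$WorkDirectory (/var/lib/rsyslog) and are replayed when it returns.
*.* action(type="omfwd" target="$1" port="$2" protocol="tcp"
           action.resumeRetryCount="-1"
           queue.type="LinkedList" queue.filename="fwd_q"
           queue.maxDiskSpace="1g" queue.saveOnShutdown="on")
EOF
}

# Emit a unique marker through the local syslog socket and print it.
# logger uses user.notice by default and tags the line with the caller,
# which is exactly how the page's 'root: hello world' line came about.
send_marker() {
    marker="rsyslog-check-$(date +%s)-$$"
    logger -t rsyslog-check "$marker"
    echo "$marker"
}

# Poll file $1 until string $2 appears or $3 seconds have passed.
# Returns 0 when found, 1 on timeout; a missing file counts as not found,
# the usual symptom of a closed firewall port or a wrong selector.
wait_for_marker() {
    file=$1; marker=$2; timeout=${3:-10}
    while [ "$timeout" -gt 0 ]; do
        if [ -f "$file" ] && grep -qF -- "$marker" "$file"; then
            return 0
        fi
        sleep 1
        timeout=$((timeout - 1))
    done
    return 1
}

case "${1:-}" in
    install)                      # ./client-forward.sh install [server-ip]
        render_client_conf "${2:-192.168.99.99}" 514 > /etc/rsyslog.d/forward.conf
        if rsyslogd -N1; then systemctl restart rsyslog; fi ;;
    check)                        # ./client-forward.sh check [logfile]
        m=$(send_marker)
        if wait_for_marker "${2:-/var/log/messages}" "$m" 10; then
            echo "marker $m found in ${2:-/var/log/messages}"
        else
            echo "marker $m NOT found within 10s" >&2; exit 1
        fi ;;
esac
```

Remove the page's `*.* @192.168.99.99:514` line from /etc/rsyslog.conf before installing the drop-in, or every message is sent twice. Run `check` on the client against /var/log/messages and, over ssh, on the server against /data/$(date +%F)/192.168.99.98.log; the marker should be found in both within a second or two.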
Notes:
1. Facility, the syslog subsystem: rsyslog uses the facility to record where a log message comes from, which makes messages easy to classify. Codes 0-23 are defined (Python's syslog module only exposes some of them):

| Code | Facility | Selector keyword |
|---|---|---|
| 0 | kernel messages | kern |
| 1 | user-level messages | user |
| 2 | mail system | mail |
| 3 | system daemons | daemon |
| 4 | security/authorization messages | auth |
| 5 | messages generated internally by syslogd | syslog |
| 6 | line printer subsystem | lpr |
| 7 | network news subsystem | news |
| 8 | UUCP subsystem | uucp |
| 9 | clock daemon | cron |
| 10 | security/authorization messages | authpriv |
| 11 | FTP daemon | ftp |
| 12 | NTP subsystem | |
| 13 | log audit | |
| 14 | log alert | |
| 15 | clock daemon | |
| 16-23 | local0 - local7 | local0 - local7 |

Commonly used ones:

2. Severity, the log level:

| Code | Severity | Selector keyword |
|---|---|---|
| 0 | Emergency | emerg |
| 1 | Alert | alert |
| 2 | Critical | crit |
| 3 | Error | err |
| 4 | Warning | warning |
| 5 | Notice | notice |
| 6 | Informational | info |
| 7 | Debug | debug |

A selector `facility.severity` in rsyslog.conf matches the named severity and everything more severe: `*.info` in the configurations above means "info and up from every facility", `uucp,news.crit` means "crit and up from those two facilities", and `mail.none` removes a facility from a selector list. On the wire each message starts with a PRI value, `facility * 8 + severity`, in angle brackets; `<13>` is user.notice, the default that `logger` sends.
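The two tables above turned into a working converter, as an added example that is not part of the original post: the functions below map between the PRI number that starts every syslog message on the wire, the `facility.severity` pair used in rsyslog selectors, and a raw received line. The keywords for 0-11 and 16-23 are the standard selector names; for 12-15, which have no widely used selector keyword, short names derived from the page's descriptions are used (an assumption). The sample line at the bottom is constructed, not captured from the page's hosts.

```shell
#!/bin/sh
# Added example: PRI <-> facility.severity conversion for syslog messages.
# Not from the page; the short names for facilities 12-15 are assumptions.
set -u

# Selector keyword for a numeric facility 0-23.
facility_name() {
    case "$1" in
        0) echo kern ;;     1) echo user ;;      2) echo mail ;;     3) echo daemon ;;
        4) echo auth ;;     5) echo syslog ;;    6) echo lpr ;;      7) echo news ;;
        8) echo uucp ;;     9) echo cron ;;     10) echo authpriv ;; 11) echo ftp ;;
        12) echo ntp ;;     13) echo audit ;;   14) echo alert ;;   15) echo clock ;;
        16|17|18|19|20|21|22|23) echo "local$(($1 - 16))" ;;
        *) return 1 ;;
    esac
}

# Selector keyword for a numeric severity 0-7.
severity_name() {
    case "$1" in
        0) echo emerg ;;   1) echo alert ;;   2) echo crit ;;  3) echo err ;;
        4) echo warning ;; 5) echo notice ;;  6) echo info ;;  7) echo debug ;;
        *) return 1 ;;
    esac
}

# Reverse lookups: keyword -> number (exit status 1 for unknown names).
facility_code() {
    i=0
    while [ "$i" -le 23 ]; do
        if [ "$(facility_name "$i")" = "$1" ]; then echo "$i"; return 0; fi
        i=$((i + 1))
    done
    return 1
}
severity_code() {
    i=0
    while [ "$i" -le 7 ]; do
        if [ "$(severity_name "$i")" = "$1" ]; then echo "$i"; return 0; fi
        i=$((i + 1))
    done
    return 1
}

# PRI number -> "facility.severity". Valid PRIs are 0..191 (23*8+7).
decode_pri() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 191 ] || return 1
    echo "$(facility_name $(($1 / 8))).$(severity_name $(($1 % 8)))"
}

# "facility" "severity" -> PRI number, e.g. local0 info -> 134.
encode_pri() {
    f=$(facility_code "$1") || return 1
    s=$(severity_code "$2") || return 1
    echo $((f * 8 + s))
}

# Extract the PRI from a raw line as received on the socket ("<13>May 24 ...").
# Lines without a leading <n> are rejected here; rsyslog itself files such a
# line under user.notice, a common source of misclassified events.
pri_of_line() {
    printf '%s\n' "$1" | sed -n 's/^<\([0-9]\{1,3\}\)>.*/\1/p' | grep . || return 1
}

# Constructed sample (not captured from the page's hosts): what the client's
# 'root: hello world' looks like on the wire when sent by logger.
SAMPLE_LINE='<13>May 24 17:14:33 server98 root: hello world'
echo "$SAMPLE_LINE -> $(decode_pri "$(pri_of_line "$SAMPLE_LINE")")"
```

Decoding the PRI is the quickest way to tell why a message landed in the wrong file: a line that ends up in /var/log/messages instead of /var/log/secure, for example, was sent with facility auth (4) rather than authpriv (10), and `encode_pri authpriv err` gives the `<83>` prefix you would expect to see for it on the wire.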
Key configuration files:

1. rsyslog server configuration:
```
[root@zabbix 2018-05-23]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
$template RemoteHost,"/data/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log"
*.* ?RemoteHost
& ~
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                                /etc/keepalived/keepalived.log
```
2. rsyslog client configuration:

```
[root@server98 log]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %msg%\n"
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                @192.168.99.99:514
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                                /etc/keepalived/keepalived.log
```

This listing forwards only the selector that also feeds /var/log/messages, so mail, authpriv and cron messages stay on the client, whereas section (3) used `*.*` and forwarded everything; the postfix lines in the server's file in section (4) would not arrive with this narrower selector. Choose one deliberately: authpriv is the facility that carries sshd and sudo events, which a central collector usually exists to capture.