Servers (9) -- Forwarding Linux system logs with rsyslog

I. Introduction

RSYSLOG is the rocket-fast system for log processing.

It offers high-performance, great security features and a modular design. While it started as a regular syslogd, rsyslog has evolved into a kind of swiss army knife of logging, being able to accept inputs from a wide variety of sources, transform them, and output the results to diverse destinations.

RSYSLOG can deliver over one million messages per second to local destinations when limited processing is applied (based on v7, December 2013). Even with remote destinations and more elaborate processing the performance is usually considered "stunning".


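1. rsyslog is a program for collecting and processing system logs quickly; it offers high performance, strong security features and a modular design.

2. rsyslog is the upgraded version of syslog. Starting with CentOS 6, the system log configuration file /etc/syslog.conf no longer exists; it is replaced by /etc/rsyslog.conf.

3. To check whether rsyslog is installed on the server, run: rsyslogd -version


4. If rsyslog is not installed on the server, install it with: yum install rsyslog -y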


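II. Deployment

1. Environment diagram


2. Deployment steps on the rsyslog server

(1) Edit the rsyslog configuration file at /etc/rsyslog.conf. It is best to back it up before changing it. The file contents after modification are as follows: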

[root@opm log]# grep -v "^#" /etc/rsyslog.conf | grep -v "^$"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad immark  # provides --MARK-- message capability
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$AllowedSender tcp, 192.168.233.0/24
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /data/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
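local7.*                                                /var/log/boot.log

a. $AllowedSender tcp, 192.168.233.0/24 allows hosts in the 30.0 network segment to send logs over the TCP protocol.

b. $template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" defines a template for the path of the received log files, which keeps the logs of different hosts separate.

c. :fromhost-ip, !isequal, "127.0.0.1" ?Remote filters the server's own local logs.

d. $InputTCPServerRun 514 enables TCP; TCP and UDP can coexist.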

(2) Create the log directory. Try to create it on one of the larger areas of the system, because it has to hold the log files of many servers.

mkdir -pv /data/log

(3) Restart the rsyslog service and check the listening port to see whether 514 is using the TCP protocol.

Restart: systemctl restart rsyslog

Check the port: netstat -tunlp | grep rsyslog

 

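3. Deployment steps on the rsyslog clients

(1) Configuration on node1

As before, back up /etc/rsyslog.conf first, then edit rsyslog.conf, and restart the rsyslog service once the configuration is done.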

[root@node1 ~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %msg%\n"
$ActionFileDefaultTemplate myFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                @192.168.233.128
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

(2) Configuration on ceph1

Back up first, then edit rsyslog.conf, and finally restart the rsyslog service.

[root@ceph1 ~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                @192.168.233.128
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
$template myFormat,"%timestamp% %fromhost-ip%%msg%\n"
$ActionFileDefaultTemplate myFormat
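
An added example (not part of the original post): a small shell audit for legacy-syntax rsyslog.conf files like the ones above. It reports which listening transports have no $AllowedSender entry and whether each forwarding action uses UDP (@host) or TCP (@@host). The function names are hypothetical, and the sample input is excerpted from the server and client configs on this page.

```shell
#!/bin/sh
# Added example: audit legacy-syntax rsyslog.conf files for transport mismatches.

# Transports the config listens on (udp/tcp), one per line.
listeners() {
    awk '$1 == "$UDPServerRun" { print "udp" }
         $1 == "$InputTCPServerRun" { print "tcp" }' "$1" | sort -u
}

# Transports that have a $AllowedSender allow list.
allowed() {
    awk '$1 == "$AllowedSender" { p = tolower($2); sub(/,.*/, "", p); print p }' "$1" | sort -u
}

# Listening transports that accept messages from any address.
unrestricted() {
    for p in $(listeners "$1"); do
        allowed "$1" | grep -qx "$p" || echo "$p"
    done
}

# Forwarding actions as "<transport> <target>": "@host" is UDP, "@@host" is TCP.
forwards() {
    awk '!/^[ \t]*[#$]/ && $NF ~ /^@/ {
        t = ($NF ~ /^@@/) ? "tcp" : "udp"
        h = $NF; sub(/^@+/, "", h); print t, h }' "$1"
}

# Sample input: the relevant lines of the server and client configs shown above.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/server.conf" <<'EOF'
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$AllowedSender tcp, 192.168.233.0/24
EOF
cat > "$SAMPLES/client.conf" <<'EOF'
*.info;mail.none;authpriv.none;cron.none                @192.168.233.128
authpriv.*                                              /var/log/secure
EOF

echo "server listens on:        $(listeners "$SAMPLES/server.conf" | tr '\n' ' ')"
echo "server has no allow list: $(unrestricted "$SAMPLES/server.conf" | tr '\n' ' ')"
echo "client forwards via:      $(forwards "$SAMPLES/client.conf")"
```

On these configs the clients forward over UDP, while the server's only allow list covers TCP. Writing the client action as @@192.168.233.128 switches it to TCP, and a separate $AllowedSender udp line restricts the UDP listener.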

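III. Verification

1. On the server, go into /data/log and look at the logs; with tree you can see the directory structure as a tree.


messages: the server's own system log
Directory 192.168.233.129: logs from the node1 client

Directory 192.168.233.130: logs from the ceph1 client

2. View node1's logs

On the client node's command line, enter: logger "hello world"


On the server, view the client node's log by entering: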

tail -f /data/log/192.168.233.129/192.168.233.129_2018-02-25.log
