V5配置語法:
推送端設置
[root@nginx01 ~]# cat /etc/rsyslog.conf
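# rsyslog v5 configuration file (sending host)
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability
$ModLoad imfile   # load the imfile module (reads lines from text files)

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# local5.none keeps the local5 facility (used for the nginx access log read
# by imfile below) out of /var/log/messages.
*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
#cron.* /var/log/cron
# A single "@" forwards over UDP: delivery is not guaranteed, the payload is
# not encrypted and the receiver cannot authenticate the sender.
cron.* @192.168.10.50

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

#### FILE INPUT (imfile) ####
# Each directive name must be separated from its value by whitespace;
# a fused form such as "$InputFileTagweb_access" is not a known directive.

# Log file to read (the file being monitored).
$InputFileName /application/nginx/logs/access.log
# Tag string attached to every line read from the file.
$InputFileTag web_access
# Severity assigned to the lines.
$InputFileSeverity info
# State file recording the read position (comparable to MySQL's master.info).
# If the monitored file name changes, this state file name must change too,
# otherwise nothing is transferred.
# NOTE(review): imfile state files are normally kept under $WorkDirectory,
# which is commented out above - confirm rsyslogd can write this path.
$InputFileStateFile /etc/rsyslog.d/stat-access
# Facility assigned to the lines.
$InputFileFacility local5
# How often the file is checked for new data (seconds).
$InputFilePollInterval 1
# How often the read offset is written back to the state file. The unit is
# processed lines, not seconds: 1 rewrites the state file after every line.
$InputFilePersistStateInterval 1
# Activates the monitor defined above. Several files can be monitored; end
# each group of $InputFile* settings with this directive.
$InputRunFileMonitor

# Send every severity of facility local5 to 192.168.10.51 over UDP.
# NOTE(review): access-log lines commonly carry client addresses and request
# URLs, and UDP forwarding sends them in clear text with no delivery guarantee.
# The commented "@@" TCP rule with a disk queue above is the reliable variant;
# it needs a TCP listener on the receiving side.
local5.* @192.168.10.51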
接收端配置
[root@lb01 ~]# cat /etc/rsyslog.conf
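# rsyslog v5 configuration file (receiving host)
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
# Directive and value must be separated by whitespace ("$ModLoadimudp" and
# "$UDPServerRun514" are not known directives).
$ModLoad imudp     # load the imudp module
$UDPServerRun 514  # start UDP reception on the given port
# NOTE(review): as written the listener accepts datagrams from any source, and
# a UDP source address is not authenticated. Restrict who may send, e.g. with a
# host firewall rule and/or an allow-list (placeholder value, not from this page):
#$AllowedSender UDP, <SENDER_IP_OR_CIDR>

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# local5.none keeps the local5 facility out of /var/log/messages.
*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

#### REMOTE nginx LOGS ####
# Template for the format of the stored line (by default several header
# fields are written in front of each record). Use %msg:2:$% instead of %msg%
# to drop the space at the start of the message.
# NOTE(review): with only %msg% the stored line carries no timestamp or sender
# field, so the file alone does not show which host a line came from.
$template SpiceTmpl,"%msg%\n"

# Template for the path of the stored file; the %...% parts name the file by
# year-month-day. Only date properties appear in the path, so nothing taken
# from the received message influences where the file is written.
$template DynaFile,"/data/www/wifiin/logs/remote/nginx/%$YEAR%-%$MONTH%-%$DAY%.log"

# Store everything that arrives on facility local5 at that location.
# "?" selects a dynamic file-name template; ";SpiceTmpl" selects the line format.
local5.* ?DynaFile;SpiceTmpl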
編輯 /etc/sysconfig/rsyslog 中 SYSLOGD_OPTIONS="" 開啓遠程日誌接收功能
[root@lb01 ~]# cat /etc/sysconfig/rsyslog
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
#
# Left empty: no sysklogd-style flags are set through this variable.
# NOTE(review): in the rsyslog.conf shown for this host, reception is enabled
# by loading imudp and $UDPServerRun, not by a flag here - confirm how the
# init script consumes this variable before relying on it.
SYSLOGD_OPTIONS=""
或者
vi /etc/sysconfig/syslog
#######################################
把SYSLOGD_OPTIONS="-m0"
改成SYSLOGD_OPTIONS="-r -m 0"
#######################################
相關解釋說明:
-r:打開接受外來日誌消息的功能,其監控514 UDP端口;
-x:關閉自動解析對方日誌服務器的FQDN信息,這能避免DNS不完整所帶來的麻煩;
-m:修改syslog的內部mark消息寫入間隔時間(0爲關閉),例如240爲每隔240分鐘寫入一次"--MARK--"信息;
-h:默認情況下,syslog不會發送從遠端接受過來的消息到其他主機,而使用該選項,則把該開關打開,所有
接受到的信息都可根據syslog.conf中定義的@主機轉發過去
V8配置語法:
v8 queue語法官方文檔:
http://www.rsyslog.com/doc/v8-stable/rainerscript/queue_parameters.html?highlight=queue
v8模塊官方文檔
http://www.rsyslog.com/doc/v8-stable/configuration/modules/idx_output.html
發送端配置:
[root@wifiin-server-speedcloud-131 ~]# cat /etc/rsyslog.conf
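# rsyslog configuration file (sending host)
# note that most of this config file uses old-style format,
# because it is well-known AND quite suitable for simple cases
# like we have with the default config. For more advanced
# things, RainerScript configuration is suggested.
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

$MaxMessageSize 1M

#### RULESET ####
# Defines the forwarding rule: output module type, target host, port,
# protocol, compression mode and level, queue type, queue size and so on.
# NOTE(review): Protocol="tcp" without a TLS stream driver sends the log lines
# unencrypted and does not authenticate the receiver, and the target is not an
# RFC 1918 address. omfwd can use TLS through its StreamDriver* parameters;
# consider that if this path crosses an untrusted network.
# NOTE(review): queue.spoolDirectory="/var/log" places spool files holding
# undelivered log content next to the regular logs - confirm the permissions
# on that directory.
ruleset(name="remote") {
    action(type="omfwd"
           Target="124.193.131.2"
           Port="514"
           Protocol="tcp"
           compression.mode="single"
           compression.stream.flushOnTXEnd="off"
           ZipLevel="9"
           queue.filename="remoteQueue_124_193_131_2"
           queue.spoolDirectory="/var/log"
           queue.type="LinkedList"
           queue.saveonshutdown="on"
           queue.size="100000"
           queue.maxdiskspace="1000M"
           queue.maxfilesize="1000M"
           action.resumeretrycount="-1"
           queue.dequeuebatchsize="500")
    # Messages handled by this ruleset are not processed any further.
    stop
}

#### MODULES ####
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog")   # provides kernel logging support (previously done by rklogd)
#module(load="immark")  # provides --MARK-- message capability
module(load="imfile")   # load the imfile module

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
# NOTE(review): this host is the sender. Forwarding with omfwd does not need a
# local listener; the two lines below open TCP 514 to any peer. Keep them only
# if this host must also receive logs, and then restrict the allowed sources.
module(load="imtcp") # needs to be done just once; loads the imtcp module
input(type="imtcp" port="514") # enable TCP log reception

#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# local1.none keeps the local1 facility out of /var/log/messages.
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* /var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
# Stop processing any message whose raw text contains "gdnsd".
:rawmsg, contains, "gdnsd" stop
#*.* @@(z9)124.193.131.2:514
# ### end of the forwarding rule ###

# sdk.wifiin.cn nginx logs push
# Both inputs are bound to the "remote" ruleset, so their lines are forwarded
# by the omfwd action above and do not pass through the RULES section.
# Explanatory text inside input(...) must be a "#" comment; a bare line of
# prose between the parameters is a syntax error.
input(type="imfile"                                              # input type is imfile
      # State file recording the read position (comparable to MySQL's
      # master.info). If the monitored file name changes, this state file
      # name must change too, otherwise nothing is transferred.
      # NOTE(review): newer v8 releases manage imfile state files themselves
      # and deprecate this parameter - check the installed version.
      StateFile="/etc/rsyslog.d/access_sdk_nginx"
      File="/data/www/wifiin/logs/nginx/access_sdk.wifiin.cn.log" # log file to read (the monitored file)
      Facility="local1"                                           # facility
      Severity="info"                                             # severity
      Tag="sdk_nginx_access"                                      # tag string; the receiver can select logs by filtering on it
      PersistStateInterval="1"                                    # write the read offset back every N processed lines (lines, not seconds)
      Ruleset="remote")                                           # process with the "remote" ruleset

input(type="imfile"
      StateFile="/etc/rsyslog.d/error_sdk_nginx"
      File="/data/www/wifiin/logs/nginx/error_sdk.wifiin.cn.log"
      Facility="local1"
      Severity="info"
      Tag="sdk_nginx_error"
      PersistStateInterval="1"
      Ruleset="remote")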
接收端配置:
[root@lb02 sdk_nginx]# cat /etc/rsyslog.conf
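# rsyslog configuration file (receiving host)
# note that most of this config file uses old-style format,
# because it is well-known AND quite suitable for simple cases
# like we have with the default config. For more advanced
# things, RainerScript configuration is suggested.
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog")   # provides kernel logging support (previously done by rklogd)
#module(load="immark")  # provides --MARK-- message capability

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
# NOTE(review): as written the listener accepts plain-TCP connections from any
# peer; nothing in this file limits or authenticates senders. Restrict the
# sources (host firewall and/or an allow-list such as the placeholder below)
# and consider TLS when senders reach this host over an untrusted network.
#$AllowedSender TCP, <SENDER_IP_OR_CIDR>
module(load="imtcp") # needs to be done just once; loads the imtcp module
input(type="imtcp" port="514") # enable TCP log reception

#### TEMPLATES ####
# Format of each stored line.
# NOTE(review): %HOSTNAME% comes from the header of the received message, i.e.
# it is the name the sender reports; %fromhost-ip% would record the address of
# the connecting peer instead.
$template SpiceTmpl,"%HOSTNAME% %msg:2:$%\n"

# Location and file-name format of the stored logs. Only date properties
# appear in the paths, so message content does not influence the file name.
$template NginxAccessDynaFile,"/data/www/wifiin/logs/remote/sdk_nginx/access-%$year%-%$month%-%$day%.log"
$template NginxErrorDynaFile,"/data/www/wifiin/logs/remote/sdk_nginx/error-%$year%-%$month%-%$day%.log"

#### GLOBAL DIRECTIVES ####
# Use default timestamp format
# (directive and value must be separated by whitespace)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# local1.none keeps the local1 facility out of /var/log/messages.
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* /var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# Works around running out of local0-local7 facilities: logs are routed by
# tag string instead of by facility.
# NOTE(review): these filters test the whole raw message, not the tag field.
# Access-log lines contain request-supplied text (URL, User-Agent), so a line
# that merely contains one of these strings is also written to that file.
# Matching the tag field is narrower, e.g.:
#:syslogtag, contains, "sdk_nginx_access" ?NginxAccessDynaFile;SpiceTmpl
#:syslogtag, contains, "sdk_nginx_error" ?NginxErrorDynaFile;SpiceTmpl

# Select messages containing sdk_nginx_access and write them using the
# NginxAccessDynaFile path template and the SpiceTmpl line format.
:rawmsg,contains,"sdk_nginx_access" ?NginxAccessDynaFile;SpiceTmpl
# Select messages containing sdk_nginx_error and write them using the
# NginxErrorDynaFile path template and the SpiceTmpl line format.
:rawmsg,contains,"sdk_nginx_error" ?NginxErrorDynaFile;SpiceTmpl

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###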