CentOS 7: shipping logs from a client to a server with rsyslog

Client-side rsyslog configuration (CentOS ships rsyslog; nothing extra to install)

vim /etc/rsyslog.conf
#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability
$ModLoad imfile   # text-file input: tails nginx's log files (needed for the $InputFile* block below)

# The client only sends; it has no reason to accept syslog from the network.
# Leaving 514 open here lets any host on the LAN inject lines into this box's logs,
# so the receivers stay commented out (they are enabled on the server instead).
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files (the imfile state files also land here)
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# The stock CentOS 7 file sets this to "on" because imjournal supplies the local messages.
# imjournal is not loaded here, so "on" would silently drop everything arriving on /dev/log
# (logger, sshd, cron ...) and leave /var/log/messages and /var/log/secure empty.
$OmitLocalLogging off

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen. (kernel)
kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# (kernel messages, general messages from the various services, errors ...)
# local5/local6 are excluded here; otherwise every nginx line forwarded below is also
# written into this box's own /var/log/messages.
*.info;mail.none;authpriv.none;cron.none;local5.none;local6.none   /var/log/messages

# The authpriv file has restricted access. (authentication and authorization information)
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place. (the mail server running on this system)
mail.*                                                  -/var/log/maillog


# Log cron stuff (one entry each time cron starts a job)
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log (local7: a site-defined facility)
local7.*                                                /var/log/boot.log


# --- nginx access log -> local5, forwarded over TCP ---
# Legacy imfile syntax: the $InputFile* lines describe one file and
# $InputRunFileMonitor (which must come last) activates that description.
# file to watch
$InputFileName    /usr/local/nginx/logs/access.log
# tag that becomes the syslog TAG of every line (must be unique per monitored file)
$InputFileTag    req_access
# severity assigned to every line read from the file
$InputFileSeverity   info
# state file: name only, created under $WorkDirectory. One distinct name per monitored file,
# otherwise imfile loses its read position and lines are skipped or sent twice.
$InputFileStateFile    stat-nginx-access
# facility: local5
$InputFileFacility    local5
# poll the file once per second
$InputFilePollInterval    1
# write the read position after every line (safe, but I/O heavy)
$InputFilePersistStateInterval 1
$InputRunFileMonitor
# Send everything from this facility to the remote server.  @ = UDP, @@ = TCP.
# The transport is plaintext: access logs carry client IPs, URLs and possibly session
# tokens, so keep this on a trusted network segment.  Without an action queue the
# messages back up while the server is unreachable; the $ActionQueue* directives in the
# forwarding block of the stock rsyslog.conf spool them to disk instead.
local5.*  @@192.168.194.6:514


# --- nginx error log -> local6 ---
$InputFileName    /usr/local/nginx/logs/error.log
$InputFileTag    req_error
$InputFileSeverity   info
$InputFileStateFile    stat-nginx-error
$InputFileFacility    local6
$InputFilePollInterval    1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
local6.*  @@192.168.194.6:514

Log types (facilities):

auth        – messages produced by PAM
authpriv    – authentication details for ssh, ftp and other logins
cron        – scheduled tasks
kern        – kernel
lpr         – printing
mail        – mail
mark (syslog) – rsyslog's own internal messages, periodic timestamp marks
news        – newsgroups
user        – messages from user programs
uucp        – unix to unix copy, communication between unix hosts
local0–local7 – site-defined facilities (local5 and local6 carry the nginx logs in this setup)

Selector operators (facility.level):

.xxx:  messages at level xxx and higher (more severe)
.=xxx: messages at exactly level xxx
.!xxx: removes level xxx and higher from what an earlier selector on the same line matched, leaving only the levels less severe than xxx; .!=xxx removes exactly xxx
*      stands for all facilities or all levels; none drops a facility (as in *.info;mail.none above)
Several selectors joined with ; are applied left to right; facilities that share one level are joined with , (uucp,news.crit)

Log levels:

From lowest to highest severity; the higher the level chosen, the fewer messages are recorded.
debug       – debugging output, the most verbose
info        – informational messages, the most commonly used
notice      – normal but significant condition
warning     – warning condition
err         – error: some function or module cannot work properly
crit        – critical: the whole system or application cannot work properly
alert       – action must be taken immediately
emerg       – system unusable, e.g. a kernel panic
none        – record nothing

Actions:

/var/log/file     write to a log file (the leading - on the maillog line is the legacy "no sync" marker; it changes nothing while $ActionFileEnableSync is off, the default)
@@192.168.0.1     send to a TCP server
@192.168.0.1      send to a UDP server
user1,user2       write to the terminals of logged-in users user1 and user2 (legacy form of :omusrmsg:user1,user2, which the *.emerg line uses)
~                 discard the message (legacy; the current keyword is stop)
^/path/script     run a program with the message as its first argument, e.g. to raise an alert; rsyslog waits for the program to exit before handling the next message, so a slow script stalls the queue (omprog is the maintained replacement)
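The arithmetic behind these three tables, as an added example in shell that is not part of the original post: it decodes the <PRI> of a line in the format the client's @@ action emits (PRI = facility * 8 + severity), splits TAG from MSG the way rsyslog's RFC 3164 parser does (which is why the server's %msg% template yields lines beginning with a space), and evaluates a selector list with the left-to-right mask semantics inherited from sysklogd. The two sample lines are constructed, not captured; the facility and severity names follow rsyslog's tables.

```shell
#!/bin/sh
# Added example, not from the original post. Sample lines are constructed to look like the
# client's "local5.* @@server" output (RSYSLOG_ForwardFormat: <PRI>timestamp host tag msg).
# rsyslog's facility and severity names; the position in the list is the numeric code.
FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp security console solaris-cron local0 local1 local2 local3 local4 local5 local6 local7"
SEVERITIES="emerg alert crit err warning notice info debug"
name_index() { # $1 = table, $2 = name -> prints the code; fails on an unknown name
  ni_i=0
  for ni_n in $1; do
    [ "$ni_n" = "$2" ] && { echo "$ni_i"; return 0; }
    ni_i=$((ni_i + 1))
  done
  return 1
}
index_name() { # $1 = table, $2 = code -> prints the name
  in_i=0
  for in_n in $1; do
    [ "$in_i" -eq "$2" ] && { echo "$in_n"; return 0; }
    in_i=$((in_i + 1))
  done
  return 1
}
pri_encode() { # facility severity -> <PRI> value: PRI = facility * 8 + severity
  echo $(( $(name_index "$FACILITIES" "$1") * 8 + $(name_index "$SEVERITIES" "$2") ))
}
pri_decode() { # <PRI> value -> facility.severity
  echo "$(index_name "$FACILITIES" $(( $1 / 8 ))).$(index_name "$SEVERITIES" $(( $1 % 8 )))"
}
sev_upto() { # bitmask of severity $1 plus everything more severe (lower numbers)
  echo $(( (1 << ($1 + 1)) - 1 ))
}
facility_listed() { # $1 = "*" or comma-separated facilities, $2 = facility in question
  fl_rest=$1
  while [ -n "$fl_rest" ]; do
    fl_f=${fl_rest%%,*}
    case $fl_rest in *,*) fl_rest=${fl_rest#*,} ;; *) fl_rest='' ;; esac
    case $fl_f in "*"|"$2") return 0 ;; esac
  done
  return 1
}
# Evaluate a selector list exactly as written in rsyslog.conf ($1) for facility $2 at severity $3.
# sysklogd semantics: selectors apply left to right and each edits one bitmask of selected severities.
selector_matches() {
  sevn=$(name_index "$SEVERITIES" "$3") || return 2
  mask=0
  sm_rest=$1
  while [ -n "$sm_rest" ]; do
    sm_sel=${sm_rest%%;*}
    case $sm_rest in *\;*) sm_rest=${sm_rest#*;} ;; *) sm_rest='' ;; esac
    facs=${sm_sel%.*}; lvl=${sm_sel##*.}
    facility_listed "$facs" "$2" || continue
    case $lvl in
      '*')   mask=255 ;;                                           # .*    every severity
      none)  mask=0 ;;                                             # .none drop this facility
      '!='*) n=$(name_index "$SEVERITIES" "${lvl#!=}") || return 2
             mask=$(( mask & ~(1 << n) & 255 )) ;;                 # .!=x  all but exactly x
      '!'*)  n=$(name_index "$SEVERITIES" "${lvl#!}") || return 2
             mask=$(( mask & ~$(sev_upto "$n") & 255 )) ;;         # .!x   remove x and higher
      '='*)  n=$(name_index "$SEVERITIES" "${lvl#=}") || return 2
             mask=$(( mask | (1 << n) )) ;;                        # .=x   exactly x
      *)     n=$(name_index "$SEVERITIES" "$lvl") || return 2
             mask=$(( mask | $(sev_upto "$n") )) ;;                # .x    x and higher
    esac
  done
  [ $(( (mask >> sevn) & 1 )) -eq 1 ]
}
# Split one forwarded line into PRI|facility.severity|host|tag|msg the way the RFC 3164
# parser does: TAG ends at the first ':' or ' '; a ':' stays in the tag, a ' ' stays in MSG,
# which is why "%msg%" on the server produces lines that start with a space.
parse_forwarded() {
  pf_line=$1
  pri=${pf_line#<}; pri=${pri%%>*}
  rest=${pf_line#*>}
  rest=${rest#* }                        # drop the timestamp
  host=${rest%% *}; rest=${rest#* }
  tag=''; msg=$rest
  while [ -n "$msg" ]; do
    c=${msg%"${msg#?}"}                  # first character of msg
    case $c in
      :)   tag="$tag:"; msg=${msg#?}; break ;;
      ' ') break ;;
      *)   tag="$tag$c"; msg=${msg#?} ;;
    esac
  done
  printf '%s|%s|%s|%s|%s\n' "$pri" "$(pri_decode "$pri")" "$host" "$tag" "$msg"
}
# Constructed samples: an nginx line as the client's imfile/omfwd pair emits it, and an sshd line.
SAMPLE='<174>2020-01-06T10:00:00.000000+08:00 web01 req_access 192.168.1.10 - - [06/Jan/2020:10:00:00 +0800] "GET /index.html HTTP/1.1" 200 612'
SAMPLE2='<86>2020-01-06T10:00:01.000000+08:00 web01 sshd[1234]: Accepted publickey for root from 192.168.1.10'
parse_forwarded "$SAMPLE"
parse_forwarded "$SAMPLE2"
# The stock messages rule also matches local5.info, so without local5.none every nginx line
# is written to the client's own /var/log/messages in addition to being forwarded:
selector_matches '*.info;mail.none;authpriv.none;cron.none' local5 info && echo 'duplicated into /var/log/messages'
selector_matches '*.info;mail.none;authpriv.none;cron.none;local5.none' local5 info || echo 'local5.none: kept out'
```

Run it as-is to see the two parsed lines; `kern.*;kern.!err` shows the `!` operator subtracting err and above from what `kern.*` selected, and `*.bogus` makes selector_matches return 2 for an unknown level rather than silently matching nothing.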

Before configuring the server side, capture on the server to confirm the client is actually sending:

tcpdump -i ens33 port 514

(ens33 is the interface name on the author's server; adjust it to yours.) If firewalld is running on the server, the CentOS 7 default, the capture shows the client's SYNs arriving but no completed handshake until 514/tcp is opened. Once packets flow in both directions, configure the receiving side: rsyslog as below, or logstash as in the TIP at the end.


Server-side rsyslog configuration

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
# The client forwards with @@ (TCP). UDP syslog has no handshake, so a spoofed source
# address is enough to plant lines in the files below; comment these two lines out unless
# something actually sends UDP.
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
# This binds 0.0.0.0:514 and accepts from any host that can reach it; restrict the port
# to the client with the host firewall.
$ModLoad imtcp
$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# local5/local6 carry the forwarded nginx logs and get their own files below.
*.info;mail.none;authpriv.none;cron.none;local5.none;local6.none   /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# end of the forwarding rule ###


# --- forwarded nginx logs (added to the stock file) ---

# Format and destination of the data arriving from the client.
# %msg% is the message body only: timestamp, hostname and the req_access/req_error tag
# are dropped, so the files keep nginx's own line format. Because the RFC 3164 parser
# leaves the space that separated the tag from the body in the body, each line written
# here begins with a space; use %msg:2:$% if a downstream parser cares.
# Adding %fromhost-ip% to the file name (e.g. access-%fromhost-ip%-%$YEAR%...) keeps
# senders apart, which matters as soon as more than one host, or an impostor, can reach
# port 514. $CreateDirs is on by default, so /var/log/remote_nginx is created on first write.

$template  SpiceTmpl1,"%msg%\n"
$template  DynaFile1,"/var/log/remote_nginx/access-%$YEAR%-%$MONTH%-%$DAY%.log"
local5.*   ?DynaFile1;SpiceTmpl1


$template  SpiceTmpl,"%msg%\n"
$template  DynaFile,"/var/log/remote_nginx/error-%$YEAR%-%$MONTH%-%$DAY%.log"
local6.*   ?DynaFile;SpiceTmpl

Check that the log file has been created under that path and is receiving data in real time:

tail -f /var/log/remote_nginx/access-2020-01-06.log 
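A deploy-and-verify sequence for the two files above, added here in shell and not taken from the original post. It does the config syntax check before restarting, restricts 514/tcp to the one client, and sends two marker lines whose arrival in the day's access-*.log confirms the whole path. Assumptions the page does not state: the client's address is 192.168.194.5 (only the server, 192.168.194.6, is named), firewalld is active on the server, and the client has util-linux logger. Call the functions by hand on the host named in their comment.

```shell
#!/bin/sh
# Added example, not from the original post. CLIENT is assumed; the page names only the server.
SERVER=192.168.194.6
CLIENT=192.168.194.5                       # assumed
REMOTE_DIR=/var/log/remote_nginx
ACCESS_LOG=/usr/local/nginx/logs/access.log

remote_log_path() { # $1 = access|error, $2 = YYYY-MM-DD (today if omitted); the name the DynaFile templates build
  printf '%s/%s-%s.log\n' "$REMOTE_DIR" "$1" "${2:-$(date +%Y-%m-%d)}"
}

firewalld_rich_rule() { # $1 = client address; opens 514/tcp to that host only, UDP stays closed
  printf 'rule family="ipv4" source address="%s/32" port port="514" protocol="tcp" accept\n' "$1"
}

server_setup() { # run on the server as root
  rsyslogd -N1 -f /etc/rsyslog.conf        # parse-only check; fix errors before touching the running daemon
  firewall-cmd --permanent --add-rich-rule="$(firewalld_rich_rule "$CLIENT")"
  firewall-cmd --reload
  systemctl restart rsyslog
  ss -lntp | grep ':514 '                  # 514/tcp must be LISTEN and owned by rsyslogd
}

client_setup() { # run on the client as root
  rsyslogd -N1 -f /etc/rsyslog.conf
  systemctl restart rsyslog
  # If SELinux is enforcing and the file is never picked up, look for denials on syslogd_t:
  #   ausearch -m avc -ts recent
}

client_smoke_test() { # run on the client; two probes that isolate different failure points
  # 1) straight to the server's TCP listener, bypassing the local rsyslog:
  #    proves network path, firewall rule and imtcp
  logger -n "$SERVER" -P 514 -T -p local5.info -t req_access "smoke-direct $(date +%s)"
  # 2) through imfile: append a marker to the monitored file (the real test of the client config)
  printf 'smoke-imfile %s\n' "$(date +%s)" >> "$ACCESS_LOG"
}

server_check() { # run on the server a second or two later; both markers must be in today's file
  grep -c 'smoke-' "$(remote_log_path access)"
  # Nothing arriving at all? Capture while re-running the smoke test on the client:
  #   tcpdump -ni any 'tcp port 514'
}
```

If only smoke-direct shows up, the server side is fine and the fault is in the client's imfile block (state file, path, SELinux); if neither does, the firewall rule or the @@ target is wrong.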

TIP:

Once rsyslog on both ends is passing data, if you want to swap the receiving end for logstash, logstash will fail on startup right after you configure it:

Check who holds the port

netstat -anp | grep :514      (or: ss -lntup | grep :514)

rsyslog is still bound to 514. After stopping it on the server with systemctl stop rsyslog, the "address already in use" error for port 514 no longer occurs.

Start logstash again and log collection works.

Two things to keep in mind: stopping rsyslog also stops the server's own /var/log/messages, /var/log/secure and the other files above from being written (journald still collects); and 514 is a privileged port, so logstash has to run as root or hold CAP_NET_BIND_SERVICE to bind it. The usual alternative is to keep rsyslog running, have logstash listen on a port above 1024 and point the client's @@192.168.194.6 action at that port.
