Client-side rsyslog configuration (CentOS ships with rsyslog, so nothing extra needs to be downloaded)
vim /etc/rsyslog.conf
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
$ModLoad imfile # load the imfile module (reads plain text files such as the nginx logs below)
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen. (kernel)
kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages! (kernel messages, general messages from the various services, error messages, etc.)
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access. (authentication and authorization information)
authpriv.* /var/log/secure
# Log all the mail messages in one place. (log messages from the mail server running on the system)
mail.* -/var/log/maillog
# Log cron stuff (whenever cron starts a job, the related information is recorded in this file)
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log (custom messages)
local7.* /var/log/boot.log
# Path of the file to monitor
$InputFileName /usr/local/nginx/logs/access.log
# Tag for this input (must be unique per monitored file)
$InputFileTag req_access
# Severity assigned to every line read from the file
$InputFileSeverity info
# State file that records how far the file has been read (survives restarts)
$InputFileStateFile /etc/rsyslog.d/stat-access
# Facility assigned to this input: local5
$InputFileFacility local5
# Poll the file every second and persist the read position every second
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
# Send everything from this facility to the remote server (@ = UDP, @@ = TCP)
local5.* @@192.168.194.6:514
# Same for the nginx error log, using facility local6
$InputFileName /usr/local/nginx/logs/error.log
$InputFileTag req_error
$InputFileSeverity info
$InputFileStateFile /etc/rsyslog.d/stat-error
$InputFileFacility local6
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
local6.* @@192.168.194.6:514
Log facilities:
auth – messages produced by PAM
authpriv – authentication messages for logins such as ssh and ftp
cron – scheduled tasks
kern – kernel
lpr – printing
mail – mail
mark (syslog) – rsyslog's own internal messages, time markers
news – newsgroups
user – messages produced by user programs
uucp – unix to unix copy, communication between unix hosts
local1~7 – custom log facilities
Connector symbols:
.xxx: messages at level xxx or higher
.=xxx: messages at exactly level xxx
.!xxx: messages at levels other than xxx
Log levels:
From the lowest level to the highest, less and less information is recorded.
debug – includes debugging information, the most verbose
info – general informational messages, the most commonly used
notice – normal but significant conditions
warning – warning level
err – error level, a condition that stops a function or module from working properly
crit – critical level, a condition that stops the whole system or whole piece of software from working
alert – a condition that must be fixed immediately
emerg – severe conditions such as a kernel crash
none – log nothing
Actions:
/var/log/file – write to a log file
@@192.168.0.1 – send to a TCP server
@192.168.0.1 – send to a UDP server
user1,user2 – send to the logged-in users user1 and user2
~ – discard the message
^/path/script – run a script; ^ is followed by an executable script, and the log message is passed to it as the first argument, which can be used to trigger alerts
Before configuring the server side, you can capture packets on the server to check whether the data is arriving:
tcpdump -i ens33 port 514
Once traffic is visible in both directions, go on to configure logstash.
Server-side rsyslog configuration
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# end of the forwarding rule ###
# ********************Please copy the following text************************
# Output format and storage path for the data arriving from the remote client
$template SpiceTmpl1,"%msg%\n"
$template DynaFile1,"/var/log/remote_nginx/access-%$YEAR%-%$MONTH%-%$DAY%.log"
local5.* ?DynaFile1;SpiceTmpl1
$template SpiceTmpl,"%msg%\n"
$template DynaFile,"/var/log/remote_nginx/error-%$YEAR%-%$MONTH%-%$DAY%.log"
local6.* ?DynaFile;SpiceTmpl
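The facility, level and selector rules listed above, and the server-side rules that use them, as an added example that is not part of the original post: a small Python evaluator of rsyslog's legacy selector syntax that decodes the <PRI> header of a forwarded line and reports which of the server's rules it matches. It follows the sysklogd/rsyslog documented semantics for "!" (drop that level and more severe ones); SERVER_RULES, the sample lines and the <date> placeholder are constructed here, not taken from the post.

```python
import re
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL_NUM = {name: i for i, name in enumerate(LEVELS)}
FACILITY_NUM = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
                "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITY_NUM.update({f"local{i}": 16 + i for i in range(8)})
ALL_PRI = 0xFF  # one bit per severity, bit i == LEVELS[i]
# Server-side rules from the post (constructed list; dynamic file names shortened to <date>).
SERVER_RULES = [
    ("*.info;mail.none;authpriv.none;cron.none;local5.none", "/var/log/messages"),
    ("local5.*", "/var/log/remote_nginx/access-<date>.log"),
    ("local6.*", "/var/log/remote_nginx/error-<date>.log"),
]

def decode_pri(pri):
    """Split a syslog PRI (facility * 8 + severity) into (facility, level) names."""
    fac, sev = divmod(pri, 8)
    name = next((n for n, v in FACILITY_NUM.items() if v == fac), f"facility{fac}")
    return name, LEVELS[sev]

def selector_mask(selector, facility):
    """Severity bitmask `selector` routes for `facility` (sysklogd/rsyslog legacy rules: 'x' = x and
    more severe, '=x' = exactly x, '!x' = drop x and more severe, '!=x' = drop exactly x, 'none' = drop all)."""
    mask = 0
    for part in selector.split(";"):  # later parts override earlier ones
        facs, _, prio = part.strip().rpartition(".")
        if facility not in facs.split(",") and "*" not in facs.split(","):
            continue
        ignore, prio = prio.startswith("!"), prio.lstrip("!")
        single, prio = prio.startswith("="), prio.lstrip("=")
        if prio == "none":          # "none" clears the facility, "!none" fills it
            bits, ignore = ALL_PRI, not ignore
        elif prio == "*":
            bits = ALL_PRI
        else:
            bits = 1 << LEVEL_NUM[prio] if single else (1 << (LEVEL_NUM[prio] + 1)) - 1
        mask = mask & ~bits if ignore else mask | bits
    return mask & ALL_PRI

def selector_matches(selector, facility, level):
    return bool(selector_mask(selector, facility) & (1 << LEVEL_NUM[level]))

def route(line, rules=SERVER_RULES):
    """Targets a BSD-syslog line '<PRI>Mon dd hh:mm:ss host tag: msg' is written to."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        raise ValueError("line has no <PRI> header")
    facility, level = decode_pri(int(m.group(1)))
    return [target for sel, target in rules if selector_matches(sel, facility, level)]
```

Running route() on a constructed local6.info line (PRI 182) shows it matches both the /var/log/messages rule and local6.*, so the nginx error log is also copied into /var/log/messages unless local6.none is added to that rule as local5.none already is.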
Check that the log file has been created under that path and is receiving data in real time:
tail -f /var/log/remote_nginx/access-2020-01-06.log
TIP:
Once rsyslog is configured on both sides and data is flowing, if you want to replace the server side with logstash to collect the logs, starting logstash straight after configuring it will fail with an error:
Check which process is using the port:
netstat -an |grep 514
After stopping rsyslog on the server with systemctl stop rsyslog, port 514 is no longer occupied and the "address already in use" error no longer appears.
Start logstash again and log collection works.