首页 思维笔记 详情

基于Linux搭建rsyslog日志服务器

2023-09-14 11:23:26 4 举报
在Linux环境下,我们可以使用rsyslog服务来搭建一个日志服务器。首先,需要安装rsyslog软件包。然后,通过编辑rsyslog配置文件(通常位于/etc/rsyslog.conf),设置输入、过滤和输出规则,以便收集、处理和存储来自不同来源的日志信息。接下来,启动并启用rsyslog服务,使其在系统启动时自动运行。最后,配置客户端设备将日志发送到rsyslog服务器。这样,我们就成功搭建了一个基于Linux的rsyslog日志服务器,可以集中管理和分析系统中的各种日志信息,有助于提高系统运维效率和故障排查能力。
linux
日志系统
作者其他创作
大纲/内容
安装步骤:yum install rsyslog 安装完成后对 rsyslog 进行配置,进入 rsyslog 的配置文件 vim /etc/rsyslog.conf 配置成如下文本
配置文件:<br>#&nbsp;rsyslog&nbsp;configuration&nbsp;file#&nbsp;For&nbsp;more&nbsp;information&nbsp;see&nbsp;/usr/share/doc/rsyslog-*/rsyslog_conf.html#&nbsp;If&nbsp;you&nbsp;experience&nbsp;problems,&nbsp;see&nbsp;http://www.rsyslog.com/doc/troubleshoot.html####&nbsp;MODULES&nbsp;<span class="tag">#####</span><span class="tag"></span>MODULES&nbsp;#####&nbsp;The&nbsp;imjournal&nbsp;module&nbsp;bellow&nbsp;is&nbsp;now&nbsp;used&nbsp;as&nbsp;a&nbsp;message&nbsp;source&nbsp;instead&nbsp;of<br>imuxsock.<br>$ModLoad&nbsp;imuxsock&nbsp;#&nbsp;provides&nbsp;support&nbsp;for&nbsp;local&nbsp;system&nbsp;logging&nbsp;(e.g.&nbsp;via&nbsp;logger<br>comm<br>and)<br>$ModLoad&nbsp;imjournal&nbsp;#&nbsp;provides&nbsp;access&nbsp;to&nbsp;the&nbsp;systemd&nbsp;journal#$ModLoad&nbsp;imklog&nbsp;#&nbsp;reads&nbsp;kernel&nbsp;messages&nbsp;(the&nbsp;same&nbsp;are&nbsp;read&nbsp;from&nbsp;journald)#$ModLoad&nbsp;immark&nbsp;#&nbsp;provides&nbsp;--MARK--&nbsp;message&nbsp;capability#&nbsp;Provides&nbsp;UDP&nbsp;syslog&nbsp;reception$ModLoad&nbsp;imudp<br>$UDPServerRun&nbsp;514#&nbsp;Provides&nbsp;TCP&nbsp;syslog&nbsp;reception#$ModLoad&nbsp;imtcp#$InputTCPServerRun&nbsp;514<br>####&nbsp;GLOBAL&nbsp;DIRECTIVES&nbsp;<span class="tag">#####</span>&nbsp;rsyslog&nbsp;configuration&nbsp;file#&nbsp;For&nbsp;more&nbsp;information&nbsp;see&nbsp;/usr/share/doc/rsyslog-*/rsyslog_conf.html#&nbsp;If&nbsp;you&nbsp;experience&nbsp;problems,&nbsp;see&nbsp;http://www.rsyslog.com/doc/troubleshoot.html####&nbsp;MODULES&nbsp;<span class="tag">#####</span>&nbsp;The&nbsp;imjournal&nbsp;module&nbsp;bellow&nbsp;is&nbsp;now&nbsp;used&nbsp;as&nbsp;a&nbsp;message&nbsp;source&nbsp;instead&nbsp;of<br>imuxsock.<br>$ModLoad&nbsp;imuxsock&nbsp;#&nbsp;provides&nbsp;support&nbsp;for&nbsp;local&nbsp;system&nbsp;logging&nbsp;(e.g.&nbsp;via&nbsp;logger<br>command)<br>$ModLoad&nbsp;imjournal&nbsp;#&nbsp;provides&nbsp;access&nbsp;to&nbsp;the&nbsp;systemd&nbsp;journal#$ModLoad&nbsp;imklog&nbsp;#&nbsp;reads&nbsp;kernel&nbsp;messages&nbsp;(the&nbsp;same&nbsp;are&nbsp;read&nbsp;from&nbsp;journald)#$ModLoad&nbsp;immark&nbsp;#&nbsp;provides&nbsp;--MARK--&nbsp;message&nbsp;capability#&nbsp;Provides&nbsp;UDP&nbsp;syslog&nbsp;reception$ModLoad&nbsp;imudp<br>$UDPServerRun&nbsp;514#&nbsp;Provides&nbsp;TCP&nbsp;syslog&nbsp;reception#$ModLoad&nbsp;imtcp#$InputTCPServerRun&nbsp;514####&nbsp;GLOBAL&nbsp;DIRECTIVES&nbsp;<span class="tag">#####</span><span class="tag"></span>DIRECTIVES&nbsp;#####&nbsp;rsyslog&nbsp;configuration&nbsp;file#&nbsp;For&nbsp;more&nbsp;information&nbsp;see&nbsp;/usr/share/doc/rsyslog-*/rsyslog_conf.html#&nbsp;If&nbsp;you&nbsp;experience&nbsp;problems,&nbsp;see&nbsp;http://www.rsyslog.com/doc/troubleshoot.html####&nbsp;MODULES&nbsp;#####&nbsp;The&nbsp;imjournal&nbsp;module&nbsp;bellow&nbsp;is&nbsp;now&nbsp;used&nbsp;as&nbsp;a&nbsp;message&nbsp;source&nbsp;instead&nbsp;of<br>imuxsock.<br>$ModLoad&nbsp;imuxsock&nbsp;#&nbsp;provides&nbsp;support&nbsp;for&nbsp;local&nbsp;system&nbsp;logging&nbsp;(e.g.&nbsp;via&nbsp;logger<br>command)<br>$ModLoad&nbsp;imjournal&nbsp;#&nbsp;provides&nbsp;access&nbsp;to&nbsp;the&nbsp;systemd&nbsp;journal#$ModLoad&nbsp;imklog&nbsp;#&nbsp;reads&nbsp;kernel&nbsp;messages&nbsp;(the&nbsp;same&nbsp;are&nbsp;read&nbsp;from&nbsp;journald)#$ModLoad&nbsp;immark&nbsp;#&nbsp;provides&nbsp;--MARK--&nbsp;message&nbsp;capability#&nbsp;Provides&nbsp;UDP&nbsp;syslog&nbsp;reception$ModLoad&nbsp;imudp<br>$UDPServerRun&nbsp;514#&nbsp;Provides&nbsp;TCP&nbsp;syslog&nbsp;reception#$ModLoad&nbsp;imtcp#$InputTCPServerRun&nbsp;514####&nbsp;GLOBAL&nbsp;DIRECTIVES&nbsp;#####&nbsp;Where&nbsp;to&nbsp;place&nbsp;auxiliary&nbsp;files$WorkDirectory&nbsp;/var/lib/rsyslog<br>#&nbsp;Use&nbsp;default&nbsp;timestamp&nbsp;format<br>$ActionFileDefaultTemplate&nbsp;RSYSLOG_TraditionalFileFormat<br>#&nbsp;File&nbsp;syncing&nbsp;capability&nbsp;is&nbsp;disabled&nbsp;by&nbsp;default.&nbsp;This&nbsp;feature&nbsp;is&nbsp;usually&nbsp;not&nbsp;required,#&nbsp;not&nbsp;useful&nbsp;and&nbsp;an&nbsp;extreme&nbsp;performance&nbsp;hit#$ActionFileEnableSync&nbsp;on#&nbsp;Include&nbsp;all&nbsp;config&nbsp;files&nbsp;in&nbsp;/etc/rsyslog.d/$IncludeConfig&nbsp;/etc/rsyslog.d/*.conf<br>#&nbsp;Turn&nbsp;off&nbsp;message&nbsp;reception&nbsp;via&nbsp;local&nbsp;log&nbsp;socket;#&nbsp;local&nbsp;messages&nbsp;are&nbsp;retrieved&nbsp;through&nbsp;imjournal&nbsp;now.$OmitLocalLogging&nbsp;on<br>#&nbsp;File&nbsp;to&nbsp;store&nbsp;the&nbsp;position&nbsp;in&nbsp;the&nbsp;journal$IMJournalStateFile&nbsp;imjournal.state<br>####&nbsp;RULES&nbsp;<span class="tag">#####</span><span class="tag">#####</span>&nbsp;The&nbsp;imjournal&nbsp;module&nbsp;bellow&nbsp;is&nbsp;now&nbsp;used&nbsp;as&nbsp;a&nbsp;message&nbsp;source&nbsp;instead&nbsp;of<br>imuxsock.<br>$ModLoad&nbsp;imuxsock&nbsp;#&nbsp;provides&nbsp;support&nbsp;for&nbsp;local&nbsp;system&nbsp;logging&nbsp;(e.g.&nbsp;via&nbsp;logger<br>command)<br>$ModLoad&nbsp;imjournal&nbsp;#&nbsp;provides&nbsp;access&nbsp;to&nbsp;the&nbsp;systemd&nbsp;journal#$ModLoad&nbsp;imklog&nbsp;#&nbsp;reads&nbsp;kernel&nbsp;messages&nbsp;(the&nbsp;same&nbsp;are&nbsp;read&nbsp;from&nbsp;journald)#$ModLoad&nbsp;immark&nbsp;#&nbsp;provides&nbsp;--MARK--&nbsp;message&nbsp;capability#&nbsp;Provides&nbsp;UDP&nbsp;syslog&nbsp;reception$ModLoad&nbsp;imudp<br>$UDPServerRun&nbsp;514#&nbsp;Provides&nbsp;TCP&nbsp;syslog&nbsp;reception#$ModLoad&nbsp;imtcp#$InputTCPServerRun&nbsp;514####&nbsp;<span class="tag">GLOBAL&nbsp;</span>DIRECTIVES&nbsp;#####&nbsp;Where&nbsp;to&nbsp;place&nbsp;auxiliary&nbsp;files$WorkDirectory&nbsp;/var/lib/rsyslog<br>#&nbsp;Use&nbsp;default&nbsp;timestamp&nbsp;format<br>$ActionFileDefaultTemplate&nbsp;RSYSLOG_TraditionalFileFormat<br>#&nbsp;File&nbsp;syncing&nbsp;capability&nbsp;is&nbsp;disabled&nbsp;by&nbsp;default.&nbsp;This&nbsp;feature&nbsp;is&nbsp;usually&nbsp;not&nbsp;required,#&nbsp;not&nbsp;useful&nbsp;and&nbsp;an&nbsp;extreme&nbsp;performance&nbsp;hit#$ActionFileEnableSync&nbsp;on#&nbsp;Include&nbsp;all&nbsp;config&nbsp;files&nbsp;in&nbsp;/etc/rsyslog.d/$IncludeConfig&nbsp;/etc/rsyslog.d/*.conf<br>#&nbsp;Turn&nbsp;off&nbsp;message&nbsp;reception&nbsp;via&nbsp;local&nbsp;log&nbsp;socket;#&nbsp;local&nbsp;messages&nbsp;are&nbsp;retrieved&nbsp;through&nbsp;imjournal&nbsp;now.$OmitLocalLogging&nbsp;on<br>#&nbsp;File&nbsp;to&nbsp;store&nbsp;the&nbsp;position&nbsp;in&nbsp;the&nbsp;journal$IMJournalStateFile&nbsp;imjournal.state<br>####&nbsp;RULES&nbsp;#####&nbsp;Log&nbsp;all&nbsp;kernel&nbsp;messages&nbsp;to&nbsp;the&nbsp;console.#&nbsp;cal7.*&nbsp;/var/log/boot.log##&nbsp;Logging&nbsp;much&nbsp;else&nbsp;clutters&nbsp;up&nbsp;the&nbsp;screen.#kern.*&nbsp;/dev/console#&nbsp;Log&nbsp;anything&nbsp;(except&nbsp;mail)&nbsp;of&nbsp;level&nbsp;info&nbsp;or&nbsp;higher.#&nbsp;Don't&nbsp;log&nbsp;private&nbsp;authentication&nbsp;messages!<br>*.alert&nbsp;/var/log/alert.log<br>*.notice&nbsp;/var/log/notice.log<br>*.error&nbsp;/var/log/err.log<br>*.info;mail.none;authpriv.none;cron.none&nbsp;/var/log/messages<br>#&nbsp;The&nbsp;authpriv&nbsp;file&nbsp;has&nbsp;restricted&nbsp;access.<br>authpriv.*&nbsp;/var/log/secure<br>#&nbsp;Log&nbsp;all&nbsp;the&nbsp;mail&nbsp;messages&nbsp;in&nbsp;one&nbsp;place.<br>mail.*&nbsp;-/var/log/maillog#&nbsp;Log&nbsp;cron&nbsp;stuff<br>cron.*&nbsp;/var/log/cron<br>#&nbsp;Everybody&nbsp;gets&nbsp;emergency&nbsp;messages<br>*.emerg&nbsp;:omusrmsg:*<br>#&nbsp;Save&nbsp;news&nbsp;errors&nbsp;of&nbsp;level&nbsp;crit&nbsp;and&nbsp;higher&nbsp;in&nbsp;a&nbsp;special&nbsp;file.<br>uucp,news.crit&nbsp;/var/log/spooler#&nbsp;Save&nbsp;boot&nbsp;messages&nbsp;also&nbsp;to&nbsp;boot.log<br>local7.*&nbsp;/var/log/boot.log<br>#&nbsp;###&nbsp;begin&nbsp;forwarding&nbsp;rule&nbsp;###<br>#&nbsp;The&nbsp;statement&nbsp;between&nbsp;the&nbsp;begin&nbsp;...&nbsp;end&nbsp;define&nbsp;a&nbsp;SINGLE&nbsp;forwarding<br>#&nbsp;rule.&nbsp;They&nbsp;belong&nbsp;together,&nbsp;do&nbsp;NOT&nbsp;split&nbsp;them.&nbsp;If&nbsp;you&nbsp;create&nbsp;multiple<br>#&nbsp;forwarding&nbsp;rules,&nbsp;duplicate&nbsp;the&nbsp;whole&nbsp;block!<br>#&nbsp;Remote&nbsp;Logging&nbsp;(we&nbsp;use&nbsp;TCP&nbsp;for&nbsp;reliable&nbsp;delivery)<br>#<br>#&nbsp;An&nbsp;on-disk&nbsp;queue&nbsp;is&nbsp;created&nbsp;for&nbsp;this&nbsp;action.&nbsp;If&nbsp;the&nbsp;remote&nbsp;host&nbsp;is<br>#&nbsp;down,&nbsp;messages&nbsp;are&nbsp;spooled&nbsp;to&nbsp;disk&nbsp;and&nbsp;sent&nbsp;when&nbsp;it&nbsp;is&nbsp;up&nbsp;again.<br><span class="tag">#$ActionQueueFileName</span>&nbsp;fwdRule1&nbsp;#&nbsp;unique&nbsp;name&nbsp;prefix&nbsp;for&nbsp;spool&nbsp;files<br><span class="tag">#$ActionQueueMaxDiskSpace</span>&nbsp;1g&nbsp;#&nbsp;1gb&nbsp;space&nbsp;limit&nbsp;(use&nbsp;as&nbsp;much&nbsp;as&nbsp;possible)#$ActionQueueSaveOnShutdown&nbsp;on&nbsp;#&nbsp;save&nbsp;messages&nbsp;to&nbsp;disk&nbsp;on&nbsp;shutdown#$ActionQueueType&nbsp;LinkedList&nbsp;#&nbsp;run&nbsp;asynchronously#$ActionResumeRetryCount&nbsp;-1&nbsp;#&nbsp;infinite&nbsp;retries&nbsp;if&nbsp;host&nbsp;is&nbsp;down#&nbsp;remote&nbsp;host&nbsp;is:&nbsp;name/ip:port,&nbsp;e.g.&nbsp;192.168.0.1:514,&nbsp;port&nbsp;optional#*.*&nbsp;<span class="tag">@@remote-host:514#</span><span class="tag"></span>/var/log/boot.log##&nbsp;Logging&nbsp;much&nbsp;else&nbsp;clutters&nbsp;up&nbsp;the&nbsp;screen.#kern.*&nbsp;/dev/console#&nbsp;Log&nbsp;anything&nbsp;(except&nbsp;mail)&nbsp;of&nbsp;level&nbsp;info&nbsp;or&nbsp;higher.#&nbsp;Don't&nbsp;log&nbsp;private&nbsp;authentication&nbsp;messages!<br>*.alert&nbsp;/var/log/alert.log<br>*.notice&nbsp;/var/log/notice.log<br>*.error&nbsp;/var/log/err.log<br>*.info;mail.none;authpriv.none;cron.none&nbsp;/var/log/messages<br>#&nbsp;The&nbsp;authpriv&nbsp;file&nbsp;has&nbsp;restricted&nbsp;access.<br>authpriv.*&nbsp;/var/log/secure<br>#&nbsp;Log&nbsp;all&nbsp;the&nbsp;mail&nbsp;messages&nbsp;in&nbsp;one&nbsp;place.<br>mail.*&nbsp;-/var/log/maillog#&nbsp;Log&nbsp;cron&nbsp;stuff<br>cron.*&nbsp;/var/log/cron<br>#&nbsp;Everybody&nbsp;gets&nbsp;emergency&nbsp;messages<br>*.emerg&nbsp;:omusrmsg:*<br>#&nbsp;Save&nbsp;news&nbsp;errors&nbsp;of&nbsp;level&nbsp;crit&nbsp;and&nbsp;higher&nbsp;in&nbsp;a&nbsp;special&nbsp;file.<br>uucp,news.crit&nbsp;/var/log/spooler#&nbsp;Save&nbsp;boot&nbsp;messages&nbsp;also&nbsp;to&nbsp;boot.log<br>local7.*&nbsp;/var/log/boot.log<br>#&nbsp;###&nbsp;begin&nbsp;forwarding&nbsp;rule&nbsp;###<br>#&nbsp;The&nbsp;statement&nbsp;between&nbsp;the&nbsp;begin&nbsp;<span class="tag">...</span>&nbsp;end&nbsp;define&nbsp;a&nbsp;SINGLE&nbsp;forwarding<br>#&nbsp;rule.&nbsp;They&nbsp;belong&nbsp;together,&nbsp;do&nbsp;NOT&nbsp;split&nbsp;them.&nbsp;If&nbsp;you&nbsp;create&nbsp;multiple<br>#&nbsp;forwarding&nbsp;rules,&nbsp;duplicate&nbsp;the&nbsp;whole&nbsp;block!<br>#&nbsp;Remote&nbsp;Logging&nbsp;(we&nbsp;use&nbsp;TCP&nbsp;for&nbsp;reliable&nbsp;delivery)<br>#<br>#&nbsp;An&nbsp;on-disk&nbsp;queue&nbsp;is&nbsp;created&nbsp;for&nbsp;this&nbsp;action.&nbsp;If&nbsp;the&nbsp;remote&nbsp;host&nbsp;is<br>#&nbsp;down,&nbsp;messages&nbsp;are&nbsp;spooled&nbsp;to&nbsp;disk&nbsp;and&nbsp;sent&nbsp;when&nbsp;it&nbsp;is&nbsp;up&nbsp;again.<br>#$ActionQueueFileName&nbsp;fwdRule1&nbsp;#&nbsp;unique&nbsp;name&nbsp;prefix&nbsp;for&nbsp;spool&nbsp;files<br>#$ActionQueueMaxDiskSpace&nbsp;1g&nbsp;#&nbsp;1gb&nbsp;space&nbsp;limit&nbsp;(use&nbsp;as&nbsp;much&nbsp;as&nbsp;possible)#$ActionQueueSaveOnShutdown&nbsp;on&nbsp;#&nbsp;save&nbsp;messages&nbsp;to&nbsp;disk&nbsp;on&nbsp;shutdown#$ActionQueueType&nbsp;LinkedList&nbsp;#&nbsp;run&nbsp;asynchronously#$ActionResumeRetryCount&nbsp;-1&nbsp;#&nbsp;infinite&nbsp;retries&nbsp;if&nbsp;host&nbsp;is&nbsp;down#&nbsp;remote&nbsp;host&nbsp;is:&nbsp;name/ip:port,&nbsp;e.g.&nbsp;192.168.0.1:514,&nbsp;port&nbsp;optional#*.*&nbsp;@@remote-host:514#&nbsp;###&nbsp;end&nbsp;of&nbsp;the&nbsp;forwarding&nbsp;rule&nbsp;###<br><br><br>
配置文件解释:<br>此处用的是&nbsp;udp&nbsp;514&nbsp;端口进行接收日志,并且我把日志分成了如下四个级别分别对应一个日志文件夹。<br>1、alert&nbsp;/var/log/alert.log<br>2、notice&nbsp;/var/log/notice.log<br>3、error&nbsp;/var/log/err.log<br>4、info&nbsp;/var/log/messages
然后进入/var/log 目录创建 3 个文件 alert.log 、notice.log、 err.log,命令如下:<br>touch alert.log touch notice.log touch err.log<br>
然后开启 rsyslog 服务,命令如下:<br>systemctl restart rsyslog<br>
查看状态,命令如下:<br>systemctl status rsyslog<br><br>
查看日志:<br>tail -100f shanshi.log<br><br>
评论
0 条评论
下一页
为你推荐
查看更多
应用服务器集群
应用服务器集群
服务器
服务器
服务器
服务器
远端-公网服务器
远端-公网服务器
rsyslog
rsyslog
服务器搭建
服务器搭建
服务器
服务器
服务器连线图
服务器连线图
行业介绍、Linux简介、Linux的安装、服务器管理建议
行业介绍、Linux简介、Linux的安装、服务器管理建议
事件服务器
事件服务器