|
|
我要入营,结交更多好友,开启更多功能,轻松玩转服务器大本营!
您需要 登录 才可以下载或查看,没有账号?我要入营
x
1、rsyslog 介绍
rsyslog 是一个快速处理收集系统日志的开源程序,提供了高性能、安全功能和模块化设计。rsyslog 是 syslog 的升级版,它将多种来源输入输出转换结果到目的地, rsyslog 被广泛用于 Linux 系统以通过 TCP/UDP 协议转发或接收日志消息。
如何搭建日志服务器?rsyslog日志服务器搭建配置教程
如何搭建日志服务器?rsyslog日志服务器搭建配置教程
rsyslog 守护进程可以被配置成两种环境,一种是配置成日志收集服务器,rsyslog 进程可以从网络中收集其它主机上的日志数据,这些主机会将日志配置为发送到另外的远程服务器。rsyslog 的另外一个用法,就是可以配置为客户端,用来过滤和发送内部日志消息到本地文件夹(如 /var/log)或一台可以路由到的远程 rsyslog 服务器上。
2、实验目的
实现 Client 主机通过 rsyslog 发送自身的系统日志到 Rsyslog Server 服务器,服务器端将该主机系统日志存放到一个指定的目录里面,进行按 IP 和日志简单分类存储。
3、实验环境
服务端和客户端系统都为 Centos7.7
服务端 IP:10.0.0.120 客户端 IP:10.0.0.100
服务端和客户端关闭防火墙和 selinux
- systemctl stop firewalld
- setenforce 0
服务端和客户端都安装 rsyslog 服务
- yum -y install rsyslog #无网络自行配置 yum 源
4、配置服务端
- vim /etc/rsyslog.conf #修改rsyslog配置文件,标蓝的即为需要的内容,标红的为解释说明
- # rsyslog configuration file
- # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
- # If you experience problems, see [url]http://www.rsyslog.com/doc/troubleshoot.html[/url]
- #### MODULES ####
- # The imjournal module bellow is now used as a message source instead of imuxsock.
- $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
- $ModLoad imjournal # provides access to the systemd journal
- #$ModLoad imklog # reads kernel messages (the same are read from journald)
- #$ModLoad immark # provides --MARK-- message capability
- # Provides UDP syslog reception
- $ModLoad imudp
- $UDPServerRun 514
- # Provides TCP syslog reception
- $ModLoad imtcp
- $InputTCPServerRun 514
- #### GLOBAL DIRECTIVES ####
- # Where to place auxiliary files
- $WorkDirectory /var/lib/rsyslog
- $AllowedSender udp, 10.0.0.0/24
- #收集的IP网段
- # Use default timestamp format
- $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
- $template Remote,"/opt/n9e/rsyslog/logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log" #定义模板,接受日志文件路径,区分了不同主机的日志,日志目录自行指定
- :fromhost-ip, !isequal, "127.0.0.1" ?Remote # 过滤服务端本机的日志
- # File syncing capability is disabled by default. This feature is usually not required,
- # not useful and an extreme performance hit
- #$ActionFileEnableSync on
- # Include all config files in /etc/rsyslog.d/
- $IncludeConfig /etc/rsyslog.d/*.conf
- # Turn off message reception via local log socket;
- # local messages are retrieved through imjournal now.
- $OmitLocalLogging on
- # File to store the position in the journal
- $IMJournalStateFile imjournal.state
- #### RULES ####
- # 添加创建目录的注释
- $CreateDirs on
- # Log all kernel messages to the console.
- # Logging much else clutters up the screen.
- #kern.* /dev/console
- # Log anything (except mail) of level info or higher.
- # Don't log private authentication messages!
- *.info;mail.none;authpriv.none;cron.none /var/log/messages
- # The authpriv file has restricted access.
- authpriv.* /var/log/secure
- # Log all the mail messages in one place.
- mail.* -/var/log/maillog
- # Log cron stuff
- cron.* /var/log/cron
- # Everybody gets emergency messages
- *.emerg :omusrmsg:*
- # Save news errors of level crit and higher in a special file.
- uucp,news.crit /var/log/spooler
- # Save boot messages also to boot.log
- local7.* /var/log/boot.log
- # ### begin forwarding rule ###
- # The statement between the begin ... end define a SINGLE forwarding
- # rule. They belong together, do NOT split them. If you create multiple
- # forwarding rules, duplicate the whole block!
- # Remote Logging (we use TCP for reliable delivery)
- #
- # An on-disk queue is created for this action. If the remote host is
- # down, messages are spooled to disk and sent when it is up again.
- #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
- #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
- #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
- #$ActionQueueType LinkedList # run asynchronously
- #$ActionResumeRetryCount -1 # infinite retries if host is down
- # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
- # *.* @@192.168.44.212:514
- # ### end of the forwarding rule ###
- systemctl restart rsyslog #重启rsyslog服务
5、配置客户端
- vim /etc/rsyslog.conf #修改rsyslog配置文件,标蓝的即为需要的内容,标红的为解释说明
- # rsyslog configuration file
- # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
- # If you experience problems, see [url]http://www.rsyslog.com/doc/troubleshoot.html[/url]
- #### MODULES ####
- # The imjournal module bellow is now used as a message source instead of imuxsock.
- $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
- $ModLoad imjournal # provides access to the systemd journal
- #$ModLoad imklog # reads kernel messages (the same are read from journald)
- #$ModLoad immark # provides --MARK-- message capability
- # Provides UDP syslog reception
- #$ModLoad imudp
- #$UDPServerRun 514
- # Provides TCP syslog reception
- #$ModLoad imtcp
- #$InputTCPServerRun 514
- #### GLOBAL DIRECTIVES ####
- # Where to place auxiliary files
- $WorkDirectory /var/lib/rsyslog
- # Use default timestamp format
- $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
- # File syncing capability is disabled by default. This feature is usually not required,
- # not useful and an extreme performance hit
- #$ActionFileEnableSync on
- # Include all config files in /etc/rsyslog.d/
- $IncludeConfig /etc/rsyslog.d/*.conf
- # Turn off message reception via local log socket;
- # local messages are retrieved through imjournal now.
- $OmitLocalLogging on
- # File to store the position in the journal
- $IMJournalStateFile imjournal.state
- #### RULES ####
- # Log all kernel messages to the console.
- # Logging much else clutters up the screen.
- #kern.* /dev/console
- # Log anything (except mail) of level info or higher.
- # Don't log private authentication messages!
- *.info;mail.none;authpriv.none;cron.none /var/log/messages
- # The authpriv file has restricted access.
- authpriv.* /var/log/secure
- # Log all the mail messages in one place.
- mail.* -/var/log/maillog
- # Log cron stuff
- cron.* /var/log/cron
- # Everybody gets emergency messages
- *.emerg :omusrmsg:*
- # Save news errors of level crit and higher in a special file.
- uucp,news.crit /var/log/spooler
- # Save boot messages also to boot.log
- local7.* /var/log/boot.log
- # ### begin forwarding rule ###
- # The statement between the begin ... end define a SINGLE forwarding
- # rule. They belong together, do NOT split them. If you create multiple
- # forwarding rules, duplicate the whole block!
- # Remote Logging (we use TCP for reliable delivery)
- #
- # An on-disk queue is created for this action. If the remote host is
- # down, messages are spooled to disk and sent when it is up again.
- $ActionQueueFileName fwdRule1 # unique name prefix for spool files
- $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
- $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
- $ActionQueueType LinkedList # run asynchronously
- $ActionResumeRetryCount -1 # infinite retries if host is down
- # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
- #*.* @@remote-host:514
- # ### end of the forwarding rule ###
- *.* @10.0.0.120 #指定服务端IP
- systemctl restart rsyslog #重启rsyslog服务
6、在服务端验证效果
切换到服务端存放日志文件的路径,可以看到已经生成了日志,rsyslog 日志服务配置成功。
如何搭建日志服务器?rsyslog日志服务器搭建配置教程
感谢您的阅读,服务器大本营-技术文章内容集合站,助您成为更专业的服务器管理员! |
|
![点击直接加入[服务器大本营QQ频道]](https://www.fwqdby.com/data/attachment/common/cf/163843sqpktkbsqklllbt6.jpg)
|Archiver|手机版|网站地图|服务器大本营
( 赣ICP备2021009089号 )
发表于 
置顶卡
变色卡
千斤顶