建立 rsyslog 日志服务器
文章目录
- 1. rsyslog 介绍
- 2. 实验目的
- 3. 实验环境
- 4. 配置服务端
- 5. 配置客户端
- 6. 在服务端验证效果
1. rsyslog 介绍
rsyslog 是一个快速处理收集系统日志的开源程序,提供了高性能、安全功能和模块化设计。rsyslog 是 syslog 的升级版,它将多种来源输入输出转换结果到目的地, rsyslog 被广泛用于 Linux 系统以通过 TCP/UDP 协议转发或接收日志消息。
rsyslog 守护进程可以被配置成两种环境,一种是配置成日志收集服务器,rsyslog 进程可以从网络中收集其它主机上的日志数据,这些主机会将日志配置为发送到另外的远程服务器。rsyslog 的另外一个用法,就是可以配置为客户端,用来过滤和发送内部日志消息到本地文件夹(如 /var/log)或一台可以路由到的远程 rsyslog 服务器上。
2. 实验目的
实现 Client 主机通过 rsyslog 发送自身的系统日志到 Rsyslog Server 服务器,服务器端将该主机系统日志存放到一个指定的目录里面,进行按 IP 和日志简单分类存储。
3. 实验环境
- 服务端和客户端系统都为 Centos7.7
- 服务端 IP:10.0.0.120 客户端 IP:10.0.0.100
- 服务端和客户端关闭防火墙和 selinux
systemctl stop firewalld
setenforce 0
- 服务端和客户端都安装 rsyslog 服务
yum -y install rsyslog #无网络自行配置 yum 源
4. 配置服务端
vim /etc/rsyslog.conf #修改rsyslog配置文件,标蓝的即为需要的内容,标红的为解释说明# rsyslog configuration file# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html#### MODULES ##### The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514#### GLOBAL DIRECTIVES ##### Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
$AllowedSender udp, 10.0.0.0/24
#收集的IP网段# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/opt/n9e/rsyslog/logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log" #定义模板,接受日志文件路径,区分了不同主机的日志,日志目录自行指定
:fromhost-ip, !isequal, "127.0.0.1" ?Remote # 过滤服务端本机的日志# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on# File to store the position in the journal
$IMJournalStateFile imjournal.state#### RULES ####
# 添加创建目录的注释
$CreateDirs on
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages# The authpriv file has restricted access.
authpriv.* /var/log/secure# Log all the mail messages in one place.
mail.* -/var/log/maillog# Log cron stuff
cron.* /var/log/cron# Everybody gets emergency messages
*.emerg :omusrmsg:*# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler# Save boot messages also to boot.log
local7.* /var/log/boot.log# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
# *.* @@192.168.44.212:514
# ### end of the forwarding rule ###systemctl restart rsyslog #重启rsyslog服务
5. 配置客户端
vim /etc/rsyslog.conf #修改rsyslog配置文件,标蓝的即为需要的内容,标红的为解释说明# rsyslog configuration file# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html#### MODULES ##### The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514#### GLOBAL DIRECTIVES ##### Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on# File to store the position in the journal
$IMJournalStateFile imjournal.state#### RULES ##### Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages# The authpriv file has restricted access.
authpriv.* /var/log/secure# Log all the mail messages in one place.
mail.* -/var/log/maillog# Log cron stuff
cron.* /var/log/cron# Everybody gets emergency messages
*.emerg :omusrmsg:*# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler# Save boot messages also to boot.log
local7.* /var/log/boot.log# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
*.* @10.0.0.120 #指定服务端IPsystemctl restart rsyslog #重启rsyslog服务
6. 在服务端验证效果
切换到服务端存放日志文件的路径,可以看到已经生成了日志,rsyslog 日志服务配置成功。
配置文件详解:
https://www.cnblogs.com/shu-sheng/p/13275474.html
建立 rsyslog 日志服务器相关推荐
- 虚拟机安装日志服务器,rsyslog日志服务器搭建
##本人使用的vm workstation pro 安装的虚拟机,操作系统为centos 7.4,搭建rsyslog 日志服务器,将日志服务器与mysql数据库.loganalyzer安装在同一个台服 ...
- Linux系统之部署Rsyslog 日志服务器
Linux系统之部署Rsyslog 日志服务器 一.检查服务器系统版本 二.在master节点上配置 1.修改/etc/rsyslog.conf 2.开启日志服务 3.查看日志服务状态 4.关闭防火墙 ...
- centos rsyslog mysql_centos7+rsyslog+loganalyzer+mysql 搭建rsyslog日志服务器
一.简介 在centos7系统中,默认的日志系统是rsyslog,它是一类unix系统上使用的开源工具,用于在ip网络中转发日志信息,rsyslog采用模块化设计,是syslog的替代品. 1.rsy ...
- 搭建rsyslog日志服务器记录RouterOS路由器日志
1.搭建原因: 需要收集RouterOS路由的日志信息到mysql中,以便于后续查看 2.所需环境: RouterOS,centos7.6,mysql5.7.28 3.RouterOS路由器的日志设置 ...
- centos7 修改连接数_centos7+rsyslog+loganalyzer+mysql 搭建rsyslog日志服务器 - 夜空守望者2020...
在centos7系统中,默认的日志系统是rsyslog,它是一类unix系统上使用的开源工具,用于在ip网络中转发日志信息,rsyslog采用模块化设计,是syslog的替代品. 1.rsyslog特 ...
- rsyslog日志服务器的日志文件路径,使用rsyslog收集日志
为什么使用rsyslog? 1.他是POSIX-like系统中标准的logging,有些软件,比如haproxy,只使用syslog.所以你不能完全消除它 2.通过网络硬件被使用 3.它有更复杂的设置 ...
- CentOS7.9安装rsyslog+loganalyzer日志服务器详细配置
一.简介: 随着机房内的服务器和网络设备增加,日志管理和查询就成了让系统管理员头疼的事. 系统管理员遇到的常见问题如下: 1.日常维护过程中不可能登录到每一台服务器和设备上去查看日志: 2.网络设备上 ...
- mysql+enable+sql+log_CentOS7下利用rsyslog+loganalyzer配置日志服务器及Linux和windows客户端配置...
随着机房内的服务器和网络设备增加,日志管理和查询就成了让系统管理员头疼的事. 系统管理员遇到的常见问题如下: 1.日常维护过程中不可能登录到每一台服务器和设备上去查看日志: 2.网络设备上的存储空间有 ...
- nginx日志通过rsyslog传入到日志服务器指定目录
V5配置语法: 推送端设置 [root@nginx01 ~]# cat /etc/rsyslog.conf # rsyslog v5 configuration file # For more inf ...
- Centos6.3下利用rsyslog+loganalyzer+mysql部署日志服务器
作为一名系统运维工程师,平时查看分析LINUX系统日志我觉得是我们每天必做的功课,但时间长了会发现每次查看站点日志都得挨个进后台,几台服务器还可以这么对付,但如果管理成百上千台线上服务器,这种方法就捉 ...
最新文章
- 几个阿里, 美团,腾讯大佬的公众号!超级变态!
- android widget 研究 (转载)
- SpringBoot系列: RestTemplate 快速入门
- mysql数据库对象关系映射
- 笔记1-3: 从标准输入读取命令并执行
- 【数据结构】八大数据结构分类
- 2020蓝桥杯省赛---java---B---2(寻找 2020)+测试txt
- 【需求工程】需求应用域理解
- 2015-12-02 计划任务维护数据库
- SpringBoot 接收 单个String入参之解决方案
- 通用无线公共接口cpri_11/30
- spline曲线使用
- 无人机视觉检测算法研究及数据集汇总
- JDBC API 学习
- html文件怎么在wps打开是乱码,wps上打开Excel文件是乱码
- SpringBoot Whitelabel Error Page 错误
- Android--ImageView读取本地路径图片
- java 矩形类的作用_java中关于矩形类
- 小议SEO做网站关键字优化
- AutoIt3(AU3)开发的分辨率快速设置工具