部署 服务器 配置rsyslog

1、安装，导入数据库结构，及配置mysql帐号

cd /etc/yum.repos.d/

wget http://rpms.adiscon.com/v8-stable/rsyslog.repo

yum install rsyslog

yum install rsyslog-mysql -y

source /usr/share/doc/rsyslog-mysql-8.2004.0/createDB.sql

grant all privileges on syslog_db.* to Syslog@'localhost' identified by 'passowrd';

flush privileges;

rsyslog.conf底部增加

$template Remote,"insert into SystemEvents (Message, Facility, FromHost, FromIP, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', '%fromhost-ip%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL

$ModLoad ommysql

*.*:ommysql:localhost,Syslog,syslog,passowrd

$ModLoad immark

$ModLoad imudp

$UDPServerRun 514

$ModLoad imtcp

$InputTCPServerRun 514

2、配置需要记录的服务器【客户端】

配置记录命令

/etc/profile 底部添加

export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "

export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,logintime=$(who am i |awk "{print \$3\" \"\$4}"),from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'

source /etc/profile 执行使上面增加的配置生效

rsyslog.conf 接收数据的服务端的ip及端口信息

local5.* @10.13.1.91:514

修改完需要重启rsyslog

配置过渡不需要的参数

vi /etc/rsyslog.d/ignore-systemd-session-slice.conf

#cron定时任务，会生成，很多无用数据

if $programname == "systemd" and ($msg contains "Starting Session" or $msg contains "Started Session" or $msg contains "Created slice" or $msg contains "Starting user-" or $msg contains "Starting User Slice of" or $msg contains "Removed session" or $msg contains "Removed slice User Slice of" or $msg contains "Stopping User Slice of") then stop

#aws的会有这个垃圾数据

if $programname == "dhclient" and ($msg contains "XMT: Solicit on eth0") then stop

#cron 定时任务

if $programname == "crond" and ($msg contains "sendmail: fatal: parameter inet_interfaces: no local interface found for ::1") then stop