一、 配置/etc/rsyslog.conf
$> vim /etc/rsyslog.conf
#### RULES ####
# Custom output template: prepends date, hour:minute, the message generation time,
# the source hostname and the source IP to the standard tag + message. Rules that
# end in ";WESTOS" below use it; the others keep the default format.
$template WESTOS,"%$now% %$hour%:%$minute% %timegenerated% %fromhost% %fromhost-ip% %syslogtag% %msg%\n"
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Catch-all: every facility at every priority (kernel, mail, cron AND authpriv)
# goes into one file formatted with WESTOS. Because authpriv.* lands here as well,
# /var/log/alllog needs the same restricted permissions as /var/log/secure, and it
# duplicates everything the rules below write, so expect it to grow quickly.
*.* /var/log/alllog;WESTOS
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# NOTE(review): the mail/authpriv/cron exclusions only protect /var/log/messages;
# the *.* rule above still records those facilities.
*.info;mail.none;authpriv.none;cron.none /var/log/messages;WESTOS
# The authpriv file has restricted access.
authpriv.* /var/log/secure;WESTOS
# Log all the mail messages in one place.
# The leading "-" is the legacy "do not sync after each write" marker; presumably a
# no-op on current rsyslog where sync is already off by default -- confirm.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
重启服务:$> systemctl restart rsyslog
二、rpm方式安装splunkforwarder
$> sudo rpm -ivh --prefix=/YourPath/splunk splunkforwarder-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm
$> cd /YourPath/splunk
- 找到真实地址
find / -name splunk
- 做个软链接
ln -s /opt/splunkforwarder/bin/splunk /usr/bin/splunk
$> cd /opt/splunkforwarder/bin
$> ./splunk start --accept-license
- 配置远程接收服务器
./splunk add forward-server ForwardHost:port
- 配置远程管理端（deployment server），按提示输入账号密码
./splunk set deploy-poll ManagerHost:port
- 查看接收服务器
./splunk list forward-server
- 查看收集项目
./splunk list monitor
- 添加收集项目 xxxx
./splunk add monitor /var/log/xxxx
  也可以监控通配路径，例如：/var/log/nginx/*.log
- 移除项目 xxxx
./splunk remove monitor /var/log/xxxx
- 重启服务
service splunk restart