网上很多rsyslog日志搜集服务器的教程都很乱!自己来写一篇。
资源有限,在一台机器上做实验。
CentOS 7 默认已经安装 rsyslog,可以用 rpm 确认:
[root@QFQLDl155405 2018-07-31]# rpm -qa | grep rsys
rsyslog-8.24.0-12.el7.x86_64
配置主配置文件/etc/rsyslog.conf
# Server side: /etc/rsyslog.conf for the central log collector.
# These are legacy-format directives, which are order-sensitive, so the
# statement order below is kept exactly as written.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
# NOTE(review): as configured here the TCP listener is plain syslog over TCP,
# with no sender restriction and no encryption, so any host that can reach
# port 514 can submit messages. Limit who may connect (host firewall, or
# rsyslog's $AllowedSender) and consider a TLS-enabled listener before using
# this outside a lab.
$ModLoad imtcp # enable the TCP syslog input
$InputTCPServerRun 514 # listening port
# NOTE(review): 0644 files and 0755 directories make every collected log
# readable by all local users. Access logs can carry client addresses and
# request URLs, so tighter modes (for example 0640 / 0750) are worth considering.
$FileCreateMode 0644 # permissions for created log files
$DirCreateMode 0755 # permissions for created directories
$Umask 0022
# NOTE(review): "off" disables the escaping of control characters in received
# messages, so raw control bytes sent by a client are written to the log files
# unchanged. Keep that in mind when viewing these files in a terminal or
# feeding them to other parsers.
$EscapeControlCharactersOnReceive off # character-set adjustment (author's note)
$template LogFormat,"%msg%\n" # output template: message text only, no timestamp or host
# NOTE(review): the output path is assembled from %programname%, which the
# sending side chooses, and %fromhost-ip%. Any sender whose tag passes the
# filter below can therefore create new directories and files under /opt/logs.
# rsyslog offers the secpath-replace property option for values used in file
# paths; confirm how this rsyslog version treats '/' and '..' in programname.
$template DayPerProgram_AccessLogs,"/opt/logs/%programname:1:320%/%fromhost-ip%/%$year%-%$month%-%$day%/%programname%.%$year%-%$month%-%$day%-%$hour%.log" # template for the log file location
# '?' writes to a dynamic file named by the template, the leading '-' turns off
# syncing after each write, and ';LogFormat' selects the line format above.
if ($programname contains 'nginx' ) then -?DayPerProgram_AccessLogs;LogFormat # filter that triggers the action
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Files in /etc/rsyslog.d/ are read at this point, after the nginx rule above.
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
# local3 and local4 are excluded from /var/log/messages; the client
# configuration in this article tags the nginx lines with facility local4.
*.info;mail.none;authpriv.none;cron.none;local3.none;local4.none /var/log/messages
authpriv.* /var/log/secure
# The leading '-' means the file is not synced after every write.
mail.* -/var/log/maillog
cron.* /var/log/cron
# Emergency messages are sent to all logged-in users.
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
配置客户端文件:/etc/rsyslog.d/nginx.conf
# Client side: /etc/rsyslog.d/nginx.conf. Reads the nginx log file with imfile
# and forwards the resulting messages to the collector.
$ModLoad imfile
$InputFileName /alidata/nginx/logs/default.log # path of the log file to read
$InputFileTag nginx_skynet # syslog tag attached to each line
# State file in which imfile records how far it has read.
$InputFileStateFile nginx_log
$InputFileFacility local4
$InputFileSeverity notice
# Persist the read position after every line.
$InputFilePersistStateInterval 1
# Activates the file monitor defined by the $InputFile* settings above.
$InputRunFileMonitor
# Poll the file for new lines every second.
$InputFilePollInterval 1
# NOTE(review): this forwards plain syslog over TCP. On loopback that is fine,
# but between hosts the access-log content crosses the network unencrypted
# unless TLS is configured on both ends.
# NOTE(review): in this single-host lab this file is included by the same
# rsyslog instance that runs the TCP listener, so messages arriving back on
# port 514 still carry the 'nginx' tag and appear to match this rule again.
# Verify that they are not re-forwarded in a loop; with the client on a
# separate host the question does not arise.
if ($programname contains 'nginx') then @@127.0.0.1:514 # @@ means TCP, @ means UDP
启动:systemctl start rsyslog
你会发现nginx的日志同步到了:/opt/logs/nginx_skynet/2018-07-31/nginx_skynet.2018-07-31-09.log