Apache日志配置远程Syslog采集

参考:http://www.biglog.cn

1、安装Apache(httpd)

[root@node2 ~]# yum install -y httpd
[root@node2 ~]# systemctl start httpd

查看httpd日志

[root@node2 ~]# cd /var/log/httpd
[root@node2 httpd]# ll
total 8
-rw-r--r-- 1 root root 1334 Apr 26 16:03 access_log
-rw-r--r-- 1 root root 1976 Apr 26 16:03 error_log
[root@node2 httpd]# 

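2、初始化日志采集环境(创建 rsyslog 的工作目录 /var/spool/rsyslog;该目录须建在运行下文采集配置的主机上,即 Apache 所在的采集端。下面提示符中的主机名与其他步骤不一致,请以采集端主机为准)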

[root@bigdata05-test ~]# mkdir -v /var/spool/rsyslog
mkdir: created directory ‘/var/spool/rsyslog’
[root@bigdata05-test ~]#

3、创建Apache日志文件采集配置

(1)/etc/rsyslog.conf配置文件默认已经开启包含 /etc/rsyslog.d/目录下所有conf类型的文件

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

(2)新建Rsyslog的子配置文件

[root@node2 ~]# vim /etc/rsyslog.d/apache-biglog.conf
[root@node2 ~]# cat /etc/rsyslog.d/apache-biglog.conf
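# rsyslog drop-in (legacy $-directive syntax): tail the Apache log files with
# the imfile module and forward each line to a remote syslog receiver.
$ModLoad imfile
# Poll the monitored files for new lines every 10 seconds.
$InputFilePollInterval 10
# imfile keeps its state files (read offsets) here; the directory must exist
# before rsyslog is restarted.
$WorkDirectory /var/spool/rsyslog
# Global setting: rsyslogd drops its group to "adm" after startup.
# NOTE(review): confirm that the process can still read /var/log/httpd/* and
# write to /var/spool/rsyslog after the drop on your system.
$PrivDropToGroup adm

## Path of the Apache access log; adjust to your installation.
## The directory listing earlier on this page shows access_log / error_log
## (underscore, not ".log"). imfile does not pick up a file whose name does
## not match, so the names below follow that listing.
$InputFileName /var/log/httpd/access_log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
$InputFileSeverity info
# Persist the read offset every 25000 lines so a restart does not re-send
# or skip large parts of the file.
$InputFilePersistStateInterval 25000
$InputRunFileMonitor

## Path of the Apache error log; adjust to your installation.
$InputFileName /var/log/httpd/error_log
$InputFileTag apache-error:
$InputFileStateFile stat-apache-error
$InputFileSeverity error
$InputFilePersistStateInterval 25000
$InputRunFileMonitor

## Output template: forward only the message text (the original Apache line).
## No syslog header (priority, timestamp, host, tag) is sent with it, so the
## receiver has to parse the raw Apache line itself.
$template BiglogFormatApache,"%msg%\n"

## Address of the receiving syslog server; adjust to your environment.
## A single "@" means UDP: no delivery guarantee, no encryption and no sender
## authentication. Access logs can carry client addresses and request URLs,
## so outside a lab prefer TCP ("@@") with TLS, or RELP, and restrict which
## hosts may send to the receiver's port.
## "~" discards the message after forwarding so it is not also written to the
## local log files; it is the legacy spelling of the newer "stop" action.
if $programname == 'apache-access' then @node1:514;BiglogFormatApache
if $programname == 'apache-access' then ~
if $programname == 'apache-error' then @node1:514;BiglogFormatApache
if $programname == 'apache-error' then ~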
[root@node2 ~]# 

4、重启Rsyslog服务,日志采集开始工作

[root@node2 ~]# systemctl restart rsyslog

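发现logstash端node1输出如下信息(注意:下面示例记录的 program 字段均为 polkitd、systemd、httpd,是重启 httpd 时产生的系统日志,其中没有带 apache-access / apache-error 标签的记录;验证采集是否生效时,应访问一次站点,并确认接收端出现对应的访问日志内容):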

{
           "message" => "Registered Authentication Agent for unix-process:7455:60321456 (system bus name :1.2588 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.utf8)\n",
          "severity" => 5,
          "@version" => "1",
    "facility_label" => "security/authorization",
        "@timestamp" => 2018-04-26T08:12:46.000Z,
    "severity_label" => "Notice",
           "program" => "polkitd",
          "priority" => 85,
         "timestamp" => "Apr 26 16:12:46",
         "logsource" => "node2",
              "host" => "10.17.12.157",
               "pid" => "762",
              "type" => "rsyslog",
          "facility" => 10
}
{
           "message" => "Stopping The Apache HTTP Server...\n",
          "severity" => 6,
          "@version" => "1",
    "facility_label" => "system",
        "@timestamp" => 2018-04-26T08:12:46.000Z,
    "severity_label" => "Informational",
           "program" => "systemd",
          "priority" => 30,
         "timestamp" => "Apr 26 16:12:46",
         "logsource" => "node2",
              "host" => "10.17.12.157",
              "type" => "rsyslog",
          "facility" => 3
}
{
           "message" => "Starting The Apache HTTP Server...\n",
          "severity" => 6,
          "@version" => "1",
    "facility_label" => "system",
        "@timestamp" => 2018-04-26T08:12:47.000Z,
    "severity_label" => "Informational",
           "program" => "systemd",
          "priority" => 30,
         "timestamp" => "Apr 26 16:12:47",
         "logsource" => "node2",
              "host" => "10.17.12.157",
              "type" => "rsyslog",
          "facility" => 3
}
{
           "message" => "AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.17.12.157. Set the 'ServerName' directive globally to suppress this message\n",
          "severity" => 6,
          "@version" => "1",
    "facility_label" => "system",
        "@timestamp" => 2018-04-26T08:12:47.000Z,
    "severity_label" => "Informational",
           "program" => "httpd",
          "priority" => 30,
         "timestamp" => "Apr 26 16:12:47",
         "logsource" => "node2",
              "host" => "10.17.12.157",
              "type" => "rsyslog",
          "facility" => 3
}
{
           "message" => "Started The Apache HTTP Server.\n",
          "severity" => 6,
          "@version" => "1",
    "facility_label" => "system",
        "@timestamp" => 2018-04-26T08:12:47.000Z,
    "severity_label" => "Informational",
           "program" => "systemd",
          "priority" => 30,
         "timestamp" => "Apr 26 16:12:47",
         "logsource" => "node2",
              "host" => "10.17.12.157",
              "type" => "rsyslog",
          "facility" => 3
}
{
           "message" => "Unregistered Authentication Agent for unix-process:7455:60321456 (system bus name :1.2588, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.utf8) (disconnected from bus)\n",
          "severity" => 5,
          "@version" => "1",
    "facility_label" => "security/authorization",
        "@timestamp" => 2018-04-26T08:12:47.000Z,
    "severity_label" => "Notice",
           "program" => "polkitd",
          "priority" => 85,
         "timestamp" => "Apr 26 16:12:47",
         "logsource" => "node2",
              "host" => "10.17.12.157",
               "pid" => "762",
              "type" => "rsyslog",
          "facility" => 10
}