rsyslog
### severity
<pre>
Numerical Code  Severity  Description
0               emerg     system is unusable
1               alert     action must be taken immediately
2               crit      critical conditions
3               error     error conditions
4               warning   warning conditions
5               notice    normal but significant condition
6               info      informational messages
7               debug     debug-level messages
</pre>
### facility
<pre>
Numerical Code  Facility  Description
0               kern      kernel messages
1               user      user-level messages
2               mail      mail system
3               daemon    system daemons
4               auth      security/authorization messages
5               syslog    messages generated internally by syslogd
6               lpr       line printer subsystem
7               news      network news subsystem
8               uucp      UUCP subsystem
9               cron      clock daemon
10              security  security/authorization messages
11              ftp       FTP daemon
12              ntp       NTP subsystem
13              logaudit  log audit
14              logalert  log alert
15              clock     clock daemon (note 2)
16              local0    local use 0 (local0)
17              local1    local use 1 (local1)
18              local2    local use 2 (local2)
19              local3    local use 3 (local3)
20              local4    local use 4 (local4)
21              local5    local use 5 (local5)
22              local6    local use 6 (local6)
23              local7    local use 7 (local7)
</pre>
<pre>
.   : log the named severity and every more urgent one (the named severity included)
.=  : log only the named severity, nothing else
.!  : "not equal": log every severity other than the named one
</pre>
For example:
<pre>
mail.info    /var/log/maillog
</pre>
With severity info, every message at severity info or more urgent (info included) is written to the file that follows.
<pre>
mail.!info    /var/log/maillog
</pre>
This way every message except those at severity info is written to the file that follows.
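As an added example (not part of the original page or of rsyslog), the following Python decodes the numeric PRI of a raw syslog line back into the facility and severity names from the two tables above and evaluates a selector line against it. One caveat worth knowing from syslog.conf(5) and rsyslog's legacy filter parser: the `!` forms remove severities from whatever earlier selectors on the same line added, so they are normally combined as `mail.*;mail.!=info` (everything except info) or `mail.*;mail.!info` (everything less urgent than info). The sample lines in the block are constructed.

```python
import re

# Numeric codes from the severity and facility tables above.
SEVERITIES = ["emerg", "alert", "crit", "error", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "security", "ftp", "ntp", "logaudit", "logalert",
              "clock", "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
# Alternative spellings syslog.conf(5) accepts for the same severities.
ALIASES = {"panic": "emerg", "err": "error", "warn": "warning"}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) names for the <PRI> prefix of a raw syslog line.
    PRI = facility * 8 + severity, so the low three bits hold the severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix in %r" % line)
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI %d out of range" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def selector_mask(selectors):
    """Map each facility to the set of severities a selector line such as
    'mail.info', 'mail.=info', '*.*;mail.!=info' or 'kern,auth.crit' will log.
    Selectors are applied left to right as syslog.conf(5) describes: plain 'sev'
    adds sev and everything more urgent, '=sev' adds only sev, and the '!' forms
    remove the same sets from what earlier selectors added."""
    mask = {f: set() for f in FACILITIES}
    for sel in selectors.split(";"):
        fac_part, sev_part = sel.strip().split(".", 1)
        facs = FACILITIES if fac_part == "*" else fac_part.split(",")
        remove = sev_part.startswith("!")
        sev_part = sev_part.lstrip("!")
        single = sev_part.startswith("=")
        sev_part = sev_part.lstrip("=")
        sev_part = ALIASES.get(sev_part, sev_part)
        if sev_part == "*":
            sevs = set(SEVERITIES)
        else:
            code = SEVERITIES.index(sev_part)
            sevs = {sev_part} if single else set(SEVERITIES[:code + 1])
        for f in facs:
            if f not in mask:
                raise ValueError("unknown facility %r" % f)
            if remove:
                mask[f] -= sevs
            else:
                mask[f] |= sevs
    return mask


def selector_matches(selectors, line):
    """True if a rule starting with `selectors` would act on the raw line."""
    facility, severity = decode_pri(line)
    return severity in selector_mask(selectors)[facility]


if __name__ == "__main__":
    # Constructed sample lines: mail.info (2*8+6 = 22) and mail.crit (2*8+2 = 18).
    info_line = "<22>Dec 18 17:16:58 aliyun-duke postfix[101]: delivered"
    crit_line = "<18>Dec 18 17:16:59 aliyun-duke postfix[101]: queue full"
    for rule in ("mail.info", "mail.=info", "mail.*;mail.!=info", "mail.*;mail.!info"):
        print("%-22s info=%-5s crit=%s" % (rule, selector_matches(rule, info_line),
                                             selector_matches(rule, crit_line)))
```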
rsyslog.conf
#### $ModLoad imuxsock
imuxsock lets rsyslog read messages from /dev/log; these are the local system's log messages.
<pre>
[root@aliyun-duke ~]# netstat -anp | grep /dev
unix  3      [ ]         DGRAM                    246496 5969/rsyslogd       /dev/log
</pre>
#### $ModLoad imklog
"klogd has (finally) been replaced by a loadable input module. To enable klogd functionality, do $ModLoad imklog". imklog gives rsyslog the kernel log, the same messages dmesg shows; they are written to whatever destination the rules in the configuration file select, for example:
<pre>
kern.*    /var/log/kern.log
</pre>
#### $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
The traditional format; an example:
<pre> Dec 18 17:16:58 aliyun-duke logdemo[16898]: This is a logdemo test for syslog </pre>
00-config.conf
<pre>
$ModLoad immark    # provides --MARK-- message capability
</pre>
This specifies when mark messages are to be written to output modules
#### $MarkMessagePeriod 60
Set to 60, so a mark message is produced every minute:
<pre>
2013-12-18T17:20:56.050207+08:00 aliyun-duke rsyslogd: -- MARK --
2013-12-18T17:21:56.109412+08:00 aliyun-duke rsyslogd: -- MARK --
2013-12-18T17:22:56.169502+08:00 aliyun-duke rsyslogd: -- MARK --
</pre>
<pre>
$FileOwner root
$FileGroup adm
$FileCreateMode 0641
$DirCreateMode 0755
$Umask 0062
</pre>
<pre>
[root@aliyun-duke ~]# ll /var/log/everything.log
-rw------x 1 root adm 301 Dec 15 11:27 /var/log/everything.log
</pre>
Without the umask the file's permissions would be 0641; here they are 0601. A file is created without execute (x) permission by default, so the maximum is 666; the umask is the set of bits "subtracted from that default", so with a umask of 0062 a created file gets 0604.
The formula for a created file is: (666 - umask) & FileCreateMode = (666 - 062) & (641) = 601, i.e. permissions of rw------x.
The umask has the final say, so it is common to set the umask to 0000 and then set FileCreateMode and DirCreateMode:
<pre>
$umask 0000    # make sure nothing interferes with the following definitions
*.*    /var/log/file-with-0644-default
$FileCreateMode 0600
*.*    /var/log/file-with-0600
$FileCreateMode 0644
*.*    /var/log/file-with-0644
</pre>
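The permission bits the kernel actually gives a new file are FileCreateMode & ~umask, because open(2) and mkdir(2) clear the umask bits from the requested mode: 0641 & ~0062 = 0601, which is the rw------x shown in the ll output above. The following added example (not from this page or from rsyslog) computes that for the directives discussed here and reproduces it with a real open() under a temporary umask; the file name is constructed.

```python
import os
import stat
import tempfile


def effective_mode(create_mode, umask):
    """Permission bits a new file or directory ends up with: the kernel applies
    mode & ~umask to the mode passed to open(2)/mkdir(2), which is what rsyslog
    passes from $FileCreateMode / $DirCreateMode."""
    return create_mode & ~umask & 0o777


def mode_string(mode):
    """Render permission bits the way ls -l does, e.g. 0o601 -> 'rw------x'."""
    return stat.filemode(stat.S_IFREG | mode)[1:]


def create_like_omfile(path, create_mode, umask):
    """Create `path` with O_CREAT and `create_mode` while the process umask is `umask`
    (what omfile does with $FileCreateMode), restore the previous umask, and return
    the permission bits the file actually received."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, create_mode)
        os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def page_examples():
    """The combinations discussed above: the 0641/0062 case and the $umask 0000 block."""
    return {
        "FileCreateMode 0641, umask 0062": mode_string(effective_mode(0o641, 0o062)),
        "DirCreateMode 0755, umask 0062": mode_string(effective_mode(0o755, 0o062)),
        "FileCreateMode 0644, umask 0000": mode_string(effective_mode(0o644, 0o000)),
        "FileCreateMode 0600, umask 0000": mode_string(effective_mode(0o600, 0o000)),
    }


if __name__ == "__main__":
    for label, perms in page_examples().items():
        print("%-32s -> %s" % (label, perms))
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "everything.log")   # constructed path
        got = create_like_omfile(path, 0o641, 0o062)
        print("open() with 0641 under umask 0062 -> %04o %s" % (got, mode_string(got)))
```

Because the directory mode goes through the same rule, a umask of 0062 also turns $DirCreateMode 0755 into 0715, which is why the page recommends $umask 0000 when the create modes are meant literally.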
#### $ActionFileDefaultTemplate RSYSLOG_FileFormat
rsyslog's newer format; an example:
<pre>
2013-12-14T22:29:50.926770+08:00 aliyun-duke a.out[7757]: test message nbr 196, severity=6
2013-12-14T22:29:50.926796+08:00 aliyun-duke a.out[7757]: test message nbr 197, severity=6
2013-12-14T22:29:50.926849+08:00 aliyun-duke a.out[7757]: test message nbr 198, severity=6
2013-12-14T22:29:50.926902+08:00 aliyun-duke a.out[7757]: test message nbr 199, severity=6
</pre>
01-mysql.conf
<pre>
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList      # use asynchronous processing
$ActionQueueFileName dbq         # set file name, also enables disk mode
$ActionResumeRetryCount -1       # infinite retries on insert failure
</pre>
$WorkDirectory must be set; it is where the queue files are stored.
FixedArray mode and LinkedList mode are both in-memory queues; the difference is that the former preallocates the queue while the latter allocates it dynamically. If your log volume is steady, use the preallocated queue; if it is bursty, use the dynamic one.
If the database is unavailable, the messages are retried until it becomes available again. When the database is unavailable or memory runs short, queue files are created; once the messages have been written to the database, the queue files in /var/spool/rsyslog disappear.
The configuration for writing to the database follows.
New format:
<pre>
$ModLoad ommysql
*.* action(type="ommysql" server="mysqlserver.example.com" serverport="1234" db="syslog_db" uid="user" pwd="pwd")
</pre>
Old format:
<pre>
$ModLoad ommysql
$ActionOmmysqlServerPort 1234    # use non-standard port
*.* :ommysql:mysqlserver.example.com,syslog_db,user,pwd
</pre>
See http://wiki.rsyslog.com/index.php/Rsyslog_v7_configuration_example_(with_mysql_or_mongodb) for reference.
10-jsl.conf
<pre>
$RepeatedMsgReduction on
</pre>
This directive specifies whether or not repeated messages should be reduced (this is the "Last line repeated n times" feature). If set to on, repeated messages are reduced. If set to off, every message is logged.
Sending 200 identical messages gives, for example:
<pre>
2013-12-14T22:50:48.063767+08:00 aliyun-duke syslog_call_repeat: test message nbr 0, severity=6
2013-12-14T22:50:48.071436+08:00 syslog_call_repeat: last message repeated 199 times
</pre>
template
<pre> $template log_template,"%timereported:::date-rfc3339% %hostname%(%fromhost-ip%) %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg:::drop-last-lf%\n" </pre>
Syslog message properties are used inside templates. The full syntax is as follows:
<pre>
%propname:fromChar:toChar:options:fieldname%
</pre>
- propname
<pre>
msg                   the MSG part of the message (aka "the message" ;)
hostname              hostname from the message
fromhost-ip           the same as fromhost, but always as an IP address. Local inputs (like imklog) use 127.0.0.1 in this property
syslogtag             TAG from the message
syslogfacility-text   the facility from the message - in text form
syslogseverity-text   severity from the message - in text form
timereported          timestamp from the message. Resolution depends on what was provided in the message (in most cases, only seconds)
$year                 the current year (4-digit)
$month                the current month (2-digit)
</pre>
- options
<pre>
date-rfc3339   format as RFC 3339 date
drop-last-lf   the last LF in the message (if any) is dropped. Especially useful for PIX.
</pre>
drop-last-lf
On our system it made no difference whether this option was present or not.
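To make the property-replacer syntax concrete, here is an added Python renderer (not code from the page or from rsyslog) for the subset listed above: named properties, the 1-based, inclusive fromChar:toChar substring, and the date-rfc3339 and drop-last-lf options, with the template's `\n` escape turned into a newline. It assumes options are applied before the substring is taken, which is what makes the common `%timereported:1:10:date-rfc3339%` idiom yield just the date. The property values are constructed for one local message.

```python
import re
from datetime import datetime, timedelta, timezone

# %propname:fromChar:toChar:options% (the subset of the replacer syntax listed above)
PROP_RE = re.compile(r"%([^%:]+)(?::([^:%]*):([^:%]*)(?::([^:%]*))?)?%")


def apply_option(value, opt):
    """Apply one property-replacer option to a property value."""
    if opt == "date-rfc3339":
        return value.isoformat()          # e.g. 2013-12-18T17:20:56.050207+08:00
    if opt == "drop-last-lf":
        return value[:-1] if value.endswith("\n") else value
    raise ValueError("unsupported option %r" % opt)


def render_template(template, props):
    """Expand every %...% placeholder of a legacy $template string against props.
    Escapes are processed on the template text first (so a backslash-n inside a
    message body is left alone), then options, then the fromChar:toChar substring."""
    template = template.replace("\\n", "\n")

    def expand(match):
        name, from_c, to_c, opts = match.groups()
        if name not in props:
            raise KeyError("unknown property %r" % name)
        value = props[name]
        for opt in (opts or "").split(","):
            if opt:
                value = apply_option(value, opt)
        value = str(value)
        if from_c:
            value = value[int(from_c) - 1:int(to_c)]
        return value

    return PROP_RE.sub(expand, template)


# The log_template from this page as a Python string (\\n is the template's \n escape).
LOG_TEMPLATE = ("%timereported:::date-rfc3339% %hostname%(%fromhost-ip%) "
                "%syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg:::drop-last-lf%\\n")

# Constructed properties for one message received on the local socket.
SAMPLE_PROPS = {
    "timereported": datetime(2013, 12, 18, 17, 20, 56, 50207,
                             tzinfo=timezone(timedelta(hours=8))),
    "hostname": "aliyun-duke",
    "fromhost-ip": "127.0.0.1",
    "syslogfacility-text": "local3",
    "syslogseverity-text": "info",
    "syslogtag": "logdemo[16898]:",
    "msg": "This is a logdemo test for syslog\n",   # trailing LF, as some clients send
    "$year": "2013",
    "$month": "12",
}


def render_sample():
    """Render the page's template against the constructed properties."""
    return render_template(LOG_TEMPLATE, SAMPLE_PROPS)


if __name__ == "__main__":
    print(render_sample(), end="")
    print(render_template("%timereported:1:10:date-rfc3339% %$year%-%$month% %msg:1:4%",
                          SAMPLE_PROPS))
```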
Filter module
Rsyslog supports the standard syslog filter rules and adds some extensions of its own. For instance, rsyslog-specific handling can be requested in the output part, and an output template can be chosen by appending the template's name to the rule, separated by a semicolon.
For example, we can write a rule:
<pre>
local3.*    -/data0/logs/local3.log;t_msg    # use the t_msg template for this output
local4.*    -?f_local3_test;t_msg            # the question mark means a dynamic path defined by a template
</pre>
Besides the standard syslog rules, rsyslog's author also developed a scripting language called RainerScript for defining more complex filter rules. RainerScript can filter on properties with startswith, contains, % (modulo) and similar operators, for example:
<pre>
# PRI is local3 and the message contains the substring 'abc'
if $pri-text startswith 'local3' and $msg contains 'abc' then {
    *.*    -/data0/logs/local3.log;t_msg
}
</pre>
A third way is the property-based filter syntax, for example:
<pre>
:msg, regex, "^ [g-z]"    /root/rsyslog_worker_dir/2000.log    # messages beginning with a letter g to z; note that msg starts with a space
</pre>
<pre>
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
</pre>
<pre>
$SystemLogRateLimitInterval 2
$SystemLogRateLimitBurst 50
</pre>
This means in plain words, that rate limiting will take effect if more than 50 messages occur in 2 seconds.
<pre>
Dec 14 22:02:36 aliyun-duke a.out[6927]: test message nbr 44, severity=6
Dec 14 22:02:36 aliyun-duke a.out[6927]: test message nbr 45, severity=6
Dec 14 22:02:36 aliyun-duke a.out[6927]: test message nbr 46, severity=6
Dec 14 22:02:36 aliyun-duke a.out[6927]: test message nbr 47, severity=6
Dec 14 22:02:36 aliyun-duke a.out[6927]: test message nbr 48, severity=6
Dec 14 22:02:36 aliyun-duke a.out[6927]: test message nbr 49, severity=6
Dec 14 22:02:36 aliyun-duke rsyslogd-2177: imuxsock begins to drop messages from pid 6927 due to rate-limiting
Dec 14 22:02:39 aliyun-duke rsyslogd-2177: imuxsock lost 133250 messages from pid 6927 due to rate-limiting
Dec 14 22:02:39 aliyun-duke a.out[6927]: test message nbr 133300, severity=6
Dec 14 22:02:39 aliyun-duke a.out[6927]: test message nbr 133301, severity=6
</pre>
<pre>
$IMUXSockRateLimitInterval 0
$IMUXSockRateLimitBurst 0
</pre>
I tried it; setting this had no effect at all??
<pre>
$IMUXSockRateLimitInterval  eq  RateLimit.Interval [number] - specifies the rate-limiting interval in seconds. Default value is 0, which turns off rate limiting
$IMUXSockRateLimitBurst     eq  RateLimit.Burst [number] - specifies the rate-limiting burst in number of messages. Default is 200.
</pre>
<pre>
$ModLoad imrelp    # needs to be done just once
$InputRELPServerRun 514
</pre>
Provides the ability to receive syslog messages via the reliable RELP protocol. RELP stands for Reliable Event Logging Protocol; it is an application-layer protocol that uses a command/response mechanism to make sure log messages are not lost.
For the protocol details see: http://www.rsyslog.com/doc/relp.html
Server configuration:
<pre>
$ModLoad imrelp             # Load the input module ('im') 'relp'
$InputRELPServerRun 20514   # Set the port to 20514
</pre>
After /etc/init.d/rsyslog restart, check with netstat -nlp | grep 20514:
<pre>
[root@aliyun-duke ~]# netstat -nlp | grep 20514
tcp        0      0 0.0.0.0:20514      0.0.0.0:*       LISTEN      1795/rsyslogd
tcp        0      0 :::20514           :::*            LISTEN      1795/rsyslogd
</pre>
Client configuration:
<pre>
$ModLoad omrelp
*.* :omrelp:loghost.example.com:20514
</pre>
Alternatively:
<pre>
$ModLoad omrelp
$ActionQueueType LinkedList        # use asynchronous processing
$ActionQueueFileName srvrfwd       # set file name, also enables disk mode
$ActionResumeRetryCount -1         # infinite retries on insert failure
$ActionQueueSaveOnShutdown on      # save in-memory data if rsyslog shuts down
*.* :omrelp:169.254.1.1:20514
</pre>
Test it with logger -t TEST "This is a test message".
~
Using negation can be useful if you would like to do some generic processing but exclude some specific events. You can use the discard action in conjunction with that. A sample would be:
<pre>
*.*    /var/log/allmsgs-including-informational.log
:msg, contains, "informational"    ~
*.*    /var/log/allmsgs-but-informational.log
</pre>
omusrmsg
The omusrmsg plug-in provides the core functionality for logging output to a logged on user. It is a built-in module that does not need to be loaded.
<pre>
*.=crit    :omusrmsg:exampleuser
&          root
</pre>
<pre>
[root@aliyun-duke mysql]# /root/work/a.out -s 0 -m 2

Message from syslogd@aliyun-duke at Dec 16 18:19:08 ...
 a.out: test message nbr 0, severity=0

Message from syslogd@aliyun-duke at Dec 16 18:19:08 ...
 a.out: test message nbr 1, severity=0
</pre>
Interpret and check the configuration file without starting the daemon:
<pre>
/path/to/rsyslogd -f /path/to/config-file -N 1
</pre>
### References
All configuration directives need to be specified on a line by their own and must start with a dollar-sign. Note that those starting with the word "Action" modify the next action and should be specified in front of it.