rsyslog服务测试

rsyslog

###severity

<pre> Numerical Code Severity Description 0 emerg system is unusable 1 alert action must be taken immediately 2 crit critical conditions 3 error error conditions 4 warning warning conditions 5 notice normal but significant condition 6 info informational messages 7 debug debug-level messages </pre>

###facility

<pre> Numerical Code Facility Description 0 kern kernel messages 1 user user-level messages 2 mail mail system 3 daemon system daemons 4 auth security/authorization messages 5 syslog messages generated internally by syslogd 6 lpr line printer subsystem 7 news network news subsystem 8 uucp UUCP subsystem 9 cron clock daemon 10 security security/authorization messages 11 ftp FTP daemon 12 ntp NTP subsystem 13 logaudit log audit 14 logalert log alert 15 clock clock daemon (note 2) 16 local0 local use 0 (local0) 17 local1 local use 1 (local1) 18 local2 local use 2 (local2) 19 local3 local use 3 (local3) 20 local4 local use 4 (local4) 21 local5 local use 5 (local5) 22 local6 local use 6 (local6) 23 local7 local use 7 (local7) </pre>

<pre> . ：代表『比后面还要高的等级 (含该等级) 都被记录下来』的意思 .=：代表所需要的等级就是后面接的等级而已， 其他的不要！ .!：代表不等於， 亦即是除了该等级外的其他等级都记录。 </pre>

例如：

<pre> mail.info　　　/var/log/maillog </pre>

当我们的等级使用 info 时，那么『任何大于 info 等级(含 info 这个等级)之上的信息， 都会被写入到后面接的文件之中！

<pre> mail.!info　　　/var/log/maillog </pre>

这样任何除了info 等级以外的信息， 都会被写入到后面接的文件之中！

rsyslog.conf

####$Modload imuxsock

imuxsock能够使rsyslog从/dev/log中获取日志,获得的日志是本地系统日志

<pre> [root@aliyun-duke ~]# netstat -anp | grep /dev unix 3 [ ] DGRAM 246496 5969/rsyslogd /dev/log </pre>

$ModLoad imklog

klogd has (finally) been replaced by a loadable input module. To enable klogd functionality, do $ModLoad imklog imklog使rsyslog获得kernel的日志，和demsg获得日志是一样的，根据在配置文件中设定的规则输出到指定的地方中去，例如

<pre> kern.* /var/log/kern.log </pre>

####$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat 传统格式，例子如下：

<pre> Dec 18 17:16:58 aliyun-duke logdemo[16898]: This is a logdemo test for syslog </pre>

00-config.conf

$ModLoad immark # provides --MARK-- message capability

This specifies when mark messages are to be written to output modules

####$MarkMessagePeriod 60 设置为60，每分钟产生一个mark

<pre> 2013-12-18T17:20:56.050207+08:00 aliyun-duke rsyslogd: -- MARK -- 2013-12-18T17:21:56.109412+08:00 aliyun-duke rsyslogd: -- MARK -- 2013-12-18T17:22:56.169502+08:00 aliyun-duke rsyslogd: -- MARK -- </pre>

$FileOwner root

$FileGroup adm

$FileCreateMode 0641

DirCreateMode 0755

Umask 0062

<pre> [root@aliyun-duke ~]# ll /var/log/everything.log -rw------x 1 root adm 301 Dec 15 11:27 /var/log/everything.log </pre>

如果没有umask，文件的权限应该是0641，现在是0601 文件是默认没有可运行(x)权限，也就是最大为666分，umask的分数是“该默认值减去的权限”，所以umask是0062时，创建的文件的权限为0604

创建文件的公式为：(666-umask)&FileCreateMode = (666-062) & (641) = 601 ，即为rw------x这样的权限

umask 起决定性作用，所以一般可以吧umask设置成 0000，再设置FileCreateMode和DirCreateMode

<pre> $umask 0000 # make sure nothing interferes with the following definitions *.* /var/log/file-with-0644-default $FileCreateMode 0600 *.* /var/log/file-with-0600 $FileCreateMode 0644 *.* /var/log/file-with-0644 </pre>

####$ActionFileDefaultTemplate RSYSLOG_FileFormat rsyslog的新的格式，例子如下:

<pre> 2013-12-14T22:29:50.926770+08:00 aliyun-duke a.out[7757]: test message nbr 196, severity=6 2013-12-14T22:29:50.926796+08:00 aliyun-duke a.out[7757]: test message nbr 197, severity=6 2013-12-14T22:29:50.926849+08:00 aliyun-duke a.out[7757]: test message nbr 198, severity=6 2013-12-14T22:29:50.926902+08:00 aliyun-duke a.out[7757]: test message nbr 199, severity=6 </pre>

01-mysql.conf

<pre> $WorkDirectory /var/spool/rsyslog $ActionQueueType LinkedList # use asynchronous processing $ActionQueueFileName dbq # set file name, also enables disk mode $ActionResumeRetryCount -1 # infinite retries on insert failure </pre>

必须要设置workdirectory，存放队列文件

FixedArray mode和LinkedList mode两种是内存队列，区别是前者是预分配队列长度，后者是动态分配，如果你的系统日志流量比较平稳，可以使用预分配队列，如果日志属于突发型，可以使用动态队列

如果数据库不可用时，日志会从新尝试直到数据库可以使用时。 数据库不可用或者内存不够用时，产生队列文件。写进数据库后/var/spool/rsyslog中的队列文件消失

下面是写入数据库的配置：

新的格式：

<pre> $ModLoad ommysql *.* action(type="ommysql" server="mysqlserver.example.com" serverport="1234" db="syslog_db" uid="user" pwd="pwd") </pre>

老的格式：

<pre> $ModLoad ommysql $ActionOmmysqlServerPort 1234 # use non-standard port *.*      :ommysql:mysqlserver.example.com,syslog_db,user,pwd </pre>

可以参考 http://wiki.rsyslog.com/index.php/Rsyslog_v7_configuration_example_(with_mysql_or_mongodb)

10-jsl.conf

RepeatedMsgReduction on

This directive specifies whether or not repeated messages should be reduced (this is the "Last line repeated n times" feature). If set to on, repeated messages are reduced. If set to off, every message is logged.

发送200条同样的日志，例子如下：

<pre> 2013-12-14T22:50:48.063767+08:00 aliyun-duke syslog_call_repeat: test message nbr 0, severity=6 2013-12-14T22:50:48.071436+08:00 syslog_call_repeat: last message repeated 199 times </pre>

template

<pre> $template log_template,"%timereported:::date-rfc3339% %hostname%(%fromhost-ip%) %syslogfacility-text%.%syslogseverity-text% %syslogtag% %msg:::drop-last-lf%\n" </pre>

Syslog message properties are used inside templates.The full syntax is as follows:

%propname:fromChar:toChar:options:fieldname%

• propname

<pre> msg the MSG part of the message (aka "the message" ;) hostname hostname from the message fromhost-ip The same as fromhost, but alsways as an IP address. Local inputs (like imklog) use 127.0.0.1 in this property syslogtag TAG from the message syslogfacility-text the facility from the message - in text form syslogseverity-text severity from the message - in text form timereported timestamp from the message. Resolution depends on what was provided in the message (in most cases, only seconds) $year The current year (4-digit) $month The current month (2-digit) </pre>

• options

<pre> date-rfc3339 format as RFC 3339 date drop-last-lf The last LF in the message (if any), is dropped. Especially useful for PIX. </pre>

drop-last-lf

在咱们的系统中加与不加没有影响

Filter模块

Rsyslog可以使用syslog标准的过滤规则，同时自己添加了一些扩展。比如可以在输出中指定rsyslog自己的处理方式，可以指定输出template,方法是在规则后面添加template的名字，用分号隔开。

例如我们可以编写一个规则

<pre> Local3.* -/data0/logs/local3.log;t_msg #在这个输出中使用t_msg的模板 Local4.* -?f_local3_test;t_msg #问号表示要使用模板定义的动态路径 </pre>

除了syslog标准的规则，rsyslog的作者还自己开发了一个叫做rainerscript的脚本语言，来定义更复杂的过滤过则，rainerscript可以对属性进行startwith、contains、%（取余）等过滤规则，例如

<pre> If $pri-txt == local3.* and $msg contains “abc” then{ #pri为local3，且在消息中包含子串‘abc’ *.* -/data0/logs/local3.log;t_msg } </pre>

还有第三种方式是使用属性的表示方式，例如

<pre> :msg, regex, "^ [g-z]" /root/rsyslog_worker_dir/2000.log #以字母g到z开头的消息，注意msg开头有个空格 </pre>

$SystemLogRateLimitInterval 0 $SystemLogRateLimitBurst 0

<pre> $SystemLogRateLimitInterval 2 $SystemLogRateLimitBurst 50 This means in plain words, that rate limiting will take effect if more than 50 messages occur in 2 seconds. </pre>

<pre> Dec 14 22:02:36 aliyun-duke a.out[6927]: test message nbr 44, severity=6 Dec 14 22:02:36 aliyun-duke a.out[6927]: test message nbr 45, severity=6 Dec 14 22:02:36 aliyun-duke a.out[6927]: test message nbr 46, severity=6 Dec 14 22:02:36 aliyun-duke a.out[6927]: test message nbr 47, severity=6 Dec 14 22:02:36 aliyun-duke a.out[6927]: test message nbr 48, severity=6 Dec 14 22:02:36 aliyun-duke a.out[6927]: test message nbr 49, severity=6 Dec 14 22:02:36 aliyun-duke rsyslogd-2177: imuxsock begins to drop messages from pid 6927 due to rate-limiting Dec 14 22:02:39 aliyun-duke rsyslogd-2177: imuxsock lost 133250 messages from pid 6927 due to rate-limiting Dec 14 22:02:39 aliyun-duke a.out[6927]: test message nbr 133300, severity=6 Dec 14 22:02:39 aliyun-duke a.out[6927]: test message nbr 133301, severity=6 </pre>

$IMUXSockRateLimitInterval 0 $IMUXSockRateLimitBurst 0

试了，设置这个没有起任何作用？？

<pre> $IMUXSockRateLimitInterval eq RateLimit.Interval [number] - specifies the rate-limiting interval in seconds. Default value is 0, which turns off rate limiting IMUXSockRateLimitBurst eq RateLimit.Burst [number] - specifies the rate-limiting burst in number of messages. Default is 200. </pre>

$ModLoad imrelp # needs to be done just once $InputRELPServerRun 514

Provides the ability to receive syslog messages via the reliable RELP protocol RELP 是 reliable event logging protocol的缩写，RELP是应用层的协议，使用command和response的机制保证日志不会丢失

协议具体内容请参考： http://www.rsyslog.com/doc/relp.html

服务端配置：

<pre> $ModLoad imrelp # Load the input module ('im') 'relp' $InputRELPServerRun 20514 # Set the port to 20514 </pre>

可以/etc/init.d/rsyslog restart后，再netstat -nlp | grep 20514看一下

<pre> [root@aliyun-duke ~]# netstat -nlp | grep 20514 tcp 0 0 0.0.0.0:20514 0.0.0.0:* LISTEN 1795/rsyslogd tcp 0 0 :::20514 :::* LISTEN 1795/rsyslogd </pre>

客户端配置：

<pre> $ModLoad omrelp *.* :omrelp:loghost.example.com:20514 </pre>

也可以使用

<pre> $ModLoad omrelp $ActionQueueType LinkedList # use asynchronous processing $ActionQueueFileName srvrfwd # set file name, also enables disk mode $ActionResumeRetryCount -1 # infinite retries on insert failure $ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down *.* :omrelp:169.254.1.1:20514 </pre>

使用logger -t TEST "This is a test message"就可以进行测试

~

Using negation can be useful if you would like to do some generic processing but exclude some specific events. You can use the discard action in conjunction with that. A sample would be:

<pre> *.* /var/log/allmsgs-including-informational.log :msg, contains, "informational" ~ *.* /var/log/allmsgs-but-informational.log </pre>

omusrmsg

The omusrmsg plug-in provides the core functionality for logging output to a logged on user. It is a built-in module that does not need to be loaded.

<pre> *.=crit :omusrmsg:exampleuser & root </pre>

<pre> [root@aliyun-duke mysql]# /root/work/a.out -s 0 -m 2 Message from syslogd@aliyun-duke at Dec 16 18:19:08 ... a.out: test message nbr 0, severity=0 Message from syslogd@aliyun-duke at Dec 16 18:19:08 ... a.out: test message nbr 1, severity=0 </pre>

interprets and check the configuration file

<pre> /path/to/rsyslogd -f /path/to/config-file -N 1 </pre>

###参考

All configuration directives need to be specified on a line by their own and must start with a dollar-sign. Note that those starting with the word "Action" modify the next action and should be specified in front of it.

转载于:https://my.oschina.net/u/1432936/blog/189520