rsyslog server configuration and syslog-ng client configuration

Rsyslogd is configured via the rsyslog.conf file, typically found in /etc. By default, rsyslogd reads the file /etc/rsyslog.conf. This can be changed by a command line option.

Note that configurations can be built interactively via the online rsyslog configuration builder tool.

Configuration file examples can be found in the rsyslog wiki. Also keep the rsyslog config snippets in mind. These are ready-to-use building blocks for rsyslog configuration.

There is also one sample file provided together with the documentation set. If you do not like to read, be sure to have at least a quick look at rsyslog-example.conf.

While rsyslogd contains enhancements over standard syslogd, efforts have been made to keep the configuration file as compatible as possible. While, for obvious reasons, enhanced features require a different config file syntax, rsyslogd should be able to work with a standard syslog.conf file. This is especially useful while you are migrating from syslogd to rsyslogd.



3.1. Procedure – Compiling syslog-ng from source

Purpose: 

To compile syslog-ng Open Source Edition (OSE) from the source code, complete the following steps. Alternatively, you can use precompiled binary packages on several platforms. For a list of third-party packages available for various Linux, UNIX, and other platforms, see the syslog-ng OSE third-party binaries page.

Steps: 

  1. Download the latest version of syslog-ng OSE from GitHub. The source code is available as a tar.gz archive file.

  2. Download the latest version of the EventLog library here or from GitHub.

  3. Install the following packages that are required to compile syslog-ng. These packages are available for most UNIX/Linux systems. Alternatively, you can also download the sources and compile them.

    • A version of the gcc C compiler that properly supports Thread Local Storage (TLS), for example, version 4.5 (at least version.

    • The GNU flex lexical analyser generator, available here.

    • The bison parser generator, available here.

    • The development files of the glib library, available here.

    • The syslog-ng OSE application now uses PCRE-type regular expressions by default. It requires the libpcre library package, available here.

    • If you want to use the Java-based modules of syslog-ng OSE (for example, the Elasticsearch, HDFS, or Kafka destinations), you must compile syslog-ng OSE with Java support.

      • Download and install the Java Runtime Environment (JRE), 1.7 (or newer). You can use OpenJDK or Oracle JDK, other implementations are not tested.

      • Install gradle version 2.2.1 or newer.

      • Set LD_LIBRARY_PATH to include the libjvm.so file, for example: LD_LIBRARY_PATH=/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/server:$LD_LIBRARY_PATH

        Note that many platforms have simplified links for Java libraries. Use the simplified path if available. If you use a startup script to start syslog-ng OSE, set LD_LIBRARY_PATH in the script as well.

      • If you are behind an HTTP proxy, create a gradle.properties under the modules/java-modules/ directory. Set the proxy parameters in the file. For details, see The Gradle User Guide.

  4. If you want to use the spoof-source function of syslog-ng, install the development files of the libnet library, available here.

  5. If you want to send e-mails using the smtp() destination, install the development files of the libesmtp library. This library is not needed if you use the --disable-smtp compile option.

  6. If you want to use the /etc/hosts.deny and /etc/hosts.allow for TCP access, install the development files of the libwrap (also called TCP-wrappers) library, available here.

  7. Uncompress the eventlog archive using the

    $ tar xvfz eventlog-x.x.x.x.tar.gz

    or the

    $ gunzip -c eventlog-x.x.x.x.tar.gz | tar xvf -

    command. A new directory containing the source code of eventlog will be created.

  8. By default, eventlog creates a file used by the syslog-ng configure script in the /usr/local/lib/pkgconfig directory. Issue the following command to add this directory to your PKG_CONFIG_PATH:

    PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH

  9. Enter the new directory and issue the following commands. (If the ./configure file does not exist, for example, because you cloned the repository from GitHub instead of using a release tarball, execute the ./autogen.sh command.)

    $ ./configure
    $ make
    $ make install

  10. Uncompress the syslog-ng archive using the

    tar xvfz syslog-ng-x.xx.tar.gz

    or the

    gunzip -c syslog-ng-x.xx.tar.gz | tar xvf -

    command. A new directory containing the source code of syslog-ng will be created.

  11. Enter the new directory and issue the following commands:

    $ ./configure
    $ make
    $ make install

    These commands will build syslog-ng using its default options.

    Note
    • On Solaris, use gmake (GNU make) instead of make.

    • To build syslog-ng OSE with less verbose output, use the make V=0 command. This results in shorter, less verbose output, making warnings and other anomalies easier to notice. Note that silent-rules support is only available in recent automake versions.

  12. If needed, pass compile-time options to the configure script to change how syslog-ng is compiled, using the following command syntax:

    $ ./configure --compile-time-option-name

    Note

    You can also use --disable options, to explicitly disable a feature and override autodetection. For example, to disable the TCP-wrapper support, use the --disable-tcp-wrapper option. For the list of available compiling options, see Section 3.2, Compiling options of syslog-ng OSE.

    Warning

    The default linking mode of syslog-ng is dynamic. This means that syslog-ng might not be able to start up if the /usr directory is on NFS. On platforms where syslog-ng is used as a system logger, the --enable-mixed-linking option is preferred.
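
A pre-flight check for the prerequisites in steps 3 to 8, to run before ./configure. This is an added example, not part of the syslog-ng documentation; the function names and the pkg-config module names (glib-2.0, libpcre, eventlog) are assumptions, and 4.5 is the example gcc version given in step 3.

```shell
#!/bin/sh
# Added example: verify build prerequisites before running ./configure.

# version_ge A B: succeed if dotted numeric version A >= B.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# missing_cmds NAME...: print each command that is not found on PATH.
missing_cmds() {
    for c in "$@"; do
        command -v "$c" >/dev/null 2>&1 || printf '%s\n' "$c"
    done
}

# missing_pc_modules DIR MODULE...: print each pkg-config module that cannot
# be resolved once DIR (eventlog's .pc directory, step 8) is on the path.
missing_pc_modules() {
    dir=$1; shift
    for m in "$@"; do
        PKG_CONFIG_PATH="$dir${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}" \
            pkg-config --exists "$m" 2>/dev/null || printf '%s\n' "$m"
    done
}

# preflight: report every unmet prerequisite; non-zero status if any is missing.
preflight() {
    rc=0
    for c in $(missing_cmds gcc flex bison make pkg-config); do
        echo "missing tool: $c"; rc=1
    done
    if command -v gcc >/dev/null 2>&1; then
        v=$(gcc -dumpversion)
        version_ge "$v" 4.5 || { echo "gcc $v is older than 4.5"; rc=1; }
    fi
    for m in $(missing_pc_modules /usr/local/lib/pkgconfig glib-2.0 libpcre eventlog); do
        echo "missing development files: $m"; rc=1
    done
    return $rc
}

preflight || echo "Resolve the items above before running ./configure."
```

Run it once before building eventlog (where eventlog itself is expected to be reported) and again before building syslog-ng.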

