一条日志的处理流程大概是这样的,如下
首先是
"日志的来源
source s_name { ... };"
然后是
"过滤规则
filter f_name { ... };"
再然后是 "消息链
log { source(s_name); filter(f_name); destination(d_name) };"
最后是 "目标动作 destination d_name { ... };"
最后是 "目标动作 destination d_name { ... };"
这样以来一条日志就根据你的意思来处理了,需要注意的是一条日志消息过了之后,会匹配定义的所有配置,并不是匹配到以后就不再往下匹配了.
@version:3.2 options { flush_lines (0); time_reopen (10); log_fifo_size (2048); long_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (yes); keep_hostname (yes); }; source s_sys { file ("/proc/kmsg" program_override("kernel: ")); unix-stream ("/dev/log"); internal(); }; source net { udp(ip(0.0.0.0),port(514)); }; destination net_log { file ("/mnt/logdata/net_log/net_log/${YEAR}.${MONTH}.${DAY}/${HOST}.log" ); }; destination d_mesg { file("/mnt/logdata/net_log/log/messages"); }; filter f_net_hill { match("item failed" value(MESSAGE)) or match("Backup to Master" value(MESSAGE)) or match("Master to Backup" value(MESSAGE)); }; filter f_iis_msg { match("OWA~false" value(MESSAGE)); }; filter f_sys_mail { message("正在离开群集"); }; destination mysql_net_hill { program("mysql -h10.2.178.20 -usyslog -pSysl0g2017@,./ itcc_zabbix < /opt/pipe/myhill.pipe"); pipe("/opt/pipe/myhill.pipe" template("INSERT INTO w_net_hill_logs (host, datetime, msg) VALUES ( '$HOST', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$MSG' );\n") template-escape(yes) ); }; log { source(mail_system);filter(f_iis_msg); destination(mysql_iis); }; 创建pipe目录 mkdir /opt/pipe 创建pipe文件 mkfifo /opt/pipe/myiis.pipe
pipe 文件参考以上
sql 方式写入,参考:
# MySQL define destination
destination d_mysql {
sql(
type
(mysql)
username(
"syslog"
)
password(
"Pass123!"
)
database(
"syslog"
)
host(
"172.16.1.20"
)
table(
"logs"
)
columns(
"host"
,
"facility"
,
"priority"
,
"level"
,
"tag"
,
"datetime"
,
"program"
,
"msg"
)
values(
"$HOST"
,
"$FACILITY"
,
"$PRIORITY"
,
"$LEVEL"
,
"$TAG"
,
"$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC"
,
"$PROGRAM"
,
"$MSG"
)
indexes(
"datetime"
,
"host"
)
);
};