#rsyslog overview:
rsyslog is a multi-threaded, highly concurrent, modular logging system. Its message flow is: input module -> preprocessing module -> main queue -> filter module -> action queue -> output module. The software architecture is shown in the figure below:
#Modules:
Input modules (imklog, imuxsock, imfile, imtcp, imudp, etc.) are the message sources;
The Queue module stores messages; unfiltered messages arriving from an input module are placed in the main queue;
The Filter module analyses and filters messages; rsyslog can filter on any part of a message;
Action queues: filtered messages are placed into separate action queues and then handed to the respective output modules;
Output modules (omfile, omprog, omtcp, ommysql, etc.) are the message destinations.
#Properties:
rsyslog predefines a set of properties that represent information in a message; they are used when defining output formats and dynamic file names. The most important ones include msg (the message body), hostname, pri (message severity and facility) and the time-related properties. Property names beginning with $ are variables obtained from the local system; names without $ are taken from the message itself.
The syntax of a property replacer is:
%propname:fromChar:toChar:options:fieldname%
#Templates:
Templates can be written in four forms: List, Subtree, String and Plugin. Each type defines the template content in a different way; the type does not affect how the plugins work, and choosing the right type makes the template easier to fit to the requirement.
The common string-template form is:
$template name,param[,options]
In rsyslog 7 and later the following (list) format is used:
template(name="scalaLogFormat" type="list") {
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" host=")
    property(name="hostname")
    constant(value=", relayHost=")
    property(name="fromhost")
    constant(value=", tag=")
    property(name="syslogtag")
    constant(value=", programName=")
    property(name="programname")
    constant(value=", procid=")
    property(name="procid")
    constant(value=", facility=")
    property(name="syslogfacility-text")
    constant(value=", sev=")
    property(name="syslogseverity-text")
    constant(value=", appName=")
    property(name="app-name")
    constant(value=", msg=")
    property(name="msg")
    constant(value="\n")
}
Example: $template uvpformat,"%TIMESTAMP:::date-rfc3339%|%syslogseverity-text%|%programname%[%PROCID%]|%msg%\n"
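To show what the property replacer actually does, here is a small Python interpreter for the %propname:fromChar:toChar:options% syntax, run over the uvpformat template above. It is an added example, not code from the page or from rsyslog itself, and it models only the subset used here (date-rfc3339, 1-based character ranges, lowercase/uppercase); the message fields and values are constructed sample data.

```python
import re
from datetime import datetime, timezone

# The page's own template string; "\n" is kept as the two-character escape,
# exactly as it appears in rsyslog.conf.
UVPFORMAT = "%TIMESTAMP:::date-rfc3339%|%syslogseverity-text%|%programname%[%PROCID%]|%msg%\\n"

# Constructed sample message (not a real log); rsyslog property names are case-insensitive.
SAMPLE_MSG = {
    "timestamp": datetime(2024, 5, 1, 12, 30, 45, tzinfo=timezone.utc),
    "syslogseverity-text": "err",
    "programname": "sshd",
    "procid": "4242",
    "msg": "Failed password for invalid user admin from 203.0.113.7",
}

_TOKEN = re.compile(r"%([^%]*)%")  # one %...% property-replacer token

def _render_property(spec: str, msg: dict) -> str:
    """Expand one 'name:fromChar:toChar:options' spec against msg."""
    parts = spec.split(":")
    name = parts[0].lower()
    from_char = parts[1] if len(parts) > 1 else ""
    to_char = parts[2] if len(parts) > 2 else ""
    options = parts[3] if len(parts) > 3 else ""
    value = msg.get(name, "")
    if isinstance(value, datetime):
        # date-rfc3339 is the only date option modelled here (simplified: no fractional seconds)
        value = value.isoformat() if "date-rfc3339" in options else value.strftime("%b %d %H:%M:%S")
    value = str(value)
    if from_char or to_char:
        # fromChar/toChar are 1-based, inclusive character positions
        start = int(from_char) - 1 if from_char else 0
        end = int(to_char) if to_char else len(value)
        value = value[start:end]
    if "lowercase" in options:
        value = value.lower()
    elif "uppercase" in options:
        value = value.upper()
    return value

def render_template(template: str, msg: dict) -> str:
    """Render a $template-style string: expand every %...% token, then unescape \\n."""
    out = _TOKEN.sub(lambda m: _render_property(m.group(1), msg), template)
    return out.replace("\\n", "\n")

if __name__ == "__main__":
    print(render_template(UVPFORMAT, SAMPLE_MSG), end="")
```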
#Parameters:
Rule (selector) format: facility.priority Target
facility: classifies log messages by function or program; a dedicated tool is responsible for recording each class;
Commonly used facilities:
lpr: printing-related logs
auth: authentication logs, e.g. those produced by PAM
user: user-level logs
cron: scheduled-task logs
kern: kernel logs
mail: mail logs
mark: marker messages; internal rsyslog information and time markers
news: news (NNTP) logs
uucp: file-copy logs (Unix-to-Unix Copy, communication between Unix hosts)
daemon: system service logs
authpriv: authorization logs, e.g. login verification for ssh, ftp and similar
security: security logs
local0-local7: custom log facilities (wildcards may be used when defining them)
Wildcards:
*: all
f1,f2,f3......: a list
!: negation
priority: the log level. The commonly used levels are listed from top to bottom in ascending order; the higher the level, the less is recorded:
debug: debugging
info: informational messages
notice: notice
warn,warning: warning
err,error: error
crit: critical
alert: conditions that must be corrected immediately
emerg,panic: kernel crash, kernel panic and similarly severe conditions
none: record nothing
Wildcards:
*: all log levels
none: no level at all, i.e. do not record any messages
Target: a file path
The following can be used:
/var/log/messages
Users: * (all users currently logged in)
A log server: @SERVER_IP
A pipe: | COMMAND
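A small Python model of the facility.priority selector logic described above, added here as an example (it is not from the original page or from rsyslog). It implements the classic sysklogd semantics that rsyslog keeps: '*' for all facilities, comma-separated facility lists, 'none' to exclude a facility, "this level or more severe" matching, and the rule that a later selector in a ';' list overrides an earlier one for the same facility. The facility and severity tables are the standard syslog ones.

```python
# Severities ordered from most to least severe: numeric code 0 (emerg) .. 7 (debug).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

# Facility names rsyslog accepts in a selector (standard syslog set).
FACILITIES = {
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
    "cron", "authpriv", "ftp", "ntp", "security", "console", "mark",
} | {f"local{i}" for i in range(8)}

def severity_code(name: str) -> int:
    """Numeric severity code; raises ValueError for an unknown level name."""
    return SEVERITIES.index(ALIASES.get(name, name))

def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """True if a message with (facility, severity) is selected by a selector
    such as '*.info;mail.none;authpriv.none;cron.none' or 'uucp,news.crit'."""
    if facility not in FACILITIES:
        raise ValueError(f"unknown facility: {facility!r}")
    matched = False  # the facility has not been mentioned by any selector part yet
    for part in selector.split(";"):
        fac_list, dot, prio = part.strip().rpartition(".")
        if not dot:
            raise ValueError(f"malformed selector part: {part!r}")
        facs = [f.strip() for f in fac_list.split(",")]
        # rsyslog rejects names outside the facility table (e.g. a program name)
        bad = [f for f in facs if f != "*" and f not in FACILITIES]
        if bad:
            raise ValueError(f"unknown facility in selector: {bad}")
        if "*" not in facs and facility not in facs:
            continue
        # the last selector part that names this facility wins
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        else:
            # 'info' means info or more severe, i.e. a numeric code <= that of info
            matched = severity_code(severity) <= severity_code(prio)
    return matched
```

A program name such as kube-apiserver is not a facility, so a selector like `kube-apiserver.none` is rejected; routing by program name is done with a property-based filter such as `if $programname == 'kube-apiserver' then { ... }` instead.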
#Configuration file structure:
MODULES #defines the modules
GLOBAL DIRECTIVES #defines the global environment
RULES #defines the facilities, levels and so on to be recorded
#Sample rsyslog configuration file: /etc/rsyslog.conf
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
$outchannel sysmonitor,/var/log/sysmonitor.log,1048576,/opt/esyslog/esyslog_log_rsyslog_dump.sh /var/log/sysmonitor.log logdump
$outchannel sysalarm,/var/log/sysalarm.log,1048576,/opt/esyslog/esyslog_log_rsyslog_dump.sh /var/log/sysalarm.log logdump
$outchannel yum,/var/log/yum.log.tmp,2097152,/opt/esyslog/esyslog_log_rsyslog_dump.sh /var/log/yum.log logdump /etc/logrotate.d/yum
$outchannel tuned,/var/log/tuned/tuned.log.tmp,2097152,/opt/esyslog/esyslog_log_rsyslog_dump.sh /var/log/tuned/tuned.log tuned /etc/logrotate.d/tuned
$outchannel audit,/var/log/audit/audit.log.tmp,2097152,/opt/esyslog/esyslog_log_rsyslog_dump.sh /var/log/audit/audit.log audit /etc/logrotate.d/audit
$outchannel aide,/var/log/aide/aide.log.tmp,2097152,/opt/esyslog/esyslog_log_rsyslog_dump.sh /var/log/aide/aide.log aide /etc/logrotate.d/aide
#### MODULES #### define the modules
# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
$imjournalRatelimitInterval 0
#### GLOBAL DIRECTIVES #### define the global environment
# Replace control characters during reception of the message
$EscapeControlCharactersOnReceive off
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Use a self-defined template
$template uvpformat,"%TIMESTAMP:::date-rfc3339%|%syslogseverity-text%|%programname%[%PROCID%]|%msg%\n"
$ActionFileDefaultTemplate uvpformat
$umask 0000
$FileCreateMode 0600
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
module(load="imfile" PollingInterval="1")
input(type="imfile"
File="/var/log/yum.log"
Tag="yum"
Severity="error"
reopenOnTruncate="on"
Facility="local5")
if ($syslogfacility-text == 'local5' and $syslogtag == 'yum')then {
:omfile:$yum
stop
}
input(type="imfile"
File="/var/log/tuned/tuned.log"
Tag="tuned"
Severity="error"
reopenOnTruncate="on"
Facility="local5")
if ($syslogfacility-text == 'local5' and $syslogtag == 'tuned')then {
:omfile:$tuned
stop
}
input(type="imfile"
File="/var/log/audit/audit.log"
Tag="audit"
Severity="error"
reopenOnTruncate="on"
Facility="local5")
if ($syslogfacility-text == 'local5' and $syslogtag == 'audit')then {
:omfile:$audit
stop
}
input(type="imfile"
File="/var/log/aide/aide.log"
Tag="aide"
Severity="error"
reopenOnTruncate="on"
Facility="local5")
if ($syslogfacility-text == 'local5' and $syslogtag == 'aide')then {
:omfile:$aide
stop
}
if ($programname == 'kube-apiserver') then {
action(type="omfile" fileOwner="zhongcongling" fileGroup="zhongcongling" file="/var/log/kubernetes/kube-apiserver.log")
stop
} else if ($programname == 'kube-scheduler') then {
action(type="omfile" fileOwner="zhongcongling" fileGroup="zhongcongling" file="/var/log/kubernetes/kube-scheduler.log")
stop
} else if ($programname == 'kube-controller-manager') then {
action(type="omfile" fileOwner="zhongcongling" fileGroup="zhongcongling" file="/var/log/kubernetes/kube-controller-manager.log")
stop
} else if ($programname == 'etcd') then {
action(type="omfile" fileOwner="zhongcongling" fileGroup="zhongcongling" file="/var/log/kubernetes/etcd.log")
stop
}else if ($programname == 'kube-proxy') then {
action(type="omfile" fileOwner="zhongcongling" fileGroup="zhongcongling" file="/var/log/kubernetes/kube-proxy.log")
stop
}else if ($programname == 'kubelet') then {
action(type="omfile" fileOwner="zhongcongling" fileGroup="zhongcongling" file="/var/log/kubernetes/kubelet.log")
stop
}
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile /run/log/journal/imjournal.state
#### RULES #### define the facilities, levels and so on to be recorded
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;kube-apiserver.none;kube-scheduler.none;kube-controller-manager.none;etcd.none;kube-proxy.none;kubelet.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
#*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# Forward messages containing sdns_log to 192.168.1.2 over TCP (@@ means TCP, @ means UDP); port 514 is the default
:rawmsg, contains, "sdns_log" @@192.168.1.2
# The ~ discards messages containing sdns_log so they are not also written to /var/log/messages on this host
# (for that to take effect, both sdns_log rules must appear before the *.info rule above)
:rawmsg, contains, "sdns_log" ~
$RepeatedMsgReduction on