Setting up a syslog log server on Linux
1. Setting up the syslog server
Edit the /etc/rsyslog.conf file. In this setup logs are collected over UDP, so change the following configuration.
Enter the Linux command: sudo vim /etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
Find the two directives above, remove the leading comment marks, then :wq to save and exit.
Extra configuration: at the top of the configuration file, define the output format as a template named myFormat
$template myFormat,"%PRI-TEXT% %HOSTNAME%\n"
template(name="remote_syslog" type="string" string="/opt/rsyslog_center/%HOSTNAME%/%HOSTNAME%.log")
To use the templates, configure the rule *.* ?remote_syslog;myFormat. The leading ?remote_syslog sends the output to the destination defined by the remote_syslog template, which is normally used to write logs to a specified file; the myFormat after the semicolon controls the format of each line written to that log file.
The properties available in templates are divided into:
① Message properties
msg: the MSG part of the message
rawmsg: the message exactly as received from the socket; generally used for debugging
rawmsg-after-pri: like rawmsg, but with the syslog PRI removed
hostname: the hostname from the message
source: alias for HOSTNAME
fromhost: hostname of the host the message was received from; generally used in relay chains
fromhost-ip: same as fromhost, but the IP address instead of the name
syslogtag: the TAG of the message
programname: the static part of the tag; for example, if the tag is named[123456], programname is named
pri: the PRI of the message, undecoded
pri-text: the PRI in text form
syslogfacility: the facility from the message, in numerical form
syslogfacility-text: the facility from the message, in text form
syslogseverity: the severity from the message, in numerical form
syslogseverity-text: the severity from the message, in text form
timegenerated: timestamp of when the message was RECEIVED, i.e. when the local syslog accepted it
timereported: timestamp from the message, i.e. when the message was created
timestamp: alias for timereported
② System properties
$bom: the UTF-8 encoded Unicode byte-order mark (BOM)
$myhostname: the name of the current host as it knows itself
③ Time-related system properties
$now: the current date in YYYY-MM-DD format; "now" means the time at which the current message is processed
$year: the current year (4-digit)
$month: the current month (2-digit)
$day: the current day of the month (2-digit)
$hour: the current hour (24-hour time, 2-digit)
$hhour: from minute 0 to 29 this is always 0, while from 30 to 59 it is always
$minute: the current minute (2-digit)
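As an added illustration of how the properties above are derived from a raw message (example code written for this page, not part of rsyslog or of the original post): the script parses traditional-format syslog lines, splits PRI into facility and severity, derives programname from the tag, and renders the myFormat template and the remote_syslog file path used above. The facility and severity name tables, the regular expression and the hostname check are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Facility and severity names (assumed to match rsyslog's -text properties);
# RFC 3164 defines PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Traditional syslog line: <PRI>TIMESTAMP HOSTNAME TAG: MSG (constructed regex)
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<tag>[^:\s]+):? ?(?P<msg>.*)$")


@dataclass
class SyslogMsg:
    pri: int            # undecoded PRI (the "pri" property)
    facility: str       # syslogfacility-text
    severity: str       # syslogseverity-text
    timereported: str   # timestamp carried inside the message
    hostname: str       # HOSTNAME field, as claimed by the sender
    syslogtag: str      # TAG field (without the trailing colon)
    programname: str    # static part of the tag: named[123456] -> named
    msg: str


def parse(raw: str) -> SyslogMsg:
    m = LINE_RE.match(raw)
    if not m or int(m["pri"]) > 191:     # 23 * 8 + 7 = 191 is the largest valid PRI
        raise ValueError("not a valid traditional syslog line: %r" % raw)
    fac, sev = divmod(int(m["pri"]), 8)  # PRI -> (facility, severity)
    tag = m["tag"]
    return SyslogMsg(int(m["pri"]), FACILITIES[fac], SEVERITIES[sev], m["ts"],
                     m["host"], tag, tag.split("[", 1)[0], m["msg"])


def render_myformat(m: SyslogMsg) -> str:
    # The page's template "%PRI-TEXT% %HOSTNAME%\n"; pri-text is facility.severity<PRI>
    return "%s.%s<%d> %s\n" % (m.facility, m.severity, m.pri, m.hostname)


def remote_syslog_path(m: SyslogMsg) -> str:
    # The page's dynafile "/opt/rsyslog_center/%HOSTNAME%/%HOSTNAME%.log".
    # HOSTNAME is chosen by the sender on an unauthenticated UDP port, so refuse
    # values that would escape the base directory before using them in a path.
    if "/" in m.hostname or m.hostname in ("", ".", ".."):
        raise ValueError("hostname unsafe for use in a file path: %r" % m.hostname)
    return "/opt/rsyslog_center/%s/%s.log" % (m.hostname, m.hostname)
```

In rsyslog itself the equivalent protection for a sender-controlled property inside a dynafile name is the secpath-drop or secpath-replace property option, e.g. %HOSTNAME:::secpath-replace%.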
The full server-side configuration file is as follows:
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

$template myFormat,"%PRI-TEXT% %HOSTNAME%\n"

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

template(name="remote_syslog" type="string" string="/opt/rsyslog_center/%HOSTNAME%/%HOSTNAME%.log")

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

*.* ?remote_syslog;myFormat

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
/etc/sysconfig/rsyslog also needs to be configured.
Enter the Linux command: vim /etc/sysconfig/rsyslog and set the following parameter
SYSLOGD_OPTIONS="-r514 -m 0"
-r: allow receiving log messages from remote hosts; a receiving port number may follow it
-m **: change the default interval of the timestamp mark messages to the value you specify (e.g. -m240 writes a timestamp line to the log file every 240 minutes);
-x: do not have the central log server resolve the FQDN (fully qualified domain name, i.e. hostname plus full domain path) of other hosts;
2. Restart the rsyslog service
Enter the Linux command: sudo systemctl restart rsyslog.service
3. Turn off the firewall (iptables)
Adjust the firewall with the following commands:
systemctl stop firewalld.service #stop firewalld
systemctl disable firewalld.service #prevent firewalld from starting at boot
4. Disable SELinux
To permanently disable SELinux, open the /etc/sysconfig/selinux file with your favorite text editor, as shown below:
Enter the Linux command: sudo vim /etc/sysconfig/selinux
Then change the setting SELINUX=enforcing to SELINUX=disabled, as shown below.
SELINUX=disabled
Then save and exit the file. For the configuration to take effect the system must be restarted; afterwards, use the sestatus command to check the SELinux status, as shown below:
Enter the command to check: sestatus
5. Check whether the service started successfully
Enter the Linux command: netstat -antup | grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:* 17527/rsyslogd
udp6 0 0 :::514 :::* 17527/rsyslogd
6. Setting up the syslog client
Edit the /etc/rsyslog.conf file.
On the client, enter the Linux command: sudo vim /etc/rsyslog.conf (a single @ means UDP, a double @@ means TCP)
*.* @<server host IP>:514
Insert a line with the content above at the end of the configuration file, then :wq to save and exit
7. Restart the rsyslog service
On the client, enter the Linux command: sudo systemctl restart rsyslog.service
8. Restart the sshd service on the client
On the client, enter the Linux command: sudo systemctl restart sshd
9. Watch the logs on the server
Enter the Linux command: tailf /var/log/messages
The client configuration is as follows:
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

# Address of the log server that receives the logs
*.* @192.168.30.201:514
Check whether new log files appear under /opt/rsyslog_center/ on the server. If messages arrive there, the server is receiving the logs sent by the client, which means the log collection server has been set up successfully!