Setting up a syslog log server on Linux


1. Setting up the syslog server

Edit /etc/rsyslog.conf. This setup collects logs over UDP, so change the following settings.

Run: sudo vim /etc/rsyslog.conf

# Provides UDP syslog reception

$ModLoad imudp

$UDPServerRun 514

Find the two directives above, remove the leading comment marker, then :wq to save and exit.

Extra configuration: at the top of the config file, define the output format as a template named myFormat.

$template myFormat,"%PRI-TEXT% %HOSTNAME%\n"

template(name="remote_syslog" type="string" string="/opt/rsyslog_center/%HOSTNAME%/%HOSTNAME%.log")

To use these templates, write the rule as *.* ?remote_syslog;myFormat. The leading ?remote_syslog sends the message to the file whose path is produced by the remote_syslog template (a dynamic file name, normally used to write logs to a per-host file), and the trailing myFormat controls the format of each line written to that file.

The template properties fall into three groups:

① Message properties

msg     the MSG part of the message

rawmsg     the message exactly as received from the socket; mainly useful for debugging

rawmsg-after-pri     like rawmsg, but with the syslog PRI removed

hostname     the hostname from the message

source     alias for HOSTNAME

fromhost     hostname of the system the message was received from; this matters in a relay chain

fromhost-ip     same as fromhost, but the IP address

syslogtag     the TAG of the message

programname     the static part of the tag; e.g. for the tag named[123456], programname is named

pri     the PRI of the message, undecoded

pri-text     the PRI in text form

syslogfacility the facility from the message - in numerical form

syslogfacility-text the facility from the message - in text form

syslogseverity severity from the message - in numerical form

syslogseverity-text severity from the message - in text form

timegenerated     timestamp when the message was RECEIVED by the local syslog daemon

timereported     timestamp from the message, i.e. the time the message was created

timestamp     alias for timereported

② System properties

$bom     The UTF-8 encoded Unicode byte-order mask (BOM)

$myhostname     The name of the current host as it knows itself

③ Time-related system properties

$now     current date in YYYY-MM-DD format; "now" is the time the current message is processed

$year     current year (4-digit)

$month     current month (2-digit)

$day     current day of the month (2-digit)

$hour     current hour (24-hour clock, 2-digit)

$hhour From minute 0 to 29, this is always 0 while from 30 to 59 it is always

$minute     current minute (2-digit)

The full server-side configuration file:
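As an added example (not part of the original post), the following Python script decodes a syslog datagram into the properties listed above and then applies this page's two templates, remote_syslog and myFormat, so you can see exactly what lands in /opt/rsyslog_center/<host>/<host>.log. The sample datagrams and the client address 192.168.30.202 are constructed; the facility name table follows rsyslog's.

```python
import re
# Facility and severity names as rsyslog renders syslogfacility-text / syslogseverity-text
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Constructed sample datagrams, shaped like what a client's "*.* @server:514" rule emits
SAMPLE_DATAGRAMS = [
    b"<34>Oct 11 22:14:15 mymachine su[123]: 'su root' failed for lonvick on /dev/pts/8",
    b"<189>Nov  3 08:02:01 web01 systemd[1]: Started Session 42 of user root.",
    b"no PRI header at all",  # malformed: rsyslog falls back to PRI 13 (user.notice)
]

def parse_rfc3164(datagram: bytes, fromhost_ip: str) -> dict:
    """Decode one BSD-syslog datagram into the rsyslog properties the templates use."""
    text = datagram.decode("utf-8", errors="replace")
    pri = 13                                   # rsyslog default when <PRI> is missing
    m = re.match(r"<(\d{1,3})>", text)
    if m and int(m.group(1)) <= 191:           # 24 facilities * 8 severities - 1
        pri, text = int(m.group(1)), text[m.end():]
    facility, severity = divmod(pri, 8)        # PRI = facility * 8 + severity
    m = re.match(r"([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ", text)
    if m:                                      # timestamp present, next token is HOSTNAME
        timereported, hostname, text = m.group(1), m.group(2), text[m.end():]
    else:                                      # no header: sender address stands in for hostname
        timereported, hostname = None, fromhost_ip
    m = re.match(r"([^\s:\[]+)(\[\d+\])?:\s?", text)   # TAG[pid]: as in named[123456]:
    return {
        "pri": pri,
        "syslogfacility": facility, "syslogfacility-text": FACILITIES[facility],
        "syslogseverity": severity, "syslogseverity-text": SEVERITIES[severity],
        # rsyslog's pri-text is "facility.severity" with the numeric PRI in brackets
        "pri-text": f"{FACILITIES[facility]}.{SEVERITIES[severity]}<{pri}>",
        "timereported": timereported, "hostname": hostname, "fromhost-ip": fromhost_ip,
        "syslogtag": m.group(0).rstrip() if m else "",
        "programname": m.group(1) if m else "",
        "msg": text[m.end():] if m else text,
    }

def render(props: dict) -> tuple:
    """Apply the page's two templates: remote_syslog gives the file path, myFormat the line."""
    host = props["hostname"]
    path = f"/opt/rsyslog_center/{host}/{host}.log"
    line = f"{props['pri-text']} {host}\n"     # note: no %msg%, so the message body is dropped
    return path, line

if __name__ == "__main__":
    for dgram in SAMPLE_DATAGRAMS:
        print(render(parse_rfc3164(dgram, "192.168.30.202")))   # constructed client address
```

Running it shows that myFormat as written on this page keeps only the PRI text and hostname; add %timestamp%, %syslogtag% and %msg% to the template if the per-host file should contain the actual message.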

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html

# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

$template myFormat,"%PRI-TEXT% %HOSTNAME%\n"

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)

$ModLoad imjournal # provides access to the systemd journal

#$ModLoad imklog # reads kernel messages (the same are read from journald)

#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception

$ModLoad imudp

$UDPServerRun 514

# Provides TCP syslog reception

#$ModLoad imtcp

#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files

$WorkDirectory /var/lib/rsyslog

# Use default timestamp format

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,

# not useful and an extreme performance hit

#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/

$IncludeConfig /etc/rsyslog.d/*.conf

template(name="remote_syslog" type="string" string="/opt/rsyslog_center/%HOSTNAME%/%HOSTNAME%.log")

# Turn off message reception via local log socket;

# local messages are retrieved through imjournal now.

$OmitLocalLogging on

# File to store the position in the journal

$IMJournalStateFile imjournal.state

#### RULES ####

# Log all kernel messages to the console.

# Logging much else clutters up the screen.

#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.

authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.

mail.*                                                  -/var/log/maillog

# Log cron stuff

cron.*                                                  /var/log/cron

# Everybody gets emergency messages

*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.

uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log

local7.*                                                /var/log/boot.log

*.* ?remote_syslog;myFormat

# ### begin forwarding rule ###

# The statement between the begin ... end define a SINGLE forwarding

# rule. They belong together, do NOT split them. If you create multiple

# forwarding rules, duplicate the whole block!

# Remote Logging (we use TCP for reliable delivery)

#

# An on-disk queue is created for this action. If the remote host is

# down, messages are spooled to disk and sent when it is up again.

#$ActionQueueFileName fwdRule1 # unique name prefix for spool files

#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)

#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown

#$ActionQueueType LinkedList   # run asynchronously

#$ActionResumeRetryCount -1    # infinite retries if host is down

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional

#*.* @@remote-host:514

# ### end of the forwarding rule ###

You also need to configure /etc/sysconfig/rsyslog.

Run: vim /etc/sysconfig/rsyslog and set the following parameter:

SYSLOGD_OPTIONS="-r514 -m 0"

 -r: allow receiving log messages from remote hosts; a port number may follow it

  -m **: change the interval of the timestamp MARK messages to the value you specify (e.g. -m240 adds a timestamp line to the log every 240 minutes);

  -x: do not have the central log server resolve the FQDN (fully qualified domain name, i.e. hostname plus full domain path) of other hosts;

2. Restart the rsyslog service

Run: sudo systemctl restart rsyslog.service

3. Turn off the firewall (iptables)

Disable the firewall service:

systemctl stop firewalld.service #stop firewalld
systemctl disable firewalld.service #prevent firewalld from starting at boot

4. Disable SELinux

To permanently disable SELinux, open /etc/sysconfig/selinux in your preferred text editor:

Run: sudo vim /etc/sysconfig/selinux

Then change SELINUX=enforcing to SELINUX=disabled, as shown below.

SELINUX=disabled

Save and exit the file. For the change to take effect, reboot the system, then check the SELinux status with the sestatus command:

Run: sestatus

5. Check that the service started

Run: netstat -antup | grep 514

udp        0      0 0.0.0.0:514             0.0.0.0:*                           17527/rsyslogd      

udp6       0      0 :::514                  :::*                                17527/rsyslogd

6. Setting up the syslog client

Edit /etc/rsyslog.conf.

On the client, run: sudo vim /etc/rsyslog.conf (a single @ means UDP, a double @@ means TCP)

*.* @server-host-IP:514

Append the line above at the end of the config file, then :wq to save and exit.

7. Restart the rsyslog service

On the client, run: sudo systemctl restart rsyslog.service

8. Restart sshd on the client

On the client, run: sudo systemctl restart sshd

9. Watch the logs on the server

Run: tailf /var/log/messages

Client configuration:

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html

# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)

$ModLoad imjournal # provides access to the systemd journal

#$ModLoad imklog # reads kernel messages (the same are read from journald)

#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception

#$ModLoad imudp

#$UDPServerRun 514

# Provides TCP syslog reception

#$ModLoad imtcp

#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files

$WorkDirectory /var/lib/rsyslog

# Use default timestamp format

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,

# not useful and an extreme performance hit

#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/

$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;

# local messages are retrieved through imjournal now.

$OmitLocalLogging on

# File to store the position in the journal

$IMJournalStateFile imjournal.state

#### RULES ####

# Log all kernel messages to the console.

# Logging much else clutters up the screen.

#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.

authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.

mail.*                                                  -/var/log/maillog

# Log cron stuff

cron.*                                                  /var/log/cron

# Everybody gets emergency messages

*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.

uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log

local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###

# The statement between the begin ... end define a SINGLE forwarding

# rule. They belong together, do NOT split them. If you create multiple

# forwarding rules, duplicate the whole block!

# Remote Logging (we use TCP for reliable delivery)

#

# An on-disk queue is created for this action. If the remote host is

# down, messages are spooled to disk and sent when it is up again.

#$ActionQueueFileName fwdRule1 # unique name prefix for spool files

#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)

#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown

#$ActionQueueType LinkedList   # run asynchronously

#$ActionResumeRetryCount -1    # infinite retries if host is down

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional

#*.* @@remote-host:514

# ### end of the forwarding rule ###

# address of the log server that receives the logs

*.* @192.168.30.201:514

On the server, check whether new log files appear under /opt/rsyslog_center/. If messages arrive there, the server is receiving the logs sent by the client and the log collection server has been set up successfully.

Closing note: SYSLOG, syslog, Syslog, sYslog, sySlog, sysLog, syslOg, sysloG
