I. Basic principles
1. Evolution of syslog
- RHEL 5 manages logs with the syslogd daemon; its configuration file is /etc/syslog.conf
- RHEL 6 and later manage logs with the rsyslogd daemon; its configuration file is /etc/rsyslog.conf
2. Writing the configuration file
- Look at the RULES section of /etc/rsyslog.conf:
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
Every rule follows the same pattern:
facility.level action
A selector (facility and priority) is separated from the action by whitespace; several selectors can be combined in one line with ";", as in the *.info;mail.none;authpriv.none;cron.none rule above, and later selectors override earlier ones for the facilities they name.
- man 3 syslog describes the facility and level classifications:
facility
The facility argument is used to specify what type of program is logging the message.
This lets the configuration file specify that messages from different facilities will be handled differently.
LOG_AUTH security/authorization messages
LOG_AUTHPRIV security/authorization messages (private)
LOG_CRON clock daemon (cron and at)
LOG_DAEMON system daemons without separate facility value
LOG_FTP ftp daemon
LOG_KERN kernel messages (these can't be generated from user processes)
LOG_LOCAL0 through LOG_LOCAL7
reserved for local use
LOG_LPR line printer subsystem
LOG_MAIL mail subsystem
LOG_NEWS USENET news subsystem
LOG_SYSLOG messages generated internally by syslogd(8)
LOG_USER (default)
generic user-level messages
LOG_UUCP UUCP subsystem
level
This determines the importance of the message. The levels are, in order of decreasing importance:
LOG_EMERG system is unusable
LOG_ALERT action must be taken immediately
LOG_CRIT critical conditions
LOG_ERR error conditions
LOG_WARNING warning conditions
LOG_NOTICE normal, but significant, condition
LOG_INFO informational message
LOG_DEBUG debug-level message
- Examples of priority selectors (a bare level means that level and every more important one):
cron.none      log nothing from the cron facility
cron.=err      log cron messages at exactly err
cron.err       log cron messages at err or more important (err, crit, alert, emerg)
cron.!err      exclude cron messages at err or more important; "!" only removes levels that an earlier selector on the same line added, so it is normally written as cron.*;cron.!err, which keeps warning, notice, info and debug
cron.!=err     exclude exactly the err level (cron.*;cron.!=err keeps everything except err)
- action: where the message is written
absolute path     # regular file, e.g. /var/log/xxx; the leading "-" in -/var/log/maillog is the sysklogd no-sync flag, accepted by rsyslog for compatibility
|/path/to/fifo    # named pipe (FIFO) that another process reads from
terminal          # a tty, e.g. /dev/console
@HOST             # remote host over UDP, e.g. @10.0.0.1; @@HOST forwards over TCP
user              # a logged-in system user, e.g. root (written :omusrmsg:root in current rsyslog)
*                 # every user logged in to the system; emerg messages are usually handled this way (:omusrmsg:*)
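To make the selector semantics above concrete, here is an added Python model (written for these notes; it is not rsyslog's own code) of how one selector field is turned into a per-facility set of accepted levels: parts separated by ";" are applied left to right, "none" clears a facility, "=" matches one level, and "!" removes a level and everything more important. Facility and level names are those of syslog(3); the selectors exercised in the main block are the ones from this section and from the rsyslog.conf excerpt.

```python
"""Model of sysklogd/rsyslog selector semantics: facility[,facility].priority[;...]
Added example; it reproduces the matching rules, not rsyslog's implementation."""

# Facility codes from syslog(3); local0..local7 are 16..23.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})

# Severity codes; a smaller number is more important.
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def _facilities(spec):
    """'*' means every facility; otherwise a comma-separated list such as 'uucp,news'."""
    if spec == "*":
        return list(FACILITIES.values())
    return [FACILITIES[name.strip()] for name in spec.split(",")]


def _levels(spec):
    """Translate a priority spec into (remove, levels).

    remove=False adds the levels to the facility's accepted set, remove=True takes them away:
      level    -> that level and every more important one (smaller code)
      =level   -> exactly that level
      !level   -> remove that level and every more important one
      !=level  -> remove exactly that level
      none     -> remove everything
    """
    remove = spec.startswith("!")
    if remove:
        spec = spec[1:]
    exact = spec.startswith("=")
    if exact:
        spec = spec[1:]
    spec = ALIASES.get(spec, spec)
    if spec == "none":
        return True, set(LEVELS.values())
    if spec == "*":
        return remove, set(LEVELS.values())
    code = LEVELS[spec]
    levels = {code} if exact else {c for c in LEVELS.values() if c <= code}
    return remove, levels


def parse_selector(selector):
    """Return {facility_code: set(accepted level codes)} for one selector field.

    Parts separated by ';' are applied left to right, so a later part for the same
    facility overrides an earlier one ('*.info;mail.none' logs info and above for
    every facility except mail).
    """
    accepted = {code: set() for code in FACILITIES.values()}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        fac_spec, dot, pri_spec = part.rpartition(".")
        if not dot:
            raise ValueError(f"selector part {part!r} lacks a '.'")
        remove, levels = _levels(pri_spec)
        for fac in _facilities(fac_spec):
            if remove:
                accepted[fac] -= levels
            else:
                accepted[fac] |= levels
    return accepted


def matches(selector, facility, level):
    """Would a message of (facility, level) be handled by a rule with this selector?"""
    level = ALIASES.get(level, level)
    return LEVELS[level] in parse_selector(selector)[FACILITIES[facility]]


if __name__ == "__main__":
    RULES = [  # selectors taken from the rsyslog.conf excerpt and the examples above
        "*.info;mail.none;authpriv.none;cron.none",
        "cron.none", "cron.=err", "cron.err", "cron.*;cron.!err", "cron.*;cron.!=err",
    ]
    for rule in RULES:
        for lvl in ("emerg", "err", "warning", "debug"):
            print(f"{rule:45s} cron.{lvl:8s} -> {matches(rule, 'cron', lvl)}")
```

Running the block shows why a lone cron.!err never matches anything: the exclusion has nothing to subtract from until a preceding selector has added levels for cron.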
II. Setting up a remote log server
- Server side: edit /etc/rsyslog.conf to enable a listener (the example below enables TCP and leaves UDP commented out), then open the same port in the firewall. These are the legacy "$" directives; rsyslog 7 and later also accept module(load="imtcp") and input(type="imtcp" port="514").
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
- Server side: add a drop-in file /etc/rsyslog.d/15.conf. The property-based filter compares fromhost-ip, the sender address taken from the socket, with the client's IP; the first line writes matching messages to their own file and the second discards them so they do not also land in /var/log/messages. In the RHEL default configuration /etc/rsyslog.d/*.conf is included before the RULES section, so the discard takes effect before the local rules run. The "~" action is the old spelling of the discard; rsyslog 7 and later spell it "stop".
:fromhost-ip,isequal,"192.168.0.15" /var/log/15.log    # file for this client's messages
:fromhost-ip,isequal,"192.168.0.15" ~                   # discard: do not write them to the local log files as well
- Client side: add one rule to /etc/rsyslog.conf. A single @ forwards over UDP, @@ over TCP; the port defaults to 514 when omitted.
*.* @@192.168.0.18:514    # one @ = UDP, two @ = TCP
- Caveat: plain syslog on port 514 is neither encrypted nor authenticated, and a UDP sender can forge its source address, so restrict who may reach the listener (firewall rules, or the legacy $AllowedSender TCP, 192.168.0.0/24 directive) and use rsyslog's TLS network stream driver (gtls) when logs cross an untrusted network.
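The exchange that the client and server rules above set up, as an added Python model over loopback (written for these notes; it is not rsyslog code, and the hostname web15, the tags and the message texts in SAMPLE are constructed): the client half formats each message as the traditional BSD line "<PRI>TIMESTAMP HOST TAG: MSG" with PRI = facility * 8 + severity and sends it newline-terminated over one TCP connection, which is what "*.* @@host:514" does; the server half reads the LF-framed stream, decodes the fields, stamps each record with the peer address (rsyslog's fromhost-ip) and keeps or discards it by that address, as the :fromhost-ip,isequal filter and the "~" action do. An ephemeral loopback port stands in for 514 so the example needs no privileges and no running rsyslogd.

```python
"""Added example: the wire exchange behind '*.* @@192.168.0.18:514' and the
fromhost-ip filter, modelled in Python over loopback. Not rsyslog code."""
import socket
import threading

FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "cron": 9, "authpriv": 10, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def encode_pri(facility, severity):
    """PRI field = facility * 8 + severity (RFC 3164 and RFC 5424 agree on this)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_pri(pri):
    """Inverse of encode_pri: returns (facility_code, severity_code)."""
    return divmod(pri, 8)


def format_bsd(facility, severity, timestamp, host, tag, msg):
    """Build the traditional BSD line '<PRI>Mmm dd hh:mm:ss HOST TAG: MSG'."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {host} {tag}: {msg}"


def parse_bsd(line):
    """Split a BSD-format line back into fields; the timestamp is fixed width (15 chars)."""
    end = line.index(">")
    facility, severity = decode_pri(int(line[1:end]))
    rest = line[end + 1:]
    timestamp, rest = rest[:15], rest[16:]
    host, _, rest = rest.partition(" ")
    tag, _, msg = rest.partition(": ")
    return {"facility": facility, "severity": severity, "timestamp": timestamp,
            "host": host, "tag": tag, "msg": msg}


def tcp_receiver(listener, allowed_ip, accepted, dropped):
    """Server half (the imtcp role): accept one connection, read LF-framed messages
    until the peer closes, stamp each with the peer address, and keep only those
    whose fromhost-ip equals allowed_ip; the rest go to 'dropped', which stands in
    for the '~'/'stop' action."""
    conn, (peer_ip, _) = listener.accept()
    chunks = []
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    for raw in b"".join(chunks).split(b"\n"):
        if not raw:
            continue
        record = parse_bsd(raw.decode())
        record["fromhost-ip"] = peer_ip
        (accepted if peer_ip == allowed_ip else dropped).append(record)


def forward_over_tcp(lines, allowed_ip="127.0.0.1"):
    """Client half of '*.* @@host:port': one TCP connection, one message per line,
    newline terminated (rsyslog's default TCP framing). Returns (accepted, dropped)
    as seen by the receiver."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # ephemeral loopback port stands in for 514
    listener.listen(1)
    accepted, dropped = [], []
    server = threading.Thread(target=tcp_receiver,
                              args=(listener, allowed_ip, accepted, dropped))
    server.start()
    with socket.create_connection(listener.getsockname()) as client:
        for line in lines:
            client.sendall(line.encode() + b"\n")
    server.join()
    listener.close()
    return accepted, dropped


# Constructed sample messages, as a client named web15 might forward them.
SAMPLE = [
    format_bsd("authpriv", "info", "Mar  1 10:15:02", "web15", "sshd[2143]",
               "Accepted publickey for deploy from 10.0.0.7 port 51022 ssh2"),
    format_bsd("cron", "info", "Mar  1 10:16:01", "web15", "CRON[2201]",
               "(root) CMD (/usr/bin/backup.sh)"),
    format_bsd("kern", "crit", "Mar  1 10:16:30", "web15", "kernel",
               "Out of memory: Kill process 1999 (java)"),
]

if __name__ == "__main__":
    kept, _ = forward_over_tcp(SAMPLE, allowed_ip="127.0.0.1")
    for r in kept:
        print(f"fromhost-ip={r['fromhost-ip']} fac={r['facility']} sev={r['severity']} "
              f"{r['host']} {r['tag']}: {r['msg']}")
    kept, discarded = forward_over_tcp(SAMPLE, allowed_ip="192.168.0.15")
    print(f"allowed_ip=192.168.0.15: kept {len(kept)}, discarded {len(discarded)}")
```

Two things the run makes visible: the facility and severity travel only as the PRI number, so the server's own facility.level rules still apply to forwarded messages, and fromhost-ip is whatever address the socket reports, which is reliable for a TCP peer but not for UDP, where the source address can be forged. Against a real server, "logger -p authpriv.info test" on the client and "rsyslogd -N1" on either side are the quickest checks of the forwarding rule and of configuration syntax.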
III. logrotate and logger
- logrotate rotates (and compresses and ages out) log files according to /etc/logrotate.conf and the per-application drop-ins in /etc/logrotate.d/.
- logger generates a syslog message from the command line (for example: logger -p cron.err "test message") and hands it to the local syslog daemon, which applies the rules above; it is the easiest way to test a selector or a forwarding rule.