Setting up a syslog log server on Linux
1. Setting up the syslog server
Edit the file /etc/rsyslog.conf. This setup collects over UDP, so the following configuration needs to change.
Run the Linux command: sudo vim /etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
Find these two lines, remove the leading # so that the imudp module is loaded and listens on UDP port 514, then :wq to save and exit. Restart rsyslog afterwards (systemctl restart rsyslog) and open 514/udp in the host firewall for the client subnet only. Keep in mind what plain UDP syslog is: there is no authentication, no integrity protection and no encryption, the sending address and the HOSTNAME field are trivially spoofed, and messages are silently dropped under load. Restrict who can reach the port (the $UDPServerAddress directive, placed before $UDPServerRun, binds the listener to a single interface), and where the network is not trusted prefer the TCP input (imtcp) with TLS instead.
Optional configuration: at the top of the configuration file, define an output format as a template named myFormat, and a second template that builds the destination file name from the sending host:
$template myFormat,"%PRI-TEXT% %HOSTNAME%\n"
template(name="remote_syslog" type="string" string="/opt/rsyslog_center/%HOSTNAME%/%HOSTNAME%.log")
(The first line uses the legacy $template syntax, the second the RainerScript template() syntax; rsyslog 7 and later accept both in one file.) To use the templates, write the rule as *.* ?remote_syslog;myFormat. The leading ?remote_syslog selects remote_syslog as a dynamic file name template: each message is written to the file obtained by expanding that template, here one directory and one log file per sending host under /opt/rsyslog_center/ (missing directories are created automatically). The trailing ;myFormat selects myFormat as the format of the lines written into that file. Two caveats. First, myFormat as written emits only the priority and the hostname, so the message body is not stored; add %TIMESTAMP%, %syslogtag% and %msg% to it if the content is wanted. Second, %HOSTNAME% is taken from the header of the received message, which over plain UDP is entirely under the sender's control, and here it is spliced into a file system path. Use the property replacer's secpath-replace option in the file name template (%HOSTNAME:::secpath-replace%) so that slashes in a claimed hostname are replaced by underscores and the output cannot be steered outside /opt/rsyslog_center/.
The template properties fall into three groups:
① Message properties
msg: the MSG part of the message (the text after the TAG)
rawmsg: the message exactly as received from the socket; mainly useful for debugging
rawmsg-after-pri: like rawmsg, but with the syslog PRI field removed
hostname: the hostname from the message header
source: alias for hostname
fromhost: hostname of the system the message was received from; in a relay chain this is the last relay, not the originator
fromhost-ip: same as fromhost, but as an IP address
syslogtag: the TAG field of the message
programname: the static part of the tag; for the tag named[123456], programname is named
pri: the PRI of the message, undecoded (numeric)
pri-text: the PRI in text form
syslogfacility: the facility from the message, in numerical form
syslogfacility-text: the facility from the message, in text form
syslogseverity: the severity from the message, in numerical form
syslogseverity-text: the severity from the message, in text form
timegenerated: timestamp of when the message was RECEIVED by the local rsyslog
timereported: timestamp carried in the message, i.e. when it was created at the source
timestamp: alias for timereported
② System properties
$bom: the UTF-8 encoded Unicode byte-order mark (BOM)
$myhostname: the name of the current host as it knows itself
③ Time-related system properties (all evaluated at the moment the message is processed, not when it was created)
$now: current date, format YYYY-MM-DD
$year: current year (4-digit)
$month: current month (2-digit)
$day: current day of the month (2-digit)
$hour: current hour, 24-hour time (2-digit)
$hhour: half-hour indicator: 0 from minute 0 to 29, 1 from minute 30 to 59
$minute: current minute (2-digit)
The full server configuration file is as follows (the distribution's stock rsyslog.conf, with the myFormat template added at the top and the UDP input uncommented):

# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

$template myFormat,"%PRI-TEXT% %HOSTNAME%\n"

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType linkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

On the client hosts the same stock file is used with two differences: the UDP input stays commented out, and a forwarding rule is appended at the very end, after the commented forwarding block, pointing at the server's address (192.168.30.201 in this setup). The lines that differ from the server file are:

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# address of the collecting log server
*.* @192.168.30.201:514

A single @ forwards over UDP; @@ forwards over TCP, which is what the commented-out forwarding block in the stock file recommends for reliable delivery, and the commented $ActionQueue* directives above it give that TCP action an on-disk queue so messages are spooled while the server is down.
Check the syntax on both sides with rsyslogd -N1, restart rsyslog, generate a message on a client (for example with logger), and then look under /opt/rsyslog_center/ on the server for a new directory and log file. If the message shows up there, the server is receiving what the clients send and the log collection server is working. Note that this path only receives anything if the remote_syslog template and the *.* ?remote_syslog;myFormat rule described above are actually present in the server's configuration (in rsyslog.conf or in a file under /etc/rsyslog.d/); the server configuration file shown above does not contain them, and without them the received messages only land in the standard /var/log files according to the stock rules.
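As an added example that is not part of the original tutorial, the following Python script plays both ends of the exchange described above on one machine: a client sends constructed RFC 3164 datagrams to a UDP listener on 127.0.0.1 (an ephemeral port stands in for 514), and the receiving side decodes each datagram into the same properties listed above (pri, pri-text, syslogfacility, syslogseverity, hostname, syslogtag, programname, msg and so on) and appends a line to a per-host file laid out like the remote_syslog template (base/HOSTNAME/HOSTNAME.log). The second constructed message claims the hostname ../../etc to show why the file name template should sanitise that field the way rsyslog's secpath-replace option does. The base directory, the port, the sample messages and the helper names secpath_replace, dynafile and run_exchange are all assumptions of this example, not values or code from the page or from rsyslog itself.

```python
"""Added example (not from the original page): a minimal RFC 3164 syslog
receiver that mirrors what rsyslog does with one UDP datagram and writes it
to a per-host file like the remote_syslog dynafile template.  The base
directory, port and sample messages are constructed for the example."""
import os
import re
import socket
import tempfile

# Facility names 12-15 have no standard spelling; rsyslog's table is used here.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG: MSG is what logger(1) and most daemons send to UDP/514.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+):? ?(?P<msg>.*)$", re.S)

# Constructed test traffic: a normal auth.crit line from web01, and a peer that
# puts a path into the HOSTNAME field (any UDP sender can; nothing verifies it).
SAMPLE_DATAGRAMS = [
    b"<34>Oct 11 22:14:15 web01 sshd[2112]: Failed password for root from 10.0.0.5 port 4321 ssh2",
    b"<165>Oct 11 22:14:16 ../../etc su: constructed hostname with slashes",
]


def parse(rawmsg: bytes) -> dict:
    """Decode one datagram into the rsyslog properties listed on the page."""
    text = rawmsg.decode("utf-8", errors="replace")
    m = RFC3164.match(text)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % text)
    pri = int(m["pri"])
    if pri > 191:                       # facility 0-23, severity 0-7
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    tag = m["tag"]
    return {
        "rawmsg": text,
        "rawmsg-after-pri": text[len(m["pri"]) + 2:],
        "pri": pri,
        # rsyslog renders pri-text as "facility.severity<PRI>", e.g. auth.crit<34>
        "pri-text": "%s.%s<%d>" % (FACILITIES[facility], SEVERITIES[severity], pri),
        "syslogfacility": facility,
        "syslogfacility-text": FACILITIES[facility],
        "syslogseverity": severity,
        "syslogseverity-text": SEVERITIES[severity],
        "timereported": m["ts"],
        "hostname": m["host"],          # whatever the sender wrote, unverified
        "syslogtag": tag,
        "programname": tag.split("[", 1)[0],   # named[123456] -> named
        "msg": m["msg"],
    }


def secpath_replace(field: str) -> str:
    """What rsyslog's secpath-replace property option does: every '/' becomes
    '_' before the field is spliced into a dynafile path.  Guarding a bare '.'
    or '..' component is this example's addition, not part of that option."""
    safe = field.replace("/", "_")
    return "_" + safe if safe in (".", "..") else safe


def dynafile(base: str, props: dict) -> str:
    """Same layout as the remote_syslog template: base/HOSTNAME/HOSTNAME.log"""
    host = secpath_replace(props["hostname"])
    return os.path.join(base, host, host + ".log")


def run_exchange(datagrams, base=None):
    """Client and server on one box: the server binds an ephemeral UDP port on
    127.0.0.1 (standing in for 514), the client sends each datagram, and the
    server appends one formatted line per message.  Returns (base, files)."""
    base = base or tempfile.mkdtemp(prefix="rsyslog_center_")
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    written = []
    try:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(2)
        for d in datagrams:
            cli.sendto(d, srv.getsockname())
            raw, peer = srv.recvfrom(8192)
            props = parse(raw)
            props["fromhost-ip"] = peer[0]  # from the UDP header, not the message
            path = dynafile(base, props)
            os.makedirs(os.path.dirname(path), mode=0o750, exist_ok=True)
            # myFormat on the page is only "%PRI-TEXT% %HOSTNAME%\n"; timestamp,
            # tag and msg are added here so the file is actually useful.
            line = "%(pri-text)s %(hostname)s %(timereported)s %(syslogtag)s: %(msg)s\n" % props
            with open(path, "a", encoding="utf-8") as f:
                f.write(line)
            written.append(path)
    finally:
        srv.close()
        cli.close()
    return base, written


if __name__ == "__main__":
    base_dir, files = run_exchange(SAMPLE_DATAGRAMS)
    for path in files:
        print(path)
```

Running it prints two paths under a fresh temporary directory: web01/web01.log for the honest sender, and .._.._etc/.._.._etc.log for the sender that tried to put a path into HOSTNAME; without the secpath-style replacement the second file would have been created outside the base directory.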