Rsyslog

Posted by 芒果牛奶


Open the SNMP protocol port


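Message severity levels:
1 info  2 notice  3 warning (warn)  4 err (error)  5 crit  6 alert  7 emerg (panic); the later in the list, the more severe.
There are two special levels, debug (the debugging level) and none (the level meaning nothing is logged), used when you need to debug or want to ignore messages from certain services.

"." means that every level at or above the one after the symbol is logged. For example, mail.info means that any mail message whose level is info or higher is logged.

".=" means that only the exact level after the symbol is wanted, and nothing else.

".!" means not equal, i.e. every level except that one is logged.

Once a syslog log file has been edited, logging to it stops, and the rsyslog service has to be restarted.

/etc/logrotate.conf configures rotation of the log files.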

agent  
/etc/rsyslog.conf
<code>
$MaxMessageSize 128k
$ModLoad imuxsock
$ModLoad imklog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$ModLoad imudp
$UDPServerRun 514

$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0

$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

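# Drop this noisy request line locally ("~" = discard) so it is never forwarded
:msg,contains,"GET /daemon.php?tableid" ~

# Forward everything else to the log server; "@@" = TCP (a single "@" would be UDP)
*.* @@10.1.100.11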
</code>


log server

/etc/rsyslog.conf
<code>
$MaxMessageSize 128k
$ModLoad imuxsock.so
$ModLoad imklog.so
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0

$ModLoad imtcp
$InputTCPServerRun 514


# Discard these messages before any file rule runs ("~" = discard)
:msg,contains,"GET /daemon.php?tableid" ~
:rawmsg,contains,"ASKMQ-WORKER 29" ~

# Standard System Services
$template DYNmessages,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/messages"
$template DYNsecure,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/secure"
$template DYNmaillog,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/maillog"
$template DYNcron,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/cron"
$template DYNspooler,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/spooler"
$template DYNboot,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/boot.log"
$template DYNiptables,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/iptables.log"
$template DYNaudit,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/audit.log"
$template DYNapache-access,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/apache-access.log"
$template DYNapache-error,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/apache-error.log"
$template DYNphp,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/php.log"
$template DYNredis,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/redis.log"
$template DYNnodejs,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/nodejs.log"


# Per-program files. "&~" discards the message after it has been written,
# so the facility rules further down never see it.
if $programname == 'apache-access' then ?DYNapache-access
&~
if $programname == 'apache-error' then ?DYNapache-error
&~
if $programname == 'audispd' then ?DYNaudit
&~
if $programname == 'php' then ?DYNphp
&~
if $programname == 'redis' then ?DYNredis
&~
if $programname == 'NodeJS' then ?DYNnodejs
&~
if $msg contains 'iptables:' then ?DYNiptables
&~


# Facility-based files. These rules do not discard, so one message can
# be written to more than one file.
if $syslogseverity <= '6' and ( $syslogfacility-text != 'mail' and $syslogfacility-text != 'authpriv' and $syslogfacility-text != 'cron') then ?DYNmessages

if $syslogfacility-text == 'authpriv' then ?DYNsecure

# The leading "-" turns off syncing the file after every write
if $syslogfacility-text == 'mail' then -?DYNmaillog

if $syslogfacility-text == 'cron' then ?DYNcron

if ( $syslogfacility-text == 'uucp' or $syslogfacility-text == 'news' ) and $syslogseverity-text == 'crit' then ?DYNspooler

if $syslogfacility-text == 'local7' then ?DYNboot
</code>
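
The rule order of the log server configuration above, modelled in Python as an added example (it is not part of the original post and is not rsyslog code). It assumes RFC 3164-style input lines; the `route` function, the sample line and the date are constructed for illustration.

```python
import re
from datetime import date

# Facility names indexed by numeric code (PRI >> 3). Severity is PRI & 7,
# where 0 = emerg and 7 = debug (the numeric value $syslogseverity holds).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
RFC3164 = re.compile(r"^<(\d{1,3})>\w{3} +\d+ [\d:]+ (\S+) ([^:\[\s]+)(?:\[\d+\])?: ?(.*)$")
# $programname rules from the server config; each is followed by "&~" (discard).
PROGRAM_FILES = {"apache-access": "apache-access.log", "apache-error": "apache-error.log",
                 "audispd": "audit.log", "php": "php.log", "redis": "redis.log",
                 "NodeJS": "nodejs.log"}

def route(line, today):
    """Return the files the server ruleset would write `line` to (simplified model)."""
    m = RFC3164.match(line)
    if not m or int(m[1]) > 191:
        return []                          # not parseable by this model
    pri, host, prog, msg = int(m[1]), m[2], m[3], m[4]
    fac, sev = FACILITIES[pri >> 3], pri & 7
    # The two leading "~" filters drop the message before any file rule runs.
    if "GET /daemon.php?tableid" in msg or "ASKMQ-WORKER 29" in line:
        return []
    # %$YEAR%/%$MONTH%/%$DAY% use the server clock; %HOSTNAME% is read from the message.
    base = f"/var/log/LOGS/{today:%Y/%m/%d}/{host}/"
    if prog in PROGRAM_FILES:              # written once, then "&~" stops processing
        return [base + PROGRAM_FILES[prog]]
    if "iptables:" in msg:
        return [base + "iptables.log"]
    files = []                             # facility rules do not discard
    if sev <= 6 and fac not in ("mail", "authpriv", "cron"):
        files.append(base + "messages")
    for name, fname in (("authpriv", "secure"), ("mail", "maillog"), ("cron", "cron")):
        if fac == name:
            files.append(base + fname)
    if fac in ("uucp", "news") and sev == 2:   # 2 = crit
        files.append(base + "spooler")
    if fac == "local7":
        files.append(base + "boot.log")
    return files

if __name__ == "__main__":
    # Constructed sample: an authpriv.info message tagged "php" lands in php.log only,
    # never in secure, because the program rule discards it first.
    sample = "<86>Jan  5 10:00:01 web01 php: login failed"
    print(route(sample, date(2024, 1, 5)))
```

Because `%HOSTNAME%` is read from the message header, the host directory reflects what the sender claims; restrict which hosts can reach TCP 514, or build the path from `%FROMHOST-IP%` if it must reflect the connecting peer.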
