日志收集二:使用rsyslog (v5版本)进行日志汇总
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了日志收集二:使用rsyslog (v5版本)进行日志汇总相关的知识,希望对你有一定的参考价值。
rsyslog相关:
一般系统默认安装的都是旧版本,如果不升级,使用v5版本的配置语法
v5配置参照:https://www.rsyslog.com/doc/v5-stable/
监听端口:514(使用UDP协议,减少系统负载)
自定义设备号使用约定:local0 ~ local7
local0:代码直接发送syslog
local1:nginx使用
local6:文本收集使用
Nginx日志处理:
nginx支持将日志直接发送给rsyslog,文档链接:http://nginx.org/en/docs/syslog.html
使用tag约定:格式统一(站点名+分隔符+日志类型+分隔符)
tag中可使用的标点符号有限,这里使用"-"代替站点名中的".";tag标识中字符长度有限,珍惜每一位;每条日志只能定义一个tag,需要区别nginx类别,只能再想办法:将类别放入tag的特殊部分,写入文件时再处理(rsyslog提供字符串截断功能)
配置实例:
Nginx配置:
access_log syslog:server=127.0.0.1:514,facility=local1,tag=www_forver_comBaccessB,severity=info main;
error_log syslog:server=127.0.0.1:514,facility=local1,tag=www_forver_comBerrorB,severity=debug;
rsyslog本地转发配置:
if $syslogfacility-text == ‘local1‘ then @@(z5)10.10.10.10:514
汇总端配置:保存到本地文件
$template fileLnginx,"/ehr-log/rsyslogs/nginx/%syslogtag:F,66:1%/%$year%-%$month%-%$day%_%fromhost-ip%_%syslogtag:F,66:2%.log"
local1.* -?fileLnginx;msg
效果:
代码直接发送
本地收集(防止rsyslog汇总端问题造成日志丢失)与转发:
$template msgTime,"%timegenerated:8:15% %msg:2:$%
"
$template fileLprog,"/data/rsyslogs/%HOSTNAME%/%syslogtag%/%$year%-%$month%-%$day%.log"
local0.* -?fileLprog;msgTime
if $syslogfacility-text == ‘local0‘ then @@(z5)10.10.10.10:514
汇总端配置:
$template msgTime,"%timegenerated:8:15% %msg:2:$%
"
$template fileLprog,"/ehr-log/rsyslogs/%HOSTNAME%/%syslogtag%/%$year%-%$month%-%$day%_%fromhost-ip%.log"
local0.* -?fileLprog;msgTime
文本内容收集
也是使用tag区分项目和类型,接受端再通过匹配tag写入到目标文件
采集端配置:
$InputFileName /var/log/nginx/ehr-analysis-api/eebo-ehr-analysis-gunicorn-error.log
$InputFileTag G+eebo.ehr.analysis+PE
$InputFileSeverity debug
$InputFileStateFile G+eebo.ehr.analysis+PE
$InputFilePersistStateInterval 25000
$InputFileFacility local6
$InputRunFileMonitor
本地转发处理:
if $syslogfacility-text == ‘local6‘ then @@(z5)10.10.10.10:514
接受端汇总:
$template gunPacs,"/ehr-log/rsyslogs/%syslogtag:F,43:2%/production/gunicorn/%$year%-%$month%-%$day%_%hostname%-access.log"
$template gunPerr,"/ehr-log/rsyslogs/%syslogtag:F,43:2%/production/gunicorn/%$year%-%$month%-%$day%_%hostname%-error.log"
$template gunTacs,"/ehr-log/rsyslogs/%syslogtag:F,43:2%/test/gunicorn/%$year%-%$month%-%$day%_%hostname%-access.log"
$template gunTerr,"/ehr-log/rsyslogs/%syslogtag:F,43:2%/test/gunicorn/%$year%-%$month%-%$day%_%hostname%-error.log"
$template gunDacs,"/ehr-log/rsyslogs/%syslogtag:F,43:2%/dev/gunicorn/%$year%-%$month%-%$day%_%hostname%-access.log"
$template gunDerr,"/ehr-log/rsyslogs/%syslogtag:F,43:2%/dev/gunicorn/%$year%-%$month%-%$day%_%hostname%-error.log"
if $syslogfacility-text == ‘local6‘ and $syslogtag startswith ‘G+‘ and $syslogtag contains ‘+PA‘ then -?gunPacs;msg
if $syslogfacility-text == ‘local6‘ and $syslogtag startswith ‘G+‘ and $syslogtag contains ‘+PE‘ then -?gunPerr;msg
if $syslogfacility-text == ‘local6‘ and $syslogtag startswith ‘G+‘ and $syslogtag contains ‘+TA‘ then -?gunTacs;msg
if $syslogfacility-text == ‘local6‘ and $syslogtag startswith ‘G+‘ and $syslogtag contains ‘+TE‘ then -?gunTerr;msg
if $syslogfacility-text == ‘local6‘ and $syslogtag startswith ‘G+‘ and $syslogtag contains ‘+DA‘ then -?gunDacs;msg
if $syslogfacility-text == ‘local6‘ and $syslogtag startswith ‘G+‘ and $syslogtag contains ‘+DE‘ then -?gunDerr;msg
效果:
日志位置:
/data/log_ftp/rsyslogs/项目名/环境/代码日志
/data/log_ftp/rsyslogs/项目名/环境/celeryd/celery日志
/data/log_ftp/rsyslogs/项目名/环境/gunicorn/gunicorn日志
其他全局配置
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imfile
$ModLoad imudp
$UDPServerRun 514
$MaxMessageSize 256k
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$WorkDirectory /var/lib/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
$EscapeControlCharactersOnReceive off
$FileOwner root
$FileGroup root
$DirOwner root
$DirGroup root
$FileCreateMode 0644
$DirCreateMode 0755
$Umask 0022
以上是关于日志收集二:使用rsyslog (v5版本)进行日志汇总的主要内容,如果未能解决你的问题,请参考以下文章