rsyslog configuration
Posted Mr.Bobby
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####  (module information)

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception (accepts UDP logs sent to port 514)
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception (accepts TCP logs sent to port 514)
#$ModLoad imtcp
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Use default timestamp format (default template format)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
Format:
log-type.log-level    action (how the log is handled)
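Log types (facilities):
auth | logs generated by PAM |
authpriv | authentication messages for logins such as ssh and ftp |
cron | scheduled tasks |
kern | kernel logs |
lpr | printing |
mail | mail |
news | newsgroups |
user | logs generated by user programs |
uucp | unix to unix copy, communication between unix hosts |
local 1~7 | user-defined log facilities |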
Log levels (man 3 syslog):
debug | debugging level |
info | general information |
notice | |
warning | |
err | |
crit | |
alert | |
emerg | |
none | |
Connector symbols:
.xxx     messages at level xxx or higher
.=xxx    messages at exactly level xxx
.!xxx    messages other than xxx
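The selector format above, applied to the active rules from the configuration file at the top of this page, as an added example that is not part of the original post. It shows which destinations a message reaches, for instance that authpriv messages land only in /var/log/secure and not in /var/log/messages. The function names are made up for this illustration, the rule list is copied from the page as a constructed sample, and `!` selectors are not evaluated.

```python
# Added example: evaluate rsyslog selectors (log-type.log-level) for one message.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample: the uncommented rules from the configuration on this page.
RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
]


def selector_matches(selector, facility, level):
    """Return True if a message with this log type and level is selected."""
    msg_rank = LEVELS.index(level)            # 0 = emerg (most severe)
    matched = False
    for part in selector.split(";"):          # parts are applied left to right
        facilities, _, prio = part.strip().rpartition(".")
        if facilities != "*" and facility not in facilities.split(","):
            continue                          # this part names other log types
        if prio == "none":
            matched = False                   # e.g. authpriv.none drops authpriv
        elif prio == "*":
            matched = True                    # every level
        elif prio.startswith("="):
            matched = matched or LEVELS.index(prio[1:]) == msg_rank
        elif prio.startswith("!"):
            raise ValueError("'!' selectors are not evaluated by this example")
        else:
            matched = matched or msg_rank <= LEVELS.index(prio)  # xxx or higher
    return matched


def destinations(facility, level, rules=RULES):
    """List every action whose selector accepts the message."""
    return [action for sel, action in rules if selector_matches(sel, facility, level)]


if __name__ == "__main__":
    for fac, lvl in [("authpriv", "info"), ("kern", "emerg"), ("news", "err")]:
        print(f"{fac}.{lvl} ->", destinations(fac, lvl))
```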
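Log actions:
1. Write to a file or device file
*.* /var/log/sysfile.log
*.* /dev/pts/0
2. Send to a remote host
*.* @192.168.0.1 # forward over UDP to port 514 on 192.168.0.1
*.* @@192.168.0.1:9514 # forward over TCP to port 9514 on 192.168.0.1
3. Send to users
4. Discard
local3.* ~ # discard logs of every level from local3
5. Run a script
local3.* ^/tmp/a.sh # the ^ is followed by the absolute path of an executable script or program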