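rsyslog is powerful: it can aggregate scattered logs onto a single log server, which makes them easier to review and debug. Installation is very simple:
shell> cd /etc/yum.repos.d/
shell> wget http://rpms.adiscon.com/v8-stable/rsyslog.repo
shell> yum install rsyslog
CentOS 6.5 still ships rsyslog 7.x by default; the steps here install the latest official version.
This is a record of a strange problem I hit while configuring imrelp/omrelp in rsyslog. I took quite a few detours along the way, so it is here for reference. Most Chinese-language documentation on rsyslog is much the same, and a lot of it is outdated, so be careful; it is best to read the English documentation directly. There is a lot of it, but it saves a lot of trouble. The Chinese material is fine for a rough idea of the principles.
However, after configuring forwarding as described in the official omrelp documentation, no logs were received: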
cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@publisher-14 rsyslog]# ll /etc/yum.repos.d/
总用量 52
-rw-r--r--. 1 root root 833 6月 16 17:23 atomic.repo
-rw-r--r--. 1 root root 833 6月 16 16:53 atomic.repo.rpmsave
-rw-r--r--. 1 root root 1926 12月 1 2013 CentOS-Base.repo
-rw-r--r--. 1 root root 638 12月 1 2013 CentOS-Debuginfo.repo
-rw-r--r--. 1 root root 630 12月 1 2013 CentOS-Media.repo
-rw-r--r--. 1 root root 4528 12月 1 2013 CentOS-Vault.repo
-rw-r--r--. 1 root root 4528 6月 16 16:53 CentOS-Vault.repo.rpmsave
-rw-r--r--. 1 root root 165 6月 16 16:53 haodf.repo
-rw-r--r--. 1 root root 1250 1月 23 06:03 puppetlabs.repo
-rw-r--r--. 1 root root 397 6月 16 16:53 puppet.repo
-rw-r--r--. 1 root root 227 6月 25 18:36 rsyslog.repo
After yum upgrade, I found that rsyslog could not forward over RELP.
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
$ModLoad omrelp
local1.* :omrelp:192.168.1.104:40888

module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)
module(load="imrelp")
input(type="imrelp" port="40888")
$umask 0000
$DirCreateMode 0750
$FileCreateMode 0750
$template MySelf, "%fromhost-ip% %$now% %timereported:12:23:date-rfc3339% %pri-text% %msg%\n"
$template DynaFile, "/home/avatar/logs/remote/%syslogtag:F,58:1%/%$YEAR%-%$MONTH%-%$DAY%.log"
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
local1.* -?DynaFile;MySelf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
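
When RELP forwarding with a custom port delivers nothing, two cheap things to rule out first are a sender/receiver port mismatch and a typographic quote pasted into a parameter value (rsyslog parameter values must use ASCII double quotes). The following is an added example, not code from the original post or from the rsyslog project; the function names and the embedded sample configs are constructed for illustration, and only the legacy `:omrelp:host:port` sender syntax is handled.

```python
import re

# Constructed samples modelled on the two configs above (client, then server).
CLIENT_CONF = '''\
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1
$ModLoad omrelp
local1.* :omrelp:192.168.1.104:40888
'''
SERVER_CONF = '''\
module(load="imrelp")
input(type="imrelp" port=\u201c40888")
'''

LEGACY_OMRELP = re.compile(r':omrelp:([^:\s]+):(\d+)')       # :omrelp:host:port
IMRELP_INPUT = re.compile(r'input\([^)]*type="imrelp"[^)]*\)', re.S)
TYPOGRAPHIC = '\u201c\u201d\u2018\u2019'                      # curly quotes

def strip_comments(conf):
    # Naive: treats every '#' as a comment start, which is enough for these directives.
    return '\n'.join(line.split('#', 1)[0] for line in conf.splitlines())

def relp_targets(conf):
    """(host, port) pairs of legacy-syntax omrelp actions in a sender config."""
    return set(LEGACY_OMRELP.findall(strip_comments(conf)))

def listener_ports(conf):
    """Ports of imrelp inputs whose port value is a properly quoted number."""
    ports = set()
    for inp in IMRELP_INPUT.findall(strip_comments(conf)):
        m = re.search(r'\bport="(\d+)"', inp)
        if m:
            ports.add(m.group(1))
    return ports

def bad_quote_lines(conf):
    """1-based line numbers that contain a typographic quote outside comments."""
    return [n for n, line in enumerate(conf.splitlines(), 1)
            if any(ch in TYPOGRAPHIC for ch in line.split('#', 1)[0])]

def check(client_conf, server_conf):
    findings = []
    for name, conf in (('client', client_conf), ('server', server_conf)):
        findings += [f'{name}:{n}: typographic quote' for n in bad_quote_lines(conf)]
    ports = listener_ports(server_conf)
    for host, port in sorted(relp_targets(client_conf)):
        if port not in ports:
            findings.append(f'no imrelp listener on {port} for target {host}')
    return findings

if __name__ == '__main__':
    print('\n'.join(check(CLIENT_CONF, SERVER_CONF)) or 'consistent')
```

An empty result only means the two files agree with each other; `rsyslogd -N1` on each host remains the authoritative syntax check.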
For rsyslog security issues, see: http://wiki.rsyslog.com/index.php/Security
A brief introduction to the principles: http://huoding.com/2014/05/09/347
Reference for levels: http://wiki.gentoo.org/wiki/Rsyslog
Original post: http://blog.csdn.net/yangshiqi1089/article/details/37565515