By default rsyslog only forwards the system's own logs (DHCP, cron and so on). How do you forward the log file of a particular service to a remote rsyslog server?
Solution: use rsyslog's imfile module.
Official documentation: http://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html
Another reference: http://www.tuicool.com/articles/Jv2eUvn
The rsyslog configuration file (comments filtered out):
[root@pf ~]# cat /etc/rsyslog.conf | egrep -v "#|^$"
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$ModLoad imfile
$InputFileName /usr/local/pf/logs/packetfence.log
$InputFileTag packetfence:
$InputFileSeverity info
$InputFileStateFile stat-packetfence ## if the monitored file name changes, this StateFile name must change as well, otherwise nothing is forwarded
$InputFileFacility local5
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
local5.* @10.64.41.223:514
[root@pf ~]#
After editing the configuration file, restart the service:
[root@pf ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@pf ~]#
The lines from $ModLoad imfile through local5.* @10.64.41.223:514 (shown in red in the original post) are the configuration added to forward /usr/local/pf/logs/packetfence.log to 10.64.41.223:514.
The above uses the legacy imfile syntax (rsyslog v5). The newer imfile syntax (rsyslog v8) looks like this (for reference only):
### back up wifi log to syslog-server, added by wuxiaoyu
#module(load="imfile" PollingInterval="5")
#input(type="imfile"
# File="/usr/local/pf/logs/packetfence.log"
# Tag="packetfence"
# Severity="error"
# Facility="local5")
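As an added example (not from the original post), the commented-out v8 fragment above completed into a working v8 (RainerScript) configuration, including the forwarding action that the fragment leaves out. The file path, tag, facility and the server address 10.64.41.223:514 come from this post; the PollingInterval value, the choice of UDP and the reopenOnTruncate setting are assumptions. On current v8 releases imfile generates the state file name automatically and detects rotation in its default inotify mode, so the StateFile renaming workaround of items 3 and 4 below is not needed there; reopenOnTruncate covers the copytruncate case discussed below. Check the imfile documentation for your exact release.

```rsyslog
# rsyslog v8 equivalent of the legacy imfile block in this post (added example)
# PollingInterval only matters when imfile runs in polling mode
module(load="imfile" PollingInterval="1")

# assumption: reopenOnTruncate="on" is only required when logrotate uses copytruncate
input(type="imfile"
      File="/usr/local/pf/logs/packetfence.log"
      Tag="packetfence:"
      Severity="info"
      Facility="local5"
      reopenOnTruncate="on")

# forward everything on facility local5 to the central server
# (UDP assumed, matching the "@" in the legacy line local5.* @10.64.41.223:514)
if $syslogfacility-text == "local5" then {
    action(type="omfwd" target="10.64.41.223" port="514" protocol="udp")
}
```

The legacy line local5.* @10.64.41.223:514 keeps working on v8 as well; the RainerScript action is shown so that the whole chain (module, input, forwarding) appears in the new syntax.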
Problems encountered with rsyslog:
1. Error message: rhel6 rsyslogd-2177: imuxsock begins to drop messages from pid 24542 due to rate-limiting. How to fix it?
Edit /etc/rsyslog.conf and add the following two lines directly after the $ModLoad imuxsock line:
$IMUXSockRateLimitInterval 0
$SystemLogRateLimitInterval 0
Save, exit, then restart rsyslog:
service rsyslog restart
Solved.
2. Errors in /var/log/messages; rsyslog is being restarted automatically:
Oct 11 03:32:18 pf rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="16441" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Solution:
[root@cobber logrotate.d]# cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
[root@cobber logrotate.d]#
Remove the part shown in red in the original post (the postrotate section that sends HUP to syslogd, which is what produces the "rsyslogd was HUPed" messages).
3. After /usr/local/pf/logs/packetfence.log is rotated by logrotate, imfile no longer forwards the newly created packetfence.log to the remote syslog server. Searching around showed that the cause is one parameter in the logrotate configuration for packetfence.log:
[root@pf logrotate.d]# cat packetfence
# logrotate file for packetfence
/usr/local/pf/logs/*log {
daily
rotate 52
missingok
compress
create 640 pf pf
#copytruncate ## must be commented out, otherwise imfile cannot forward the new file after rotation
}
What copytruncate does: see the reposted article at http://tenderrain.blog.51cto.com/9202912/1704463
This introduced a new problem: with that parameter removed, the application no longer wrote normal logs, and the service had to be restarted before normal authentication logs were written again. So the following method was adopted instead.
4. If logs still do not get through after removing that parameter, use the following method:
Line 103 of /etc/rsyslog.conf reads:
103 $InputFileStateFile stat-packetfence24
Script (it increments the trailing number on line 103):
[root@cobber scripts]# cat /etc/scripts/packetfence-rsyslog.sh
#!/bin/bash
# read the trailing number of the StateFile name on line 103 of rsyslog.conf (empty if there is none yet)
n=$(sed -n '103s/.*fence\([0-9]*\).*/\1/p' /etc/rsyslog.conf)
m=$((n+1))
# replace the old number with the new one on the stat-packetfence line
sed -i "/stat-packetfence/s/fence$n/fence$m/" /etc/rsyslog.conf
[root@cobber scripts]#
After the log is rotated, call the script to bump the trailing number, then restart rsyslog (normally you would restart the application's service instead, but this service cannot be restarted casually, so rsyslog is restarted instead).
[root@cobber logrotate.d]# cat /etc/logrotate.d/test
/usr/local/pf/logs/packetfence.log {
daily
rotate 52
missingok
compress
create 640 root root
copytruncate
postrotate
/bin/bash /etc/scripts/packetfence-rsyslog.sh > /dev/null 2>&1 && /etc/init.d/rsyslog restart
endscript
}
[root@cobber logrotate.d]#
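The script above depends on the directive sitting exactly on line 103 of /etc/rsyslog.conf. As an added example (not the post's own script), the following version of the same idea finds the $InputFileStateFile line by its directive and base name instead, increments whatever number follows the name (a bare name gets 1 appended) and leaves the rest of the line, such as a trailing comment, untouched. It assumes the legacy $InputFileStateFile directive used in this post and POSIX sed, grep and mktemp; the function name and the base-name argument are my own.

```shell
#!/bin/bash
# Added example, not from the original post: bump the numeric suffix of an
# imfile StateFile name without depending on a fixed line number.
# Usage: bump_statefile <rsyslog.conf> <base name, e.g. stat-packetfence>
# Every "$InputFileStateFile <base><N>" line becomes "<base><N+1>"; a bare
# "<base>" with no number becomes "<base>1". Prints the new name.
set -u

bump_statefile() {
    conf=$1
    base=$2    # used as a literal name; it must not contain regex metacharacters
    head_re='\$InputFileStateFile[[:space:]]\{1,\}'

    if ! grep -q "^${head_re}${base}" "$conf"; then
        echo "bump_statefile: no StateFile line for $base in $conf" >&2
        return 1
    fi

    # current suffix (empty when the name carries no number yet)
    cur=$(sed -n "s/^${head_re}${base}\([0-9]*\).*/\1/p" "$conf" | head -n 1)
    next=$(( ${cur:-0} + 1 ))

    # rewrite through a temp file and copy back so the conf keeps its inode and mode
    tmp=$(mktemp) || return 1
    sed "s/^\(${head_re}\)${base}[0-9]*/\1${base}${next}/" "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"
    rm -f "$tmp"
    echo "${base}${next}"
}

# Stand-alone use, e.g. from a logrotate postrotate script:
#   bump_statefile /etc/rsyslog.conf stat-packetfence && /etc/init.d/rsyslog restart
if [ "$#" -ge 2 ]; then
    bump_statefile "$1" "$2"
fi
```

Because the function prints the new state file name, a postrotate line can log it, and because it only touches the digits after the base name the same script serves the bare stat-packetfence of the first configuration and the numbered stat-packetfence24 of the later one.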
Force a rotation to test:
[root@cobber logrotate.d]# logrotate -f /etc/logrotate.d/test
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]
[root@cobber logrotate.d]#
How to set up an rsyslog server on CentOS:
Server side:
1. Edit rsyslog.conf
[root@cobber ~]# cat /etc/rsyslog.conf | egrep -v "#|^$"
$ModLoad imudp
$UDPServerRun 514 ## uncomment these two lines
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local5.* /var/log/local5.log ## save the local5 messages received from remote hosts to local5.log (created automatically)
[root@cobber ~]#
2. Edit /etc/sysconfig/rsyslog
[root@cobber ~]# cat /etc/sysconfig/rsyslog
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS="-c 2 -r -m 0" ## -c takes a value in the range 0-2; otherwise an error is reported on restart
[root@cobber ~]#
3. Restart the service and check the port
[root@cobber ~]# /etc/init.d/rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]
[root@cobber ~]# netstat -nplu | grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:* 24799/rsyslogd
udp 0 0 :::514 :::* 24799/rsyslogd
[root@cobber ~]#
Client side:
1. Edit rsyslog.conf
[root@pf logs]# egrep -v "#|^$" /etc/rsyslog.conf
$IMUXSockRateLimitInterval 0
$SystemLogRateLimitInterval 0
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$ModLoad imfile
$InputFileName /usr/local/pf/logs/packetfence.log
$InputFileTag packetfence2:
$InputFileSeverity info
$InputFileStateFile stat-packetfence2
$InputFileFacility local5
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
local5.* @10.64.41.223:514 # 10.64.41.223 is the rsyslog server's IP
[root@pf logs]#
# Note: if the monitored file name changes, the StateFile name must change as well, otherwise nothing is forwarded
2. Restart the service
[root@pf logs]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@pf logs]#
Test:
Server side:
tailf /var/log/local5.log
You should see the entries from /usr/local/pf/logs/packetfence.log arriving in /var/log/local5.log.
Manual test:
echo 1111111111111 >> /usr/local/pf/logs/packetfence.log
1111111111111 then appears in /var/log/local5.log.
When -c is not specified, restarting rsyslog logs the following in /var/log/syslog:
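To confirm where a facility ends up on either side (the server's local5.* /var/log/local5.log rule and the client's local5.* @10.64.41.223:514 rule, plus the *.info;mail.none;... line that also catches it), the following added example, which is not part of the post, evaluates the traditional selector lines of a config file the way rsyslog does: a facility list can be * or comma-separated, selectors on one line are joined with ; and later ones override earlier ones, none excludes, =prio matches exactly, and a plain prio matches that priority or anything more severe. It handles more selector forms than this post's configuration uses. It assumes POSIX awk and the legacy selector syntax only (RainerScript if/action rules are skipped); the function name is my own.

```shell
#!/bin/sh
# Added example, not from the original post: evaluate the traditional
# "facility.priority  action" selector lines of an rsyslog.conf and print
# every action a message with the given facility and priority would reach.
# Usage: selector_targets /etc/rsyslog.conf local5 info
selector_targets() {
    awk -v fac="$2" -v pri="$3" '
    BEGIN {
        n = split("emerg alert crit err warning notice info debug", p, " ")
        for (i = 1; i <= n; i++) lvl[p[i]] = i     # emerg=1 (most severe) ... debug=8
        lvl["error"] = lvl["err"]; lvl["warn"] = lvl["warning"]; lvl["panic"] = lvl["emerg"]
        if (!(pri in lvl)) { print "unknown priority: " pri > "/dev/stderr"; exit 2 }
        want = lvl[pri]
    }
    # only "selector action" lines: skip comments, blanks, $-directives and RainerScript
    NF < 2 || $1 !~ /\./ || $1 ~ /^[#$]/ { next }
    {
        matched = 0
        cnt = split($1, sel, ";")
        for (i = 1; i <= cnt; i++) {            # later selectors override earlier ones
            split(sel[i], fp, ".")
            facs = fp[1]; prio = fp[2]
            hit = 0
            m = split(facs, fl, ",")
            for (j = 1; j <= m; j++) if (fl[j] == "*" || fl[j] == fac) hit = 1
            if (!hit) continue
            if (prio == "none")                  matched = 0
            else if (prio == "*")                matched = 1
            else if (substr(prio, 1, 1) == "=")  matched = (lvl[substr(prio, 2)] == want)
            else                                 matched = (want <= lvl[prio])
        }
        if (matched) print $2
    }' "$1"
}

# Stand-alone use: selector_targets <rsyslog.conf> <facility> <priority>
if [ "$#" -eq 3 ]; then
    selector_targets "$1" "$2" "$3"
fi
```

Run against the server configuration from this post, local5 info lists both /var/log/messages and /var/log/local5.log, which is why a forwarded packetfence line shows up in two files on the server; mail info lists only -/var/log/maillog because mail.none on the first line excludes it.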
May 26 11:24:53 it-mail03 kernel: Kernel logging (proc) stopped.
May 26 11:24:53 it-mail03 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="97905" x-info="http://www.rsyslog.com"] exiting on signal 15.
May 26 11:24:53 it-mail03 kernel: imklog 5.8.10, log source = /proc/kmsg started.
May 26 11:24:53 it-mail03 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="98270" x-info="http://www.rsyslog.com"] start
May 26 11:24:53 it-mail03 rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c5 as the first rsyslogd option.
Configuration parameters on Ubuntu for the user the rsyslog process runs as:
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$KLogPermitNonKernelFacility on
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser root
$PrivDropToGroup root
$WorkDirectory /var/log
$IncludeConfig /etc/rsyslog.d/*.conf
Sometimes the following configuration is used:
cat /etc/rsyslog.d/70-zimbra-auth.conf
$ModLoad imfile
$InputFileName /opt/zimbra/log/audit.log
$InputFileTag authforzimbra:
$InputFileStateFile auth-zimbra-mail12
$InputFileSeverity info
$InputFileFacility local3
$InputFilePollInterval 1
$InputRunFileMonitor
local3.* @it-mail03.lf.sankuai.com:514
During testing, the contents of /opt/zimbra/log/audit.log did not reach the designated file on it-mail03, whereas the command
root@dx-it-mail10:/etc/rsyslog.d# logger -p local3.info "1234"
did get through. This shows that rsyslog lacks read permission on /opt/zimbra/log/audit.log, so the user the process runs as must be changed.
Explanation of the rsyslog configuration file:
http://my.oschina.net/0757/blog/198329