应用程序的日志使用rsyslog传送

时间:2022-08-11 19:52:00

rsyslog默认只可以传送系统的日志,比如DHCP,cron等,现在要传送一个服务的日志到远端的rsyslog服务器,该怎么实现呢?

解决方法:要使用rsyslog的imfile模块。

参考官方url:http://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html

参考网上url:http://www.tuicool.com/articles/Jv2eUvn


rsyslog的配置文件(过滤掉了注释的内容):

[root@pf ~]# cat /etc/rsyslog.conf  | egrep -v  "#|^$"
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
$ModLoad imfile
$InputFileName /usr/local/pf/logs/packetfence.log
$InputFileTag packetfence:
$InputFileSeverity info
$InputFileStateFile stat-packetfence ##文件名变了,这个StateFile标志必须变,否则无法传输
$InputFileFacility local5
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
local5.*  @10.64.41.223:514

[root@pf ~]#

修改完配置文件,重启服务

[root@pf ~]# /etc/init.d/rsyslog  restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@pf ~]#

红色字体是为了传送/usr/local/pf/logs/packetfence.log到10.64.41.223:514而新加的配置。


以上是imfile模块旧版本(rsyslog v5)的配置语法,下面是imfile模块新版本(rsyslog v8)配置的语法(仅供参考):


###bak wifi log to syslog-server,add by wuxiaoyu
#module(load="imfile" PollingInterval="5")
#input(type="imfile"
#       File="/usr/local/pf/logs/packetfence.log"
#       Tag="packetfence"
#       Severity="error"
#       Facility="local5")


rsylog遇到的问题:

 1,报错:rhel6 rsyslogd-2177: imuxsock begins to drop messages from pid 24542 due to rate-limiting 怎么解决?

编辑/etc/rsyslog.conf,紧接着$ModLoad imuxsock这行后面,加入如下2行:
$IMUXSockRateLimitInterval 0
$SystemLogRateLimitInterval 0
保存退出,然后重启rsyslog:
service rsyslog restart
解决!

2,/var/log/message报错。rsyslog被自动重启

Oct 11 03:32:18 pf rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="16441" x-info="http://www.rsyslog.com"] rsyslogd was HUPed

解决方法:

[root@cobber logrotate.d]# cat /etc/logrotate.d/syslog 

/var/log/cron

/var/log/maillog

/var/log/messages

/var/log/secure

/var/log/spooler

{

    sharedscripts

    postrotate

        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true

    endscript

}

[root@cobber logrotate.d]# 

去掉红色的部分。

3,/usr/local/pf/logs/packetfence.log被logrotate自动切割后,imfile就无法将新生成的packetfence.log传送到远端的syslog server,google后发现问题的原因是packetfence.log相关的logrotate配置文件中的一个参数的问题,如下:

[root@pf logrotate.d]# cat packetfence

# logrotate file for packetfence

/usr/local/pf/logs/*log {

    daily

    rotate 52

    missingok

    compress

    create 640 pf pf

    #copytruncate   ##要注释掉,否则切割后imfile无法传送新的文件

}

copytruncate的作用:参加转载的另一篇博文:http://tenderrain.blog.51cto.com/9202912/1704463

这样出现了一个问题,去掉了这个参数后,程序记录的日志不是正常的日志,需要重启服务才可以记录正常的认证日志。所以后来采取的是下面一种方法。

4,如果上面的方法去掉之后参数之后还是会传不过去,用下面的方法:

/etc/rsyslog.conf 的103行,如下:

103 $InputFileStateFile stat-packetfence24

脚步(作用是修改103行的最后一个数字):

[root@cobber scripts]# cat /etc/scripts/packetfence-rsyslog.sh
#!/bin/bash
n=`sed -n '103 s#$.*fence\([0-9]\)#\1#gp' /etc/rsyslog.conf`
m=$(($n+1))
eval sed -i '/stat-packetfence/s/$n/$m/' /etc/rsyslog.conf
[root@cobber scripts]# 

日志切割后调用脚步修改最后一个数字,然后重启rsyslog服务(正常情况是重启应用程序的服务,但是这个服务不能随便重启,所以改成重启rsyslog)。

[root@cobber logrotate.d]# cat /etc/logrotate.d/test
/usr/local/pf/logs/packetfence.log {
    daily
    rotate 52
    missingok
    compress
    create 640 root root
    copytruncate

    postrotate
    /bin/bash /etc/scripts/packetfence-rsyslog.sh > /dev/null 2&>1 && /etc/init.d/rsyslog restart
    endscript

}
[root@cobber logrotate.d]# 

强制切割做测试:

[root@cobber logrotate.d]# logrotate  -f /etc/logrotate.d/test
关闭系统日志记录器:                                       [确定]
启动系统日志记录器:                                       [确定]
[root@cobber logrotate.d]#



Centos搭建rsyslog服务的方法:

服务端:

1,修改rsyslog.conf

[root@cobber ~]# cat /etc/rsyslog.conf  | egrep -v "#|^$"

$ModLoad imudp

$UDPServerRun 514   ##----这两行去掉注释。

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$IncludeConfig /etc/rsyslog.d/*.conf

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

authpriv.*                                              /var/log/secure

mail.*                                                  -/var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 *

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log

local5.* /var/log/local5.log  ##将远程传输过来的local5级别的日志保存到local5.log(自动创建)

[root@cobber ~]# 

2,修改rsyslog

[root@cobber ~]# cat /etc/sysconfig/rsyslog 

# Options for rsyslogd

# Syslogd options are deprecated since rsyslog v3.

# If you want to use them, switch to compatibility mode 2 by "-c 2"

# See rsyslogd(8) for more details

SYSLOGD_OPTIONS="-c 2 -r -m 0"  ##-c指定的范围0-2,否则重启的时候会报错。

[root@cobber ~]# 

3,重启服务并检查端口

[root@cobber ~]# /etc/init.d/rsyslog  restart

关闭系统日志记录器:                                       [确定]

启动系统日志记录器:                                       [确定]

[root@cobber ~]# netstat  -nplu | grep 514

udp        0      0 0.0.0.0:514                 0.0.0.0:*                               24799/rsyslogd      

udp        0      0 :::514                      :::*                                    24799/rsyslogd      

[root@cobber ~]# 

客户端:

1,修改rsyslog.conf

[root@pf logs]# egrep -v "#|^$" /etc/rsyslog.conf 

$IMUXSockRateLimitInterval 0

$SystemLogRateLimitInterval 0

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$IncludeConfig /etc/rsyslog.d/*.conf

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

authpriv.*                                              /var/log/secure

mail.*                                                  -/var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 *

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log

$ModLoad imfile

$InputFileName /usr/local/pf/logs/packetfence.log

$InputFileTag packetfence2:

$InputFileSeverity info 

$InputFileStateFile stat-packetfence2

$InputFileFacility local5

$InputFilePollInterval 1

$InputFilePersistStateInterval 1

$InputRunFileMonitor

local5.*  @10.64.41.223:514 #10.64.41.223是rsyslog服务端的ip

[root@pf logs]# 

#备注:##文件名变了,这个StateFile标志必须变,否则无法传输

2,重启服务

[root@pf logs]# /etc/init.d/rsyslog  restart

Shutting down system logger:                               [  OK  ]

Starting system logger:                                  [  OK  ]

[root@pf logs]# 


测试:

服务端:

tailf /var/log/local5.log

会看到/usr/local/pf/logs/packetfence.log的日志到/var/log/local5.log

手工测试:

echo 1111111111111  >> /usr/local/pf/logs/packetfence.log

在/var/log/local5.log 中可以看到1111111111111 



没有指定-c 的时候,重启rsyslog服务,/var/log/syslog报错内容如下:

May 26 11:24:53 it-mail03 kernel: Kernel logging (proc) stopped.

May 26 11:24:53 it-mail03 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="97905" x-info="http://www.rsyslog.com"] exiting on signal 15.

May 26 11:24:53 it-mail03 kernel: imklog 5.8.10, log source = /proc/kmsg started.

May 26 11:24:53 it-mail03 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="98270" x-info="http://www.rsyslog.com"] start

May 26 11:24:53 it-mail03 rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c5 as the first rsyslogd option.



ubuntu中调整rsyslog启动进程用户的配置参数:

$ModLoad imudp

$UDPServerRun 514

$ModLoad imtcp

$InputTCPServerRun 514

$KLogPermitNonKernelFacility on

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$RepeatedMsgReduction on

$FileOwner root

$FileGroup root

$FileCreateMode 0640

$DirCreateMode 0755

$Umask 0022

$PrivDropToUser root

$PrivDropToGroup root

$WorkDirectory /var/log

$IncludeConfig /etc/rsyslog.d/*.conf

有的时候使用如下配置:

cat /etc/rsyslog.d/70-zimbra-auth.conf  

$ModLoad imfile

$InputFileName /opt/zimbra/log/audit.log

$InputFileTag authforzimbra:

$InputFileStateFile auth-zimbra-mail12

$InputFileSeverity info

$InputFileFacility local3

$InputFilePollInterval 1

$InputRunFileMonitor

local3.*  @it-mail03.lf.sankuai.com:514

测试的时候/opt/zimbra/log/audit.log 文件的内容打不到it-mail03的指定文件,但是使用命令

root@dx-it-mail10:/etc/rsyslog.d# logger -p local3.info  "1234"

却可以打过去,说明了是rsyslog对/opt/zimbra/log/audit.log这个文件的读取权限有问题,所以要修改进程的运行用户。




rsyslog配置文件说明:

http://my.oschina.net/0757/blog/198329