Reference: http://www.biglog.cn
1. Install Apache (httpd)
[root@node2 ~]# yum install -y httpd
[root@node2 ~]# systemctl start httpd
View the httpd logs:
[root@node2 ~]# cd /var/log/httpd
[root@node2 httpd]# ll
total 8
-rw-r--r-- 1 root root 1334 Apr 16:03 access_log
-rw-r--r-- 1 root root 1976 Apr 16:03 error_log
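2. Initialize the log collection environment
This directory is the rsyslog $WorkDirectory used in the configuration in step 3, where the imfile module keeps the state files that record how far each log file has been read.
[root@bigdata05-test ~]# mkdir -v /var/spool/rsyslog
mkdir: created directory '/var/spool/rsyslog'
[root@bigdata05-test ~]#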
3. Create the Apache log file collection configuration
(1) By default, /etc/rsyslog.conf already includes every .conf file in the /etc/rsyslog.d/ directory:
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
(2) Create a new rsyslog child configuration file
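[root@node2 ~]# vim /etc/rsyslog.d/apache-biglog.conf
[root@node2 ~]# cat /etc/rsyslog.d/apache-biglog.conf
$ModLoad imfile
# The polling interval value is missing from this copy of the page; supply a number of seconds.
$InputFilePollInterval <SECONDS>
$WorkDirectory /var/spool/rsyslog
$PrivDropToGroup adm

## Apache access log file path, modify according to the actual situation:
## (in the directory listing in step 1 the files are named access_log and error_log;
## the path given here must match the real file name, otherwise imfile has nothing to read)
$InputFileName /var/log/httpd/access.log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
$InputFileSeverity info
$InputFilePersistStateInterval 25000
$InputRunFileMonitor

## Apache error log file path, modify according to the actual situation:
$InputFileName /var/log/httpd/error.log
$InputFileTag apache-error:
$InputFileStateFile stat-apache-error
$InputFileSeverity error
$InputFilePersistStateInterval 25000
$InputRunFileMonitor

## Specify the log format template:
$template Biglogformatapache,"%msg%\n"

## Note the syslog log server receive address, modify according to the actual situation:
## (a single @ forwards over UDP and @@ over TCP; either way the log lines travel
## unencrypted and unauthenticated, so keep this traffic on a trusted network
## or use rsyslog's TLS transport. The tag compared below must match $InputFileTag
## exactly, without the trailing colon. '~' discards the message after it has been
## forwarded; newer rsyslog versions spell this action 'stop'.)
if $programname == 'apache-access' then @node1:514;Biglogformatapache
if $programname == 'apache-access' then ~
if $programname == 'apache-error' then @node1:514;Biglogformatapache
if $programname == 'apache-error' then ~
[root@node2 ~]#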
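4. Restart the rsyslog service; log collection then begins to work. (Running `rsyslogd -N1` first checks the configuration for syntax errors without starting the daemon.)
[root@node2 ~]# systemctl restart rsyslog
On the Logstash side (node1), the following output appears: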
{"Message" = "Registered authentication Agent for unix-process:7455:60321456 (System bus name:1.2588 [/US R/bin/pkttyagent--NOTIFY-FD 5--fallback], object path/org/freedesktop/policykit1/authenticationagent, Locale En_ Us.utf8) \ n "," severity "= 5," @version "and" 1 "," Facility_label "and" Security/authorizat " Ion "," @timestamp "= 2018-04-26t08:12:46.000z," Severity_label "=" Notice "," program " "POLKITD", "priority" and "timestamp" = "APR-16:12:46", "Logsource" and "Node2"
"," "host" = "10.17.12.157", "pid" = "762", "type" = "Rsyslog", "Facility" = "" message "=" Stopping the Apache HTTP server...\n "," Severity "=> ; 6, "@version" = "1", "Facility_label" and "system", "@timestamp" and "2018-04-26t08:12:46.000" Z, "Severity_label" = "Informational", "program" and "Systemd", "priority", "timestamp" and "26" APR 16:12:46 "," logsource "=" Node2 "," host "=" 10.17.12.157 "," type "=" Rsys " Log "," facility "= 3} {" Message "=" Starting the Apache HTTP server...\n "," Sever ity "+ 6," "@version" and "1", "Facility_label" and "system", "@timestamp" and "= 2018-04-26t0" 8:12:47.000z, "Severity_label" = "Informational", "program" = "systemd", "priority" "Timestamp" = "APR-16:12:47", "Logsource" and "Node2", "host" = "10.17.1" 2.157 "," "type" = "Rsyslog", "facility" = 3} {"Message" = "AH00558:HTTPD: Could not reliably determine the server ' s fully qualified domain name, using 10.17.12.157. Set the ' ServerName ' directive globally to suppress thIs message\n "," severity "= 6," @version "and" 1 "," Facility_label "and" system ", "@timestamp" = 2018-04-26t08:12:47.000z, "Severity_label" and "Informational", "program" = "httpd
"Priority" = "timestamp" = "APR-16:12:47", "Logsource" and "Node2", "Host" = "10.17.12.157", "type" = "Rsyslog", "facility" = 3} {"Me" Ssage "+" Started the Apache HTTP server.\n "," severity "= 6," @version "and" 1 "," Facil Ity_label "=" System "," @timestamp "and" 2018-04-26t08:12:47.000z "," Severity_label "and" informational "
, "program" = "systemd", "priority", "timestamp" = "APR 26 16:12:47",
"Logsource" = "Node2", "host" = "10.17.12.157", "type" and "Rsyslog",
"Facility" = 3} { "Message" = "Unregistered authentication Agent for unix-process:7455:60321456 (System bus name:1.2588, Obje CT path/org/freedesktop/policykit1/authenticationagent, Locale En_us.utf8) (disconnected from bus) \ n "," Severit Y "= 5," @version "and" 1 "," Facility_label "and" Security/authorization "," @timestamp "=> ; 2018-04-26t08:12:47.000z, "Severity_label" = "Notice", "program" = "POLKITD", "priority" = "Timestamp" = "APR-16:12:47", "Logsource" and "Node2", "host" and "10" .17.12.157 "," pid "=" 762 "," type "=" Rsyslog "," facility "= 10}