Manual configuration
If you cannot generate a configuration file from a script, this guide walks you through the manual configuration by copying and pasting.
It assumes that you have root or sudo privileges, that rsyslog 5.8.0 or later is installed on a common Linux distribution, that rsyslog can read the local log files, and that the host can reach the collector over TCP port 5140.
1 Configuring the system environment
Run the following commands. They create the /var/spool/rsyslog working directory if it does not exist yet; on Ubuntu rsyslog runs as the unprivileged syslog user, so the directory must also be handed to that user, otherwise rsyslog cannot write its queue and state files there. (The Ubuntu check must be case-insensitive: /etc/issue reads "Ubuntu", not "ubuntu".)
sudo mkdir -pv /var/spool/rsyslog
if grep -qi ubuntu /etc/issue; then
    sudo chown -R syslog:adm /var/spool/rsyslog
fi
2 Update the rsyslog configuration file
Create a drop-in file in the /etc/rsyslog.d/ directory (files there are included by /etc/rsyslog.conf):
sudo vim /etc/rsyslog.d/rizhiyi.conf
Paste the following into the file:
# Upload of FILEPATH to Rizhiyi
# load the imfile module, which reads log files
$ModLoad imfile
# interval in seconds at which the log file is polled for new lines
$InputFilePollInterval 3
# working directory; queue files and state files are stored here (must match the directory created in step 1)
$WorkDirectory /var/spool/rsyslog
# absolute path of the log file to read
$InputFileName FILEPATH
# tag attached to every message read from this file; no special characters
$InputFileTag APPNAME
# state file that records the read offset; no special characters
$InputFileStateFile stat_APPNAME
# severity assigned to the messages
$InputFileSeverity info
# write the read offset back to the state file every 20000 lines (the unit is lines, not seconds)
$InputFilePersistStateInterval 20000
# disable "last message repeated n times" reduction
$RepeatedMsgReduction off
# activate the file monitor; without this directive no file is read
$InputRunFileMonitor
# output format: RFC 5424 header, a structured-data element carrying the token and the tag, then the message
$template rizhiyiformat_APPNAME,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %hostname% %app-name% %procid% %msgid% [TOKEN tag=\"TAG\"] %msg%\n"
# forward matching messages over TCP (@@) to the collector, then discard them (~) so they do not also land in the local log files
if $programname == 'APPNAME' then @@log.rizhiyi.com:5140;rizhiyiformat_APPNAME
if $programname == 'APPNAME' then ~
and replace:
- FILEPATH: the absolute path of the log file to upload, including the file name.
  Example: /var/log/nginx/access.log
- APPNAME: a unique name for the application whose log is uploaded. It is used to group logs, which helps you partition them and narrow searches, and it determines how fields are extracted from the log on the server side. If you are a VIP user for whom Rizhiyi has customized parsing rules, use the appname Rizhiyi provided for that log, otherwise the custom parsing rules will not take effect.
  Example: nginx_access
- TAG: a label carrying extra information about the log. You may define several, each with a value of your own choosing; like the appname, tags can be used to group logs and narrow searches.
  Example: Rizhiyi_search
- TOKEN: the structured-data identifier that ties the upload to your account. Its value is not reproduced legibly on this page; take it from the token your account provides and paste it in place of TOKEN, keeping the square brackets and the tag= part.
Attention:
- In the rsyslog configuration files under /etc/rsyslog.d/:
  - the appname set by $InputFileTag must be unique; different applications on the same host must use different appnames, otherwise the newly defined token and tag will not take effect;
  - the template name set by $template must be unique, otherwise the newly defined token and tag will not take effect;
  - the state file set by $InputFileStateFile must be unique, because rsyslog uses it to record how far it has read each file; sharing one between files corrupts the upload progress.
- @@log.rizhiyi.com:5140 is the domain name (or hostname) and port of the server receiving the logs; the default is log.rizhiyi.com:5140. The double @@ selects plain TCP (a single @ would be UDP); the token in the template travels in clear text on that connection, so if the collector supports TLS use rsyslog's TLS netstream driver (gtls) rather than plain @@.
3 Restart rsyslog
$ sudo service rsyslog restart
4 Verification
If, for example, you set the tag in the configuration file to "Rizhiyi_search", search for tag:Rizhiyi_search over the last hour to check that Rizhiyi received the log and identified it correctly. Indexing lags by up to a few tens of seconds, so wait that long before concluding that nothing arrived.
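Steps 1 to 4 come down to three values plus the token. The following Python script is an added example for this page (it is not Rizhiyi's own generator): it renders the drop-in from step 2 from APPNAME, FILEPATH and TAG, refuses values that would break the configuration or the $programname match, and checks the existing files in /etc/rsyslog.d against the uniqueness rules listed under Attention before you install the result. The token argument and the script's file name are assumptions.

```python
"""Render the Rizhiyi rsyslog drop-in from the three placeholders above and
check the uniqueness rules before installing it.

Added example for this page, not Rizhiyi's own generator. It assumes the
placeholders FILEPATH, APPNAME and TAG used above; `token` stands for the
structured-data element tied to your account, which the caller must supply.
"""
import os
import re
from pathlib import Path

APPNAME_RE = re.compile(r"^[A-Za-z0-9_]+$")   # "do not add special symbols"
DEFAULT_SERVER = "log.rizhiyi.com:5140"       # reached with @@, i.e. plain TCP

TEMPLATE = """\
# Rizhiyi upload of {filepath} as {appname} (generated)
$ModLoad imfile
$InputFilePollInterval 3
$WorkDirectory /var/spool/rsyslog
$InputFileName {filepath}
$InputFileTag {appname}
$InputFileStateFile stat_{appname}
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$RepeatedMsgReduction off
$InputRunFileMonitor
$template rizhiyiformat_{appname},"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %hostname% %app-name% %procid% %msgid% [{token} tag=\\"{tag}\\"] %msg%\\n"
if $programname == '{appname}' then @@{server};rizhiyiformat_{appname}
if $programname == '{appname}' then ~
"""


def render_conf(appname, filepath, tag, token, server=DEFAULT_SERVER):
    """Return the drop-in text, refusing values that would break the config or
    the matching ($programname is compared verbatim against the appname)."""
    if not APPNAME_RE.match(appname):
        raise ValueError(f"appname {appname!r}: use letters, digits and _ only")
    if not os.path.isabs(filepath) or filepath.endswith("/"):
        raise ValueError(f"filepath {filepath!r} must be an absolute path to a file")
    if not tag or any(c in tag for c in '"\\%'):
        raise ValueError(f"tag {tag!r}: quotes, backslashes and % would corrupt the template")
    if not token or any(c in token for c in ' ]"'):
        raise ValueError("token must be a single structured-data element without spaces, ] or quotes")
    return TEMPLATE.format(appname=appname, filepath=filepath, tag=tag,
                           token=token, server=server)


# Directives whose values must be unique across /etc/rsyslog.d (see Attention above).
UNIQUE = {
    "InputFileTag": re.compile(r"^\$InputFileTag\s+(\S+)", re.M),
    "InputFileStateFile": re.compile(r"^\$InputFileStateFile\s+(\S+)", re.M),
    "template": re.compile(r"^\$template\s+([^,\s]+)", re.M),
}


def declared_names(text):
    """{kind: set of names} declared in one configuration text."""
    return {kind: set(rx.findall(text)) for kind, rx in UNIQUE.items()}


def find_conflicts(new_text, existing):
    """existing maps file name -> text. Returns sorted (kind, name, file) triples
    for every tag, state file or template name the new snippet would reuse."""
    new = declared_names(new_text)
    hits = []
    for fname, text in existing.items():
        for kind, names in declared_names(text).items():
            for name in names & new[kind]:
                hits.append((kind, name, fname))
    return sorted(hits)


def load_confdir(confdir="/etc/rsyslog.d"):
    """Read every *.conf in confdir into the dict find_conflicts expects."""
    return {p.name: p.read_text(errors="replace")
            for p in sorted(Path(confdir).glob("*.conf"))}


if __name__ == "__main__":
    # usage: python3 gen_rizhiyi_conf.py APPNAME FILEPATH TAG TOKEN > /etc/rsyslog.d/APPNAME.conf
    import sys
    conf = render_conf(*sys.argv[1:5])
    clashes = find_conflicts(conf, load_confdir())
    if clashes:
        sys.exit("\n".join(f"{k} {n!r} is already declared in {f}" for k, n, f in clashes))
    sys.stdout.write(conf)
```

Write the output to a new file under /etc/rsyslog.d/ and run sudo rsyslogd -N1 to check the combined configuration before restarting rsyslog; the script aborts instead of emitting a snippet whose appname, state file or template name is already taken by another drop-in.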
References:
http://www.voidcn.com/blog/anghlq/article/p-4958086.html
http://www.wnqzw.com/article/10798.html
Appendix: rsyslog configuration details
Log output templates
Templates give fine control over the format of the log output. The syntax is:
$template <template_name>,"text %<property>% more text"[,<options>]
$template is the template directive, <template_name> is the name of the template and the quoted string is the template text, in which property names are enclosed in % signs. <options> modify the behaviour of the whole template, for example sql or stdsql, which escape every property so that the text can be used safely in an SQL statement.
Dynamic file output
The output file name can be built from properties of the log message and/or of the system.
$template dynamicfile,"/var/log/test_logs/%timegenerated%-test.log"
*.* ?dynamicfile
Here the file name is generated from timegenerated; the ? in front of the template name tells rsyslog that the target is a dynamic file whose name comes from the template. Another example:
$template dailyperhostlogs,"/var/log/syslog/%$YEAR%/%$MONTH%/%$DAY%/%hostname%/messages.log"
Be careful with message properties in a path: %hostname% comes from the sender, and a forged host name containing ../ would make rsyslog write outside the intended directory. Use %hostname:::secpath-replace% (slashes replaced by underscores) or the secpath-drop option for any path component taken from the message.
Property replacer: controlling the output format
Use the following syntax inside a template to modify how a property is rendered:
%<propname>[:<fromChar>:<toChar>:<options>]%
<propname> is the name of the property, as used in the template text.
<fromChar> and <toChar> select a character range of the property's value (1-based and inclusive). If <fromChar> is the letter R, <toChar> is interpreted as a regular expression and the range is defined by its match.
<options> are property options. The complete list is in the rsyslog property replacer documentation.
Some examples:
%msg%                             # the full message text
%msg:1:2%                         # the first two characters of the message text
%msg:::drop-last-lf%              # the full message text with the trailing line feed removed
%timegenerated:1:10:date-rfc3339% # the first 10 characters of the timestamp in RFC 3339 format, i.e. the date
Here are some template examples.
Output the severity, the facility, the time the message was received, the host name, the syslog tag and the message text, followed by a newline:
$template verbose,"%syslogseverity%,%syslogfacility%,%timegenerated%,%hostname%,%syslogtag%,%msg%\n"
A wall-style message with the originating host, the time, the syslog tag and the text, preceded by the bell character (\7):
$template wallmsg,"\r\n\7Message from syslogd@%hostname% at %timegenerated% ...\r\n%syslogtag%%msg%\n\r"
Format the log as an SQL statement that can be executed directly:
$template dbformat,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%hostname%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql
The trailing sql option is what makes this safe: it escapes single quotes and backslashes in every property, so a log line containing a quote cannot terminate the string literal and inject SQL. Never feed a database output a template without sql (or stdsql, for databases that double quotes instead of backslash-escaping them).
Output in JSON format, which is easy for programs to parse:
$template jsonformat,"{\"message\":\"%msg:::json%\",\"fromhost\":\"%hostname:::json%\",\"facility\":\"%syslogfacility-text%\",\"priority\":\"%syslogpriority-text%\",\"timereported\":\"%timereported:::date-rfc3339%\",\"timegenerated\":\"%timegenerated:::date-rfc3339%\"}\n"
The json option escapes quotes, backslashes and control characters in the free-text properties (msg and hostname), so the record stays well-formed JSON whatever the message contains. Note that msg normally begins with a space (the separator after the syslog tag is part of it), so the message value carries a leading space; the rsyslog documentation of the msg property and of the sp-if-no-1st-sp option explains this.
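To make the property replacer syntax and the sql/json escaping above concrete, here is a small Python re-implementation of the subset used on this page, added as an example (it is not rsyslog code). It supports %prop%, %prop:from:to%, the options shown above plus secpath-replace/secpath-drop, and runs against a constructed sample event whose message contains a SQL-injection payload and whose hostname tries to escape the log directory, so you can see what the dbformat, jsonformat and dailyperhostlogs templates do with hostile input.

```python
"""Mini rsyslog property replacer, added for this page (it is not rsyslog code).

It implements only the %prop[:fromChar:toChar[:options]]% syntax and the
options used on this page, plus secpath-replace/secpath-drop, to show what the
sql, json and secpath options do to hostile log content. Regex ranges
(fromChar = R) and literal % signs in template text are not supported.
"""
import datetime as dt
import json
import os
import re

# Constructed sample event (not a real capture): the message carries a SQL
# injection payload and the sender-controlled hostname tries to climb out of
# the log directory.
SAMPLE = {
    "msg": " user='x'); drop table SystemEvents; --\n",
    "hostname": "../../etc",
    "syslogtag": "sshd[4321]:",
    "syslogfacility": 4, "syslogpriority": 38, "syslogseverity": 6,
    "syslogfacility-text": "auth", "syslogpriority-text": "info",
    "iut": 1,
    "$YEAR": "2024",
    "timereported": dt.datetime(2024, 1, 2, 3, 4, 5, tzinfo=dt.timezone.utc),
    "timegenerated": dt.datetime(2024, 1, 2, 3, 4, 6, tzinfo=dt.timezone.utc),
}

OPTIONS = {
    "sql": lambda s: s.replace("\\", "\\\\").replace("'", "\\'"),  # MySQL-style escaping
    "stdsql": lambda s: s.replace("'", "''"),                        # standard SQL quote doubling
    "json": lambda s: json.dumps(s)[1:-1],                            # body of a JSON string literal
    "drop-last-lf": lambda s: s[:-1] if s.endswith("\n") else s,
    "sp-if-no-1st-sp": lambda s: "" if s.startswith(" ") else " ",
    "secpath-replace": lambda s: s.replace("/", "_"),                 # safe path component
    "secpath-drop": lambda s: s.replace("/", ""),
}
ESCAPES = ("sql", "stdsql", "json")
_PROP = re.compile(r"%([^%]*)%")


def _date(value, option):
    if option == "date-rfc3339":
        return value.isoformat()
    if option == "date-mysql":
        return value.strftime("%Y%m%d%H%M%S")
    return value.strftime("%b %d %H:%M:%S")  # traditional syslog timestamp (day zero-padded here)


def render(template, event, template_option=None):
    """Expand every %...% property. template_option is the template-level sql or
    stdsql option, which rsyslog applies to every property lacking its own escaping."""
    def expand(match):
        parts = match.group(1).split(":")
        name, from_c, to_c = (parts + ["", ""])[:3]
        opts = [o for o in parts[3].split(",") if o] if len(parts) > 3 else []
        if from_c == "R":
            raise ValueError("regex ranges are not implemented in this example")
        value = event[name]
        date_opt = next((o for o in opts if o.startswith("date-")), None)
        value = _date(value, date_opt) if isinstance(value, dt.datetime) else str(value)
        if from_c:  # 1-based inclusive character range, '$' meaning end of string
            value = value[int(from_c) - 1:len(value) if to_c == "$" else int(to_c)]
        for opt in opts:
            if not opt.startswith("date-"):
                value = OPTIONS[opt](value)
        if template_option in ESCAPES and not any(o in ESCAPES for o in opts):
            value = OPTIONS[template_option](value)
        return value
    return _PROP.sub(expand, template)


# The page's dbformat and jsonformat templates, without the surrounding $template quoting.
DBFORMAT = ("insert into SystemEvents (Message, Facility, FromHost, Priority, "
            "DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', "
            "%syslogfacility%, '%hostname%', %syslogpriority%, '%timereported:::date-mysql%', "
            "'%timegenerated:::date-mysql%', %iut%, '%syslogtag%')")
JSONFORMAT = ('{"message":"%msg:::json%","fromhost":"%hostname:::json%",'
              '"facility":"%syslogfacility-text%","priority":"%syslogpriority-text%",'
              '"timereported":"%timereported:::date-rfc3339%",'
              '"timegenerated":"%timegenerated:::date-rfc3339%"}\n')


def sql_statement(event, template_option=None):
    """dbformat rendered with (',sql') or without the template-level SQL option."""
    return render(DBFORMAT, event, template_option)


def json_record(event):
    """jsonformat rendered and parsed back: the json option keeps it well-formed."""
    return json.loads(render(JSONFORMAT, event))


def dynafile_path(event, sanitized):
    """Where a per-host dynafile ends up once the kernel resolves any '..' in the name."""
    host = "%hostname:::secpath-replace%" if sanitized else "%hostname%"
    return os.path.normpath(render("/var/log/syslog/%$YEAR%/" + host + "/messages.log", event))


if __name__ == "__main__":
    print(sql_statement(SAMPLE))         # the quote in msg closes the string literal
    print(sql_statement(SAMPLE, "sql"))  # with the sql option the quotes are escaped
    print(dynafile_path(SAMPLE, False), "->", dynafile_path(SAMPLE, True))
```

Without the sql option the sample message closes the Message literal and the rest of the line becomes SQL; with it every quote is escaped. The unsanitized per-host path resolves to /var/log/etc/messages.log, outside the syslog tree, while secpath-replace keeps it under /var/log/syslog/2024/.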
rsyslog also provides a number of predefined templates whose names start with the reserved prefix RSYSLOG_. They are defined as follows:
RSYSLOG_FileFormat
"%timestamp:::date-rfc3339% %hostname% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
RSYSLOG_TraditionalFileFormat
"%timestamp% %hostname% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
RSYSLOG_ForwardFormat
"<%pri%>%timestamp:::date-rfc3339% %hostname% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
RSYSLOG_TraditionalForwardFormat
"<%pri%>%timestamp% %hostname% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
To use one of them, append ";template_name" to the action, for example:
:programname, startswith, "cron" -/var/log/cron;RSYSLOG_TraditionalFileFormat