(a) Rsyslog overview
Rsyslog is a high-performance system log collector with security features and a modular design. It is an enhanced replacement for syslog that accepts input from many sources, transforms it, and delivers it to many kinds of destinations.
Rsyslog is an open source tool widely used on Linux systems to forward or receive log messages over TCP or UDP. The rsyslog daemon can be configured in two roles: as a log collection server, where the rsyslog process receives log data from other hosts on the network, or as a client that filters the local log messages and sends them to a local directory (such as /var/log) or to a remote rsyslog server it can reach.
Logrotate is a log file management tool used to rotate, compress and delete old log files and to create new ones. Rotation can be triggered by log file size, by age in days, and so on, which keeps log files manageable; it is usually run from a cron scheduled task.
Serial Number | IP Address    | Type        | Notes
1             | 192.168.99.99 | Server side |
2             | 192.168.99.98 | Client side |
(b) Rsyslog server-side configuration
1. rsyslog is installed by default; if it is not, install it with:
[[email protected] samba]# yum install rsyslog -y
2. Modify the /etc/rsyslog.conf configuration file and enable the UDP and TCP input modules ($ModLoad imudp with $UDPServerRun 514, and $ModLoad imtcp with $InputTCPServerRun 514). The "*.* ?remotehost" rule writes every received message to the per-date, per-source-IP file named by the remotehost template; the "& ~" line that follows discards the messages matched by the preceding selector so that the rules further down do not process them again, and because that selector is "*.*" this applies to the server's own local messages as well.
[[email protected] samba]# vim /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal

# enable UDP log reception
$ModLoad imudp
$UDPServerRun 514
$template remotehost,"/data/syslog/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%.log"
*.* ?remotehost
& ~

# enable TCP log reception
$ModLoad imtcp
$InputTCPServerRun 514

$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# enable all configuration files ending in .conf in the /etc/rsyslog.d/ directory
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state

*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local0.* /etc/keepalived/keepalived.log
3. Restart the rsyslog service and confirm that it is listening on port 514 over both TCP and UDP:
[[email protected] 2018-05-23]# systemctl restart rsyslog
[[email protected] 2018-05-23]# systemctl status rsyslog
[[email protected] samba]# netstat -anp | grep 514
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1445/rsyslogd
tcp6       0      0 :::514                  :::*                    LISTEN      1445/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1445/rsyslogd
udp6       0      0 :::514                  :::*                                1445/rsyslogd
(c) Rsyslog client configuration
1. Edit the configuration file of the rsyslog client:
[[email protected] log]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template MyFormat,"%timestamp% %fromhost-ip% %msg%\n" # custom template definition
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.* @192.168.99.99:514 # this rule tells the rsyslog daemon to route all messages of every facility on this system to UDP port 514 on the remote rsyslog server (192.168.99.99); @@ sends over TCP, a single @ sends over UDP
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local0.* /etc/keepalived/keepalived.log
2. Restart the client rsyslog service:
[[email protected] log]# systemctl restart rsyslog
[[email protected] log]# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since 四 2018-05-24 16:57:04 CST; 4s ago
 Main PID: 44765 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─44765 /usr/sbin/rsyslogd -n
5月 24 16:57:04 server98 systemd[1]: Starting System Logging Service...
5月 24 16:57:04 server98 systemd[1]: Started System Logging Service.
(d) Check that logs are generated properly on the client and the server.
(1) On the server, check that /data/<date>/<ip>.log is being generated normally:
[[email protected] 2018-05-24]# tail -f /data/2018-05-24/192.168.99.98.log
2018-05-24T17:02:52+08:00 server98 postfix/pickup[41198]: AAC764ACB03: uid=0 from=<[email protected]>
2018-05-24T17:02:52+08:00 server98 postfix/cleanup[45967]: AAC764ACB03: message-id=<[email protected]>
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AAC764ACB03: from=<[email protected]>, size=851, nrcpt=1 (queue active)
2018-05-24T17:02:52+08:00 server98 postfix/smtp[39596]: AAC764ACB03: to=<[email protected]>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=address.somewhere type=AAAA: Host not found)
2018-05-24T17:02:52+08:00 server98 postfix/cleanup[45967]: AB6804ACB0B: message-id=<[email protected]>
2018-05-24T17:02:52+08:00 server98 postfix/bounce[45968]: AAC764ACB03: sender non-delivery notification: AB6804ACB0B
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AB6804ACB0B: from=<>, size=2811, nrcpt=1 (queue active)
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AAC764ACB03: removed
2018-05-24T17:02:52+08:00 server98 postfix/smtp[39597]: AB6804ACB0B: to=<[email protected]>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=company.xy type=AAAA: Host not found)
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AB6804ACB0B: removed
2018-05-24T17:14:33+08:00 server98 root: hello World
(2) On the client, check that the same log lines are present locally, i.e. that the logs are in sync:
[[email protected] ~]# tail -f /var/log/messages
May 17:11:40 server98 keepalived_vrrp[49377]: Vrrp_script (Chk_http_port) succeeded
May 17:11:52 server98 smokeping[38532]: Alert Someloss was active for Other.hefei.hefei-office2
May 17:11:52 server98 smokeping[38532]: Alert Someloss was active for Other.wuxi.wuxi-office2
May 17:12:52 server98 smokeping[38532]: Alert Someloss was active for Other.hefei.hefei-office2
May 17:12:52 server98 smokeping[38532]: Alert Someloss was active for Other.wuxi.wuxi-office2
May 17:13:52 server98 smokeping[38532]: Alert Someloss was active for Other.hefei.hefei-office2
May 17:13:52 server98 smokeping[38532]: Alert Someloss was active for Other.wuxi.wuxi-office2
17:14:33 server98 Root:hello World
At this point, log synchronization between the log server and the client is complete.
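As an added check (example code, not part of the original post), the script below walks the server's /data/<date>/<ip>.log layout produced by the remotehost template and reports inventory hosts whose file is missing for today or whose last line is older than a threshold, which is how a silent or misconfigured client (or a blocked port 514) shows up. The temporary directory, the hypothetical second client 192.168.99.97 and the sample line are constructed for the demo.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Lines in the per-host files look like the server check above:
#   2018-05-24T17:14:33+08:00 server98 root: hello World
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{6})?[+-]\d{2}:\d{2}) \S+ ")


def last_timestamp(path):
    """Timestamp of the last parsable line in one per-host log file, or None."""
    last = None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = LINE_RE.match(line)
            if m:
                last = datetime.fromisoformat(m.group(1))
    return last


def silent_clients(base_dir, expected_ips, now, max_age=timedelta(minutes=10)):
    """Return (ip, reason) for inventory hosts with no fresh file under
    <base_dir>/<YYYY-MM-DD>/<ip>.log, the layout of the remotehost template."""
    day_dir = os.path.join(base_dir, now.strftime("%Y-%m-%d"))
    silent = []
    for ip in expected_ips:
        path = os.path.join(day_dir, ip + ".log")
        if not os.path.isfile(path):
            silent.append((ip, "no file for today"))
            continue
        ts = last_timestamp(path)
        if ts is None:
            silent.append((ip, "no parsable lines"))
        elif now - ts > max_age:
            silent.append((ip, "stale, last line at " + ts.isoformat()))
    return silent


def demo():
    """Constructed demo: one fresh client (192.168.99.98) and one hypothetical
    client (192.168.99.97) that never produced a file today."""
    now = datetime(2018, 5, 24, 17, 20, 0, tzinfo=timezone(timedelta(hours=8)))
    base = tempfile.mkdtemp()
    day_dir = os.path.join(base, "2018-05-24")
    os.makedirs(day_dir)
    with open(os.path.join(day_dir, "192.168.99.98.log"), "w") as fh:
        fh.write("2018-05-24T17:14:33+08:00 server98 root: hello World\n")
    return silent_clients(base, ["192.168.99.98", "192.168.99.97"], now)


if __name__ == "__main__":
    print(demo())
```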
Note:
1. facility: the syslog facility. Rsyslog uses the facility concept to identify the source of a log message so that logs can be classified. There are 24 facilities, numbered 0 to 23 (Python's syslog library does not define all of them):
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16-23 local0-local7
Commonly used are:
2. severity: the log level
0 Emergency
1 Alert
2 Critical
3 Error
4 Warning
5 Notice
6 Informational
7 Debug
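Added example (not from the original post): the facility and severity numbers above are packed into the PRI field at the front of every message the client forwards to @192.168.99.99:514 (PRI = facility * 8 + severity, written as <n>), and the selectors in the rsyslog.conf lines, such as *.info;mail.none;authpriv.none;cron.none, match on exactly those two values. The code below encodes and decodes PRI, strips it from a received datagram, and evaluates a legacy selector the way rsyslog does; the <13> datagram is constructed from the "root: hello World" test message (logger's default priority is user.notice).

```python
import re

# Facility numbers from the table above (RFC 5424 names; rsyslog selectors use
# the classic keywords such as kern, mail, authpriv, cron, local0-local7).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "ntp": 12, "audit": 13,
              "alert": 14, "clock": 15}
FACILITIES.update({"local%d" % i: 16 + i for i in range(8)})
# Severity levels 0-7 with the keywords used in selectors.
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FAC_NAMES = {v: k for k, v in FACILITIES.items()}
SEV_NAMES = {v: k for k, v in SEVERITIES.items()}


def encode_pri(facility, severity):
    """PRI value placed inside <...> at the start of a syslog message."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Split a PRI value back into (facility, severity) names."""
    fac, sev = divmod(pri, 8)
    return FAC_NAMES[fac], SEV_NAMES[sev]


def parse_pri(datagram):
    """Take '<PRI>rest' as received on port 514; reject a malformed or
    out-of-range PRI (max 23*8+7 = 191) instead of guessing a default."""
    m = re.match(rb"<(\d{1,3})>(.*)", datagram, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("malformed PRI")
    fac, sev = decode_pri(int(m.group(1)))
    return fac, sev, m.group(2).decode("utf-8", "replace")


def selector_matches(selector, facility, severity):
    """Evaluate a legacy selector such as '*.info;mail.none;authpriv.none'.
    'fac.level' matches that level and anything more severe, '*' is any,
    'none' excludes the facility; later parts override earlier ones."""
    limit = {}
    for part in selector.split(";"):
        facs, level = part.strip().rsplit(".", 1)
        names = FACILITIES if facs == "*" else facs.split(",")
        for name in names:
            limit[name] = (None if level == "none" else
                           7 if level == "*" else SEVERITIES[level])
    lim = limit.get(facility)
    return lim is not None and SEVERITIES[severity] <= lim
```

With the client's own rule set, the user.notice test message matches the /var/log/messages selector, which is why "hello World" appears in both the server's per-host file and the client's /var/log/messages above, while authpriv messages are routed only to /var/log/secure.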
Important configuration files:
1. Configuration of the rsyslog server side:
[[email protected] 2018-05-23]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
$template remotehost,"/data/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%.log"
*.* ?remotehost
& ~
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local0.* /etc/keepalived/keepalived.log
2. Rsyslog client configuration:
[[email protected] log]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template MyFormat,"%timestamp% %fromhost-ip% %msg%\n"
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none @192.168.99.99:514
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local0.* /etc/keepalived/keepalived.log
Linux builds a centralized log server through Rsyslog