Linux Rsyslog System Log forwarding

Source: Internet
Author: User
Tags: system log rsyslog

I. Introduction of Rsyslog

Rsyslog is a fast system logging program that offers high performance, security features, and a modular design. It is an upgraded version of syslog that accepts input from multiple sources, transforms it, and outputs it to multiple destinations; according to the official website, it is now able to process 1 million messages.

Features:

1. Multithreading

2. Encryption protocol support: SSL, TLS, RELP

3. MySQL, Oracle, PostgreSQL

4. etc.

II. Practical Deployment

2.1 Environment diagram

  

2.2 Deployment on the rsyslog server

Install the rsyslog program. (Rsyslog is already installed in each distribution release; if it is not on the system, you can install it with yum, as follows:)

yum install rsyslog -y

Edit the rsyslog configuration file, /etc/rsyslog.conf. It is best to back up a copy before modifying it. The modified file content is as follows:

# grep -v "^#" /etc/rsyslog.conf | grep -v "^$"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad immark # provides --MARK-- message capability
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$AllowedSender TCP, 192.168.30.0/24
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /data/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

A. $AllowedSender TCP, 192.168.30.0/24 allows hosts within the 192.168.30.0/24 network segment to send logs over TCP.

B. $template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" defines a template for the path of the received log files, so that logs from different hosts are kept apart.

C. :fromhost-ip, !isequal, "127.0.0.1" ?Remote writes messages whose source IP is not 127.0.0.1 using the Remote template, which filters out the server's own local logs.

D. $InputTCPServerRun 514 opens the TCP listener; TCP and UDP can coexist.
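The server configuration above enables both a UDP and a TCP listener but sets $AllowedSender only for TCP; with no entry for a protocol, rsyslog accepts messages from any sender on that protocol. The following added example (not part of the original article) parses the legacy directives and reports which listeners have no sender restriction; the function names are assumptions of this example.

```python
# Added example: audit rsyslog legacy directives for listeners without $AllowedSender.
# Constructed sample: the network-related directives from the server config above.
SERVER_CONF = """\
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$AllowedSender TCP, 192.168.30.0/24
"""

# Legacy directives that open a network listener, mapped to their protocol.
LISTENERS = {"$udpserverrun": "UDP", "$inputtcpserverrun": "TCP"}


def audit_listeners(conf_text):
    """Return {protocol: {"ports": [...], "allowed": [...]}} for enabled listeners."""
    found, allowed = {}, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line.startswith("$"):
            continue                             # only global directives matter here
        parts = line.split(None, 1)
        name = parts[0].lower()                  # compare directive names case-insensitively
        arg = parts[1].strip() if len(parts) > 1 else ""
        if name in LISTENERS:
            entry = found.setdefault(LISTENERS[name], {"ports": [], "allowed": []})
            entry["ports"].append(arg)
        elif name == "$allowedsender":
            fields = [f.strip() for f in arg.split(",") if f.strip()]
            if fields:                           # first field is the protocol
                allowed.setdefault(fields[0].upper(), []).extend(fields[1:])
    for proto, entry in found.items():
        entry["allowed"] = allowed.get(proto, [])
    return found


def unrestricted(conf_text):
    """Protocols that have a listener but no $AllowedSender entry."""
    return sorted(p for p, e in audit_listeners(conf_text).items() if not e["allowed"])


if __name__ == "__main__":
    for proto, entry in sorted(audit_listeners(SERVER_CONF).items()):
        senders = ", ".join(entry["allowed"]) or "any sender"
        print(f"{proto} port {','.join(entry['ports'])}: accepts {senders}")
```

Adding a line such as $AllowedSender UDP, 192.168.30.0/24, or removing the imudp listener if only TCP forwarding is used, clears the finding.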

Create the log directory. Since it will hold the log files of many servers, try to create it on a larger partition of the system.

mkdir -pv /data/log

After the modification is complete, restart the rsyslog service and check the listening ports; port 514 is listening on TCP (and on UDP).

# systemctl restart rsyslog
# netstat -aulntp | grep rsyslog
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      20228/rsyslogd
tcp6       0      0 :::514                  :::*                    LISTEN      20228/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           20228/rsyslogd
udp6       0      0 :::514                  :::*                                20228/rsyslogd

2.3 Actions on the client:

Configuration on node1

As before, back up /etc/rsyslog.conf first, then open it and make the changes below. Remember to restart the program after the change.

# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template MyFormat,"%timestamp%%fromhost-ip%%msg%\n"
$ActionFileDefaultTemplate MyFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                @@192.168.30.55
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

Configuration on ceph1; restart the rsyslog program afterwards

Open the configuration file /etc/rsyslog.conf

# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                @@192.168.30.55
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
$template MyFormat,"%timestamp%%fromhost-ip%%msg%\n"
$ActionFileDefaultTemplate MyFormat

Finally, restart the rsyslog program on the client.
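As an added example (not from the original article), this code reads the client rules above and lists where a given facility is forwarded. On the client configuration shown here, the rule forwards over TCP (@@), and the mail, authpriv and cron messages are switched off by the .none selectors, so they stay on the client. The function names and the assumption of plain @host[:port] targets without options are this example's own.

```python
# Added example: work out which facilities a legacy forwarding rule actually ships.
# Constructed sample: rule lines from the client configuration above.
CLIENT_RULES = """\
*.info;mail.none;authpriv.none;cron.none    @@192.168.30.55
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
"""


def ships(selector, facility):
    """True if the selector matches the facility at some priority."""
    matched = False
    for item in selector.split(";"):              # later items override earlier ones
        facilities, _, priority = item.rpartition(".")
        names = facilities.split(",")
        if "*" in names or facility in names:
            matched = priority != "none"          # facility.none switches it off
    return matched


def forward_targets(conf_text, facility):
    """List (protocol, host, port) destinations that receive the facility."""
    targets = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2 or not parts[1].startswith("@"):
            continue                              # not a forwarding action
        selector, action = parts[0], parts[1].strip()
        protocol = "TCP" if action.startswith("@@") else "UDP"   # @@ = TCP, @ = UDP
        host, _, port = action.lstrip("@").partition(":")
        if ships(selector, facility):
            targets.append((protocol, host, int(port) if port else 514))
    return targets


if __name__ == "__main__":
    for facility in ("daemon", "authpriv", "mail", "cron"):
        dests = forward_targets(CLIENT_RULES, facility)
        print(f"{facility:9s} -> {dests if dests else 'local only'}")
```

If authentication events are meant to reach the central server, the authpriv.none item has to be dropped from the forwarding selector.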

2.4 Verification: on the server, go to the /data/log directory and look at its contents. You will find a file structure similar to the following:

# tree /data/log/
/data/log/192.168. 30.56 │ 192.168. 56_2016--192.168. 30.57 │ 192.168. 57_2016--log└──messages23 files

messages: the server's own system log
Folder 192.168.30.56: logs from client node1
Folder 192.168.30.57: logs from client ceph1

We only look at node1's system log here. On the server:

# tail -f /data/log/192.168.30.56/192.168. -.56_2016- to- to. Log
May5  -: -: $ node1 rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="9296" x-info="http://www.rsyslog.com"] exiting on signal the.
May5  -: -: $ node1 rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="9334" x-info="http://www.rsyslog.com"] start
May5  -: -: $ node1 systemd: Stopping System Logging Service...
May5  -: -: $ node1 systemd: Starting System Logging Service...
May5  -: -: $ node1 systemd: Started System Logging Service.

It is also possible to send a message from node1 on the command line with logger "This is test" and then view it on the server:

# tail -1f /data/log/192.168.30.56/192.168. 56_2016-.log
may5::  node1 root: this is test

III. Summary

I didn't know rsyslog before and always thought it was difficult; now I feel it is quite simple. But it is simple only because we used the simplest method, and the function is only used for forwarding. Subsequent attempts will be made to forward the logs of other services, such as MySQL, Zabbix, and the Nova service. These are the ultimate goals.

This article is original; please cite the source when reproducing it.
