I. Introduction to Rsyslog
Rsyslog is a fast, modular system for collecting and processing log messages, with a number of security features. It extends the original syslog daemon: it accepts input from many kinds of sources, transforms messages, and delivers them to many kinds of destinations, and according to the project's website it can process more than one million messages per second.
Features: 1. Multithreading
2. Encrypted and reliable transports: SSL/TLS, RELP
3. Output to databases: MySQL, Oracle, PostgreSQL
4. and more
II. Practical Deployment
2.1 Environment diagram
(The diagram is not reproduced here. The hosts used below are the rsyslog server, which accepts logs from the 192.168.30.0/24 segment, and two clients: node1 at 192.168.30.56 and CEPH1 at 192.168.30.57.)
2.2 Operations on the rsyslog server
Install the rsyslog package (rsyslog ships with every release; if it is missing from the system, install it with yum):
yum install rsyslog -y
Edit the rsyslog configuration file, /etc/rsyslog.conf. Make a backup copy before changing anything. The modified file, with comments and blank lines removed, looks like this:
# grep -v "^#" /etc/rsyslog.conf | grep -v "^$"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad immark  # provides --MARK-- message capability
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$AllowedSender TCP, 192.168.30.0/24
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /data/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
A. $AllowedSender TCP, 192.168.30.0/24 allows only hosts in the 192.168.30.0/24 segment to send logs over TCP. Note that this line restricts TCP only: the UDP listener opened by $UDPServerRun 514 accepts messages from any source unless a matching $AllowedSender UDP, 192.168.30.0/24 line (or a firewall rule) is added as well.
B. $template Remote,"/data/log/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" defines a template for the output file path, so that logs from different hosts land in separate per-IP directories and daily files. %fromhost-ip% is the peer address of the socket the message arrived on, not a value taken from the message, which is what makes it safe to use in a file path; %HOSTNAME% by contrast is parsed from the message header and is chosen by the sender.
C. :fromhost-ip, !isequal, "127.0.0.1" ?Remote applies the Remote template to every message that did not originate on the server itself, so the server's own logs stay out of /data/log/<ip>/. Since no discard follows this rule, remote messages also continue through the rules below and are additionally written to /data/log/messages (and /var/log/secure, etc.) according to their facility.
D. $InputTCPServerRun 514 opens the TCP listener; TCP and UDP listeners can both use port 514, since they are different protocols.
Create the log directory. Choose a filesystem with plenty of free space, since it will hold the log files of many servers.
mkdir -pv /data/log
After the changes are complete, restart the rsyslog service and check the listening ports. Port 514 is open on both TCP and UDP:
# systemctl restart rsyslog
# netstat -aulntp | grep rsyslog
tcp        0      0 0.0.0.0:514            0.0.0.0:*               LISTEN      20228/rsyslogd
tcp6       0      0 :::514                 :::*                    LISTEN      20228/rsyslogd
udp        0      0 0.0.0.0:514            0.0.0.0:*                           20228/rsyslogd
udp6       0      0 :::514                 :::*                                20228/rsyslogd
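Before checking the pipeline with logger, it helps to see what actually crosses the wire. The following Python script is an added example and is not code from the original post or from the rsyslog project: it builds an RFC 3164 record of the kind rsyslog parses and sends it the way @@host (TCP, newline-terminated) or @host (UDP) does, so it can serve as a test client against the server from any host. It assumes the server address 192.168.30.55 used in the node1 configuration; SAMPLE_TIME is a constructed timestamp so the output is reproducible, and build_message, priority and send are the example's own names.

```python
"""Minimal RFC 3164 syslog test client (added example, not from the post).

Builds "<PRI>Mmm dd HH:MM:SS HOSTNAME TAG: MSG" and delivers it over TCP
(newline framing, as rsyslog's @@host does) or UDP (one datagram, as @host).
"""
import socket
from datetime import datetime

SERVER = "192.168.30.55"                        # rsyslog server from the node1 config
SAMPLE_TIME = datetime(2016, 5, 5, 20, 50, 45)  # constructed, for reproducible output
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Numeric codes from RFC 3164 section 4.1.1.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}


def priority(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; user.notice, which `logger` sends, is 13.

    Selectors such as *.info or authpriv.* on the server match on this value.
    """
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, hostname, tag, msg, when=None):
    """Format one RFC 3164 record.

    Everything after <PRI>, HOSTNAME included, is written by the sender and
    verified by nobody. That is why the server keys its directories on
    %fromhost-ip% (the socket peer address) rather than on %HOSTNAME%.
    """
    when = when or datetime.now()
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded
    return f"<{priority(facility, severity)}>{stamp} {hostname} {tag}: {msg}"


def send(message, host=SERVER, port=514, tcp=True, timeout=5.0):
    """Deliver one record; returns the number of payload bytes sent."""
    data = message.encode("utf-8")
    if tcp:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data + b"\n")      # plain TCP syslog: one record per line
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))  # UDP: one record per datagram
    return len(data)


if __name__ == "__main__":
    # Same check as `logger "this is test"` on node1 followed by `tail` on the server.
    record = build_message("user", "notice", socket.gethostname(), "root", "this is test")
    print(record)
    print(send(record), "bytes sent over TCP to", SERVER)
```

Run it on a host in the 192.168.30.0/24 segment and tail the matching /data/log/<ip>/ file on the server. Sent from a host outside that segment, the TCP record is dropped because of $AllowedSender, while the UDP variant (tcp=False) is still written, because the server's $AllowedSender line covers TCP only. Passing a foreign hostname to build_message shows the other point: the record is accepted as-is, and only the directory name (taken from the peer address) tells you where it really came from.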
2.3 Operations on the client
Configuration on node1
Open the configuration file /etc/rsyslog.conf; as before, back it up first. Remember to restart the service after the change.
# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %msg%\n"
$ActionFileDefaultTemplate myFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                @@192.168.30.55
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
@@192.168.30.55 forwards over TCP; a single @ would forward over UDP. Note that the myFormat template set through $ActionFileDefaultTemplate applies to the local file outputs only; the forwarding action keeps rsyslog's default forwarding format unless the template is named on that line (@@192.168.30.55;myFormat), which is why the server receives these messages in the ordinary syslog layout.
Configuration on CEPH1, followed by a restart of the rsyslog program
Open the configuration file /etc/rsyslog.conf
# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*
Finally, restart the rsyslog program on the client.
2.4 Verification. On the server, go to the /data/log directory and look at it; you will find a file structure similar to the following:
# tree /data/log/
/data/log/
├── 192.168.30.56
│   └── 192.168.30.56_2016-05-05.log
├── 192.168.30.57
│   └── 192.168.30.57_2016-05-05.log
└── messages

2 directories, 3 files
messages: the server's own system log
Directory 192.168.30.56: logs from client node1
Directory 192.168.30.57: logs from client CEPH1
Here we only look at node1's system log. On the server:
# tail -f /data/log/192.168.30.56/192.168.30.56_2016-05-05.log
May  5 20:30 node1 rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="9296" x-info="http://www.rsyslog.com"] exiting on signal 15.
May  5 20:30 node1 rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="9334" x-info="http://www.rsyslog.com"] start
May  5 20:50:45 node1 systemd: Stopping System Logging Service...
May  5 20:50:45 node1 systemd: Starting System Logging Service...
May  5 20:50:45 node1 systemd: Started System Logging Service.
You can also send a message from the command line on node1 with logger "this is test" and then view it on the server:
# tail -1f /data/log/192.168.30.56/192.168.30.56_2016-05-05.log
May  5 ... node1 root: this is test
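With the per-IP directory layout in place, the tree can be checked mechanically rather than by eye. The following Python script is an added example, not code from the original post: it parses the traditional file format shown in the tail output, counts records per peer, hostname and program, counts rsyslogd restarts (the "exiting on signal 15" lines), flags records whose HOSTNAME field does not match the host expected for that peer IP (the HOSTNAME in a syslog record is whatever the sender wrote, while the directory name is the peer address the server saw), and lists peers that have gone quiet. The IP-to-hostname map is taken from 2.4; LOG_ROOT, NOW, the function names and the SAMPLE lines are constructed for the example.

```python
"""Audit of the server's /data/log/<peer-ip>/ tree (added example, not from the post)."""
import glob
import os
import re
from datetime import datetime

LOG_ROOT = "/data/log"
EXPECTED = {"192.168.30.56": "node1", "192.168.30.57": "ceph1"}   # from section 2.4
NOW = datetime(2016, 5, 5, 21, 0, 0)                                 # constructed clock

# "Mmm dd HH:MM:SS HOSTNAME TAG[pid]: MSG", i.e. RSYSLOG_TraditionalFileFormat.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ 0-9][0-9] \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")


def parse_line(line, year):
    """Return a dict for one record, or None if the line is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The traditional format carries no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "tag": m["tag"],
            "pid": m["pid"], "msg": m["msg"]}


def load_tree(root=LOG_ROOT):
    """Read <root>/<ip>/*.log into {ip: [lines]}; the ip is the directory name."""
    files = {}
    for path in sorted(glob.glob(os.path.join(root, "*", "*.log"))):
        ip = os.path.basename(os.path.dirname(path))
        with open(path, encoding="utf-8", errors="replace") as f:
            files.setdefault(ip, []).extend(f.read().splitlines())
    return files


def audit(files, expected, year, now, max_silence_min=30):
    """Summarise the tree and flag hostname mismatches and silent peers."""
    report = {"counts": {}, "restarts": {}, "hostname_mismatch": {}, "silent": []}
    for ip, lines in files.items():
        last = None
        for line in lines:
            rec = parse_line(line, year)
            if rec is None:
                continue
            key = (ip, rec["host"], rec["tag"])
            report["counts"][key] = report["counts"].get(key, 0) + 1
            if rec["tag"] == "rsyslogd" and "exiting on signal" in rec["msg"]:
                report["restarts"][ip] = report["restarts"].get(ip, 0) + 1
            # Directory name = peer address seen by the server; HOSTNAME = sender's claim.
            if ip in expected and rec["host"] != expected[ip]:
                report["hostname_mismatch"].setdefault(ip, set()).add(rec["host"])
            if last is None or rec["ts"] > last:
                last = rec["ts"]
        if last is None or (now - last).total_seconds() > max_silence_min * 60:
            report["silent"].append(ip)
    # Expected peers with no directory at all have never forwarded anything.
    report["silent"].extend(ip for ip in expected if ip not in files)
    return report


SAMPLE = {  # constructed, in the shape of the tail output above
    "192.168.30.56": [
        'May  5 20:50:45 node1 rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="9296" x-info="http://www.rsyslog.com"] exiting on signal 15.',
        'May  5 20:50:45 node1 rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="9334" x-info="http://www.rsyslog.com"] start',
        "May  5 20:50:45 node1 systemd: Started System Logging Service.",
        "May  5 20:55:10 node1 root: this is test",
        # a record claiming to be from ceph1 that arrived from node1's address
        "May  5 20:56:00 ceph1 cron[2211]: (root) CMD (run-parts /etc/cron.hourly)",
    ],
    "192.168.30.57": [
        "May  5 19:10:00 ceph1 systemd: Started System Logging Service.",
    ],
}

if __name__ == "__main__":
    if os.path.isdir(LOG_ROOT):
        files, now = load_tree(), datetime.now()
    else:
        files, now = SAMPLE, NOW
    rep = audit(files, EXPECTED, now.year, now)
    for (ip, host, tag), n in sorted(rep["counts"].items()):
        print(f"{ip:16} {host:8} {tag:12} {n}")
    print("rsyslogd restarts:", rep["restarts"])
    print("hostname mismatch:", rep["hostname_mismatch"])
    print("silent peers:", rep["silent"])
```

A peer that falls silent is worth a look as much as one that sends too much: a client whose rsyslog was stopped, or whose forwarding line was edited, simply disappears from the tree, and nothing on the server complains. The hostname check is cheap because the server stores the peer address in the path; if the template had used %HOSTNAME% instead, a sender could choose which directory its records land in.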
2.5 If verification fails, first check whether SELinux is disabled. Then make sure that UDP port 514 and TCP port 514 are reachable from the 192.168.30.0/24 segment, or stop the iptables service. Note that the default firewall on CentOS 7 is firewalld, not iptables; rather than switching the firewall off, prefer opening 514/tcp and 514/udp for the 192.168.30.0/24 segment only (a firewalld rich rule with a source address and a port). Perform these checks on every machine.
III. Collecting the logs of other services. The operations are performed on the client node1, using the log of the openstack-nova service as the example:
3.1 First modify the configuration file /etc/rsyslog.conf; the complete contents are as follows:
# egrep -v '^#|^$' /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad immark  # provides --MARK-- message capability
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                @@192.168.30.67
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
module(load="imfile" PollingInterval="5")
$InputFileName /var/log/nova/nova-compute.log
$InputFileTag nova-info:
$InputFileStateFile state-nova-info
$InputRunFileMonitor
In fact only the last five lines were added. Briefly:
module(load="imfile" PollingInterval="5") loads the imfile module and polls the monitored file every 5 seconds.
$InputFileName /var/log/nova/nova-compute.log is the path of the log file to monitor.
$InputFileTag nova-info: defines the tag attached to these messages; note the trailing colon.
$InputFileStateFile state-nova-info defines the state file, created under $WorkDirectory (here /var/lib/rsyslog), in which imfile records how far into the file it has read, so that a restart does not re-send the whole file. Each monitored file needs its own state file name.
$InputRunFileMonitor activates the reader. Several files can be monitored by repeating the group of directives; put this one at the end of each group. Messages read by imfile default to facility local0 and severity notice, so the *.info selector above forwards them to the server along with the system log.
3.2 After the changes are complete, restart the client's rsyslog service:
# systemctl restart rsyslog
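To see what the state file does, here is a file follower written as an added example (not code from the original post or from rsyslog's imfile): it remembers the inode and byte offset it has already shipped, resumes from there on restart, re-reads from the beginning when the file is rotated or truncated, and holds back a half-written last line until the next poll, which is the behaviour $InputFileStateFile gives imfile. The file names mirror the nova-compute example; demo() runs the scenario in a temporary directory with constructed log lines, and read_new_lines, read_state and the JSON layout of the state file are the example's own.

```python
"""What an imfile state file does (added example, not rsyslog's implementation)."""
import json
import os
import tempfile


def read_state(state_path):
    """Load {"inode", "offset"}; a missing state file means 'never read this file'."""
    try:
        with open(state_path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {"inode": None, "offset": 0}


def read_new_lines(log_path, state_path):
    """Return complete lines added since the last call and persist the new position."""
    state = read_state(state_path)
    st = os.stat(log_path)
    if state["inode"] != st.st_ino or st.st_size < state["offset"]:
        # New inode (file rotated and recreated) or the file shrank
        # (copytruncate): the saved offset no longer means anything, start over.
        # A truncate-and-refill that grows past the old offset before the next
        # poll is not detected by this check; imfile shares that limitation.
        state = {"inode": st.st_ino, "offset": 0}
    with open(log_path, "rb") as f:
        f.seek(state["offset"])
        data = f.read()
    end = data.rfind(b"\n") + 1            # ship only complete lines
    lines = data[:end].decode("utf-8", "replace").splitlines()
    state["offset"] += end                 # a partial trailing line is re-read next time
    with open(state_path, "w") as f:
        json.dump(state, f)                # one state file per monitored file
    return lines


def demo():
    """Append, then 'restart' (position re-read from disk), then truncate."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "nova-compute.log")
        state = os.path.join(d, "state-nova-info")
        with open(log, "w") as f:                   # constructed nova-style lines
            f.write("2016-05-05 20:50:45.001 INFO nova.compute.manager [-] first\n"
                    "2016-05-05 20:50:46.002 INFO nova.compute.manager [-] seco")
        first = read_new_lines(log, state)          # partial second line held back
        with open(log, "a") as f:
            f.write("nd\n")                         # writer finishes the line
        second = read_new_lines(log, state)         # resumes from the saved offset
        with open(log, "w") as f:                   # truncation, as copytruncate does
            f.write("2016-05-05 21:00:00.000 INFO nova.compute.manager [-] after rotate\n")
        third = read_new_lines(log, state)          # offset reset, file read from start
        return {"first": first, "second": second, "third": third}


if __name__ == "__main__":
    for stage, lines in demo().items():
        print(stage, lines)
```

Because the position lives in the state file, giving two monitored files the same $InputFileStateFile name would make them overwrite each other's offset, which is why each group of imfile directives needs its own. The held-back partial line is also why a message never arrives at the server cut in half, even though the file is polled while the service is still writing to it.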
Linux rsyslog system log forwarding (reprint)