Log Analysis -1.rsyslog basic configuration (server/client)

Source: Internet
Author: User
Tags syslog rsyslog

Log Analysis -1.rsyslog basic configuration (server/client)
CENTOS6 up/etc/syslog.conf no longer have! But/etc/rsyslog.conf instead!
Rsyslog is a multi-threaded enhanced version of Syslog, and now the default log system for Fedora, Ubuntu, Rhel6, CENTOS6 is Rsyslog.
Rsyslog is mainly used to collect various logs generated by the system, and the log is placed in the/var/log/directory by default.
The Log Collection tool not only collects logs from this machine, but also collects logs from other machines.

Under the configuration of the client/server architecture, Rsyslog also plays two roles:
1. As a server, Rsyslog can collect log information from other facilities;
2. As a client, Rsyslog can transfer its internal log information to a remote syslog server.

Rsyslog is a Log collection tool, and many Linux now have their own rsyslog, replacing the syslog with it.

I. Configuration on server-side
1. Turn on udp,tcp
# provides UDP syslog reception
$ModLoad imudp #开启, get rid of #
$UDPServerRun 514 #开启, get rid of #

# provides TCP syslog reception
$ModLoad imtcp #开启, get rid of #
$InputTCPServerRun 514 #开启, get rid of #

Cancels the above 4-line Comment
There are 2 modes of delivery, UDP and TCP "UDP,TCP follow-up instructions"
UDP is a faster than TCP, but does not have the same reliability as TCP traffic. So if you need to use a reliable delivery mechanism, you get rid of the TCP part number.

It is important to note that TCP and UDP can be simultaneously active to listen for TCP/UDP connections.
If you are monitoring a private IP address, turning on UDP is sufficient

If you turn on TCP, you need to add a configuration
$InputTCPMaxSessions #tcp接收连接数为500个

2. Other parts by default

3. Check that the configuration file is correct
Check that the configuration is correct
Error will be reported if there are errors

4. Restart the Rsyslog log
/etc/init.d/rsyslog restart

5. (If there is a firewall to open UDP 514 port, 161 is for SNMP)
Shield open port, log collection server must be turned on
-A input-s xxxxx/24-i bond1-p udp-m UDP--dport 514-j ACCEPT
-A input-s xxxxx/24-i bond1-p udp-m UDP--dport 161-j ACCEPT

two. Configuration of 2 clients
1. Modify the configuration vim/etc/rsyslog.conf
# First some standard log files. Log by facility.
*.*;auth,authpriv.none,cron.! *-/var/log/syslog
*.*;auth,authpriv.none,cron.! * @添加这一条, IP addresses the IP address of the server IP address to add this, IP for the server IP address "Note @ip Direct no space"

2. Other parts by default

3. Check that the configuration file is correct
Check that the configuration is correct
Error will be reported if there are errors

4. Restart the Rsyslog log
/etc/init.d/rsyslog restart

4. Send a test log
Use Netcat to send a test log using Rsyslog to verify that you can receive UDP messages: "NC command Follow-up instructions"
echo ": Hello" | nc-u-W 1 server IP address 514

On the server side
Run separately on the client
[Email protected]:~# echo ": Test-hello" | Nc-u-W 1 514
[Email protected]:~# echo ":D Ebian-hello" | Nc-u-W 1 514

Can see
May 12:00:09
May 12:01:01

The following sections are described in follow-up content
Rsyslog's rotation, filtering, and advanced usage, as well as the current popular elk, as well as logging of network devices such as switches

The above is a personal point of summary and understanding, the level is not high, the level of writing is very bad, please greatly forgive me.
Can exchange learning together.

My qq:610851588.
Can join my build group (now very few people, hope slowly more up)
Linux Clusters: 183932302
Python, Shell AC Group: 469094734

This article from the "Go to the Origin dimension" blog, reproduced please contact the author!

Log Analysis -1.rsyslog basic configuration (server/client)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.