Although TCP is more reliable than UDP for log transmission, it still sends data in clear text. Rsyslog provides a transport that is more reliable than TCP: RELP. RELP transmits without losing messages, but it is only available in rsyslogd 3.15.0 and later.
Using RELP requires two things: load the omrelp module, and in the forwarding rule replace the "@@" used for TCP with ":omrelp:".
Usage:
*.* :omrelp:server:port
Example:
*.* :omrelp:192.168.0.1:514
vi /etc/rsyslog.d/ssh-log.conf
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####
### Note: the Chinese comments in this configuration file are provided unofficially,
### for the convenience of beginners; Chinese comments can cause strange problems.
# Recommendation: delete all Chinese comments before use; if you want comments, write them in English (pinyin does not count).

# Load the imfile module
$ModLoad imfile
# Reliable RELP protocol output module (prevents message loss)
$ModLoad omrelp
# Interval for checking the log file (seconds)
$InputFilePollInterval 1
# Owner of the log file
$FileOwner root
# Use the custom format
$ActionFileDefaultTemplate myformat
# Directory where state files are saved; a state file records information such as the scan position in the log.
# If the server collects no logs during testing because an already scanned file is not uploaded again, empty this directory's cache.
$WorkDirectory /var/spool/rsyslog
# Queue file name
#$ActionQueueFileName relpact
# Retry count; -1 means retry indefinitely
# $ActionResumeRetryCount -1
# Save the queue contents to disk when rsyslog shuts down, to prevent data loss
# $ActionQueueSaveOnShutdown on
$PrivDropToGroup root

# Log format template:
$template biglogformattomcat,"%msg%\n"

## tomcat catalina.out path, modify according to the actual situation:
# Log file to read
$InputFileName /var/log/ssh.log
# Tag string appended to each log entry
$InputFileTag ssh-log
# Log facility; local5 must match the facility (local5) used in the log collection server's filter.
$InputFileFacility local5
# Name of the file that records the read offset
$InputFileStateFile stat-ssh-log
# Log severity
$InputFileSeverity info
# Interval for writing the offset back to the state file (seconds)
$InputFilePersistStateInterval 1
# Activate the read. Several groups of log inputs can be defined; this parameter must close each group for it to take effect.
$InputRunFileMonitor

# When submitting logs to different servers, specify each server's IP:port here separately;
# if everything goes to the same server, it only needs to be specified once in rsyslog.conf.
# local5.* :omrelp:192.168.1.251:514
Restart the rsyslog service for the change to take effect:
# service rsyslog restart
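
A pre-restart check for the two requirements described above (omrelp loaded, forwarding rule switched to ":omrelp:"), as an added example that is not part of the original article. It assumes legacy-syntax rules and configuration text passed in load order; audit and SAMPLE are hypothetical names, and the sample configuration is constructed.

```python
import re

# Legacy-syntax forwarding actions: "@host" is UDP, "@@host" is TCP,
# ":omrelp:host:port" is RELP. "@@" must be tried before "@".
RULE = re.compile(r"^(?P<sel>\S+)\s+(?P<act>:omrelp:|@@|@)(?P<target>\S+)$")
MODLOAD = re.compile(r"^\$ModLoad\s+(\S+)", re.IGNORECASE)
TRANSPORT = {"@": "udp", "@@": "tcp", ":omrelp:": "relp"}

def audit(conf_text):
    """Return one dict per forwarding rule; 'problem' is None only when the
    rule uses RELP and omrelp was loaded earlier in the text."""
    loaded, findings = set(), []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        m = MODLOAD.match(line)
        if m:
            loaded.add(m.group(1).lower())
            continue
        m = RULE.match(line)
        if not m:
            continue                      # some other directive or action
        transport = TRANSPORT[m.group("act")]
        if transport != "relp":
            problem = f"{transport} forwarding, not RELP"
        elif "omrelp" not in loaded:
            problem = "omrelp not loaded before this rule"
        else:
            problem = None
        findings.append({"line": no, "selector": m.group("sel"),
                         "transport": transport, "target": m.group("target"),
                         "problem": problem})
    return findings

# Constructed sample configuration (addresses reuse the article's examples).
SAMPLE = """\
# constructed sample, not from a real host
$ModLoad imfile
auth.*    @192.168.0.1:514
local4.*  @@192.168.0.1:514
local5.*  :omrelp:192.168.1.251:514
$ModLoad omrelp
*.*       :omrelp:192.168.0.1:514
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["line"], f["selector"], f["transport"], f["problem"] or "ok")
```
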
Reference article:
http://blog.163.com/bull_linux/blog/static/2138811422013101494729839/
This article is from the "Enlightened Grocery store" blog, please be sure to keep this source http://wutou.blog.51cto.com/615096/1766224
Syslog-ng+rsyslog Collection log: relp reliable transmission, replacing UDP, TCP (v)