Use rsyslog in Linux to deploy the log server & amp; record history and send it to the rsyslog server, linuxrsyslog

Source: Internet
Author: User
Tags rsyslog

Deploy the log server with rsyslog in Linux & record history and send it to rsyslog server, linuxrsyslog
1. syslog service Introduction

Rsyslog is a multi-thread enhanced version of syslogd. Rsyslog is responsible for writing logs, logrotate is responsible for backing up and deleting old logs, and updating log files

Logger command

To write custom information to the local log system, use the: logger command.

Logger is a shell command interface that can be used to use the Syslog System Log Module and write a line of information directly to the system log file from the command line.

logger -it error  -p local5.info "hello world"

-I. Process IDs are recorded on each line.
-T add an error label to each line in the log
-P specifies the custom log device and log level. For more information, see the appendix.

Log Type

Log Type Description
Auth Logs generated by pam
Authpriv Authentication Information for logon information such as ssh and ftp
Cron Time task Problems
Kern Kernel
Lpr Print
Mail Email
Mark (syslog) Rsyslog service internal information, time ID
News Newsgroup
User Information generated by user programs
Uucp Unix to unix copy: communication between unix hosts
Local1 ~ 7 Custom Log Device

Log Level 

Level Description
Debug If there is mode information, the maximum number of logs is displayed.
Info General information logs, the most common
Notice Information of the most important common condition
Warning Warning Level
Err Error level to prevent a function or module from working properly
Crit Severe information that prevents the entire system or the entire software from working properly
Alert Information to be modified immediately
Emerg Critical information such as kernel crash
None Nothing is recorded
Ii. syslog service configuration
[root@localhost]# yum install rsyslog rsyslog-mysql  logrotate[root@localhost]# service rsyslog  statusrsyslogd (pid  24331) is running...[root@localhost]# ps -ef | grep rsyslogd | grep -v greproot     24331     1  0 20:26 ?        00:00:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 2 -r -x -m 180
Server:

Configure rsyslog

[root@localhost]# vim /etc/sysconfig/rsyslog  1 # Options for rsyslogd  2 # Syslogd options are deprecated since rsyslog v3.  3 # If you want to use them, switch to compatibility mode 2 by "-c 2"  4 # See rsyslogd(8) for more details  5 # SYSLOGD_OPTIONS="-c 5"                                                                                                                                                                   6 SYSLOGD_OPTIONS="-c 2 -r -x -m 180"  7 KLOGD_OPTIONS="-x"

Functions of parameters:

-C indicates the running compatibility mode.

-R specifies the listening port. The default value is 514.

-X disables DNS lookup when receiving client messages. It must be used with the-r parameter.

-M indicates the timestamp. The Unit is minute. If it is 0, this function is disabled.

 

Edit rsyslog. conf to enable relevant properties

$ ModLoad immark

$ ModLoad imudp

$ UDPServerRun 514

Check whether startup is enabled

[root@localhost]# netstat -nultp | grep 514udp        0      0 0.0.0.0:514                 0.0.0.0:*                               24331/rsyslogd      udp        0      0 :::514                      :::*                                    24331/rsyslogd     
Client:

Edit rsyslog. conf and add the following:

*. * @ 192.168.1.10

Note:
  • Why does the first * number field provide services such as mail, kernel, and ftpd? The * number here represents all services

  • The second "*" field is used to record the log levels of the corresponding service, such as info, warn, and err. Here "*" indicates a level, that is to say, all services will send logs to the host 192.168.1.10.

NOTE: If port 514 of tcp is enabled on the server side, write as follows :*. * @ rsyslog-server-ip record log (there is a very useful function to record the history executed by the server)

There are multiple methods

First

Modify the bash source code and recompile it.

# wget http://ftp.gnu.org/gnu/bash/bash-4.2.tar.gz# tar zxvf bash-4.2.tar.gz -C /usr/local/bash-4.2# cd /usr/local/bash-4.2。。。

See http://levichen.logdown.com/posts/2013/11/04/syslog-record-history

Second, use trap (Just add the following lines in your /Etc/profile)
function log2syslog{   declare command   command=$(fc -ln -0)   logger -p local1.notice -t bash -i — $USER : $command}trap log2syslog DEBUG
Third (Just add the following lines in your /Etc/profile)
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; });logger "[euid=$(whoami)]":$(who am i):[`pwd`]"$msg"; }'export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local1.notice -t bash -i "user=$USER,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'alias precmd "history 1 | /bin/logger -p local1.notice -t `echo $SHELL`:`whoami`:`pwd`:`ip r l |cut -d' ' -f12` -i "PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")'export PROMPT_COMMAND='if [ "$(id -u)" -ne 0 ]; then echo "$(date "+%Y-%m-%d.%H:%M:%S") $(pwd) $(history 1)" >> ~/.logs/bash-history-$(date "+%Y-%m-%d").log; fi'

There are many ways to record, I use the second command

Iii. rsyslog server File Configuration

Modify configuration file

vim /etc/rsyslog.d/50-default.conf

Add content

*.* /var/log/remotehost.log

Create and save a log file

touch /var/log/remotehost.log

Restart rsyslog server and use tail to dynamically View

tail -f /var/log/remotehost.log 

 

References

Http://levichen.logdown.com/posts/2013/11/04/syslog-record-history

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.