Use rsyslog in Linux to deploy the log server & amp; record history and send it to the rsyslog server, linuxrsyslog

Deploy the log server with rsyslog in Linux & record history and send it to rsyslog server, linuxrsyslog
1. syslog service Introduction

Rsyslog is a multi-thread enhanced version of syslogd. Rsyslog is responsible for writing logs, logrotate is responsible for backing up and deleting old logs, and updating log files

Logger command

To write custom information to the local log system, use the: logger command.

Logger is a shell command interface that can be used to use the Syslog System Log Module and write a line of information directly to the system log file from the command line.

logger -it error  -p local5.info "hello world"

-I. Process IDs are recorded on each line.
-T add an error label to each line in the log
-P specifies the custom log device and log level. For more information, see the appendix.

Log Type

Log Type	Description
Auth	Logs generated by pam
Authpriv	Authentication Information for logon information such as ssh and ftp
Cron	Time task Problems
Kern	Kernel
Lpr	Print
Mail	Email
Mark (syslog)	Rsyslog service internal information, time ID
News	Newsgroup
User	Information generated by user programs
Uucp	Unix to unix copy: communication between unix hosts
Local1 ~ 7	Custom Log Device

Log Level 

Level	Description
Debug	If there is mode information, the maximum number of logs is displayed.
Info	General information logs, the most common
Notice	Information of the most important common condition
Warning	Warning Level
Err	Error level to prevent a function or module from working properly
Crit	Severe information that prevents the entire system or the entire software from working properly
Alert	Information to be modified immediately
Emerg	Critical information such as kernel crash
None	Nothing is recorded

Ii. syslog service configuration

[root@localhost]# yum install rsyslog rsyslog-mysql  logrotate[root@localhost]# service rsyslog  statusrsyslogd (pid  24331) is running...[root@localhost]# ps -ef | grep rsyslogd | grep -v greproot     24331     1  0 20:26 ?        00:00:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 2 -r -x -m 180

Server:

Configure rsyslog

[root@localhost]# vim /etc/sysconfig/rsyslog  1 # Options for rsyslogd  2 # Syslogd options are deprecated since rsyslog v3.  3 # If you want to use them, switch to compatibility mode 2 by "-c 2"  4 # See rsyslogd(8) for more details  5 # SYSLOGD_OPTIONS="-c 5"                                                                                                                                                                   6 SYSLOGD_OPTIONS="-c 2 -r -x -m 180"  7 KLOGD_OPTIONS="-x"

Functions of parameters:

-C indicates the running compatibility mode.

-R specifies the listening port. The default value is 514.

-X disables DNS lookup when receiving client messages. It must be used with the-r parameter.

-M indicates the timestamp. The Unit is minute. If it is 0, this function is disabled.

 

Edit rsyslog. conf to enable relevant properties

$ ModLoad immark

$ ModLoad imudp

$ UDPServerRun 514

Check whether startup is enabled

[root@localhost]# netstat -nultp | grep 514udp        0      0 0.0.0.0:514                 0.0.0.0:*                               24331/rsyslogd      udp        0      0 :::514                      :::*                                    24331/rsyslogd     

Client:

Edit rsyslog. conf and add the following:

*. * @ 192.168.1.10

Note:

• Why does the first * number field provide services such as mail, kernel, and ftpd? The * number here represents all services

• The second "*" field is used to record the log levels of the corresponding service, such as info, warn, and err. Here "*" indicates a level, that is to say, all services will send logs to the host 192.168.1.10.

NOTE: If port 514 of tcp is enabled on the server side, write as follows :*. * @ rsyslog-server-ip record log (there is a very useful function to record the history executed by the server)

There are multiple methods

First

Modify the bash source code and recompile it.

# wget http://ftp.gnu.org/gnu/bash/bash-4.2.tar.gz# tar zxvf bash-4.2.tar.gz -C /usr/local/bash-4.2# cd /usr/local/bash-4.2。。。

See http://levichen.logdown.com/posts/2013/11/04/syslog-record-history

Second, use trap (Just add the following lines in your /Etc/profile)

function log2syslog{   declare command   command=$(fc -ln -0)   logger -p local1.notice -t bash -i — $USER : $command}trap log2syslog DEBUG

Third (Just add the following lines in your /Etc/profile)

export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; });logger "[euid=$(whoami)]":$(who am i):[`pwd`]"$msg"; }'export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local1.notice -t bash -i "user=$USER,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'alias precmd "history 1 | /bin/logger -p local1.notice -t `echo $SHELL`:`whoami`:`pwd`:`ip r l |cut -d' ' -f12` -i "PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")'export PROMPT_COMMAND='if [ "$(id -u)" -ne 0 ]; then echo "$(date "+%Y-%m-%d.%H:%M:%S") $(pwd) $(history 1)" >> ~/.logs/bash-history-$(date "+%Y-%m-%d").log; fi'

There are many ways to record, I use the second command

Iii. rsyslog server File Configuration

Modify configuration file

vim /etc/rsyslog.d/50-default.conf

Add content

*.* /var/log/remotehost.log

Create and save a log file

touch /var/log/remotehost.log

Restart rsyslog server and use tail to dynamically View

tail -f /var/log/remotehost.log　

 

References

Http://levichen.logdown.com/posts/2013/11/04/syslog-record-history