Deploy a log server with rsyslog on Linux, record shell history and send it to the rsyslog server
I. syslog service introduction
Rsyslog is a multi-threaded, enhanced version of syslogd. Rsyslog is responsible for writing logs; logrotate is responsible for backing up and deleting old logs and rotating the log files.
Logger command
To write custom information to the local log system, use the logger command.
logger is a shell command interface to the syslog system log module: it writes a line of information directly to the system log file from the command line.
logger -it error -p local5.info "hello world"
-i records the process ID on each line.
-t adds the tag "error" to each line in the log.
-p specifies the custom log facility and log level. For the available values, see the log type and log level tables below.
Log type
Log type        | Description
auth            | Logs generated by PAM
authpriv        | Authentication information for logins such as ssh and ftp
cron            | Scheduled task (cron) messages
kern            | Kernel messages
lpr             | Printing
mail            | Email
mark (syslog)   | rsyslog internal information, the periodic timestamp mark
news            | Newsgroup messages
user            | Messages generated by user programs
uucp            | Unix-to-Unix copy: communication between Unix hosts
local1 ~ local7 | Custom log facilities
Log level
Level    | Description
debug    | Debugging information; the most verbose level, producing the largest number of log entries
info     | General informational messages, the most common
notice   | Normal but significant condition
warning  | Warning level
err      | Error that prevents a function or module from working properly
crit     | Critical condition that prevents the whole system or the whole program from working properly
alert    | Condition that must be fixed immediately
emerg    | Emergency, such as a kernel crash
none     | Nothing is recorded
II. syslog service configuration
[root@localhost]# yum install rsyslog rsyslog-mysql logrotate
[root@localhost]# service rsyslog status
rsyslogd (pid 24331) is running...
[root@localhost]# ps -ef | grep rsyslogd | grep -v grep
root 24331 1 0 20:26 ? 00:00:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 2 -r -x -m 180
Server:
Configure rsyslog
[root@localhost]# vim /etc/sysconfig/rsyslog
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
# SYSLOGD_OPTIONS="-c 5"
SYSLOGD_OPTIONS="-c 2 -r -x -m 180"
KLOGD_OPTIONS="-x"
Functions of the parameters:
-c sets the compatibility mode to run in.
-r enables receiving on the specified listening port; the default is 514.
-x disables DNS lookups when receiving client messages. It must be used together with -r.
-m sets the interval of the timestamp mark message, in minutes. 0 disables this function.
Edit rsyslog.conf to enable the relevant modules:
$ModLoad immark
$ModLoad imudp
$UDPServerRun 514
Check that the service started and is listening on port 514:
[root@localhost]# netstat -nultp | grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:* 24331/rsyslogd
udp 0 0 :::514 :::* 24331/rsyslogd
Client:
Edit rsyslog.conf and add the following:
*.* @192.168.1.10
Note:
The first "*" is the facility field, which names a service such as mail, kernel or ftpd. The "*" here stands for all facilities.
The second "*" is the level field, which selects the log levels of the corresponding facility, such as info, warn and err. The "*" here stands for all levels, so every facility at every level sends its logs to the host 192.168.1.10.
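The selector rule just described, worked through as an added example that is not part of the original article: a small POSIX shell function that decides whether a message with a given facility and level would be handled by a classic "facility.level" selector such as "*.*". It covers only the plain selector form (no "=" or "!" modifiers, no "," or ";" lists).

```shell
#!/bin/sh
# Added example (not part of the original article): how rsyslog decides
# whether a message matches a classic "facility.level" selector such as the
# "*.*" used in the client configuration above. A message matches when the
# facility matches (or the selector facility is "*") and the message level is
# at least as severe as the selector level ("*" = every level, "none" = never).

# level_num NAME -> numeric severity, higher is more severe; nothing if unknown
level_num() {
    case "$1" in
        debug) echo 0 ;;   info) echo 1 ;;   notice) echo 2 ;;
        warning|warn) echo 3 ;;   err|error) echo 4 ;;   crit) echo 5 ;;
        alert) echo 6 ;;   emerg|panic) echo 7 ;;
    esac
}

# selector_matches SELECTOR FACILITY LEVEL -> exit 0 if a rule with SELECTOR
# would handle a message logged with FACILITY and LEVEL, exit 1 otherwise
selector_matches() {
    sel_fac=${1%%.*}      # part before the "."
    sel_lvl=${1#*.}       # part after the "."
    msg_fac=$2
    msg_lvl=$3

    # "facility.none" drops the facility no matter what the level is
    [ "$sel_lvl" = none ] && return 1
    # facility must match exactly or be the "*" wildcard
    [ "$sel_fac" = "*" ] || [ "$sel_fac" = "$msg_fac" ] || return 1
    # "*" as the level matches every level
    [ "$sel_lvl" = "*" ] && return 0
    # otherwise compare severities; unknown level names never match
    m=$(level_num "$msg_lvl")
    s=$(level_num "$sel_lvl")
    [ -n "$m" ] && [ -n "$s" ] && [ "$m" -ge "$s" ]
}

# Stand-alone demo: the client rule "*.*" forwards the local1.notice lines the
# history hooks below produce, while a narrower "mail.err" rule would not.
for sel in '*.*' 'mail.err' 'local1.none'; do
    if selector_matches "$sel" local1 notice; then
        echo "$sel  -> forwards local1.notice"
    else
        echo "$sel  -> drops local1.notice"
    fi
done
```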
NOTE: If TCP port 514 is enabled on the server side, write the rule as follows instead: *.* @@rsyslog-server-ip
Recording history (a very useful function: record the command history executed on the server)
There are multiple methods.
First: modify the bash source code and recompile it.
# wget http://ftp.gnu.org/gnu/bash/bash-4.2.tar.gz
# tar zxvf bash-4.2.tar.gz -C /usr/local/bash-4.2
# cd /usr/local/bash-4.2
...
See http://levichen.logdown.com/posts/2013/11/04/syslog-record-history
Second: use trap (just add the following lines to your /etc/profile):
function log2syslog
{
    declare command
    # fc -ln -0 prints the command that is about to run; strip its leading whitespace
    command=$(fc -ln -0 | sed 's/^[[:space:]]*//')
    # quoted so that spaces and shell wildcards in the command are logged verbatim
    logger -p local1.notice -t bash -i -- "$USER : $command"
}
trap log2syslog DEBUG
Third: use PROMPT_COMMAND. Each of the following lines is a separate variant; add one of them to your /etc/profile:
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; });logger "[euid=$(whoami)]":$(who am i):[`pwd`]"$msg"; }'
export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local1.notice -t bash -i "user=$USER,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'
# tcsh equivalent of the above, using its precmd alias
alias precmd "history 1 | /bin/logger -p local1.notice -t `echo $SHELL`:`whoami`:`pwd`:`ip r l |cut -d' ' -f12` -i "
PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] $SSH_CONNECTION")'
export PROMPT_COMMAND='if [ "$(id -u)" -ne 0 ]; then echo "$(date "+%Y-%m-%d.%H:%M:%S") $(pwd) $(history 1)" >> ~/.logs/bash-history-$(date "+%Y-%m-%d").log; fi'
There are many ways to record it; I use the second method.
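Once the lines from the second method arrive on the server, they can be audited. The following script is an added example, not part of the original article: it parses constructed sample lines in the layout that "logger -p local1.notice -t bash -i" produces in /var/log/remotehost.log, counts commands per user and flags commands that touch the files the logging itself depends on.

```shell
#!/bin/sh
# Added example (not part of the original article): parse the lines that the
# trap method above produces once they reach /var/log/remotehost.log on the
# rsyslog server, and summarise them per user. The sample lines below are
# constructed; they follow the traditional rsyslog layout
#   "Mon DD HH:MM:SS host bash[pid]: USER : COMMAND"
SAMPLE_LOG='Nov  4 10:15:32 web01 bash[2101]: alice : ls -la /etc
Nov  4 10:15:40 web01 bash[2101]: alice : vim /etc/rsyslog.conf
Nov  4 10:16:02 db01 bash[880]: root : systemctl restart rsyslog
Nov  4 10:16:30 db01 bash[880]: root : tail -f /var/log/remotehost.log
Nov  4 10:17:05 web01 bash[2250]: bob : vi /etc/profile'

# parsed_log -> one "host<TAB>user<TAB>command" line per log entry. The
# timestamp contains ":" too, so split on the end of the "bash[pid]" tag and
# then on the " : " that the hook puts between user and command.
parsed_log() {
    printf '%s\n' "$SAMPLE_LOG" | awk '{
        i = index($0, "]: "); rest = substr($0, i + 3)    # "USER : COMMAND"
        j = index(rest, " : ")
        printf "%s\t%s\t%s\n", $4, substr(rest, 1, j - 1), substr(rest, j + 3)
    }'
}

# count_commands USER -> number of commands USER ran, on any host
count_commands() {
    parsed_log | awk -F '\t' -v u="$1" '$2 == u { n++ } END { print n + 0 }'
}

# config_edits -> "host user command" for commands that touch the files the
# logging itself depends on: /etc/profile carries the shell hook and
# /etc/rsyslog* carries the forwarding rule, so edits there deserve a look.
config_edits() {
    parsed_log | awk -F '\t' '$3 ~ /\/etc\/(profile|rsyslog)/ { print $1, $2, $3 }'
}

# Stand-alone demo
for u in alice root bob; do
    echo "$u ran $(count_commands "$u") command(s)"
done
echo "commands touching the logging configuration:"
config_edits
```

The forwarded copy is the one worth keeping: the hook runs inside the user's own shell, so this is an audit trail rather than a tamper-proof control, and the local ~/.bash_history stays under the user's control.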
III. rsyslog server file configuration
Modify the configuration file:
vim /etc/rsyslog.d/50-default.conf
Add the following content:
*.* /var/log/remotehost.log
Create the log file and save it:
touch /var/log/remotehost.log
Restart the rsyslog server and use tail to watch the log as it grows:
tail -f /var/log/remotehost.log
References
http://levichen.logdown.com/posts/2013/11/04/syslog-record-history