Shipping application logs with rsyslog
By default rsyslog only ships system logs such as DHCP and cron. How do you ship a service's own log file to a remote rsyslog server?

Solution: use rsyslog's imfile module.

Official documentation: http://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html
Another reference: http://www.tuicool.com/articles/Jv2eUvn

The rsyslog configuration file (with comments filtered out):

```
[root@pf ~]# cat /etc/rsyslog.conf | egrep -v "#|^$"
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
$ModLoad imfile
$InputFileName /usr/local/pf/logs/packetfence.log
$InputFileTag packetfence:
$InputFileSeverity info
## If the file name changes, this StateFile name must change too, otherwise nothing is sent
$InputFileStateFile stat-packetfence
$InputFileFacility local5
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
local5.*        @10.64.41.223:514
[root@pf ~]#
```

After changing the configuration file, restart the service:

```
[root@pf ~]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@pf ~]#
```

The red text in the original post (the lines from $ModLoad imfile onward) is the configuration added to ship /usr/local/pf/logs/packetfence.log to 10.64.41.223:514.

The above is the imfile syntax for the older version (rsyslog v5). Below is the syntax for the newer version (rsyslog v8), for reference only:

```
###bak wifi log to syslog-server,add by wuxiaoyu
#module(load="imfile" PollingInterval="5")
#input(type="imfile"
#      File="/usr/local/pf/logs/packetfence.log"
#      Tag="packetfence"
#      Severity="error"
#      Facility="local5")
```

Problems encountered with rsyslog:

1. Error on RHEL 6. How to fix it?

```
rsyslogd-2177: imuxsock begins to drop messages from pid 24542 due to rate-limiting
```

Edit /etc/rsyslog.conf and, immediately after the $ModLoad imuxsock line, add the following two lines (an interval of 0 turns rate limiting off):

```
$IMUXSockRateLimitInterval 0
$SystemLogRateLimitInterval 0
```

Save and exit, then restart rsyslog with service rsyslog restart. Solved!
2. Error in /var/log/messages: rsyslog is restarted automatically.

```
Oct 11 03:32:18 pf rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="16441" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
```

Solution:

```
[root@cobber logrotate.d]# cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
[root@cobber logrotate.d]#
```

Remove the part highlighted in red in the original post. The postrotate script here sends rsyslogd a HUP after each rotation, which produces the message above.

3. After logrotate rotates /usr/local/pf/logs/packetfence.log, imfile can no longer ship the newly created packetfence.log to the remote syslog server. Searching showed that the cause is one parameter in the logrotate configuration for packetfence.log:

```
[root@pf logrotate.d]# cat packetfence
# logrotate file for packetfence
/usr/local/pf/logs/*log {
    daily
    rotate 52
    missingok
    compress
    create 640 pf pf
    #copytruncate    ## must be commented out, otherwise imfile cannot ship the new file after rotation
}
```

For what copytruncate does, see another post reposted here: http://tenderrain.blog.51cto.com/9202912/1704463

This caused a new problem: with the parameter removed, the application no longer wrote normal log entries, and the service had to be restarted before it recorded normal authentication logs again. So the method below was adopted instead.

4. If logs still do not get through after removing the parameter as above, use the following method.

Line 103 of /etc/rsyslog.conf reads:

```
103 $InputFileStateFile stat-packetfence24
```

The script (it changes the trailing number on line 103):

```
[root@cobber scripts]# cat /etc/scripts/packetfence-rsyslog.sh
#!/bin/bash
# Read the numeric suffix of the state file name on line 103 (e.g. 24)
n=$(sed -n '103 s#.*stat-packetfence\([0-9][0-9]*\).*#\1#p' /etc/rsyslog.conf)
# Stop if line 103 is not the expected directive
[ -n "$n" ] || exit 1
m=$((n + 1))
# Write the incremented suffix back to line 103
sed -i "103 s#stat-packetfence$n#stat-packetfence$m#" /etc/rsyslog.conf
[root@cobber scripts]#
```

After rotation, logrotate calls the script to change the trailing number and then restarts the rsyslog service (normally you would restart the application service, but that service cannot be restarted casually, so rsyslog is restarted instead).

```
[root@cobber logrotate.d]# cat /etc/logrotate.d/test
/usr/local/pf/logs/packetfence.log {
    daily
    rotate 52
    missingok
    compress
    create 640 root root
    copytruncate
    postrotate
        /bin/bash /etc/scripts/packetfence-rsyslog.sh > /dev/null 2>&1 && /etc/init.d/rsyslog restart
    endscript
}
[root@cobber logrotate.d]#
```

Force a rotation to test:

```
[root@cobber logrotate.d]# logrotate -f /etc/logrotate.d/test
关闭系统日志记录器:                                        [确定]
启动系统日志记录器:                                        [确定]
[root@cobber logrotate.d]#
```

Setting up an rsyslog service on CentOS:

Server:

1. Edit rsyslog.conf

```
[root@cobber ~]# cat /etc/rsyslog.conf | egrep -v "#|^$"
## Uncomment these two lines
$ModLoad imudp
$UDPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
## Save local5 logs received from remote hosts to local5.log (created automatically)
local5.*                                                /var/log/local5.log
[root@cobber ~]#
```

2. Edit /etc/sysconfig/rsyslog

```
[root@cobber ~]# cat /etc/sysconfig/rsyslog
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
## -c must be in the range 0-2, otherwise the restart reports an error
SYSLOGD_OPTIONS="-c 2 -r -m 0"
[root@cobber ~]#
```

3. Restart the service and check the port

```
[root@cobber ~]# /etc/init.d/rsyslog restart
关闭系统日志记录器:                                        [确定]
启动系统日志记录器:                                        [确定]
[root@cobber ~]# netstat -nplu | grep 514
udp        0      0 0.0.0.0:514        0.0.0.0:*        24799/rsyslogd
udp        0      0 :::514             :::*             24799/rsyslogd
[root@cobber ~]#
```

Client:

1. Edit rsyslog.conf

```
[root@pf logs]# egrep -v "#|^$" /etc/rsyslog.conf
$IMUXSockRateLimitInterval 0
$SystemLogRateLimitInterval 0
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
$ModLoad imfile
$InputFileName /usr/local/pf/logs/packetfence.log
$InputFileTag packetfence2:
$InputFileSeverity info
$InputFileStateFile stat-packetfence2
$InputFileFacility local5
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
# 10.64.41.223 is the IP of the rsyslog server
local5.*        @10.64.41.223:514
[root@pf logs]#
```

Note: if the file name changes, the StateFile name must change too, otherwise nothing is sent.

2. Restart the service

```
[root@pf logs]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@pf logs]#
```

Testing:

On the server, run tailf /var/log/local5.log; entries from /usr/local/pf/logs/packetfence.log appear in /var/log/local5.log.

Manual test:

```
echo 1111111111111 >> /usr/local/pf/logs/packetfence.log
```

1111111111111 then shows up in /var/log/local5.log.

When -c is not specified, restarting the rsyslog service writes the following to /var/log/syslog:

```
May 26 11:24:53 it-mail03 kernel: Kernel logging (proc) stopped.
May 26 11:24:53 it-mail03 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="97905" x-info="http://www.rsyslog.com"] exiting on signal 15.
May 26 11:24:53 it-mail03 kernel: imklog 5.8.10, log source = /proc/kmsg started.
May 26 11:24:53 it-mail03 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="98270" x-info="http://www.rsyslog.com"] start
May 26 11:24:53 it-mail03 rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c5 as the first rsyslogd option.
```

Configuration parameters on Ubuntu that set the user the rsyslog process runs as:

```
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$KLogPermitNonKernelFacility on
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser root
$PrivDropToGroup root
$WorkDirectory /var/log
$IncludeConfig /etc/rsyslog.d/*.conf
```

Sometimes the following configuration is used:

```
cat /etc/rsyslog.d/70-zimbra-auth.conf
$ModLoad imfile
$InputFileName /opt/zimbra/log/audit.log
$InputFileTag authforzimbra:
$InputFileStateFile auth-zimbra-mail12
$InputFileSeverity info
$InputFileFacility local3
$InputFilePollInterval 1
$InputRunFileMonitor
local3.* @it-mail03.lf.sankuai.com:514
```

During testing, the contents of /opt/zimbra/log/audit.log did not reach the designated file on it-mail03, but a message sent with the command

```
root@dx-it-mail10:/etc/rsyslog.d# logger -p local3.info "1234"
```

did get through. This shows that rsyslog lacks read permission on /opt/zimbra/log/audit.log, so the user the process runs as has to be changed. Granting the rsyslog user read access to the file (group membership or an ACL) addresses the same permission problem without running the daemon as root.

Explanation of the rsyslog configuration file: http://my.oschina.net/0757/blog/198329
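For problems 3 and 4 above, an added example (not from the original post and not rsyslog's own code): it models a file tailer's saved state as an inode plus a byte offset and tells a copytruncate rotation apart from a rename-and-create rotation. The function names and the scratch file are illustrative assumptions, and it needs GNU stat.

```shell
#!/bin/sh
# Added example, not from the original post. Simplified model of a tailer's
# saved state: the inode and byte offset recorded at the last read.
# Requires GNU stat (CentOS, Ubuntu).

# classify_rotation SAVED_INODE SAVED_OFFSET FILE prints one of:
#   missing    file is gone (rotated away, not yet recreated)
#   recreated  different inode: rename + "create" rotation, read from offset 0
#   truncated  same inode, shorter than the saved offset: copytruncate rotation
#   unchanged  same inode, nothing new
#   appended   same inode, new data after the saved offset
classify_rotation() {
    cr_inode=$1 cr_offset=$2 cr_file=$3
    [ -e "$cr_file" ] || { echo missing; return 0; }
    cr_now_inode=$(stat -c %i "$cr_file")
    cr_now_size=$(stat -c %s "$cr_file")
    if [ "$cr_now_inode" != "$cr_inode" ]; then
        echo recreated
    elif [ "$cr_now_size" -lt "$cr_offset" ]; then
        echo truncated
    elif [ "$cr_now_size" -eq "$cr_offset" ]; then
        echo unchanged
    else
        echo appended
    fi
}

# Constructed demo: rotate a scratch file both ways and classify each result.
demo() {
    dir=$(mktemp -d) && log="$dir/packetfence.log"
    printf 'auth ok\nauth fail\n' > "$log"
    inode=$(stat -c %i "$log"); offset=$(stat -c %s "$log")

    cp "$log" "$log.1" && : > "$log"            # what copytruncate does
    echo "copytruncate: $(classify_rotation "$inode" "$offset" "$log")"

    printf 'auth ok\nauth fail\n' > "$log"      # refill, same inode
    mv "$log" "$log.2" && : > "$log"            # rename, then "create"
    echo "create:       $(classify_rotation "$inode" "$offset" "$log")"
    rm -rf "$dir"
}
demo
```

If a truncated file has already grown past the saved offset, size alone reports appended, so a check like this is only reliable right after rotation.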