rsyslog接收远程日志_rsyslog接收远程日志

在另外一种环境中，让我们假定你已经在机器上安装了一个名为“foobar”的应用程序，它会在/var/log下生成foobar.log日志文件。现在，你想要将它的日志定向到rsyslog服务器，这可以通过像下面这样在rsyslog配置文

件中加载imfile模块来实现。

首先，加载imfile模块，这只需做一次。

module(load=”imfile” PollingInterval=”5″)

然后，指定日志文件的路径以便imfile模块可以检测到：

mysql rsyslog配置:

uat-db01:/data01/mysql# cat /etc/rsyslog.conf | grep -v “^#” | grep -v “^$”

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)

$ModLoad imklog # provides kernel logging support (previously done by rklogd)

module(load=”imfile” PollingInterval=”5″)

$ModLoad imtcp

$InputTCPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$IncludeConfig /etc/rsyslog.d/*.conf

*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages

authpriv.* /var/log/secure

mail.* -/var/log/maillog

cron.* /var/log/cron

uucp,news.crit /var/log/spooler

local7.* /var/log/boot.log

input(type=”imfile”

File=”/data01/mysql/uat-db01-slow.log”

Tag=”uat-mysql01″

Severity=”info”

Facility=”local5″)

local5.* @@115.236.xx.xx:514

需要升级rsyslog 版本:

rhdpt01:/root# tail -100 /var/log/messages

Aug 7 03:38:01 jrhdpt01 rsyslogd: [origin software=”rsyslogd” swVersion=”5.8.10″ x-pid=”951″ x-info=”http://www.rsyslog.com”] rsyslogd was HUPed

Aug 12 13:43:02 jrhdpt01 kernel: Kernel logging (proc) stopped.

Aug 12 13:43:02 jrhdpt01 rsyslogd: [origin software=”rsyslogd” swVersion=”5.8.10″ x-pid=”951″ x-info=”http://www.rsyslog.com”] exiting on signal 15.

Aug 12 13:43:03 jrhdpt01 kernel: imklog 5.8.10, log source = /proc/kmsg started.

Aug 12 13:43:03 jrhdpt01 rsyslogd: [origin software=”rsyslogd” swVersion=”5.8.10″ x-pid=”24817″ x-info=”http://www.rsyslog.com”] start

Aug 12 13:43:03 jrhdpt01 rsyslogd-3000: unknown priority name “” [try http://www.rsyslog.com/e/3000 ]

Aug 12 13:43:03 jrhdpt01 rsyslogd: the last error occured in /etc/rsyslog.conf, line 11:”module(load=”imfile” PollingInterval=”5″)”

Aug 12 13:43:03 jrhdpt01 rsyslogd: warning: selector line without actions will be discarded

Aug 12 13:43:03 jrhdpt01 rsyslogd-3000: unknown priority name “” [try http://www.rsyslog.com/e/3000 ]

Aug 12 13:43:03 jrhdpt01 rsyslogd: the last error occured in /etc/rsyslog.conf, line 84:”input(type=”imfile””

Aug 12 13:43:03 jrhdpt01 rsyslogd: warning: selector line without actions will be discarded

Aug 12 13:43:03 jrhdpt01 rsyslogd-3000: unknown priority name “log”” [try http://www.rsyslog.com/e/3000 ]

Aug 12 13:43:03 jrhdpt01 rsyslogd: the last error occured in /etc/rsyslog.conf, line 85:”File=”/data01/mysql/jrhdpt01-slow.log””

Aug 12 13:43:03 jrhdpt01 rsyslogd: warning: selector line without actions will be discarded

Aug 12 13:43:03 jrhdpt01 rsyslogd-3000: unknown priority name “” [try http://www.rsyslog.com/e/3000 ]

Aug 12 13:43:03 jrhdpt01 rsyslogd: the last error occured in /etc/rsyslog.conf, line 86:”Tag=”zjzc-mysql01″”

Aug 12 13:43:03 jrhdpt01 rsyslogd: warning: selector line without actions will be discarded

Aug 12 13:43:03 jrhdpt01 rsyslogd-3000: unknown priority name “” [try http://www.rsyslog.com/e/3000 ]

Aug 12 13:43:03 jrhdpt01 rsyslogd: the last error occured in /etc/rsyslog.conf, line 87:”Severity=”info””

Aug 12 13:43:03 jrhdpt01 rsyslogd: warning: selector line without actions will be discarded

Aug 12 13:43:03 jrhdpt01 rsyslogd-3000: unknown priority name “” [try http://www.rsyslog.com/e/3000 ]

Aug 12 13:43:03 jrhdpt01 rsyslogd: the last error occured in /etc/rsyslog.conf, line 88:”Facility=”local5″)”

Aug 12 13:43:03 jrhdpt01 rsyslogd: warning: selector line without actions will be discarded

Aug 12 13:43:03 jrhdpt01 rsyslogd-2124: CONFIG ERROR: could not interpret master config file ‘/etc/rsyslog.conf’. [try http://www.rsyslog.com/e/2124 ]

下载下列软件

json-c-0.12-20140410.tar.gz———————https://github.com/json-c/json-c/archive/json-c-0.12-20140410.tar.gz

libestr-0.1.10.tar.gz——————-http://libestr.adiscon.com/files/download/libestr-0.1.10.tar.gz

liblogging-1.0.5.tar.gz —————-http://download.rsyslog.com/liblogging/liblogging-1.0.5.tar.gz

librdkafka-0.8.6.tar.gz ———————–https://github.com/edenhill/librdkafka/archive/0.8.6.tar.gz

libuuid-1.0.3.tar.gz ——————–http://jaist.dl.sourceforge.net/project/libuuid/libuuid-1.0.3.tar.gz

zlib-1.2.8.tar.gz——————-http://zlib.net/zlib-1.2.8.tar.gz

curl-7.44.0.tar.gz————–http://curl.haxx.se/download/curl-7.44.0.tar.gz

rsyslog-8.15.0.tar.gz——————-http://www.rsyslog.com/download/files/download/rsyslog/rsyslog-8.15.0.tar.gz

一：安装rsyslog

(1) json-c 安装

tar -xzvf json-c-0.12-20140410.tar.gz

cd json-c-0.12-20140410

./configure CC=”gcc -m64″ –prefix=/usr –libdir=/usr/lib64 && make && make install

(2) libestr安装

tar -xzvf libestr-0.1.10.tar.gz

cd libestr-0.1.10

./configure CC=”gcc -m64″ –prefix=/usr –libdir=/usr/lib64

&& make && make install

(3) libuuid 安装

tar -xzvflibuuid-1.0.3.tar.gz

cdlibuuid-1.0.3

./configure CC=”gcc -m64″ –prefix=/usr –libdir=/usr/lib64 && make && make install

(4)zlib

安装

tar

-xzvf zlib-1.2.8.tar.gz

cdzlib-1.2.8

./configure –prefix=/usr –libdir=/usr/lib64 && make && make install

(5)liblogging

安装

tar

-xzvf liblogging-1.0.5.tar.gz

cdliblogging-1.0.5

./configure CC=”gcc -m64″ –prefix=/usr –libdir=/usr/lib64 –disable-journal && make && make install

(6)librdkafka ###可以不安装

安装

tar

-xzvf librdkafka-0.8.6.tar.gz

cd librdkafka-0.8.6

./configure –prefix=/usr –libdir=/usr/lib64 && make && make install

(7) 安装rsyslogd

checking for library containing sched_get_priority_max… none required

checking for sched_get_priority_max… yes

checking for LIBUUID… yes

checking for CURL… no

configure: error: Package requirements (libcurl) were not met:

No package ‘libcurl’ found

Consider adjusting the PKG_CONFIG_PATH environment variable if you

installed software in a non-standard prefix.

原因没有安装curl:

uat-db01:/root/curl-7.44.0# ./configure CC=”gcc -m64″ –prefix=/usr –libdir=/usr/lib64 && make && make install

uat-db01:/root/rsyslog-8.15.0# cat make.sh

./configure CC=”gcc -m64″ PKG_CONFIG_PATH=/usr/lib64/pkgconfig LIBESTR_LIBS=/usr/lib64/libestr.a JSON_C_LIBS=/usr/lib64/libjson-c.a ZLIB_LIBS=/usr/lib64/libz.a LIBUUID_LIBS=/usr/lib64/libuuid.a

CURL_LIBS=/usr/lib64/libcurl.a LIBLOGGING_STDLOG_LIBS=/usr/lib64/liblogging-stdlog.a LIBRDKAFKA_CFLAGS=/usr/include LIBRDKAFKA_LIBS=/usr/lib64/librdkafka.a –prefix=/usr –libdir=/usr/lib64 —

enable-static –enable-debug –enable-elasticsearch –enable-elasticsearch-tests –enable-liblogging-stdlog –enable-imfile –enable-imptcp –enable-omstdout –enable-omruleset –enable-omuxsock

–disable-libgcrypt

make && make install

uat-db01:/root/rsyslog-8.15.0/tools# cp rsyslogd /sbin/

uat-db01:/root/rsyslog-8.15.0/tools# service rsyslog start

Starting system logger: usage: rsyslogd [options]

use “man rsyslogd” for details. To run rsyslog interactively, use “rsyslogd -n”to run it in debug mode use “rsyslogd -dn”

For further information see http://www.rsyslog.com/doc

[FAILED]

uat-db01:/root/rsyslog-8.15.0/tools# rsyslogd -f /etc/rsyslog.conf

uat-db01:/root/rsyslog-8.15.0/tools# ps -ef | grep rsyslog

root 9244 1 12 14:32 ? 00:00:00 rsyslogd -f /etc/rsyslog.conf

root 9259 26662 0 14:32 pts/0 00:00:00 grep rsyslog

uat-db01:/root/rsyslog-8.15.0/tools#

客户端rsyslog 配置:

uat-db01:/data01/mysql# cat /etc/rsyslog.conf | grep -v “^#” | grep -v “^$”

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)

$ModLoad imklog # provides kernel logging support (previously done by rklogd)

module(load=”imfile” PollingInterval=”5″)

$ModLoad imtcp

$InputTCPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$IncludeConfig /etc/rsyslog.d/*.conf

*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages

authpriv.* /var/log/secure

mail.* -/var/log/maillog

cron.* /var/log/cron

uucp,news.crit /var/log/spooler

local7.* /var/log/boot.log

input(type=”imfile”

File=”/data01/mysql/uat-db01-slow.log”

Tag=”uat-mysql01″

Severity=”info”

Facility=”local5″)

local5.* @@115.236.xx.xx:514

服务器rsyslog 配置:

$EscapeControlCharactersOnReceive off #关闭rsyslog默认转译ASCII<32的所有怪异字符，包括换行符等

$template nginx-zjzc01,”/rsyslog/data/nginx/zjzc/nginx_access01_log.%$year%-%$month%-%$day%” #定义TC：日志存放路径

$template nginx-zjzc02,”/rsyslog/data/nginx/zjzc/nginx_access02_log.%$year%-%$month%-%$day%” #定义TCBeta：日志存放路径

$template nginx-uat01,”/rsyslog/data/nginx/uat/nginx_access01_log.%$year%-%$month%-%$day%” #定义TCBeta：日志存放路径

$template tocFormat,”‘%syslogtag%’,’%FROMHOST-IP%’,’%msg%’\n” #定义toc日志format

$template uat-zjzc01,”/rsyslog/data/mysql/uat/mysql01_slow_log.%$year%-%$month%-%$day%” #定义TCBeta：日志存放路径

:rawmsg,contains,”nginx-zjzc01″ -?nginx-zjzc01;tocFormat #接受TC：日志，并应用tocFormat格式

:rawmsg,contains,”nginx-zjzc02″ -?nginx-zjzc02;tocFormat #接受TCBeta：日志，并应用tocFormat格式

:rawmsg,contains,”uat-nginx” -?nginx-uat01;tocFormat #接受TCBeta：日志，并应用tocFormat格式

:rawmsg,contains,”uat-mysql01″ -?uat-zjzc01;tocFormat