Moving log-checking work from the Ops department to the Project department
Rsyslog is an enhanced multi-threaded syslogd with a focus on security and reliability. Among others, it offers support for on-demand disk buffering, reliable syslog over TCP, SSL, TLS and RELP, writing to databases, email alerting. It is a drop-in replacement for syslogd.
Rsyslog has a modular architecture: functionality is added dynamically by loading modules. The modules are categorized as:
```
###################### MODULES ######################
$ModLoad imuxsock
$ModLoad imklog

###################### Directives ######################
# Set the default permissions for all log files.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755

###################### RULES ######################
mail.info   /var/log/mail.info
mail.warn   /var/log/mail.warn
mail.err    /var/log/mail.err
daemon.*    /var/log/daemon.log
```
About the dash before a filename: it makes essentially no difference and can be ignored:
What's that dash in front of the filename? It's not documented in the man page, but it turns out to mean “Don't sync after every write to the file”. Except that rsyslogd won't sync anyway, unless you add a special directive in the Global Directives section. So for most people, a dash makes no difference one way or the other – it will be ignored.
& ~
This stops messages that matched the preceding rule from being logged by any later rule.
It must be added above the $IncludeConfig line at the end of the config; otherwise the filters have not all been loaded yet and & ~ may not work properly.
Every rule line consists of two fields, a ‘selector field’ and an ‘action field’. The selector field is divided into two, ‘facilities & priorities’. Action specifies what action must be taken for the matched rule.
The basic syslog selectors are described as follows:
Messages are tagged with a facility (auth, authpriv, daemon, cron, ftp, lpr, kern, mail, news, syslog, user, uucp, local0, … , local7) and are assigned a severity (debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg)) by the sender of the message.
- LOCAL0 is used by postgresql
- LOCAL2 is used by sudo
- LOCAL3 is used by some versions of SpamAssassin
- LOCAL4 is used by default by slapd (OpenLDAP server)
- LOCAL5 is sometimes used by the Snort IDS
- LOCAL7 is used for boot messages on Fedora 12
rsyslog extends the basic selectors as follows:
rsyslog also provides two more advanced kinds of conditional filtering: Property-Based Filters and Expression-Based Filters.
A Property-Based Filter expression has the form:
```
:property, [!]compare-operation, "value"
```
The full list of properties is given in The Property Replacer. compare-operation is one of contains, isempty, isequal, startswith, regex, ereregex. Note that startswith never behaved as expected in my tests; after googling I found Launchpad Bug #479592 reporting this problem, and it is still unresolved. Basic Filters and Property-Based Filters cannot be combined in one rule!
```
local1.notice:msg,contains,"[MY_PROGRAM]"
```
Expression-Based Filters use a C-like syntax; see RainerScript for details.
```
*.* /var/log/file.log          # log to a file with RFC3339 timestamps
*.* @192.168.0.1               # forward via UDP
*.* :omrelp:192.168.0.1:2514   # RELP will prevent message loss
*.emerg :omusrmsg:root,user1,user2   # write to the named logged-in users
*.emerg :omusrmsg:*                  # write to every logged-in user
*.* ~                          # discards everything.
```
See man 5 rsyslog.conf for more.
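To make the selector rules above and the "& ~" ordering point concrete, here is a small simulator of rsyslog's classic selector and action semantics. It is an added example, not code from this post or from rsyslog itself; the rule sets at the bottom are constructed, and the catch-all forwarding rule stands in for the rules pulled in by $IncludeConfig.

```python
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

def sev_index(name):
    # Lower index means more severe; aliases follow the severity list above.
    return SEVERITIES.index(ALIASES.get(name, name))

def selector_matches(selector, facility, severity):
    """Evaluate a classic selector such as 'mail.info;auth,authpriv.none'.
    Parts separated by ';' are applied in order and later parts override
    earlier ones for the facilities they name; that is how 'none' excludes.
    """
    matched = False
    for part in selector.split(";"):
        facs, _, pri = part.strip().rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if pri == "*":                       # every severity
            matched = True
        elif pri == "none":                  # exclude this facility
            matched = False
        elif pri.startswith("!="):           # all but exactly this severity
            matched = sev_index(severity) != sev_index(pri[2:])
        elif pri.startswith("="):            # exactly this severity
            matched = sev_index(severity) == sev_index(pri[1:])
        elif pri.startswith("!"):            # less severe than this level
            matched = sev_index(severity) > sev_index(pri[1:])
        else:                                # this severity or more severe
            matched = sev_index(severity) <= sev_index(pri)
    return matched

def run_rules(rules, facility, severity):
    """Apply (selector, action) pairs in order. '&' reuses the previous
    selector and the action '~' discards the message for all later rules."""
    actions, last_selector = [], None
    for selector, action in rules:
        if selector != "&":
            last_selector = selector
        if not selector_matches(last_selector, facility, severity):
            continue
        if action == "~":
            break
        actions.append(action)
    return actions

# Constructed rule sets: the same rules with the discard placed before and
# after the catch-all forwarding rule (stands in for the included defaults).
DISCARD_BEFORE = [("mail.*", "/var/log/mail.log"), ("&", "~"), ("*.*", "@192.168.1.1:514")]
DISCARD_AFTER = [("*.*", "@192.168.1.1:514"), ("mail.*", "/var/log/mail.log"), ("&", "~")]
```

run_rules(DISCARD_BEFORE, "mail", "info") yields only the local file, while DISCARD_AFTER also forwards the message, which is exactly why the discard has to come before $IncludeConfig.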
Server configuration:
```
# provides support for local system logging
$ModLoad imuxsock
# provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# provides UDP syslog reception. For TCP, load imtcp.
$ModLoad imudp
# For TCP, use $InputTCPServerRun 514
$UDPServerRun 514

# one log file per sending host
$template REMOTE,"/var/log/gstation/%fromhost-ip%.log"
if $fromhost-ip != '127.0.0.1' then ?REMOTE
```
Note that the rsyslog user ($FileOwner syslog, $FileGroup adm) needs write permission on the log directory.
Client configuration:
```
$ModLoad imuxsock
$ModLoad imklog
$IncludeConfig /etc/rsyslog.d/*.conf
# Provides UDP forwarding. The IP is the server's IP address
*.* @192.168.1.1:514
# Provides TCP forwarding (note the double @). But the current server runs on UDP
# *.* @@192.168.1.1:514
```
Once both server and client are configured and restarted, run sudo echo 'hello' on the client. If the setup works, a corresponding record appears both in the client's /var/log/auth.log and in the server's /var/log/192.168.1.2/syslog.log.
Also, because /etc/rsyslog.d/50-default.conf contains the rule auth,authpriv.* /var/log/auth.log, the message is logged both locally and remotely.
Not much use.
A sample template will look like:
```
$template mytemplate "Text-Before %msg% Text-After\n"
```
The above template will log the message "This is hello from rsyslog" as:
```
Text-Before This is hello from rsyslog Text-After
```
See: Bug #523610 "rsyslogd spins CPU on some kernels" : Bugs : "rsyslog" package : Ubuntu
Two workarounds:
```
# comment out the imklog module so rsyslogd stops reading the kernel log
sed -i -e 's/^\$ModLoad imklog/#\$ModLoad imklog/g' /etc/rsyslog.conf
```