rsyslog

Learning goal

Move the work of checking logs from the operations department to the project department.

Features of rsyslog

Rsyslog is an enhanced multi-threaded syslogd with a focus on security and reliability. Among others, it offers support for on-demand disk buffering, reliable syslog over TCP, SSL, TLS and RELP, writing to databases, email alerting. It is a drop-in replacement for syslogd.

http://wiki.debian.org/Rsyslog

Configuration Structure

Modules

Rsyslog has a modular architecture. It enables functionalities to be added dynamically through these modules. The modules are categorized as:

  • Input Modules – Used to gather messages from various sources
  • Output Modules – Used to write the messages to various places (file, socket, etc.)
  • Parser Modules – Used to parse the message content

Configuration Directives

Rule lines

A Sample Configuration

######################
#	MODULES
######################

$ModLoad imuxsock
$ModLoad imklog

######################
#	Directives
######################
# Set the default permissions for all log files.

$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755

######################
#	RULES
######################
mail.info    /var/log/mail.info
mail.warn    /var/log/mail.warn
mail.err     /var/log/mail.err
daemon.*     /var/log/daemon.log

About the dash (-) in front of the filename: it makes basically no difference and can be ignored:

What's that dash in front of the filename? It's not documented in the man page, but it turns out to mean “Don't sync after every write to the file”. Except that rsyslogd won't sync anyway, unless you add a special directive in the Global Directives section. So for most people, a dash makes no difference one way or the other – it will be ignored.

& ~ stops a message that matched the preceding rule from being processed by any further rules 2)

It has to be added above the $IncludeConfig at the end of the configuration; otherwise the filters are not fully loaded yet and & ~ may not work properly.

Configuration in detail: RULES

Every rule line consists of two fields, a ‘selector field’ and an ‘action field’. The selector field is divided into two, ‘facilities & priorities’. Action specifies what action must be taken for the matched rule.

Selectors

Basics

The basic syslog selectors are explained as follows:

  1. facility.priority: a facility and a priority, separated by a period ('.'). Messages refer to a facility (auth, authpriv, daemon, cron, ftp, lpr, kern, mail, news, syslog, user, uucp, local0, … , local7 ) and are assigned a severity (debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg)) by the sender of the message.
    1. LOCAL1 is a good choice for custom programs; see logging - Which program defaults uses syslog local[0-7] facilities? - Server Fault
      LOCAL0 is used by postgresql
      LOCAL2 is used by sudo
      LOCAL3 is used by some versions of SpamAssassin
      LOCAL4 is used by default by slapd (OpenLDAP server)
      LOCAL5 is sometimes used by the Snort IDS
      LOCAL7 is used for boot messages on Fedora 12
  2. >=: default is that all messages of the specified priority and higher are logged according to the given action.
  3. *.*: An asterisk ('*') stands for all facilities or all priorities.
  4. ,: You can specify multiple facilities with the same priority pattern in one statement using the comma (',') operator.
  5. ;: Multiple selectors may be specified for a single action using the semicolon (';') separator.

rsyslog extends the basic selectors as follows:

  1. =: You may precede every priority with an equals sign ('=') to specify only this single priority and not any of the above.
  2. !: You may also (both is valid, too) precede the priority with an exclamation mark ('!') to ignore those priorities, either exactly this one or this and any higher priority.
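The selector rules above (the basic ones plus rsyslog's = and ! extensions) as a small matcher. This is an added example, not code from the page or from rsyslog; the function names are my own, and it models rsyslog's legacy selector semantics, where each selector in a ; chain adjusts the per-facility mask built by the earlier ones (which is why *.info;mail.none drops mail).

```python
# Added example (not from the page): a model of how rsyslog's legacy
# selector field decides whether a (facility, severity) pair matches.
# Covers the page's rules: default '>=', '=' exact, '!' ignore, '*',
# ',' facility lists, ';' selector chains and 'none'.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
# Numeric severities: lower number = higher priority (emerg=0 ... debug=7).
SEVERITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
              "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}


def up_to(sev):
    """Bit mask covering severity `sev` and everything more severe (bits 0..sev)."""
    return (1 << (sev + 1)) - 1


def parse_selector(selector):
    """Return {facility: severity bit mask} for a selector field such as
    '*.info;mail.none;local1.=notice'. Later selectors adjust the mask built
    by earlier ones, so 'mail.none' after '*.info' removes mail again."""
    masks = {f: 0 for f in FACILITIES}
    for part in selector.split(";"):
        facs, pri = part.strip().split(".", 1)
        targets = FACILITIES if facs == "*" else [f.strip() for f in facs.split(",")]
        if pri == "none":                      # drop everything from these facilities
            for f in targets:
                masks[f] = 0
            continue
        negate = pri.startswith("!")           # '!pri' / '!=pri': clear bits instead of set
        pri = pri[1:] if negate else pri
        exact = pri.startswith("=")            # '=pri': this single priority only
        pri = pri[1:] if exact else pri
        if pri == "*":
            bits = up_to(7)
        elif exact:
            bits = 1 << SEVERITIES[pri]
        else:
            bits = up_to(SEVERITIES[pri])      # default: this priority and higher
        for f in targets:
            masks[f] = masks[f] & ~bits if negate else masks[f] | bits
    return masks


def matches(selector, facility, severity):
    """True if a message with this facility/severity would trigger the action."""
    return bool(parse_selector(selector)[facility] & (1 << SEVERITIES[severity]))
```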

Conditions

rsyslog also provides two more advanced kinds of conditional filtering: Property-Based Filters and Expression-Based Filters.

Property-Based Filters

A Property-Based Filter expression has the form:

:property, [!]compare-operation, "value"
  • the full list of properties is in The Property Replacer
  • compare-operation includes contains, isempty, isequal, startswith, regex, ereregex. Note that startswith never tests as expected; a Google search turns up a Launchpad bug reporting this, Bug #479592, still unresolved. FIXME

Basic filters and Property-Based Filters cannot be combined in one rule!

local1.notice:msg,contains,"[MY_PROGRAM]"

Expression-Based Filters

C-like; see RainerScript for details.

Actions

  • Plain file: the file and its parent directories do not need to be created beforehand; rsyslog creates them automatically
    *.*     /var/log/file.log # log to a file with RFC3339 timestamps
  • Remote machine
    *.* @192.168.0.1 # via UDP
    *.* :omrelp:192.168.0.1:2514 # RELP will prevent message loss
  • Display to certain user(s)
    *.emerg :omusrmsg:root,user1,user2
    *.emerg :omusrmsg:*
  • Don't log
    *.*   ~      # discards everything.

For more, see man 5 rsyslog.conf

Central Logging

central log server

/etc/rsyslog.conf
# provides support for local system logging
$ModLoad imuxsock 
 
# provides kernel logging support (previously done by rklogd)
$ModLoad imklog
 
# provides UDP syslog reception. For TCP, load imtcp.
$ModLoad imudp
 
# For TCP, load imtcp above and use $InputTCPServerRun 514 instead
$UDPServerRun 514
 
$template REMOTE,"/var/log/gstation/%fromhost-ip%.log"
if $fromhost-ip != '127.0.0.1' then ?REMOTE

Note that the rsyslog user ($FileOwner syslog, $FileGroup adm) needs write permission on the log directory.

client machines

/etc/rsyslog.conf
$ModLoad imuxsock
 
$ModLoad imklog
 
$IncludeConfig /etc/rsyslog.d/*.conf
 
# Provides UDP forwarding. The IP is the server's IP address
*.* @192.168.1.1:514

# Provides TCP forwarding (@@). But the current server runs on UDP
# *.* @@192.168.1.1:514

Testing

Once both the server and the client are configured and restarted, run sudo echo 'hello' on the client. If the setup succeeded, a corresponding record appears in both the client's /var/log/auth.log 3) and the server's /var/log/192.168.1.2/syslog.log.

Also, because /etc/rsyslog.d/50-default.conf contains the rule auth,authpriv.* /var/log/auth.log, the log is written both locally and remotely.
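The test above worked through on a constructed datagram, as an added example that is not from the page: decode the RFC 3164 PRI into facility and severity, render the server's REMOTE template for the sending host, and apply the client's auth,authpriv.* rule and *.* forward. The sample message, the IP 192.168.1.2 and the function names are my own assumptions; the template path and the rules are the ones from the two rsyslog.conf snippets on this page.

```python
# Added example (not from the page): decode a forwarded syslog datagram and
# work out where the client and server configs above would file it. The
# datagram and the client IP are constructed; the template and rules are the
# ones shown in the two rsyslog.conf snippets.
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
REMOTE_TEMPLATE = "/var/log/gstation/%fromhost-ip%.log"   # $template REMOTE,...


def decode_pri(datagram):
    """RFC 3164: the leading <N> carries PRI = facility * 8 + severity."""
    m = re.match(r"<(\d{1,3})>", datagram)
    if not m or int(m.group(1)) > 191:        # 191 = local7 (23) * 8 + debug (7)
        raise ValueError("malformed or missing PRI field")
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def render(template, props):
    """Substitute %name% placeholders the way rsyslog's property replacer does."""
    return re.sub(r"%([\w-]+)%", lambda m: props[m.group(1)], template)


def client_destinations(datagram):
    """Client: the *.* forward plus 50-default.conf's auth,authpriv.* rule."""
    facility, _ = decode_pri(datagram)
    dests = ["@192.168.1.1:514"]              # *.* @192.168.1.1:514 (UDP)
    if facility in ("auth", "authpriv"):      # auth,authpriv.* /var/log/auth.log
        dests.append("/var/log/auth.log")
    return dests


def server_destination(datagram, fromhost_ip):
    """Server: `if $fromhost-ip != '127.0.0.1' then ?REMOTE`, else not filed."""
    decode_pri(datagram)                      # reject malformed input before routing it
    if fromhost_ip == "127.0.0.1":
        return None
    return render(REMOTE_TEMPLATE, {"fromhost-ip": fromhost_ip})


# Constructed datagram such as `sudo echo hello` on the client would emit:
# PRI 86 = authpriv (10) * 8 + info (6).
SAMPLE = "<86>Apr  3 23:17:01 client sudo: admin : TTY=pts/0 ; COMMAND=/bin/echo hello"
```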

Templates

Not very useful.

A sample template will look like:

$template mytemplate,"Text-Before %msg% Text-After\n"

The above template will log the message “This is hello from rsyslog” as:

Text-Before This is hello from rsyslog Text-After

issues

ubuntu kernel: last message repeated n times! rsyslog goes crazy, floods syslog and eats the load!

See: Bug #523610 "rsyslogd spins CPU on some kernels" : Bugs : "rsyslog" package : Ubuntu

Two solutions:

  1. Disable one rsyslog module (imklog): sed -i -e 's/^\$ModLoad imklog/#\$ModLoad imklog/g' /etc/rsyslog.conf
  2. Install an older version of rsyslog
1) why rsyslog? As of Debian 5.0, rsyslog has become the default syslog
3) This is how it is configured in /etc/rsyslog.d/50-default.conf
it/linux/rsyslog.txt · Last modified: 2014/04/03 23:17 by admin