
[20191224] Centrally managing Syslog Server information.txt

--//I have long wanted a server that collects Syslog Server information, receiving the syslog messages of the other machines, including the logging output of switches and routers.
--//Our whole team pays far too little attention to these details; when a problem appears, the time to resolution is very long. Imagine having no records at all: once the administrator leaves, any problem becomes very awkward...
--//Our current servers already use rsyslog in place of syslog, so I will use it to replace syslog as well. First, try it out in a test environment:

1. Environment:
# cat /etc/issue | head -1
Oracle Linux Server release 5.9

--//My test environment does not have rsyslog installed; what is actually installed is sysklogd (note the K in the middle)
# rpm -qa | grep sys | grep log
sysklogd-1.4.1-46.el5

# rpm -ivh rsyslog-3.22.1-7.el5.x86_64.rpm
warning: rsyslog-3.22.1-7.el5.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 1e5e0159
Preparing…                ########################################### [100%]
   1:rsyslog                ########################################### [100%]

2. Edit /etc/rsyslog.conf and append the following:
# Provides UDP syslog reception
$ModLoad imudp
$InputUDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
--//The lines above are best placed at the beginning of the file. Note: some documents I have seen write $ModLoad imudp.so; best check man rsyslog.conf
# This one is the template to generate the log filename dynamically, depending on the client's IP address.
$template FILENAME,"/var/log/rsyslog/%fromhost-ip%_syslog.log"

# Log all messages to the dynamically formed file. Now each client's log (192.168.1.2, 192.168.1.3, etc.)
# will go to a separate file whose name is formed by the template FILENAME.
*.* ?FILENAME
*.*                             /dev/tty4

--//A note: the last line sends every message to /dev/tty4. For some debugging you then only need to set the 80x25 display mode at login.
--//Running tail -f /dev/vcs4 shows the output as it arrives. This does of course have security implications; you can enable it only when needed.
--//The drawback is that it does not refresh. Is there a way to refresh it? The only option is watch cat /dev/vcs4, and it is only readable with COLUMNS=80; otherwise it looks a bit messy.
--//Of course you can also write everything to a file, but it grows quickly:
*.*                                                 /var/log/rsyslog/all.log

3. Modify the /etc/sysconfig/rsyslog configuration file:
#SYSLOGD_OPTIONS="-m 0"
SYSLOGD_OPTIONS="-c3 -x"

--//The purpose of adding -x is to disable DNS lookups on messages received with -r.
--//-c3 is set mainly to avoid the following after startup:
# cat /var/log/rsyslog/127.0.0.1_syslog.log
Dec 24 17:25:49 xxxxxxx4 kernel: imklog 3.22.1, log source = /proc/kmsg started.
Dec 24 17:25:49 xxxxxxx4 rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="13956" x-info="http://www.rsyslog.com"] (re)start
Dec 24 17:25:49 xxxxxxx4 rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config
                directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c3
                as the first rsyslogd option.
Dec 24 17:25:49 xxxxxxx4 rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock
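The per-client files written by the FILENAME template use rsyslog's traditional line format, and long messages such as the compatibility-mode warning above are wrapped onto indented continuation lines. The following parser is an added example (not code from the post or from rsyslog) that folds those continuation lines back into one record and picks out the startup warnings; the sample text is constructed from the lines shown above, with the hostname masked as in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the log lines shown above (hostname masked as in the post).
SAMPLE = """\
Dec 24 17:25:49 xxxxxxx4 kernel: imklog 3.22.1, log source = /proc/kmsg started.
Dec 24 17:25:49 xxxxxxx4 rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="13956" x-info="http://www.rsyslog.com"] (re)start
Dec 24 17:25:49 xxxxxxx4 rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config
                directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c3
                as the first rsyslogd option.
Dec 24 17:25:49 xxxxxxx4 rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock
"""

# Traditional (RFC 3164 style) line as written by rsyslog's default file template:
# "<Mon> <dd> <HH:MM:SS> <host> <tag>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


@dataclass
class Record:
    timestamp: str
    host: str
    tag: str          # program name, e.g. "kernel" or "rsyslogd"
    pid: Optional[int]
    message: str


def parse_log(text: str) -> List[Record]:
    """Parse one per-client log file into records, folding wrapped continuation lines."""
    records: List[Record] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m:
            pid = int(m["pid"]) if m["pid"] else None
            records.append(Record(m["ts"], m["host"], m["tag"], pid, m["msg"]))
        elif records and raw[:1].isspace():
            # Indented line: rsyslog wrapped a long message, so append it to the previous record.
            records[-1].message += " " + raw.strip()
        else:
            # Unparsable line: keep it visible under a placeholder tag instead of dropping it silently.
            records.append(Record("", "", "?", None, raw))
    return records


def compat_mode_warnings(records: List[Record]) -> List[Record]:
    """Return the rsyslogd records that complain about compatibility mode (the reason for -c3)."""
    return [r for r in records if r.tag == "rsyslogd" and "compatibility" in r.message.lower()]


if __name__ == "__main__":
    for r in parse_log(SAMPLE):
        print(f"{r.timestamp} {r.host} {r.tag}: {r.message[:60]}")
    print(len(compat_mode_warnings(parse_log(SAMPLE))), "compatibility-mode warnings")
```

Pointing `parse_log` at the real files under /var/log/rsyslog/ is a quick way to confirm that each client is actually reporting and that no daemon restarted in compatibility mode.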

4. Start the rsyslog service:
--//In my test environment the syslog service has to be stopped first.
# service syslog stop
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]

# service rsyslog start
Starting system logger:                                    [  OK  ]

5. Client configuration:
--//Edit the /etc/syslog.conf file and add:
*.*                             @192.168.100.78

--//It can also be written as:
*.*                             @@192.168.100.78

--//According to the documentation: a single @ gives the UDP address (IP or hostname) and port of the central syslog server, i.e. the UDP port is used; two @ signs use the TCP port.
--//I also found that a port number cannot be written in /etc/syslog.conf; perhaps the sysklogd package does not support specifying a port.
# man rsyslog.conf

Remote machine

       There are three ways to forward message: the traditional UDP transport, which is extremely lossy but standard,
       the plain TCP based transport which loses messages only during certain situations but is widely available and the
       RELP transport which does not lose messages but is currently available only as part of rsyslogd 3.15.0 and above.

       To forward messages to another host via UDP, prepend the hostname with the at sign ("@").  To forward it via
       plain tcp, prepend two at signs ("@@"). To forward via RELP, prepend the string ":omrelp:" in front of the
       hostname.

       Example:
              *.* @192.168.0.1

       In the example above, messages are forwarded via UDP to the machine 192.168.0.1, the destination port defaults to
       514. Due to the nature of UDP, you will probably lose some messages in transit.  If you expect high traffic
       volume, you can expect to lose a quite noticeable number of messages (the higher the traffic, the more likely and
       severe is message loss).

       If you would like to prevent message loss, use RELP:
              *.* :omrelp:192.168.0.1:2514

       Note that a port number was given as there is no standard port for relp.

       Keep in mind that you need to load the correct input and output plugins (see "Modules" above).

       Please note that rsyslogd offers a variety of options in regarding to remote forwarding. For full details, please
       see the html documentation.

--//One more detail to watch: on a client that runs rsyslog, the /etc/sysconfig/rsyslog configuration file must be changed as follows. The -c3 option cannot be used there, otherwise the server receives no
--//messages.
#SYSLOGD_OPTIONS="-m 0"
SYSLOGD_OPTIONS="-m 0 -x"
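To see what the `@` (UDP) and `@@` (TCP) forwarding lines above actually put on the wire, and how the server side turns the sender's address into a per-client file as the FILENAME template does, here is an added example that is not part of the post and does not use rsyslog. It builds traditional syslog messages with the RFC 3164 PRI prefix (facility * 8 + severity), sends one over UDP and one over TCP to a toy collector listening on loopback ephemeral ports, and has the collector decode the PRI and bucket the lines by source IP. The `MiniCollector` class, the port choice and the sample messages are all constructed for this example; it goes slightly beyond the post by also showing the newline framing that plain-TCP syslog relies on.

```python
import socket
import threading
from collections import defaultdict
from datetime import datetime

# Facility and severity codes from RFC 3164 (subset); PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_message(facility, severity, host, tag, text, when=None):
    """Format one traditional (RFC 3164 style) syslog message as bytes."""
    when = when or datetime(2019, 12, 24, 17, 25, 49)   # fixed, constructed timestamp for reproducibility
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    ts = when.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {host} {tag}: {text}".encode()


def parse_pri(data: bytes):
    """Split a '<PRI>...' message into (facility, severity, rest-of-line)."""
    if not data.startswith(b"<") or b">" not in data[:5]:
        raise ValueError("missing PRI prefix")
    end = data.index(b">")
    pri = int(data[1:end])
    return pri // 8, pri % 8, data[end + 1:].decode(errors="replace")


class MiniCollector:
    """Toy stand-in for the rsyslog server: keeps received lines per sender IP,
    mirroring the %fromhost-ip%_syslog.log template (constructed for this example)."""

    def __init__(self):
        self.files = defaultdict(list)   # "<ip>_syslog.log" -> [(facility, severity, line), ...]

    def accept(self, sender_ip, data):
        fac, sev, rest = parse_pri(data)
        self.files[f"{sender_ip}_syslog.log"].append((fac, sev, rest))


def send_udp(msg, addr):
    """What a '*.* @host' line does: one datagram per message, no delivery guarantee."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, addr)


def send_tcp(msg, addr):
    """What a '*.* @@host' line does: a stream, with each message newline-terminated."""
    with socket.create_connection(addr) as s:
        s.sendall(msg + b"\n")


def run_roundtrip():
    """Start UDP and TCP listeners on 127.0.0.1, send one message over each, return the collector."""
    collector = MiniCollector()
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(1)
    udp.settimeout(5)
    tcp.settimeout(5)

    def udp_server():
        data, (ip, _) = udp.recvfrom(4096)
        collector.accept(ip, data)

    def tcp_server():
        conn, (ip, _) = tcp.accept()
        with conn:
            buf = b""
            while b"\n" not in buf:          # read until one complete framed message
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            for line in buf.split(b"\n"):
                if line:
                    collector.accept(ip, line)

    threads = [threading.Thread(target=udp_server), threading.Thread(target=tcp_server)]
    for t in threads:
        t.start()
    send_udp(build_message("auth", "warning", "client1", "sshd", "session opened for user oracle"),
             udp.getsockname())
    send_tcp(build_message("daemon", "info", "client1", "crond", "CROND start"), tcp.getsockname())
    for t in threads:
        t.join()
    udp.close()
    tcp.close()
    return collector


if __name__ == "__main__":
    for name, lines in run_roundtrip().files.items():
        print(name)
        for fac, sev, line in lines:
            print(f"  facility={fac} severity={sev} {line}")
```

Because both senders here run on the same host, everything lands in one `127.0.0.1_syslog.log` bucket; on the real server each client's address produces its own file, which is exactly why the `-x` option matters: with DNS lookups disabled the file name is the IP that actually sent the packet, not whatever reverse DNS happens to say.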

6. Add logrotate management:
--//If a large volume of data is recorded, the server consumes a lot of disk space, so the logs must be cleaned up regularly:
--//Edit the /etc/logrotate.d/syslog file and add the following:

/var/log/rsyslog/1*.log {
  size=100M
  rotate 4
  copytruncate
  compress
  notifempty
}

--//Set size according to need. Note that the megabyte unit is an uppercase M and the kilobyte unit a lowercase k.
--//Debug the logrotate configuration with the following command:
# /usr/sbin/logrotate -d  /etc/logrotate.d/syslog

From “ITPUB Blog”, link: http://blog.itpub.net/267265/viewspace-2670388/. If you reproduce this, please cite the source; otherwise legal liability will be pursued.

Theme test article, for testing only. Published by: 深沉的少年; when reposting please cite the source: http://www.cxybcw.com/182806.html
