
Example Analysis of rsyslog Log Service under Linux

2025-04-08 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article walks through the rsyslog log service on Linux with worked examples: where the log files live, how filters and actions are written, how messages are forwarded over the network, how templates and queues work, and how an application (PHP here) hands messages to syslog.

The syslog service on Linux can act as the central log collection point of an enterprise network: servers, network devices, switches, routers and internal services send their logs, whether they relate to a specific internal problem or are purely informational, to this syslog server. Because everything converges there, the collector is also a high-value target: its availability and the integrity of what it stores matter more than those of any single sender.

Locate the log file

Most log files live in the /var/log/ directory. Many of them carry a date suffix (for example maillog-20150301), which means they have been rotated so that no single log file grows without bound.

Rotation is done by the logrotate package: a scheduled job (run from cron) rotates the files according to /etc/logrotate.conf and the per-service snippets in the /etc/logrotate.d/ directory.

Basic configuration of Rsyslog

The main configuration file of rsyslog is /etc/rsyslog.conf. Logs are managed there by configuring filters and actions.

In the rsyslog configuration file, define the rules using the following format

FILTER ACTION

When a message matches the filter, rsyslog hands it to the action specified on that line. Rules are evaluated from top to bottom, and a message can match several rules.

Filter

In rsyslog, there are three ways to filter:

Facility/priority-based filters

Facility/priority-based filters are the most commonly used kind and have the following syntax:

FACILITY.PRIORITY

FACILITY names the subsystem that generated the message. Available values are auth, authpriv, cron, daemon, kern, lpr, mail, news, syslog, user, ftp, uucp and local0 to local7.

PRIORITY is the severity of the message: debug (7), info (6), notice (5), warning (4), err (3), crit (2), alert (1), emerg (0). A plain priority such as mail.crit matches that priority and every more severe one.

A leading = restricts the match to exactly that priority, and a leading ! excludes that priority and all more severe ones (!= excludes exactly that priority). Besides these prefixes, * stands for all facilities or all priorities, and the keyword none in the priority position excludes every message of that facility; it is normally used to carve a facility out of a broader selector, as in *.info;mail.none.

Several facilities or priorities within one selector are separated by commas; several selectors within one rule are separated by semicolons.

Use example

kern.*                              # kernel messages of every priority
mail.crit                           # mail messages at crit or more severe
cron.*;cron.!=info;cron.!=debug     # cron messages except info and debug (the same as cron.notice)

Attribute-based filters
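The selector rules above are easy to get wrong because every selector in a line adds to or removes from the set matched so far. The following Python block is an added example (not rsyslog code) that implements those semantics, including *, =, !, !=, none, comma lists and semicolon-separated selectors, so a rule can be checked against constructed sample messages without a running daemon:

```python
"""Evaluate rsyslog facility/priority selectors against sample messages.

Added example, not rsyslog code. Selectors are evaluated left to right:
each one adds to or removes from the set of (facility, priority) pairs,
which is how rsyslog (and classic syslogd) resolve a selector line.
"""

FACILITY_CODE = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
                 "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
                 "authpriv": 10, "ftp": 11}
FACILITY_CODE.update({f"local{i}": 16 + i for i in range(8)})  # 16..23
PRIORITY_CODE = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                 "warning": 4, "notice": 5, "info": 6, "debug": 7,
                 "panic": 0, "error": 3, "warn": 4}  # last three are aliases


def _priority_set(spec):
    """Turn one priority spec ('crit', '=crit', '!crit', '!=crit', 'none', '*')
    into (negate, set_of_priority_codes)."""
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "none":                  # drop everything of this facility
        return True, set(range(8))
    if spec == "*":
        return negate, set(range(8))
    if spec.startswith("="):            # exactly this priority
        return negate, {PRIORITY_CODE[spec[1:]]}
    # plain name: this priority and all more severe ones (lower codes)
    return negate, set(range(PRIORITY_CODE[spec] + 1))


def parse_selector(line):
    """Return the set of (facility_code, priority_code) pairs the line matches."""
    selected = set()
    for selector in line.split(";"):
        selector = selector.strip()
        if not selector:
            continue
        facs, prios = selector.split(".", 1)
        if facs == "*":
            fac_codes = list(FACILITY_CODE.values())
        else:
            fac_codes = [FACILITY_CODE[f.strip()] for f in facs.split(",")]
        for prio_spec in prios.split(","):
            negate, prio_codes = _priority_set(prio_spec.strip())
            pairs = {(f, p) for f in fac_codes for p in prio_codes}
            if negate:
                selected -= pairs
            else:
                selected |= pairs
    return selected


def matches(line, facility, priority):
    """True if a message with this facility/priority is selected by the line."""
    return (FACILITY_CODE[facility], PRIORITY_CODE[priority]) in parse_selector(line)


# Constructed sample messages: (facility, priority, text).
SAMPLE = [
    ("kern", "warning", "kernel: usb 1-1: device descriptor read error"),
    ("mail", "err", "postfix/smtpd: connect from unknown"),
    ("cron", "info", "CROND: (root) CMD (run-parts /etc/cron.hourly)"),
    ("cron", "err", "CROND: (root) FAILED to open PAM security session"),
    ("auth", "info", "sshd: Accepted publickey for alice"),
]


def select(line, messages=SAMPLE):
    """Apply a selector line to the sample and return the matching texts."""
    return [text for fac, prio, text in messages if matches(line, fac, prio)]


if __name__ == "__main__":
    for rule in ("kern.*", "mail.crit", "cron.*;cron.!=info;cron.!=debug",
                 "*.info;mail.none", "*.*;cron.none"):
        print(f"{rule:35} -> {select(rule)}")
```

Running it shows, for instance, that cron.*;cron.!=info;cron.!=debug keeps the cron err message but not the cron info one, and that *.info;mail.none drops the mail message even though it is more severe than info.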

Attribute-based filter syntax

:PROPERTY, [!]COMPARE_OPERATION, "STRING"

PROPERTY is the message property to compare, COMPARE_OPERATION the comparison to perform (prefix it with ! to negate it), and "STRING" the value to compare against.

Comparison operations that can be used:

contains: the string occurs somewhere in the property (contains_i for a case-insensitive match)
isequal: the property is exactly equal to the string
startswith: the property begins with the string (startswith_i for a case-insensitive match)
regex: the property matches a POSIX basic regular expression (BRE)
ereregex: the property matches a POSIX extended regular expression (ERE)
isempty: the property is empty; this operation takes no string

Examples of use:

:msg, contains, "error"
:hostname, isequal, "host1"
:msg, !regex, "fatal.*error"

Expression-based filters

Expression-based filters use rsyslog's own scripting language, RainerScript, to build complex filters; they are not covered here.

Action

Action defines what to do when the specified filter is matched.

To attach more than one action to the same filter, start each additional action on its own line with &. For example:

kern.=crit user1
& ^test-program;temp
& @192.168.0.1

Here user1 writes the message to that user's terminal, ^test-program runs the executable test-program with the message as its parameter (a leading ^ means "send to a program"), and @192.168.0.1 forwards the message over the network. The ;temp suffix on the second action formats the message with the template named temp before it is passed to the program.

In general, appending ;TEMPLATE_NAME to an action selects the template used to format messages for that action. Note that ^ hands message content, which may come from an untrusted sender, to a program as an argument, so the program must treat that argument as hostile input.

Save the log to the log file

Syntax:

FILTER PATH

PATH is the file the messages are written to. For example, cron.* /var/log/cron.log writes every scheduled-task message to /var/log/cron.log.

In classic syslogd the file was synced to disk after every message, and a - in front of the path turned that off (messages could be lost on a crash, but throughput improved). rsyslog still accepts the - prefix for compatibility, but there syncing is off by default ($ActionFileEnableSync off) and has to be enabled explicitly if you need it.

Besides a static path, the file name can also be generated dynamically:

FILTER ?DynamicFile

DynamicFile is a previously defined template that yields the output path.

Send syslog over the network

rsyslog can forward messages over the network and receive them from other hosts, so a single log server can collect the logs of many servers. The forwarding action has the form

@[(zNUMBER)]HOST[:PORT]

A single @ sends over UDP, @@ over TCP. The optional (zNUMBER) enables zlib compression at level 1 to 9. Keep in mind that UDP syslog is unreliable and unauthenticated: datagrams can be lost or spoofed, so between hosts prefer TCP, and TLS (which rsyslog supports for TCP transport) where the network is not trusted.

Use example

*.* @192.168.0.1              # UDP, default port 514
*.* @@example.com:18          # TCP to port 18 (the default is 514 as well)
*.* @(z9)[2001:db8::1]        # UDP over IPv6 with zlib level 9 compression

Discard logs

To discard matching messages, use the ~ action (the newer syntax calls this stop). Because rules are processed top to bottom, a discard rule only affects the rules that come after it.

FILTER ~

For example:

cron.* ~

Template

Any message that rsyslog outputs can be formatted with a template. A template is defined with the following directive:

$template TEMPLATE_NAME,"text %PROPERTY% more text"[,OPTION]

$template announces a template definition, TEMPLATE_NAME is its name, and the text between the double quotes is the template body.

The optional OPTION changes how the template's output is escaped. The supported options are sql and stdsql, which quote special characters for MySQL-style and standard SQL respectively; they are required when the template feeds a database output, since message content would otherwise end up unescaped inside the INSERT statement.

Generate dynamic file name

Templates can also generate file names dynamically. As noted above, a ? is placed in front of the template name in the action to indicate that the file name is to be generated from the template.

For example:

$template DynamicFile,"/var/log/test_logs/%timegenerated%-test.log"
*.* ?DynamicFile

The timegenerated property is the time at which rsyslog received the message, so this template starts a new file for every distinct timestamp rather than, strictly, one per message. Properties that come from the message itself, such as hostname or programname, are set by the sender; when they are used in a dynamic file name, a crafted value containing slashes can steer the file outside the intended directory. The property replacer options secpath-drop and secpath-replace (for example %hostname:::secpath-replace%) strip or replace slashes and should be used on any sender-controlled property that ends up in a path.
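To make the path problem concrete, here is an added Python example (not rsyslog's property replacer) with a small template renderer that supports %prop%, %prop:from:to% with positions counted from 1, and the secpath-drop / secpath-replace options, applied to a constructed message whose hostname field contains a traversal sequence:

```python
"""Render rsyslog-style templates and check dynafile paths.

Added example, not rsyslog code.  Only the subset of the property
replacer needed here is implemented: %prop%, %prop:from:to% (positions
counted from 1, inclusive; '$' means end of value) and the options
secpath-drop and secpath-replace.  Other options are ignored.
"""
import posixpath
import re

# %name%, %name:from:to% or %name:from:to:options%
_PLACEHOLDER = re.compile(r"%([^%:]+)(?::([^:%]*):([^:%]*)(?::([^%]*))?)?%")


def render(template, props):
    """Expand the placeholders of template from the props dictionary."""
    def expand(m):
        name, start, end, opts = m.groups()
        value = str(props.get(name, ""))
        if start:
            first = int(start) - 1
            last = len(value) if end in (None, "", "$") else int(end)
            value = value[first:last]
        for opt in (opts or "").split(","):
            if opt == "secpath-drop":        # 'a/b' -> 'ab'
                value = value.replace("/", "")
            elif opt == "secpath-replace":   # 'a/b' -> 'a_b'
                value = value.replace("/", "_")
        return value
    return _PLACEHOLDER.sub(expand, template)


def dynafile_path(template, props, base="/var/log/test_logs"):
    """Return (resolved_path, stays_inside_base) for a dynafile template."""
    path = posixpath.normpath(render(template, props))
    inside = path == base or path.startswith(base + "/")
    return path, inside


# Constructed message as a remote sender could deliver it: the hostname
# token is taken from the datagram and is entirely under the sender's control.
HOSTILE = {"hostname": "../../etc/cron.d/evil", "programname": "sshd",
           "msg": "hello world"}

UNSAFE_TEMPLATE = "/var/log/test_logs/%hostname%.log"
SAFE_TEMPLATE = "/var/log/test_logs/%hostname:::secpath-replace%.log"

if __name__ == "__main__":
    for t in (UNSAFE_TEMPLATE, SAFE_TEMPLATE):
        print(t, "->", dynafile_path(t, HOSTILE))
```

With the unsafe template the resolved path lands in /var/etc/cron.d/, outside the log directory; with secpath-replace the slashes become underscores and the file stays where it belongs.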

Attribute

Within a template, the text between % signs is a property reference, which gives access to the fields of the log message:

%PROPERTY_NAME[:FROM_CHAR:TO_CHAR:OPTIONS]%

FROM_CHAR and TO_CHAR select a substring of the property (character positions are counted from 1), and OPTIONS is a comma-separated list of modifiers such as lowercase or the secpath-* options mentioned above.

The list of available attributes can be found in man rsyslog.conf.

Global instruction

Global directives configure the rsyslogd daemon itself. Every global directive starts with $, and there is one directive per line, for example:

$MainMsgQueueSize 50000

In the newer configuration format (RainerScript, rsyslog 6 and later) these $-directives are superseded by object statements such as global(...) and module(...), but the legacy form is still accepted.

Queue

Inside rsyslog, queues carry messages between processing stages. When a message arrives, it is first run through the parser, then placed on the main message queue; a worker takes it off that queue and hands it to the rule engine.

The rule engine is the filtering engine that applies the rules from the configuration file and triggers the corresponding actions. Every action has its own action queue, through which messages reach the action's output module and are written out.

For the same message, the message can be delivered to multiple action queues at the same time.

Defining queues

In /etc/rsyslog.conf the queue type is set with a directive of the form

$<object>QueueType queue_type

where <object> is MainMsg for the main message queue or Action for the queue of the action defined next, for example $MainMsgQueueType LinkedList or $ActionQueueType Disk.

The queue type can be direct, linkedlist or fixedarray (in-memory queues) or disk.

By default the main message queue is a FixedArray queue holding 10000 messages, and action queues are direct queues (no buffering; the message is passed straight to the action).

PHP uses syslog to output logs

PHP exposes three functions that talk to the system's syslog:

bool openlog(string $ident, int $option, int $facility)
bool syslog(int $priority, string $message)
bool closelog(void)

openlog opens the connection to syslog. The first parameter, $ident, is a string that is prepended to every message later written with syslog(); the second is a set of logging option flags (such as LOG_PID); the third is the logging facility (such as LOG_LOCAL5).

openlog() and closelog() are optional; if syslog() is called on its own, the default ident and facility are used.

For example, add the following rule to /etc/rsyslog.conf:

local5.* /tmp/php_test.log

After adding the rule, restart rsyslog so it is picked up (sudo /etc/init.d/rsyslog restart, or systemctl restart rsyslog on systemd hosts).

In the PHP script, do the following:
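The following is an added example, in Python rather than PHP and not part of the original article, that shows what happens on the wire in this section and in the network forwarding section above: it does by hand what libc's openlog()/syslog() (and therefore PHP's) do for the local5.* rule, namely build an RFC 3164 datagram whose PRI is facility*8 + severity, and it can deliver that datagram either to a UDP (host, port) pair, as the @HOST action does, or to a Unix datagram socket path such as /dev/log, which is what the local syslog connection uses on Linux. The sample message, hostname, ident and pid are constructed; the host names and addresses are placeholders.

```python
"""Build, send and decode RFC 3164 syslog datagrams.

Added example, not rsyslog or PHP code.  PRI = facility * 8 + severity,
followed by "Mmm dd hh:mm:ss", the hostname, the TAG (ident and optional
[pid], as openlog() would produce) and the message text.
"""
import socket
import time

FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
            **{f"local{i}": 16 + i for i in range(8)}}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAME = {v: k for k, v in FACILITY.items()}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}


def pri(facility, severity):
    """The PRI value, e.g. local5.info -> 21 * 8 + 6 = 174."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def encode(facility, severity, ident, message, hostname="host1", pid=None, when=None):
    """Return an RFC 3164 datagram; 'when' is an epoch timestamp (default: now)."""
    t = time.localtime(when) if when is not None else time.localtime()
    # RFC 3164 timestamp: month name, space-padded day, hh:mm:ss
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    tag = f"{ident}[{pid}]" if pid is not None else ident
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {message}".encode()


def decode(data):
    """Split a datagram into (facility_name, severity_name, remaining_text)."""
    text = data.decode(errors="replace")
    if not text.startswith("<") or ">" not in text[:5]:
        raise ValueError("missing PRI")
    close = text.index(">")
    facility, severity = divmod(int(text[1:close]), 8)
    return FACILITY_NAME.get(facility, str(facility)), SEVERITY_NAME[severity], text[close + 1:]


def send(datagram, target):
    """target is ('host', port) for UDP (the '@HOST:PORT' action) or a Unix socket path."""
    if isinstance(target, tuple):
        family = socket.AF_INET6 if ":" in target[0] else socket.AF_INET
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.sendto(datagram, target)
    else:  # e.g. "/dev/log", where rsyslog's imuxsock listens (Linux)
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
            s.sendto(datagram, target)


def loopback_roundtrip(facility="local5", severity="info"):
    """Send to ourselves on 127.0.0.1 and decode what arrives (works offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))          # ephemeral port, like a test collector
        rx.settimeout(2)
        msg = encode(facility, severity, "php_test", "login failed for alice",
                     pid=4242, when=1425168000)   # constructed sample
        send(msg, rx.getsockname())
        return decode(rx.recv(2048))


if __name__ == "__main__":
    print(encode("local5", "info", "php_test", "login failed for alice", pid=4242))
    print(loopback_roundtrip())
```

Note that the hostname and TAG fields are plain text chosen by the sender; a collector listening on UDP cannot verify either, which is why sender-derived properties need sanitising before they are used in file paths and why TCP with TLS is preferred between hosts.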
