How to build rsyslog Log Server

2025-04-06 Update. From: SLTechnology News&Howtos (Shulou), Servers

Shulou (Shulou.com) 06/01 Report

The editor shares how to build an rsyslog log server. Most people know little about it, so this article is offered for your reference; I hope you learn a lot from reading it. Let's get to know it!

Environment configuration

CentOS 7 client (client1): 192.168.91.17

CentOS 7 server (master): 192.168.91.18

Rsyslog client configuration

1. Install rsyslog

yum install rsyslog

2. Forward logs to the server over UDP

Edit /etc/rsyslog.conf on the client. The client only sends; it does not need to receive, so the imudp/imtcp "reception" lines can stay commented out here (they belong on the server, where opening them is covered below). Add a forwarding rule at the end of the RULES section, pointing at the master defined in the environment above:

# forward all facilities and priorities to the central server; 514 is the standard syslog port
*.* @192.168.91.18:514
# a single @ sends over UDP; use @@ for TCP once the server has imtcp enabled

3. Restart the rsyslog service

systemctl restart rsyslog

Rsyslog server configuration

1. Enable UDP (and optionally TCP) reception

Edit /etc/rsyslog.conf on the server and uncomment the reception lines in the MODULES section:

# Provides UDP syslog reception
# uncomment the following two lines to receive over UDP
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
# uncomment the following two lines to receive over TCP (clients then forward with @@)
#$ModLoad imtcp
#$InputTCPServerRun 514

Allow UDP 514 (and TCP 514 if enabled) through the server firewall from the client network only. Plain syslog is neither authenticated nor encrypted, and a UDP source address is trivially forged, so do not expose this listener beyond the management network; prefer TCP when the attribution of a message to a host matters.

2. Restart the rsyslog service

systemctl restart rsyslog

Test whether the client's system log reaches the server

1. Follow the system log on the server side

tail -f /var/log/messages

(tailf, used by many CentOS 7 guides, still works there but has been removed from newer util-linux releases; tail -f is the portable form.)

2. Generate a test message on the client with logger, then check the server output to confirm the message arrived over the network

logger "rsyslog test"

Building a central log server with rsyslog

By default, a received message is written to the same log file it would go to locally on the server. A client's secure-log entry, for example, lands in /var/log/secure on the server, so every message is written once on the client and once more on the server, mixed in with the server's own entries.

We refine the server's log configuration by working through the following three questions.

Question 1: a forwarded message carries the client's hostname in the host field. That is fine when reading logs on the client itself, but once logs from many machines converge on one server, how do we tell which machine sent a given line? The hostname is whatever the sender put in the packet and need not be unique, whereas the source IP is taken from the connection by the server, so recording the IP is the better choice. Set it up as follows.

You need to modify the log template configuration on the server side:

# GLOBAL DIRECTIVES
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %syslogtag%%msg%\n"
$ActionFileDefaultTemplate myFormat

After restarting the rsyslog service, the host field of each line shows the client's IP address instead of its hostname.

Question 2: the messages the server receives are scattered across its local log files. Can they instead be stored per client in a dedicated directory?

UDP reception is already enabled in /etc/rsyslog.conf from the server setup above, so do not load imudp a second time. To avoid further edits to the main file, create a new file /etc/rsyslog.d/default.conf with the template and rule below. The stock CentOS 7 rsyslog.conf includes /etc/rsyslog.d/*.conf through $IncludeConfig in its GLOBAL DIRECTIVES section, before the RULES section, so these rules see remote messages first:

# GLOBAL DIRECTIVES
# use the custom format instead of the default timestamp format
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %syslogtag%%msg%\n"
$ActionFileDefaultTemplate myFormat

# store each client's logs in its own directory, named by client IP, one file per day
# (rsyslog creates missing directories because omfile's $CreateDirs is on by default;
#  create /var/log/rsyslog by hand if you have turned that off)
$template RemoteLogs,"/var/log/rsyslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
# record only remote hosts: messages whose source is the server itself are left alone
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
# discard the remote message after writing it so it is not also written to the local log files
# (& ~ is the legacy syntax; rsyslog 7 and later accept & stop as the equivalent)
& ~

With this custom template, the logs of each client IP are stored in their own directory, and the server's own logs are no longer mixed with them.
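As an added example (not part of the original article and not rsyslog's own code), the following Python script reproduces the path a message takes in the setup above: it builds the RFC 3164 datagram that logger puts on the wire, receives it over UDP on loopback, decodes the <PRI> header, renders the myFormat line and the per-client RemoteLogs path, and applies the 127.0.0.1 filter. The hostnames, IPs and message text are constructed samples; the two template strings are the ones from this article.

```python
# Added example (not from the original article): a minimal RFC 3164 syslog
# sender and receiver over UDP on loopback, reproducing in plain Python what
# the rsyslog configuration above does. Hostname, facility/severity and tag
# come from inside the datagram (any sender can write anything there), while
# %fromhost-ip% is the UDP source address taken from the socket, which is why
# the article switches the host field to the IP. An ephemeral port is used
# instead of 514 so the script runs without root.
import socket
import time

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 9: "cron", 10: "authpriv", 16: "local0"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def build_packet(facility, severity, hostname, tag, msg, ts=None):
    """Build an RFC 3164 datagram: <PRI>TIMESTAMP HOSTNAME TAG: MSG.
    PRI = facility * 8 + severity; user.notice, which logger sends by default, is 13."""
    if ts is None:
        ts = time.strftime("%b %d %H:%M:%S")  # RFC 3164 "Mmm dd hh:mm:ss", 15 chars
    return f"<{facility * 8 + severity}>{ts} {hostname} {tag}: {msg}".encode()


def parse_packet(data, fromhost_ip):
    """Parse a datagram into a record. fromhost_ip is the socket's source address,
    not a field of the packet, matching rsyslog's %fromhost-ip% property."""
    text = data.decode("utf-8", errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing <PRI> header")
    pri_str, rest = text[1:].split(">", 1)
    pri = int(pri_str)
    timestamp, rest = rest[:15], rest[16:]      # fixed-width timestamp, then one space
    hostname, tagmsg = rest.split(" ", 1)       # hostname is sender-supplied text
    tag, _, msg = tagmsg.partition(":")
    return {
        "facility": FACILITIES.get(pri >> 3, str(pri >> 3)),
        "severity": SEVERITIES[pri & 7],
        "timestamp": timestamp,
        "hostname": hostname,
        "fromhost_ip": fromhost_ip,
        "tag": tag,
        "msg": msg.lstrip(),
    }


def format_line(record):
    """rsyslog template myFormat: %timestamp% %fromhost-ip% %syslogtag%%msg%"""
    return f"{record['timestamp']} {record['fromhost_ip']} {record['tag']}: {record['msg']}"


def remote_log_path(record, year, month, day):
    """rsyslog template RemoteLogs:
    /var/log/rsyslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"""
    ip = record["fromhost_ip"]
    return f"/var/log/rsyslog/{ip}/{ip}_{year:04d}-{month:02d}-{day:02d}.log"


def accept_remote(record):
    """Filter ':fromhost-ip, !isequal, "127.0.0.1"': only remote senders are stored."""
    return record["fromhost_ip"] != "127.0.0.1"


def roundtrip(packet):
    """Deliver one datagram to a receiver bound on loopback and parse it the way a
    syslog server would, attributing it to the real UDP source address."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))   # port 0 = ephemeral; a real server binds UDP 514
        rx.settimeout(2.0)
        tx.sendto(packet, rx.getsockname())
        data, (src_ip, _src_port) = rx.recvfrom(65535)
    finally:
        tx.close()
        rx.close()
    return parse_packet(data, src_ip)


if __name__ == "__main__":
    # Constructed sample: what `logger "rsyslog test"` run as root on client1 puts on the wire.
    wire = build_packet(1, 5, "client1", "root", "rsyslog test", ts="Apr 06 12:00:00")
    rec = parse_packet(wire, "192.168.91.17")    # as if received from client1
    print(format_line(rec))
    print(remote_log_path(rec, 2025, 4, 6))
    # The same bytes sent over loopback: the packet still claims "client1", but the
    # source address is 127.0.0.1, so the server's filter treats it as local.
    local = roundtrip(wire)
    print(local["hostname"], local["fromhost_ip"], "stored:", accept_remote(local))
```

The takeaway: hostname, tag and priority are whatever the sender wrote, and over UDP even the source address can be forged, so the per-IP directory layout records where a datagram claims to come from at the network layer, nothing more. Where that attribution has to be trusted, switch the client to @@ (TCP, with imtcp on the server) and restrict port 514 to the management network.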

Question 3:

rsyslog is configured to write to a custom path such as /data/rsyslog; the directory permissions are correct, yet the logs are not written. Why?

On CentOS 7 the cause is SELinux: the rsyslog policy allows writes to locations labelled var_log_t (such as /var/log), and a directory under /data does not carry that label, so the writes are denied; the denials appear as AVC records in /var/log/audit/audit.log. The fix this article uses is to turn SELinux off. That does make the writes succeed, but it removes the confinement for every service on the host; the better fix is to keep SELinux enforcing and assign /data/rsyslog the var_log_t file context (add the rule with semanage fcontext, then apply it with restorecon). If you nevertheless choose to disable SELinux:

Temporarily (permissive mode until the next reboot):

setenforce 0

Permanently: edit /etc/selinux/config and set SELINUX=disabled (note the spelling; "disable" is not a valid value), then reboot.

That is all the content of "How to build an rsyslog log server". Thank you for reading! I believe we now have a basic understanding of the topic; I hope the content shared here helps you, and if you want to learn more, you are welcome to follow the industry information channel!


© 2024 shulou.com SLNews company. All rights reserved.
