
How to install Syslog in Linux system

2025-04-02 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to install Syslog on a Linux system. It is intended as a practical reference and walks through the setup step by step.

Syslog, short for system logging, is a standard for delivering log messages over an Internet Protocol (TCP/IP) network. The term is used both for the actual syslog protocol and for the applications or libraries that submit syslog messages.

Syslog basics

When collecting logs through the syslog mechanism, there are three important things to consider:

facility level: what type of process to listen for
severity (priority) level: what level of log messages to collect
target: where to send or record log messages

Now let's take a closer look at how configuration is defined.

The facility level defines a method for classifying internal system processes. Some common facilities in Linux include:

auth: authentication related messages (when logging in)
cron: process or application scheduling related messages
daemon: daemon related messages (internal server)
kernel: kernel related messages
mail: internal mail server related messages
syslog: messages related to the syslog daemon itself
lpr: print service related messages
local0-local7: user-defined messages (local7 is commonly used by Cisco and Windows servers)

The severity (priority) levels have fixed standard abbreviations and assigned numbers, of which the number 7 has the highest level:

emerg: Emergency - 0
alert: Alerts - 1
crit: Critical - 2
err: Errors - 3
warn: Warnings - 4
notice: Notification - 5
info: Information - 6
debug: Debugging - 7

Finally, the target statement asks a syslog client to perform one of the following three tasks:

1. Save log messages to a local file;
2. Route the message to a remote syslog server over TCP/UDP;
3. Send it to a standard output, such as the console.

In rsyslog, the syslog configuration is structured according to the following pattern.

    [facility-level].[severity-level] [destination]

Configure Rsyslog in Linux

Now that we understand syslog, we can configure a Linux server as a central syslog server using rsyslog. We will also see how to configure a syslog client on a Windows system to send its internal logs to the syslog server.

Step 1: initialize system requirements

To set up the Linux host as a central log server, we need to create a separate /var partition and allocate enough disk space to it, or create a dedicated LVM volume group. This lets the syslog server absorb the growth caused by the cumulative collection of logs.

Step 2: enable the rsyslog daemon

The rsyslog daemon comes preinstalled on current Linux distributions, but is not started by default. To let the rsyslog daemon accept external messages, you need to edit its configuration file /etc/rsyslog.conf.

Open the file for editing, find the location of the following two lines, and uncomment by removing the # character at the beginning of the line.

    $ModLoad imudp
    $UDPServerRun 514

This allows the rsyslog daemon to accept log messages on UDP port 514. UDP is faster than TCP but does not offer the reliable data stream that TCP does. So if you need a reliable delivery mechanism, you can uncomment the following lines.

    $ModLoad imtcp
    $InputTCPServerRun 514

Note that TCP and UDP can both be enabled at the same time, so the daemon listens for TCP and UDP connections.
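A check to run after editing the file and before restarting the daemon: the script below (an added example, not part of the original article) lists which listeners the uncommented directives enable. The sample configuration is constructed, and the function name list_listeners is hypothetical.

```shell
#!/bin/sh
# Added example: list the network listeners that a legacy-format
# rsyslog.conf enables. Lines starting with '#' are comments and ignored.

# list_listeners FILE -> prints "udp PORT" / "tcp PORT", one per line.
# A run directive only counts if its input module is loaded as well.
list_listeners() {
  awk '
    /^[ \t]*#/ { next }                               # still commented out
    $1 == "$ModLoad" && $2 == "imudp" { udp_mod = 1 }
    $1 == "$ModLoad" && $2 == "imtcp" { tcp_mod = 1 }
    $1 == "$UDPServerRun"      { udp_port = $2 }
    $1 == "$InputTCPServerRun" { tcp_port = $2 }
    END {
      if (udp_mod && udp_port != "") print "udp", udp_port
      if (tcp_mod && tcp_port != "") print "tcp", tcp_port
    }
  ' "$1"
}

# Constructed sample: UDP enabled, TCP lines still commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
EOF
list_listeners "$sample"
rm -f "$sample"
```

On a real server, call list_listeners /etc/rsyslog.conf and compare the result with the ports you intend to expose.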

Step 3: create a log receiving template

In the next step, we need to create a template for the remote message and tell the rsyslog daemon how to log messages received from other client machines.

Use a text editor to open /etc/rsyslog.conf, and then append the following template before the GLOBAL DIRECTIVE block.

    $template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
    *.* ?RemoteLogs
    & ~

A brief explanation of the template: the $template RemoteLogs directive (where the "RemoteLogs" string can be any other descriptive name) causes the rsyslog daemon to write log messages to separate local log files under /var/log, where the log file name is built from the host name of the remote machine that sent the log and the name of the application that generated it. The second line means that we apply the RemoteLogs template to all received logs.

The symbol "& ~" indicates a redirection rule that tells the rsyslog daemon to stop further processing of the log message and not to write it locally. If the redirection rule is not used, all remote messages are written to the local log files in addition to the log files described above, which means that each log message is actually written twice. Another result of using this rule is that log messages from the syslog server itself will only appear in the dedicated files named after the host name of the machine.

If you want, you can also use the following pattern to apply a template directly to messages of a specific facility or severity level.

    [facility-level].[severity-level] ?RemoteLogs

For example:

Direct all internal user authentication messages, at every priority level, to the RemoteLogs template:

    authpriv.* ?RemoteLogs

Direct info-level logs generated by all system processes, except mail, user authentication, and cron messages, to the RemoteLogs template:

    *.info;mail.none;authpriv.none;cron.none ?RemoteLogs
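To see how such a selector is evaluated, the following added example (not from the original article, and not rsyslog's own code) models the matching rules for the selector *.info;mail.none;authpriv.none;cron.none. It is a simplified model that assumes no = or ! modifiers and no comma-separated facility lists; the function names and sample messages are constructed for illustration.

```shell
#!/bin/sh
# Added example: evaluate a syslog selector against one message's
# facility and severity (simplified model, see the assumptions above).

# Map a severity keyword to its numeric code (0 = emerg ... 7 = debug).
sev_num() {
  case $1 in
    emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
    warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
    *) return 1 ;;
  esac
}

# selector_matches SELECTOR FACILITY SEVERITY
# Exit status 0 = selected, 1 = not selected, 2 = unknown severity keyword.
selector_matches() {
  local rest part pfac psev msgn pn matched
  rest=$1
  matched=1
  msgn=$(sev_num "$3") || return 2
  while [ -n "$rest" ]; do
    part=${rest%%";"*}                     # next facility.severity pair
    case $rest in *";"*) rest=${rest#*";"} ;; *) rest= ;; esac
    pfac=${part%%.*}
    psev=${part#*.}
    # Skip pairs that name a different facility.
    [ "$pfac" = "*" ] || [ "$pfac" = "$2" ] || continue
    if [ "$psev" = "none" ]; then
      matched=1                            # .none removes the facility again
    elif [ "$psev" = "*" ]; then
      matched=0                            # every severity of this facility
    else
      pn=$(sev_num "$psev") || return 2
      # A plain severity selects that level and everything more severe,
      # i.e. every numeric code less than or equal to it.
      if [ "$msgn" -le "$pn" ]; then matched=0; fi
    fi
  done
  return "$matched"
}

# Constructed sample messages checked against the selector from the text.
SEL='*.info;mail.none;authpriv.none;cron.none'
for msg in daemon.info daemon.debug local7.crit mail.err authpriv.info; do
  if selector_matches "$SEL" "${msg%%.*}" "${msg#*.}"; then r=logged; else r=skipped; fi
  echo "$msg -> $r"
done
```

Pairs are applied left to right, so a later pair can override an earlier one; that is why the .none exclusions follow *.info in the selector.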

If we want to write all messages received from remote clients to a single file named after their IP address, we can use the following template. Here we give the template the name "IpTemplate".

    $template IpTemplate,"/var/log/%FROMHOST-IP%.log"
    *.* ?IpTemplate
    & ~

After we enable the rsyslog daemon and edit the configuration file, we need to restart the daemon.

In Debian, Ubuntu or CentOS/RHEL 6:

    $ sudo service rsyslog restart

In Fedora or CentOS/RHEL 7:

    $ sudo systemctl restart rsyslog

We can verify that the rsyslog daemon is working properly through the netstat command.

    $ sudo netstat -tulpn | grep rsyslog

An rsyslog daemon listening on the UDP port will produce output similar to the following.

    udp   0   0 0.0.0.0:514   0.0.0.0:*   551/rsyslogd
    udp6  0   0 :::514        :::*        551/rsyslogd

If the rsyslog daemon is listening on the TCP port, there should be output similar to the one shown below.

    tcp   0   0 0.0.0.0:514   0.0.0.0:*   LISTEN   1891/rsyslogd

Send Windows logs to a remote rsyslog server

To forward log messages from a Windows client to our rsyslog server, we need a syslog agent installed on Windows. There are many syslog agents that can run on Windows; here we use a free program, Datagram SyslogAgent.

After downloading and installing the syslog agent, you need to configure it to run as a service. Specify which protocol to use to send data, as well as the IP address and port of the remote rsyslog server, and finally specify the type of event log that should be transmitted, as shown below.

[Image: Configure a syslog server on Linux]

After we have done all this configuration, we can start the service and use the command line tool tail -f to view the log files on the central rsyslog server.
