2025-01-16 Update From: SLTechnology News&Howtos, Shulou (Shulou.com) 06/01 Report
This article shows how to build a syslog log server under Linux.
On Unix operating systems, syslog is widely used for system logging. Syslog messages can be written to a local file or sent over the network to a server that receives syslog. The receiving server can store the syslog messages of multiple devices in one place, or parse their contents and act on them accordingly. Common application scenarios are network management tools, security management systems and log audit systems.
Step 1: initialize system requirements
To set up a Linux host as a central log server, we need to create a separate /var partition and allocate enough disk space, or create a dedicated LVM volume group. This lets the syslog server absorb the potential growth caused by the cumulative collection of logs.
Step 2: enable the rsyslog daemon
The rsyslog daemon comes preinstalled on current Linux releases, but is not started by default. To enable the rsyslog daemon to accept external messages, you need to edit its configuration file /etc/rsyslog.conf.
Open the file for editing, find the following two lines, and uncomment them by removing the # character at the beginning of each line.
$ModLoad imudp
$UDPServerRun 514
This allows the rsyslog daemon to accept log messages on UDP port 514. UDP is faster than TCP but does not have the reliability of a data stream like TCP. So if you need a reliable delivery mechanism, you can uncomment the following lines.
$ModLoad imtcp
$InputTCPServerRun 514
Note that TCP and UDP can be in effect at the same time, so that the daemon listens for both TCP and UDP connections.
Step 3: create a log receiving template
In the next step, we need to create a template for remote messages and tell the rsyslog daemon how to log messages received from other client machines.
Use a text editor to open /etc/rsyslog.conf, and then append the following template before the GLOBAL DIRECTIVE block.
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~
A brief explanation of the template: the $template RemoteLogs directive (the "RemoteLogs" string can be any other descriptive name) causes the rsyslog daemon to write log messages to separate local log files under /var/log, where the log file name is built from the host name of the remote machine that sent the log and the name of the application that generated it. The second line means that we apply the RemoteLogs template to all received logs.
The symbol "& ~" indicates a redirection rule that tells the rsyslog daemon to stop further processing of the log message and not to write it locally. If the redirection rule is not used, all remote messages are written to the local log file in addition to the log file described above, which means that each log message is actually written twice. Another result of using this rule is that log messages from the syslog server itself will only be in dedicated files named after the machine's host name.
If you want, you can also use the following pattern to log messages with a new template for a specific facility or severity level only.
[facility-level].[severity-level] ?RemoteLogs
For example:
Apply the RemoteLogs template to all internal user authentication messages of every priority:
authpriv.* ?RemoteLogs
Apply the RemoteLogs template to info-level logs generated by all system processes, except mail, user authentication, and cron messages:
*.info,mail.none,authpriv.none,cron.none ?RemoteLogs
If we want to write all messages received from remote clients to a single file named after their IP address, we can use the following template. Here we give the template the name "IpTemplate".
$template IpTemplate,"/var/log/%FROMHOST-IP%.log"
*.* ?IpTemplate
& ~
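To see where the RemoteLogs and IpTemplate templates send a given message, the following added example (not part of the original article and not rsyslog's own parser) models the property substitution in Python. The sample messages, the addresses and the function names parse, expand and destinations are constructed for illustration, and the message parsing is a simplified reading of the classic RFC 3164 layout.

```python
import re

# Constructed samples: (sender IP seen on the socket, raw RFC 3164 message text).
SAMPLES = [
    ("192.0.2.10", "<86>Jan 16 10:00:01 web01 sshd[812]: Accepted publickey for deploy"),
    ("192.0.2.10", "<78>Jan 16 10:01:00 web01 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("192.0.2.20", "<38>Jan 16 10:02:13 db01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls"),
]
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock").split() + ["local%d" % i for i in range(8)]
SEVERITIES = "emerg alert crit err warning notice info debug".split()
# <PRI>TIMESTAMP HOSTNAME TAG[pid]: text
LINE = re.compile(r"<(\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d ([\w.-]+) ([^\s:\[]+)(?:\[\d+\])?: ?.*")

REMOTE_LOGS = "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"   # template from the article
IP_TEMPLATE = "/var/log/%FROMHOST-IP%.log"              # template from the article


def parse(sender_ip, raw):
    """Extract the properties the two templates reference from one message."""
    m = LINE.fullmatch(raw)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a valid RFC 3164 message: %r" % raw)
    pri = int(m.group(1))
    return {
        "FROMHOST-IP": sender_ip,      # comes from the network connection
        "HOSTNAME": m.group(2),        # comes from the message text itself
        "PROGRAMNAME": m.group(3),     # tag without the [pid] suffix
        "selector": "%s.%s" % (FACILITIES[pri >> 3], SEVERITIES[pri & 7]),
    }


def expand(template, props):
    """Substitute every %PROPERTY% placeholder in a file-name template."""
    return re.sub(r"%([A-Z-]+)%", lambda m: props[m.group(1)], template)


def destinations(samples=SAMPLES):
    """Return (facility.severity, RemoteLogs path, IpTemplate path) per message."""
    rows = []
    for ip, raw in samples:
        props = parse(ip, raw)
        rows.append((props["selector"], expand(REMOTE_LOGS, props), expand(IP_TEMPLATE, props)))
    return rows


if __name__ == "__main__":
    for row in destinations():
        print("%-14s %-26s %s" % row)
```

The three constructed messages come from two senders: under RemoteLogs they land in three files split by the host name and program named in the message, while under IpTemplate they land in two files split by source address.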
After we enable the rsyslog daemon and edit the configuration file, we need to restart the daemon.
In Debian, Ubuntu or CentOS/RHEL 6:
$ sudo service rsyslog restart
In Fedora or CentOS/RHEL 7:
$ sudo systemctl restart rsyslog
We can verify that the rsyslog daemon is working properly with the netstat command.
$ sudo netstat -tulpn | grep rsyslog
The rsyslog daemon working under the UDP listening port will have output similar to the following.
udp     0    0    0.0.0.0:514    0.0.0.0:*    551/rsyslogd
udp6    0    0    :::514         :::*         551/rsyslogd
If the rsyslog daemon is set on the TCP connection port, there should be output similar to the one shown below.
tcp     0    0    0.0.0.0:514    0.0.0.0:*    LISTEN    1891/rsyslogd
Sending Windows logs to a remote rsyslog server
To forward log messages from a Windows client to our rsyslog server, we need a Windows syslog agent installed. There are many syslog agents that can run on Windows; here we can use a free program, Datagram SyslogAgent.
After downloading and installing the syslog agent, you need to configure it to run as a service. Specify which protocol to use to send data, the IP address and port of the remote rsyslog server, and finally the types of event log that should be transmitted.
After we have done all this configuration, we can start the service and use the command line tool tail -f to view the log files on the central rsyslog server.