乐趣区

关于linux:Rsyslog

凋谢 snmp 协定端口


信息等级:1 info  2 notice  3 warning(warn)  4 err(error)  5 crit  6 alert  7 emerg(panic)      越到前面,越重大
两个非凡等级,debug(谬误检测等级)与 none(不须要登录等级),须要做谬误检测或者疏忽掉某些服务信息时应用“.”代表比符号前面更高的等级(含该等级 ) 都被记录。如:mail.info 代表只有是 mail 的信息,而且改信息等级高于 info(含 info),都会被记录下来。“.=“代表所须要的等级就是前面接的等级,其它不要“.!”代表不等于,即除该等级外的其余等级都记录

syslog 的日志文件只有被编辑过,就无奈记录,须要重新启动 rsyslog 服务

/etc/logrotate.conf 针对文件进行轮替操作

agent  
/etc/rsyslog.conf
<code>
$MaxMessageSize 128k
$ModLoad imuxsock
$ModLoad imklog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$ModLoad imudp
$UDPServerRun 514

$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0

$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

:msg,contains,"GET /daemon.php?tableid" ~

*.* @@10.1.100.11
</code>


log server

/etc/rsyslog.conf
<code>
$MaxMessageSize 128k
$ModLoad imuxsock.so
$ModLoad imklog.so
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0

$ModLoad imtcp
$InputTCPServerRun 514


:msg,contains,"GET /daemon.php?tableid" ~
:rawmsg,contains,"ASKMQ-WORKER 29" ~

# Standard System Services
$template DYNmessages,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/messages"
$template DYNsecure,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/secure"
$template DYNmaillog,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/maillog"
$template DYNcron,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/cron"
$template DYNspooler,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/spooler"
$template DYNboot,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/boot.log"
$template DYNiptables,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/iptables.log"
$template DYNaudit,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/audit.log"
$template DYNapache-access,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/apache-access.log"
$template DYNapache-error,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/apache-error.log"
$template DYNphp,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/php.log"
$template DYNredis,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/redis.log"
$template DYNnodejs,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/nodejs.log"


if $programname == 'apache-access' then ?DYNapache-access
&~
if $programname == 'apache-error' then ?DYNapache-error
&~
if $programname == 'audispd' then ?DYNaudit
&~
if $programname == 'php' then ?DYNphp
&~
if $programname == 'redis' then ?DYNredis
&~
if $programname == 'NodeJS' then ?DYNnodejs
&~
if $msg contains 'iptables:' then ?DYNiptables
&~


if $syslogseverity <= '6' and ($syslogfacility-text != 'mail' and $syslogfacility-text != 'authpriv' and $syslogfacility-text != 'cron') then ?DYNmessages

if $syslogfacility-text == 'authpriv' then ?DYNsecure

if $syslogfacility-text == 'mail' then -?DYNmaillog

if $syslogfacility-text == 'cron' then ?DYNcron

if ($syslogfacility-text == 'uucp' or $syslogfacility-text == 'news') and $syslogseverity-text == 'crit' then ?DYNspooler

if $syslogfacility-text == 'local7' then ?DYNboot
</code>
退出移动版