开放 snmp 协议端口
信息等级:1 info 2 notice 3 warning(warn) 4 err(error) 5 crit 6 alert 7 emerg(panic) 越靠后,越严重(这里的 1–7 只是排列序号,并非 syslog 协议中的数值编码;下文配置里的 $syslogseverity 使用协议数值,0 为 emerg,6 为 info,7 为 debug)
两个特殊等级:debug(错误检测等级)与 none(不需要记录的等级),需要做错误检测或者忽略掉某些服务信息时使用。“.”代表比符号后面的等级更高的等级(含该等级)都被记录。如:mail.info 代表只要是 mail 的信息,而且该信息等级高于 info(含 info),都会被记录下来。“.=”代表所需要的等级就是后面接的等级,其它不要。“.!”代表不等于,即除该等级外的其余等级都记录。
syslog 的日志文件只要被编辑过,就无法继续记录,需要重新启动 rsyslog 服务
/etc/logrotate.conf 针对文件进行轮替操作
agent
/etc/rsyslog.conf
<code>
# Agent-side rsyslog configuration: collects local messages and forwards all of
# them to the central log server over TCP.

# Largest message size accepted; placed before any input module is loaded.
$MaxMessageSize 128k
# Local inputs: the system log socket and the kernel log.
$ModLoad imuxsock
$ModLoad imklog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# NOTE(review): these two lines open a UDP syslog listener on port 514 on the
# agent itself. Forwarding does not need it; if no local device sends syslog to
# this host, remove them or firewall the port, since UDP syslog is
# unauthenticated and the source address is trivially spoofed.
$ModLoad imudp
$UDPServerRun 514
# An interval of 0 turns off rate limiting on the system log socket.
# NOTE(review): with no limit, one noisy or compromised local process can fill
# the spool and flood the central server -- confirm this is intended.
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
# Disk-assisted queue settings meant for the forwarding action, so messages are
# spooled locally while the log server is unreachable.
# NOTE(review): legacy $Action* directives attach to the next action that
# follows them. Depending on the rsyslog version, the discard rule below may
# count as that action, which would leave the forwarder without this queue --
# verify on the deployed version, or move the discard rule above the
# $ActionQueue* lines.
$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
# Discard any message whose text contains this request string, so it is never
# forwarded.
:msg,contains,"GET /daemon.php?tableid" ~
# Forward every facility and severity to the log server; "@@" selects TCP (a
# single "@" would be UDP). No port is given, so the default syslog port is used.
# NOTE(review): this is plain TCP with no TLS and no peer authentication, so
# authpriv and audit records cross the network readable and alterable in
# transit. Consider rsyslog's TLS netstream driver or a dedicated, protected
# management network.
*.* @@10.1.100.11
</code>
log server
/etc/rsyslog.conf
<code>
# Central log server rsyslog configuration: receives syslog over TCP port 514
# and writes per-day, per-host files under /var/log/LOGS/.

# Largest message size accepted; placed before any input module is loaded.
$MaxMessageSize 128k
# Local inputs: the system log socket and the kernel log.
$ModLoad imuxsock.so
$ModLoad imklog.so
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Rate limiting on the local system log socket is switched off (interval 0).
# These two settings concern the local socket, not the TCP listener below.
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
# TCP syslog listener on port 514.
# NOTE(review): no sender restriction and no TLS are configured in this file, so
# any host that can reach the port can write log entries and fill the disk.
# Limit the source addresses with a firewall and/or $AllowedSender, and consider
# the TLS netstream driver so senders are authenticated.
$ModLoad imtcp
$InputTCPServerRun 514
# Discard noise before any file rule sees it: messages containing this request
# string, and raw messages containing this worker tag.
:msg,contains,"GET /daemon.php?tableid" ~
:rawmsg,contains,"ASKMQ-WORKER 29" ~
# Standard System Services
# Dynamic file name templates: one file per year/month/day/hostname.
# NOTE(review): %HOSTNAME% is the hostname carried in the received message, so
# the sender chooses the directory name and can write into another host's log
# tree by claiming its name. Consider keying the path on %FROMHOST-IP% and/or
# using the secpath-replace property option -- verify against the deployed
# rsyslog version.
# NOTE(review): files and directories are created with rsyslog's default
# creation modes; confirm $FileCreateMode / $DirCreateMode (or the umask) keep
# secure and audit.log from being world-readable.
$template DYNmessages,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/messages"
$template DYNsecure,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/secure"
$template DYNmaillog,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/maillog"
$template DYNcron,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/cron"
$template DYNspooler,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/spooler"
$template DYNboot,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/boot.log"
$template DYNiptables,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/iptables.log"
$template DYNaudit,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/audit.log"
$template DYNapache-access,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/apache-access.log"
$template DYNapache-error,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/apache-error.log"
$template DYNphp,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/php.log"
$template DYNredis,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/redis.log"
$template DYNnodejs,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/nodejs.log"
# Per-program rules. Each one writes the message to its dynamic file ("?" plus
# template name); the "&~" that follows applies a second action to the same
# match and discards the message, so the facility rules further down never see it.
# Rule order therefore matters.
if $programname == 'apache-access' then ?DYNapache-access
&~
if $programname == 'apache-error' then ?DYNapache-error
&~
# Audit records relayed through audispd.
if $programname == 'audispd' then ?DYNaudit
&~
if $programname == 'php' then ?DYNphp
&~
if $programname == 'redis' then ?DYNredis
&~
if $programname == 'NodeJS' then ?DYNnodejs
&~
# Matched on message text rather than program name.
if $msg contains 'iptables:' then ?DYNiptables
&~
# Facility-based rules for whatever is left. These are not followed by a
# discard, so one message can match more than one of them.
# Numeric severity 6 is info: info and more severe, except mail, authpriv and cron.
if $syslogseverity <= '6' and ($syslogfacility-text != 'mail' and $syslogfacility-text != 'authpriv' and $syslogfacility-text != 'cron') then ?DYNmessages
# Authentication and privilege messages.
if $syslogfacility-text == 'authpriv' then ?DYNsecure
# The leading "-" asks for the file not to be synced after each write.
if $syslogfacility-text == 'mail' then -?DYNmaillog
if $syslogfacility-text == 'cron' then ?DYNcron
# Only messages at exactly severity crit from uucp or news.
if ($syslogfacility-text == 'uucp' or $syslogfacility-text == 'news') and $syslogseverity-text == 'crit' then ?DYNspooler
if $syslogfacility-text == 'local7' then ?DYNboot
</code>