rsyslog配置以及原理

rsyslog

日志由程序产生，在内存中产生。通过Rsyslog来将内存中程序产生的日志持久化到硬盘，并且支持udp、tcp等协议来进行不同服务器的日志同步。

/var/log/messages:大多数系统日志信息纪录在此/var/log/secure：安全和身份认证相关的消息和错误的日志文件/var/log/maillog:与邮件服务器相关的日志文件/var/log/cron:与定时任务相关的日志文件/var/log/boot.log:与系统启动有关的日志文件pam：在linux中执行某些程序，这些程序在执行前要对启动它的用户进行认证，符合一定要求后才允许执行，例如login、su等，在linux中进行身份验证或是状态的验证程序由pam来进行。pam即可动态加载验证模块，因为可以按需要动态的对验证的内容进行变更，大大提高验证的灵活性。Linux-pam：是一套共享库，使本地系统管理员可以随意选择程序的认证方式。使用配置/etc/pam.d/下的文件来管理对程序的认证方式。应用程序调用相应的配置文件，从而调用本地的认证模块，模块放置在/lib/secureity下，以加载动态库的形式进行，像我们使用su命令时，系统提示你输入root用户的密码，这就是su命令通过调用PAM模块实现的。日志类型分为：auth：pam产生的日志authpriv：ssh，ftp等登陆信息的验证信息cron:时间任务相关kern：内核lpr：打印mail：邮件mark(syslog)-rsyslog:服务内部的信息，时间标识news:新闻组user：用户程序产生的相关信息uucp：unix to unix copy，unix主机之间相关的通讯local 1-7：自定义的日志设备日志级别：（由上到下，级别由低到高，记录信息越来越少）debug：有调试信息的，日志信息最多info:一般信息的日志，最常用notice：具有重要性的普通条件的信息warning：警告级别err：错误级别，阻止某个功能或者模块不能正常工作的信息crit：严重级别，阻止整个系统或者整个软件不能正常运行的信息alert：需要立刻修改的信息emerg：内核崩溃等严重信息none：什么都不记录

配置

test1 作为日志服务器收集日志
test4 作为客户端

test1配置

1.安装

yum install rsyslog -y

2.更改配置文件

vim /etc/rsyslog.conf
#这四行去掉注释
$ModLoad imudp          收集udp日志,并开启端口
$UDPServerRun 514$ModLoad imtcp          收集tcp日志，并开启端口
$InputTCPServerRun 514#添加$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat#表示收集的日志存放在/var/log/rsyslog/下，收集那个机器的日志就以那个机器ip命名
$template RemoteLogs,"/var/log/rsyslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"#不收集本机的日志
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
& ~

3.重启服务

systemctl restart rsyslog.service

2.test4客户端配置

1.安装

yum install rsyslog -y

2.配置

# 无论什么级别的日志都收集到 /var/log/messages*.*;mail.none;authpriv.none;cron.none                /var/log/messages#*.info;mail.none;authpriv.none;cron.none                /var/log/messages  只收集info以上的日志
#在最底部添加
*.* @@192.168.134.25:514  #@@两个代表收集tcp的日志    
*.* @192.168.134.25:514   #@代表收集udp的日志#192.168.206.25是日志服务器的地址

3.重启服务

systemctl restart rsyslog.service

3.测试

#此时再看服务端就有ip对应的日志
[root@test1 ~]# tail -f /var/log/rsyslog/192.168.134.28/192.168.134.28_2023-12-1
192.168.134.28_2023-12-11.log  192.168.134.28_2023-12-12.log

1.此时我们让test4的nginx报错

[root@test4 ~]# grep http  /etc/nginx/nginx.conf
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/
http ;{'$status $body_bytes_sent "$http_referer" '

2.重启nginx,此时test1服务端就有日志产生

[root@test1 ~]# tail -f /var/log/rsyslog/192.168.134.28/192.168.134.28_2023-12-1
192.168.134.28_2023-12-11.log  192.168.134.28_2023-12-12.log
[root@test1 ~]# tail -f /var/log/rsyslog/192.168.134.28/192.168.134.28_2023-12-12.log
Dec 12 08:56:49 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9285:162270604 (system bus name :1.1063, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 08:56:49 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9285:162270604 (system bus name :1.1063, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:01:01 test4 systemd[1]: Started Session 512 of user root.
Dec 12 09:01:01 test4 systemd[1]: Started Session 512 of user root.
Dec 12 09:01:01 test4 systemd: Started Session 512 of user root.
Dec 12 09:01:01 test4 systemd: Started Session 512 of user root.
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 systemd: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 systemd: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 nginx[9867]: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx[9867]: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 nginx: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx[9867]: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx[9867]: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 nginx: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 nginx: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 systemd[1]: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd[1]: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd[1]: nginx.service failed.
Dec 12 09:36:42 test4 systemd: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd: nginx.service failed.
Dec 12 09:36:42 test4 systemd[1]: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd[1]: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd[1]: nginx.service failed.
Dec 12 09:36:42 test4 systemd: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd: nginx.service failed.
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)