rsyslog
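Logs are produced by programs and originate in memory. Rsyslog persists the logs that programs generate in memory to disk, and it supports protocols such as UDP and TCP for synchronizing logs between servers.

/var/log/messages: most system log messages are recorded here
/var/log/secure: log file for security and authentication related messages and errors
/var/log/maillog: log file related to the mail server
/var/log/cron: log file related to scheduled tasks
/var/log/boot.log: log file related to system boot

PAM: On Linux, certain programs must authenticate the user who starts them before they run, and are only allowed to run once the requirements are met, for example login and su. On Linux this verification of identity or state is performed by PAM. PAM loads verification modules dynamically, so what is verified can be changed on demand, which greatly increases the flexibility of verification.

Linux-PAM: a set of shared libraries that lets the local system administrator freely choose how programs authenticate. The files under /etc/pam.d/ manage how each program authenticates. An application calls its configuration file, which in turn calls the local authentication modules. The modules are placed under /lib/security and are loaded as dynamic libraries. For example, when we use the su command and the system prompts for the root user's password, that is su calling PAM modules.

Log types:
auth: logs produced by PAM
authpriv: authentication information for logins via ssh, ftp, etc.
cron: scheduled tasks
kern: kernel
lpr: printing
mail: mail
mark (syslog) - rsyslog: internal service messages, time markers
news: newsgroups
user: messages produced by user programs
uucp: unix to unix copy, communication between Unix hosts
local 1-7: custom log facilities

Log levels (from top to bottom the level goes from low to high, and less and less information is recorded):
debug: debugging information, the most log output
info: general informational logs, the most commonly used
notice: normal conditions that are significant
warning: warning level
err: error level, messages about something that prevents a function or module from working properly
crit: critical level, messages about something that prevents the whole system or the whole software from running properly
alert: messages that require immediate correction
emerg: severe messages such as a kernel crash
none: record nothing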
Configuration
test1 acts as the log server that collects the logs
test4 acts as the client
test1 configuration
1. Install
yum install rsyslog -y
2. Edit the configuration file
vim /etc/rsyslog.conf
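# Uncomment these four lines (the two $ModLoad lines and the two ...ServerRun lines)
# Collect UDP logs and open the port
$ModLoad imudp
$UDPServerRun 514
# Collect TCP logs and open the port
$ModLoad imtcp
$InputTCPServerRun 514
# Add
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Collected logs are stored under /var/log/rsyslog/; each machine's logs are named after that machine's IP
$template RemoteLogs,"/var/log/rsyslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
# Do not collect this machine's own logs
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
& ~
3. Restart the service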
systemctl restart rsyslog.service
2. test4 client configuration
1. Install
yum install rsyslog -y
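2. Configure
# Collect logs of every level into /var/log/messages
*.*;mail.none;authpriv.none;cron.none /var/log/messages
# The commented-out variant below collects only logs at info level and above
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
# Add at the very bottom
# Two @ signs (@@) forward the logs over TCP
*.* @@192.168.134.25:514
# One @ sign forwards the logs over UDP
*.* @192.168.134.25:514
# 192.168.134.25 is the address of the log server
3. Restart the service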
systemctl restart rsyslog.service
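The selectors in the client configuration above, evaluated against sample messages. This is an added example, not part of the original post or of rsyslog's code: a simplified Python model of selector matching whose function names are made up for illustration. It shows that authpriv messages kept out of /var/log/messages by authpriv.none are still accepted by the `*.*` forwarding rule, so authentication records leave the host over the network.

```python
# Severity names, index 0 is the most severe (the page lists them the other way round).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def allowed_severities(selector, facility):
    """Return the set of severities a selector accepts for one facility.

    Simplified model of the classic selector syntax: facility[,facility].priority
    parts joined by ';' and applied left to right. Supports '*', 'none',
    'level' (that level and anything more severe) and '=level' (exactly that level).
    """
    allowed = set()
    for part in selector.split(";"):
        facilities, _, priority = part.strip().partition(".")
        names = facilities.split(",")
        if "*" not in names and facility not in names:
            continue  # this part does not mention the message's facility
        if priority == "none":
            allowed.clear()
        elif priority == "*":
            allowed.update(SEVERITIES)
        elif priority.startswith("="):
            allowed.add(priority[1:])
        else:
            cutoff = SEVERITIES.index(priority)
            allowed.update(SEVERITIES[: cutoff + 1])
    return allowed

def matches(selector, facility, severity):
    return severity in allowed_severities(selector, facility)

# Selectors taken from the client configuration on this page.
LOCAL_ALL = "*.*;mail.none;authpriv.none;cron.none"
LOCAL_INFO = "*.info;mail.none;authpriv.none;cron.none"
FORWARD = "*.*"

def route(facility, severity):
    """Report which of the page's three rules would accept this message."""
    return {
        "messages (*.*)": matches(LOCAL_ALL, facility, severity),
        "messages (*.info)": matches(LOCAL_INFO, facility, severity),
        "forwarded": matches(FORWARD, facility, severity),
    }

if __name__ == "__main__":
    for fac, sev in [("daemon", "debug"), ("daemon", "err"),
                     ("authpriv", "info"), ("cron", "info")]:
        print(fac, sev, route(fac, sev))
```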
3. Test
# The server now has logs under the corresponding IP
[root@test1 ~]# tail -f /var/log/rsyslog/192.168.134.28/192.168.134.28_2023-12-1
192.168.134.28_2023-12-11.log 192.168.134.28_2023-12-12.log
1. Now we make nginx on test4 report an error
[root@test4 ~]# grep http /etc/nginx/nginx.conf
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
http ;{
'$status $body_bytes_sent "$http_referer" '
2. Restart nginx; logs now appear on the test1 server
[root@test1 ~]# tail -f /var/log/rsyslog/192.168.134.28/192.168.134.28_2023-12-1
192.168.134.28_2023-12-11.log 192.168.134.28_2023-12-12.log
[root@test1 ~]# tail -f /var/log/rsyslog/192.168.134.28/192.168.134.28_2023-12-12.log
Dec 12 08:56:49 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9285:162270604 (system bus name :1.1063, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 08:56:49 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9285:162270604 (system bus name :1.1063, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:01:01 test4 systemd[1]: Started Session 512 of user root.
Dec 12 09:01:01 test4 systemd[1]: Started Session 512 of user root.
Dec 12 09:01:01 test4 systemd: Started Session 512 of user root.
Dec 12 09:01:01 test4 systemd: Started Session 512 of user root.
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
Dec 12 09:01:01 test4 CROND[9326]: (root) CMD (run-parts /etc/cron.hourly)
Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 polkitd[528]: Registered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Dec 12 09:36:42 test4 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 systemd: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 systemd: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 nginx[9867]: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx[9867]: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 nginx: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx[9867]: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx[9867]: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 nginx: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 nginx: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 12 09:36:42 test4 systemd[1]: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd[1]: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd[1]: nginx.service failed.
Dec 12 09:36:42 test4 systemd: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd: nginx.service failed.
Dec 12 09:36:42 test4 systemd[1]: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd[1]: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd[1]: nginx.service failed.
Dec 12 09:36:42 test4 systemd: nginx.service: control process exited, code=exited status=1
Dec 12 09:36:42 test4 systemd: Failed to start The nginx HTTP and reverse proxy server.
Dec 12 09:36:42 test4 systemd: Unit nginx.service entered failed state.
Dec 12 09:36:42 test4 systemd: nginx.service failed.
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Dec 12 09:36:42 test4 polkitd[528]: Unregistered Authentication Agent for unix-process:9860:162509910 (system bus name :1.1068, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
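In the output above every record arrives at least twice, because the client forwards each message over both TCP (@@) and UDP (@). The following is an added example, not part of the original post: a Python sketch that parses the collected file, collapses the repeated records, and lists the failure events. The function names and the failure keywords are assumptions chosen for illustration; the sample lines are copied from the output above.

```python
import re
from collections import Counter

# Traditional file format written by the server: "Mmm dd hh:mm:ss host tag[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# A few records copied from the collected log shown above.
SAMPLE = """\
Dec 12 09:36:42 test4 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 systemd: Starting The nginx HTTP and reverse proxy server...
Dec 12 09:36:42 test4 nginx[9867]: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 nginx[9867]: nginx: [emerg] directive "http" has no opening "{" in /etc/nginx/nginx.conf:17
Dec 12 09:36:42 test4 systemd[1]: nginx.service failed.
Dec 12 09:36:42 test4 systemd: nginx.service failed.
""".splitlines()

def parse(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def summarize(lines):
    """Return (unique_events, duplicate_count, failures) for the given lines."""
    seen = Counter()
    order = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not in the traditional format, skip
        # The pid is left out of the key so "nginx[9867]:" and "nginx:" collapse.
        key = (rec["ts"], rec["host"], rec["tag"], rec["msg"])
        if key not in seen:
            order.append(key)
        seen[key] += 1
    duplicates = sum(seen.values()) - len(order)
    failures = [k for k in order if "[emerg]" in k[3] or "failed" in k[3].lower()]
    return order, duplicates, failures

if __name__ == "__main__":
    events, dups, failures = summarize(SAMPLE)
    print(len(events), "unique events,", dups, "duplicates")
    for ts, host, tag, msg in failures:
        print(ts, host, tag, msg)
```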