Rsyslog配置及使用教程

1.Rsyslog介绍 Rsyslog is Rocket-fast System for Log processing.Rsyslog是CentOS6系列默认的日志处理软件。Rsyslog基于模块化设计，提供高性能，安全的日志处理系统。Rsyslog是多线程的，支持TCP,UDP,TLS,RELP.Rsyslog实际上syslog的一个增强版本。

2.安装Rsyslog

CentOS下默认已经安装了rsyslog 查看rsyslog运行状态

$service rsyslog status rsyslogd (pid  7542) is running...

$ ps -ef|grep rsyslog|grep -v grep root      1014    1  0  2014 ?        00:15:09 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5

这里-c 5 是在/etc/sysconfig/rsyslog中定义的 $ cat /etc/sysconfig/rsyslog  # Options for rsyslogd # Syslogd options are deprecated since rsyslog v3. # If you want to use them, switch to compatibility mode 2 by "-c 2" # See rsyslogd(8) for more details SYSLOGD_OPTIONS="-c 5"

3.配置rsyslog

rsyslog的配置文件/etc/rsyslog.conf # rsyslog v5 configuration file # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imklog  # provides kernel logging support (previously done by rklogd) #$ModLoad immark  # provides --MARK-- message capability # Provides UDP syslog reception #$ModLoad imudp #$UDPServerRun 514 # Provides TCP syslog reception #$ModLoad imtcp #$InputTCPServerRun 514 #### GLOBAL DIRECTIVES #### # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # File syncing capability is disabled by default. This feature is usually not required, # not useful and an extreme performance hit #$ActionFileEnableSync on # Include all config files in /etc/rsyslog.d/ $IncludeConfig /etc/rsyslog.d/*.conf #### RULES #### # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.*                                                /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none                /var/log/messages # The authpriv file has restricted access. authpriv.*                                              /var/log/secure # Log all the mail messages in one place. mail.*                                                  -/var/log/maillog # Log cron stuff cron.*                                                  /var/log/cron # Everybody gets emergency messages *.emerg                                                * # Save news errors of level crit and higher in a special file. uucp,news.crit                                          /var/log/spooler # Save boot messages also to boot.log local7.*                                                /var/log/boot.log # ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple # forwarding rules, duplicate the whole block! # Remote Logging (we use TCP for reliable delivery) # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. #$WorkDirectory /var/lib/rsyslog # where to place spool files #$ActionQueueFileName fwdRule1 # unique name prefix for spool files #$ActionQueueMaxDiskSpace 1g  # 1gb space limit (use as much as possible) #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown #$ActionQueueType LinkedList  # run asynchronously #$ActionResumeRetryCount -1    # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 # ### end of the forwarding rule ###

$ cat /etc/rsyslog.conf|grep -v -E "^#|^$" $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imklog  # provides kernel logging support (previously done by rklogd) $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $IncludeConfig /etc/rsyslog.d/*.conf *.info;mail.none;authpriv.none;cron.none                /var/log/messages authpriv.*                                              /var/log/secure mail.*                                                  -/var/log/maillog cron.*                                                  /var/log/cron *.emerg                                                * uucp,news.crit                                          /var/log/spooler local7.*                                                /var/log/boot.log

配置格式如下：

日志类型.日志级别              日志处理方式