Rsyslog

Tutorials 
 
 Remote Syslogging with rsyslog on Red Hat Enterprise Linux - Red Hat Customer Portal 
 Chapter 23. Viewing and Managing Log Files Red Hat Enterprise Linux 7 | Red Hat Customer Portal 
 The Definitive Guide to Centralized Logging with Syslog on Linux (devconnected.com) 
鳥哥私房菜 - Chapter 18: Understanding and Analyzing Log Files (vbird.org)
 
Common commands
# Validate the rsyslog configuration (exit status is non-zero on errors)
rsyslogd -N 2 -f /etc/rsyslog.conf

# Restart the rsyslog service
systemctl restart rsyslog
Integrating specific applications
Scenario 1: Writing to a log file
The application sends its messages through the syslog protocol, and the system should write them to a dedicated log file.
 /etc/rsyslog.d/myapp.conf 
# Save db2audit messages to /var/log/db2audit
# Test command:
# logger -t db2audit -p user.info "Hello, This is Test Message"
if $programname == 'db2audit' then action(type="omfile" file="/var/log/db2audit")
& stop
 
TIP: Without this conditional, i.e. with a plain user.* selector, messages from other, unrelated applications would be written to the same file.
 
Scenario 2: Reading a log file
The application already writes its own log file, whose content follows the standard syslog message format, and those entries also need to be forwarded to an external log server.
 /etc/rsyslog.d/myapp.conf 
$ModLoad imfile

# One input block per monitored file; every $InputFile* directive must come
# before the $InputRunFileMonitor that activates it
$InputFileName /app/your-file.log
$InputFileTag your-tag
$InputFileStateFile your-tag
$InputFileSeverity info
$InputFileFacility local7
$InputFilePersistStateInterval 1000
$InputRunFileMonitor

# Forward over TCP (@@); replace remote-rsyslog-server:port with your server
local7.* @@remote-rsyslog-server:port
Scenario 3: Filtering out unwanted log messages
The following messages should not appear in the system log (/var/log/messages):
 Jul 24 08:50:01 example.com systemd: Created slice user-0.slice.
Jul 24 08:50:01 example.com systemd: Starting Session 150 of user root.
Jul 24 08:50:01 example.com systemd: Started Session 150 of user root.
Jul 24 09:00:01 example.com systemd: Created slice user-0.slice.
Jul 24 09:00:02 example.com systemd: Starting Session 151 of user root.
Jul 24 09:00:02 example.com systemd: Started Session 151 of user root. 
 /etc/rsyslog.d/ignore-systemd-session-slice.conf  
if $programname == "systemd" and (
       $msg contains "Starting Session"
    or $msg contains "Started Session"
    or $msg contains "Created slice"
    or $msg contains "Starting user-"
    or $msg contains "Starting User Slice of"
    or $msg contains "Removed session"
    or $msg contains "Removed slice User Slice of"
    or $msg contains "Stopping User Slice of"
) then stop
 Central Log Server 
 Server Configuration 
 /etc/rsyslog.d/10-from-remote.conf 
# Store messages from remote hosts per host and program, and skip the
# local server's own messages so they are not written twice
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
if ($fromhost != "local-server-hostname") then ?RemoteLogs
& stop
 /etc/rsyslog.conf 
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
 Client Configuration 
 /etc/rsyslog.d/10-to-remote.conf 
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
# Use @@ for TCP, @ for UDP; the server above listens with imtcp, so use @@
*.* @@10.4.1.77:514;RSYSLOG_SyslogProtocol23Format
 Restrict access to the log server (on Server) 
 /etc/rsyslog.d/9-acl.conf 
# Only accept messages from the listed senders
# $AllowedSender <type>, ip[/bits], ip[/bits]
$AllowedSender TCP, 127.0.0.1, 10.15.9.31
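The following Python example is added here and is not from this page or from the rsyslog project; it emulates what the server-side configuration above does to one incoming line: the $AllowedSender ACL (ip or ip/bits), the RemoteLogs template, the local-host check, and the systemd filter from scenario 3, applied to constructed RSYSLOG_SyslogProtocol23Format (RFC 5424) messages. Hostnames, IPs and message texts are constructed sample values.

```python
import ipaddress
import re
# Constructed values mirroring 9-acl.conf and 10-from-remote.conf on this page
ALLOWED_SENDERS = ["127.0.0.1", "10.15.9.31"]          # $AllowedSender TCP, ...
LOCAL_HOSTNAME = "local-server-hostname"               # the $fromhost != ... check
REMOTE_LOGS_TEMPLATE = "/var/log/{hostname}/{programname}.log"
SYSTEMD_NOISE = ("Starting Session", "Started Session", "Created slice",
                 "Starting user-", "Starting User Slice of", "Removed session",
                 "Removed slice User Slice of", "Stopping User Slice of")
# One RFC 5424 line as produced by RSYSLOG_SyslogProtocol23Format:
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)

def sender_allowed(ip, allowed=ALLOWED_SENDERS):
    """Emulate $AllowedSender: each entry is an ip or an ip/bits network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(a, strict=False) for a in allowed)

def parse_rfc5424(line):
    """Split one RFC 5424 line into the fields rsyslog exposes as properties."""
    m = RFC5424.match(line)
    if m is None:
        return None
    pri = int(m["pri"])   # PRI = facility * 8 + severity
    return {"facility": pri // 8, "severity": pri % 8, "hostname": m["host"],
            "programname": m["app"], "msg": m["msg"]}

def is_systemd_noise(rec):
    """The ignore-systemd-session-slice.conf filter from scenario 3."""
    return rec["programname"] == "systemd" and any(s in rec["msg"] for s in SYSTEMD_NOISE)

def route(sender_ip, line):
    """Return the file the message would be written to, or None if it is dropped."""
    if not sender_allowed(sender_ip):        # rejected by the ACL
        return None
    rec = parse_rfc5424(line)
    if rec is None or rec["hostname"] == LOCAL_HOSTNAME or is_systemd_noise(rec):
        return None
    return REMOTE_LOGS_TEMPLATE.format(**rec)

if __name__ == "__main__":
    # Constructed sample lines: one accepted, one dropped as systemd noise
    for ip, line in [
        ("10.15.9.31", "<14>1 2020-07-24T08:50:01Z web01 db2audit - - - Hello, This is Test Message"),
        ("10.15.9.31", "<30>1 2020-07-24T08:50:01Z web01 systemd - - - Started Session 150 of user root."),
    ]:
        print(ip, "->", route(ip, line))
```

A message from an address outside the ACL, or one whose hostname equals the local server's, yields None just as the real server would discard it.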
 
 FAQ 
A log file stops receiving new entries for no apparent reason
Once a log file has been edited, rsyslog can no longer write to it; the rsyslog service must be restarted before writing resumes.
AIX: the source IP is not shown correctly when receiving syslog from an AIX host
Cause: when AIX syslog forwards to a remote log server, it prepends "Message forwarded by $hostname" to each message by default. To avoid this, start the syslogd service with the -n option.
 startsrc -s syslogd -a "-n"