Deploying the rsyslog log collection service on Linux: deployment notes (5)

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
$ModLoad imfile                               ## load the imfile module; this line is added manually

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages             ## do not log local5 messages here

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
user.info /var/log/history

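# Add the following lines at the bottom of the file
$InputFileName /data/nginx/logs/www.kevin.com-access.log        ## log file to read (the file being monitored)
$InputFileTag web_access             ## tag string attached to each log message
$InputFileSeverity info           ## log severity
$InputFileStateFile /etc/rsyslog.d/stat-access         ## records the read position and related state (comparable to MySQL's master.info).
## If the file name changes, this StateFile value must change as well, otherwise the log cannot be transmitted.
$InputFileFacility local5         ## facility
$InputFilePollInterval 1          ## interval for checking the log file (seconds)
$InputFilePersistStateInterval 1       ## interval for writing the offset back to the state file (seconds)
$InputRunFileMonitor                          ## activates reading; several groups of log inputs can be defined, and each group must end with this directive to take effect.
local5.* @192.168.10.52            ## send all severities of the local5 facility over UDP to 192.168.10.51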

Restart the rsyslog service
[root@nginx-server ~]# /etc/init.d/rsyslog restart
关闭系统日志记录器: [确定]
启动系统日志记录器: [确定]

Because this host is the log-pushing side, rsyslog does not need to open port 514 (as shown above, neither the UDP nor the TCP port 514 is enabled in rsyslog.conf)
[root@nginx-server ~]# lsof -i:514
[root@nginx-server ~]#
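
The imfile comments above state two constraints: each monitored file needs its own state file, and every group must end with $InputRunFileMonitor. The Python script below checks both before a restart and also flags rules that forward over UDP with a single @. It is an added example, not part of the original post; the function name lint_imfile and the second (error-log) group in the sample are hypothetical.

```python
import re

# Constructed input: the imfile group from this page, then a hypothetical
# second group that reuses the state file and is never activated.
SAMPLE_CONF = """\
$ModLoad imfile
$InputFileName /data/nginx/logs/www.kevin.com-access.log
$InputFileTag web_access
$InputFileStateFile /etc/rsyslog.d/stat-access
$InputFileFacility local5
$InputRunFileMonitor        ## activates the group above
$InputFileName /data/nginx/logs/www.kevin.com-error.log
$InputFileTag web_error
$InputFileStateFile /etc/rsyslog.d/stat-access
local5.* @192.168.10.52
"""

DIRECTIVE = re.compile(r"^\$(InputFile\w+|InputRunFileMonitor)\s*(\S*)")
FORWARD = re.compile(r"^\S+\s+(@@?)([^\s@]+)$")

def lint_imfile(conf):
    """Return findings for legacy-syntax imfile groups and forwarding rules."""
    findings, group, state_owner = [], {}, {}
    def close_group(lineno, activated):
        name = group.get("InputFileName")
        if name is None:
            return
        state = group.get("InputFileStateFile")
        if state and state_owner.setdefault(state, name) != name:
            findings.append(f"line {lineno}: state file {state} shared by "
                            f"{state_owner[state]} and {name}")
        if not activated:
            findings.append(f"line {lineno}: {name} has no $InputRunFileMonitor")
        group.clear()
    lineno = 0
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing ## comments
        m, fwd = DIRECTIVE.match(line), FORWARD.match(line)
        if m and m.group(1) == "InputRunFileMonitor":
            close_group(lineno, activated=True)
        elif m:
            if m.group(1) == "InputFileName":   # a new group starts here
                close_group(lineno, activated=False)
            group[m.group(1)] = m.group(2)
        elif fwd and fwd.group(1) == "@":
            findings.append(f"line {lineno}: forward to {fwd.group(2)} uses UDP "
                            "(single @); @@ selects TCP")
    close_group(lineno, activated=False)
    return findings
```

Calling lint_imfile(open("/etc/rsyslog.conf").read()) returns a list of findings; an empty list means the checks found nothing to flag.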
