Test environment
server: 10.0.0.100   client: 10.0.0.10
server:
1. Install rsyslog
yum -y install rsyslog
2. Configure rsyslog
[root@master log]# grep -vE '^$|^#' /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
# accept client connections on udp/514
$ModLoad imtcp
$InputTCPServerRun 514
# accept client connections on tcp/514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
## configuration added on the server: begin
# The RemoteLogs template stores client logs under /var/log/remote: the first level is a
# directory named year-month-day, and inside it each client gets a file named after its IP.
$template RemoteLogs,"/var/log/remote/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%.log"
# write every facility at every severity through that template
*.* ?RemoteLogs
# select the messages that did not originate on the server itself (127.0.0.1);
# the template name here must match the one defined above exactly
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
# "& ~" discards the messages matched by the preceding filter once they have been written,
# so client logs stop here and are not also written to the local files by the rules below
# (on rsyslog 7 and later, "& stop" is the non-deprecated spelling of the same action)
& ~
## configuration added on the server: end
$ActionFileEnableSync on
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
*.err /var/log/errors
$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
:programname, startswith, "spice-vdagent" /var/log/spice-vdagent.log;SpiceTmpl
authpriv.info /var/log/authpriv_info
*.info /var/log/info
auth.none /var/log/auth_none
Two things to be aware of in the added block. First, the unconditional `*.* ?RemoteLogs` line comes before the fromhost-ip filter, so the server's own messages are also written through the template (that is where the 127.0.0.1.log seen in the verification below comes from), and a client message that matches both lines is written to its file twice; keep only one of the two lines: the `*.*` line if you want the server's own logs in the same tree, or the fromhost-ip filter if you want client logs only. Second, both listeners accept plaintext, unauthenticated messages from any address, so restrict 514/udp and 514/tcp to the client network in the firewall and prefer the TCP transport: with UDP the source address that %fromhost-ip% uses to name the file can be spoofed.
If you want to customise the format in which client logs are stored, see the links at the bottom of this article.
3. Restart rsyslog
systemctl restart rsyslog
systemctl status rsyslog
Check that the rsyslog service is running:
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-11-23 10:16:38 CST; 35min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 9834 (rsyslogd)
Tasks: 10
CGroup: /system.slice/rsyslog.service
└─9834 /usr/sbin/rsyslogd -n
[root@master log]# netstat -anput|grep syslog
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 9834/rsyslogd
tcp6 0 0 :::514 :::* LISTEN 9834/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 9834/rsyslogd
udp6 0 0 :::514 :::* 9834/rsyslogd
rsyslog is listening on port 514 over both TCP and UDP (IPv4 and IPv6), so the server-side configuration is working.
client
1. Install rsyslog (as on the server: yum -y install rsyslog)
2. Configure rsyslog
Add one of the following two lines to /etc/rsyslog.conf, depending on the transport you want:
authpriv.* @10.0.0.100:514 # a single @ forwards over udp/514
authpriv.* @@10.0.0.100:514 # a double @@ forwards over tcp/514
Adjust the selector to whichever logs you want to ship; for this test only the authpriv facility (login-related messages) was forwarded.
3. Restart rsyslog (systemctl restart rsyslog)
Verification:
On the server, check whether the client's logs are being written under /var/log/remote:
[root@master /]# ls /var/log/remote
2021-11-23
[root@master /]# ls /var/log/remote/2021-11-23/
10.0.0.10.log  127.0.0.1.log
[root@master /]# cat /var/log/remote/2021-11-23/10.0.0.10.log
Nov 23 10:18:12 apache_0 sshd[1349]: pam_unix(sshd:session): session closed for user root
Nov 23 10:18:12 apache_0 sshd[1353]: pam_unix(sshd:session): session closed for user root
Nov 23 10:18:14 apache_0 sshd[1404]: Accepted password for root from 10.0.0.1 port 53252 ssh2
Nov 23 10:18:14 apache_0 sshd[1404]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 23 10:18:14 apache_0 sshd[1408]: Accepted password for root from 10.0.0.1 port 53253 ssh2
Nov 23 10:18:15 apache_0 sshd[1408]: pam_unix(sshd:session): session opened for user root by (uid=0)
[root@master /]#
The client's messages (hostname apache_0, source address 10.0.0.10) land in a file named after the client's IP, so the setup is complete and verified. The 127.0.0.1.log next to it holds the server's own messages, written by the unconditional `*.* ?RemoteLogs` rule.
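As an added example (not code from the original page or from rsyslog), the following Python script shows both ends of the setup described above: it builds the RFC 3164 datagram that the client's `authpriv.* @10.0.0.100:514` rule sends (and can forward it over UDP or TCP), computes the file the server's RemoteLogs template maps a message to, and parses a per-client log file in RSYSLOG_TraditionalFileFormat to count accepted SSH logins, using the same lines the verification step printed. The server address, the sample log lines and the helper names are assumptions chosen for illustration.

```python
# Added example, not code from the original page. It reproduces the two ends of the
# setup above: the RFC 3164 datagram that the client's "authpriv.* @10.0.0.100:514"
# rule emits, and a parser for the per-client file that the server's RemoteLogs
# template writes. The sample log lines are constructed from the verification output.
import re
import socket
from collections import Counter
from datetime import datetime

# Facility and severity codes from RFC 3164; PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
            "local0": 16, "local1": 17, "local2": 18, "local3": 19,
            "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Timestamp of the verification output, reused by the stand-alone run below.
SAMPLE_TIME = datetime(2021, 11, 23, 10, 18, 14)


def pri(facility, severity):
    """PRI value carried in the <N> prefix, e.g. authpriv.info -> <86>."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_rfc3164(facility, severity, hostname, tag, msg, when):
    """Build the BSD-syslog message rsyslog's default forwarding template sends:
    <PRI>Mmm dd HH:MM:SS HOSTNAME TAG: MSG  (the day is space-padded to width 2)."""
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{ts} {hostname} {tag}: {msg}".encode()


def forward(message, server="10.0.0.100", port=514, tcp=False):
    """Send one message the way '@' (UDP) or '@@' (TCP) would. The default server
    address is the one assumed in the page's test setup; not used by the offline run."""
    if tcp:
        with socket.create_connection((server, port), timeout=5) as s:
            s.sendall(message + b"\n")  # imtcp default framing: one message per line
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(message, (server, port))


def remote_log_path(fromhost_ip, when):
    """File the RemoteLogs template maps a message to. It is keyed on the peer IP
    seen on the socket, not on the HOSTNAME field inside the message."""
    return f"/var/log/remote/{when:%Y-%m-%d}/{fromhost_ip}.log"


# RSYSLOG_TraditionalFileFormat line: "Nov 23 10:18:14 apache_0 sshd[1404]: Accepted ..."
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")


def parse_line(line):
    """Split one stored line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def ssh_logins(lines):
    """Count accepted sshd logins per (user, source IP) across a remote log file."""
    logins = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prog"] != "sshd":
            continue
        hit = ACCEPTED_RE.match(rec["msg"])
        if hit:
            logins[(hit["user"], hit["src"])] += 1
    return logins


# Constructed sample: the lines the page's verification step showed in 10.0.0.10.log.
SAMPLE_LINES = [
    "Nov 23 10:18:12 apache_0 sshd[1349]: pam_unix(sshd:session): session closed for user root",
    "Nov 23 10:18:12 apache_0 sshd[1353]: pam_unix(sshd:session): session closed for user root",
    "Nov 23 10:18:14 apache_0 sshd[1404]: Accepted password for root from 10.0.0.1 port 53252 ssh2",
    "Nov 23 10:18:14 apache_0 sshd[1404]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Nov 23 10:18:14 apache_0 sshd[1408]: Accepted password for root from 10.0.0.1 port 53253 ssh2",
    "Nov 23 10:18:15 apache_0 sshd[1408]: pam_unix(sshd:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    print(build_rfc3164("authpriv", "info", "apache_0", "sshd[1404]",
                        "Accepted password for root from 10.0.0.1 port 53252 ssh2", SAMPLE_TIME))
    print(remote_log_path("10.0.0.10", SAMPLE_TIME))
    for (user, src), n in ssh_logins(SAMPLE_LINES).items():
        print(f"{n} password login(s) for {user} from {src}")
```

The `%fromhost-ip%` key in the server template is the peer address rsyslog saw on the socket, while the HOSTNAME field inside the message is whatever the sender put there, as `build_rfc3164` makes visible; that is why the file is named 10.0.0.10.log even though every line says apache_0. Over UDP even the peer address can be spoofed, so treat the per-client files as an inventory of what arrived, not as proof of origin.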
This article is reproduced from:
https://www.cnblogs.com/haimeng/p/10823699.html
https://www.tecmint.com/install-rsyslog-centralized-logging-in-centos-ubuntu/ (server/client communication)
http://c.biancheng.net/linux_tutorial/15/ (explains what the rsyslog service is)
https://www.freebuf.com/articles/es/246659.html (custom template example)
https://www.rsyslog.com/how-to-bind-a-template/ (official site)
