Installing RSYSLOG on Ubuntu 18


Author: 致维东明 | Published: 2020-04-13 20:19

    The background theory will be filled in later; installation comes first, to give a hands-on feel for the tool.

    1. Install RSYSLOG (Ubuntu 18 ships with RSYSLOG installed by default):
    sudo apt install rsyslog
    

    Check the version

    root@test3:/etc# rsyslogd -v
    rsyslogd 8.32.0, compiled with:
        PLATFORM:               x86_64-pc-linux-gnu
        PLATFORM (lsb_release -d):      
        FEATURE_REGEXP:             Yes
        GSSAPI Kerberos 5 support:      Yes
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:  Yes
        64bit Atomic operations supported:  Yes
        memory allocator:           system default
        Runtime Instrumentation (slow code):    No
        uuid support:               Yes
        systemd support:            Yes
        Number of Bits in RainerScript integers: 64
    
    See http://www.rsyslog.com for more information.
    

    Service status

    root@test3:/etc# systemctl status rsyslog.service
    ● rsyslog.service - System Logging Service
       Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor pres
       Active: active (running) since Mon 2020-04-13 20:18:54 CST; 3min 55s ago
         Docs: man:rsyslogd(8)
               http://www.rsyslog.com/doc/
     Main PID: 17633 (rsyslogd)
        Tasks: 4 (limit: 1108)
       CGroup: /system.slice/rsyslog.service
               └─17633 /usr/sbin/rsyslogd -n
    
    Apr 13 20:18:54 test3.xiem.com systemd[1]: Starting System Logging Service..
    Apr 13 20:18:54 test3.xiem.com systemd[1]: Started System Logging Service.
    Apr 13 20:18:54 test3.xiem.com rsyslogd[17633]: imuxsock: Acquired UNIX sock
    Apr 13 20:18:54 test3.xiem.com rsyslogd[17633]: rsyslogd's groupid changed t
    Apr 13 20:18:54 test3.xiem.com rsyslogd[17633]: rsyslogd's userid changed to
    Apr 13 20:18:54 test3.xiem.com rsyslogd[17633]:  [origin software="rsyslogd"
    
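    2. Centralized log server configuration

    RSYSLOG can run in standalone mode or in client/server (C/S) mode. In standalone mode, log messages are sent to the local RSYSLOG service, which records them in local storage (files, a MySQL database, and so on). In C/S mode, both the server and the client run an RSYSLOG process: the server must be configured with a listening port, and the client RSYSLOG must forward the logs it collects to the server (by default they are stored locally). The configuration is as follows: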

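    • Server
    vim /etc/rsyslog.conf
    
    #################
    #### MODULES ####
    #################
    
    # Enable the UDP listener
    module(load="imudp")
    input(type="imudp" port="514")
    
    # Enable the TCP listener
    module(load="imtcp")
    input(type="imtcp" port="514")
    
    # Optional: restrict access to specific subnets, IPs, etc.
    # This line covers TCP senders only; UDP senders take their own "$AllowedSender UDP, ..." line.
    # A /8 prefix matches every 10.x.x.x address; 10.10.10.0/24 would limit it to the 10.10.10.x subnet.
    $AllowedSender TCP, 127.0.0.1, 10.10.10.0/8, *.xiem.com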
    

    Create a template, which tells the RSYSLOG service how to parse and store the messages received from clients

    ###########################
    #### GLOBAL DIRECTIVES ####
    ###########################
    
    $PreserveFQDN on                                      # keep the FQDN in host names
    
    $template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log" 
    *.* ?remote-incoming-logs
    & ~
    
    1. %HOSTNAME%    host name of the client
    2. %PROGRAMNAME%  name of the application that generated the log message
    3. & ~  means the log message is stored only in the specified file
    

    Restart the service:

    systemctl restart rsyslog.service
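
    A check for the listener and `$AllowedSender` lines in the server configuration above, as an added example that is not from the original post: it reports which listeners have no allow-list for their protocol and which CIDR entries cover more than they appear to. `SERVER_CONF` is a constructed copy of those lines, `audit_server` is a hypothetical helper, and the check assumes rsyslog's documented legacy syntax `$AllowedSender <type>, ip[/bits], ...`.

```python
import ipaddress
import re

# Constructed sample: the listener and $AllowedSender lines from the server config.
SERVER_CONF = """
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
$AllowedSender TCP, 127.0.0.1, 10.10.10.0/8, *.xiem.com
"""

def audit_server(conf):
    """Return (protocols listening without an allow-list, over-wide CIDR entries)."""
    listeners, restricted, wide = set(), set(), []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        m = re.match(r'input\(.*type="im(udp|tcp)"', line)
        if m:
            listeners.add(m.group(1).upper())
            continue
        # Assumption: legacy syntax "$AllowedSender <type>, ip[/bits], ...",
        # where each list applies to one protocol type only.
        m = re.match(r"\$AllowedSender\s+(\w+)\s*,(.*)", line, re.I)
        if not m:
            continue
        restricted.add(m.group(1).upper())
        for entry in (e.strip() for e in m.group(2).split(",")):
            if "/" not in entry:
                continue                               # single IP or host name pattern
            net = ipaddress.ip_network(entry, strict=False)
            if str(net) != entry:                      # host bits set: real range is wider
                wide.append((entry, str(net), net.num_addresses))
    return sorted(listeners - restricted), wide

if __name__ == "__main__":
    open_protocols, wide_entries = audit_server(SERVER_CONF)
    for proto in open_protocols:
        print(f"{proto} listener accepts any sender (no $AllowedSender {proto} line)")
    for entry, net, count in wide_entries:
        print(f"{entry} covers {net}: {count} addresses allowed")
```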
    
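    • Client
    vim /etc/rsyslog.conf
    
    $PreserveFQDN on                                      # keep the FQDN in host names
    
    # Handling for when the server is offline: buffer messages locally.
    # These legacy $Action... directives apply to the next action defined after
    # them, so they are placed before the forwarding rule.
    $ActionQueueFileName queue
    $ActionQueueMaxDiskSpace 1g
    $ActionQueueSaveOnShutdown on
    $ActionQueueType LinkedList
    $ActionResumeRetryCount -1
    
    # Send messages over UDP
    *.* @10.10.10.162:514                                 # remote RSYSLOG server
    # or
    *.* @test2.xiem.com:514                              # remote RSYSLOG server
    
    # Send messages over TCP
    *.* @@10.10.10.162:514
    # or
    *.* @@test2.xiem.com:514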
    

    Note: choose only one of the TCP and UDP forwarding configurations above; if both are active, two identical copies of each message are sent to the server.

    Restart the service:

    systemctl restart rsyslog.service
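
    A check for two client-side pitfalls, the duplicate delivery described in the note above and buffering settings that are not attached to the forwarding rule, as an added example that is not from the original post. `CLIENT_CONF` is a constructed misconfigured sample, `audit_client` is a hypothetical helper, and it assumes that legacy `$Action...` directives bind to the next action defined after them.

```python
import re

# Constructed sample of a client config with both pitfalls present.
CLIENT_CONF = """
$PreserveFQDN on
*.* @10.10.10.162:514        # UDP forwarding
*.* @@10.10.10.162:514       # TCP forwarding
$ActionQueueFileName queue
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
"""

# Legacy forwarding rule: selector, "@" (UDP) or "@@" (TCP), host, optional port.
FWD_RE = re.compile(r"^(\S+)\s+(@@?)([^\s:]+)(?::(\d+))?$")

def audit_client(conf):
    """Return (targets forwarded over both protocols, actions with no queue
    settings in front of them, whether trailing $Action... settings are unused)."""
    seen, duplicates, unqueued = {}, [], []
    pending = False                      # $Action... settings waiting for an action
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("$Action"):
            pending = True
            continue
        m = FWD_RE.match(line)
        if not m:
            continue
        selector, at, host, port = m.groups()
        proto = "TCP" if at == "@@" else "UDP"
        key = (selector, host, port or "514")    # 514 is the default syslog port
        if seen.setdefault(key, proto) != proto:
            duplicates.append(key)               # same messages sent twice
        # Assumption: legacy $Action... directives bind to the next action only.
        if not pending:
            unqueued.append(f"{proto} {host}")
        pending = False
    return duplicates, unqueued, pending

if __name__ == "__main__":
    dups, unqueued, orphaned = audit_client(CLIENT_CONF)
    print("forwarded over both UDP and TCP:", dups)
    print("forwarding actions without queue settings:", unqueued)
    print("queue settings not followed by an action:", orphaned)
```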
    
    • End-to-end test
      After RSYSLOG is restarted on the client, the corresponding log entries appear on the server:
    root@test2:/etc/rsyslog.d# tail -100f /var/log/test3/rsyslogd.log
    2020-04-13T20:35:04+08:00 test3 rsyslogd:  [origin software="rsyslogd" swVersion="8.32.0" x-pid="17877" x-info="http://www.rsyslog.com"] exiting on signal 15.
    2020-04-13T20:35:04+08:00 test3 rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.32.0]
    2020-04-13T20:35:04+08:00 test3 rsyslogd: rsyslogd's groupid changed to 106
    2020-04-13T20:35:04+08:00 test3 rsyslogd: rsyslogd's userid changed to 102
    2020-04-13T20:35:04+08:00 test3 rsyslogd:  [origin software="rsyslogd" swVersion="8.32.0" x-pid="17896" x-info="http://www.rsyslog.com"] start
    2020-04-13T20:35:04+08:00 test3 rsyslogd:  [origin software="rsyslogd" swVersion="8.32.0" x-pid="17877" x-info="http://www.rsyslog.com"] exiting on signal 15.
    2020-04-13T20:35:04+08:00 test3 rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.32.0]
    2020-04-13T20:35:04+08:00 test3 rsyslogd: rsyslogd's groupid changed to 106
    2020-04-13T20:35:04+08:00 test3 rsyslogd: rsyslogd's userid changed to 102
    2020-04-13T20:35:04+08:00 test3 rsyslogd:  [origin software="rsyslogd" swVersion="8.32.0" x-pid="17896" x-info="http://www.rsyslog.com"] start
    
