centos7设置rsyslog日志服务集中服务器

centos7设置rsyslog日志服务集中服务器

环境：centos6.9_x86_64，自带的rsyslog版本是7.4.7，很多配置都不支持，于是进行升级后配置

# 安装新版本的rsyslog程序
wget http://rpms.adiscon.com/v8-stable/rsyslog.repo
mv rsyslog.repo /etc/yum.repos.d/rsyslog.repo
yum install rsyslog* --skip-broken

[root@:/etc]# rsyslogd -ver
rsyslogd 8.1907.0 (aka 2019.07) compiled with:
PLATFORM: x86_64-redhat-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
systemd support: Yes
Config file: /etc/rsyslog.conf
PID file: /var/run/syslogd.pid
Number of Bits in RainerScript integers: 64

See https://www.rsyslog.com for more information.

服务端的配置:

[root:/etc]# egrep -v '^#|^$' /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$DirCreateMode 0755
$FileCreateMode 0644
$Umask 0022
$IncludeConfig /etc/rsyslog.d/*.conf
$template slog, "%$year%%$month%%$day%%$hour%%$minute% %msg:R,ERE,3,DFLT:(SLOG|ALOG|BLOG)(_[a-zA-Z0-9]+)+\s(.*)--end%\n"
$template slogfile1, "/data/www/logs/%msg:R,ERE,1,DFLT:(SLOG|ALOG|BLOG)(_[A-Z0-9]+)+\s.*--end:lowercase%/%msg:R,ERE,2,DFLT:(SLOG|ALOG|BLOG)_([A-Z0-9]+)(_[a-zA-Z0-9]+)*\s.*--end:lowercase%/%msg:R,ERE,2,DFLT:(SLOG|ALOG|BLOG)_([A-Z0-9]+(_[a-zA-Z0-9]+)*)\s.*--end:lowercase%/%$year%%$month%%$day%%$hour%%$minute%.log"
$template slogfile2, "/data/www/logs/%msg:R,ERE,2,DFLT:(BLOG)_([A-Z0-9]+)(_[a-zA-Z0-9]+)*\s.*--end:lowercase%/%msg:R,ERE,3,DFLT:(BLOG)_([A-Z0-9]+)_([a-zA-Z0-9]+)*\s.*--end:lowercase%/%$year%%$month%%$day%.log"
:msg, ereregex, "(S|A|B)LOG(_[A-Z0-9]+)+ " ?slogfile2;slog
:msg, ereregex, "(S|A|B)LOG(_[A-Z0-9]+)+ " ~
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$MainMsgQueueDiscardMark 2000000
$MainMsgQueueHighWaterMark 1000000
$MainMsgQueueLowWaterMark 800000
$MainMsgQueueMaxDiskSpace 5g
$MainMsgQueueSize 8000000
$MainMsgQueueTimeoutEnqueue 0
$MainMsgQueueSaveOnShutdown on

# 客户端配置

[root@:~]# egrep -v '^#|^$' /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
# 服务端的ip地址
local7.* @172.17.0.36:514
*.* @@172.17.0.36:514

# 客户端测试：
[root@:~]# logger -t 'hello' 'jack'

# 服务端观察，看到测试日志说明配置成功
[root@:~]# tail -f /var/log/messages

Jul 19 00:01:28 eus_pe_web03 hello: jack