用rsyslog的缘由:
1.防止系统崩溃无法获取系统日志分享崩溃原因,用rsyslog可以把日志传输到远程的日志服务器上
2.使用rsyslog日志可以减轻系统压力,因为使用rsyslog可以有效减轻系统的磁盘IO
3.rsyslog使用tcp传输非常可靠,可以对日志进行过滤,提取出有效的日志,rsyslog是轻量级的日志软件,在大量日志写的情况下,系统负载基本上在0.1以下
一、安装前准备
1.下载rsyslog-5.6.2
2.准备两台机器(linux或者unix),一台客户端,一台服务端
服务端和客户端的安装步骤:
- #指定安装目录
- ./configure --prefix=/Application/rsyslog
- #编译
- make
- #安装
- make install
- #添加lib
- echo "/Application/rsyslog/lib/rsyslog" >> /etc/ld.so.conf
- #更新lib
- ldconfig
- #产生配置文件
- cp /etc/syslog.conf /etc/rsyslog.conf
#产生服务文件
vi /etc/init.d/rsyslog
- #!/bin/bash
- #
- # rsyslog Starts rsyslogd/rklogd.
- #
- #
- # chkconfig: - 12 88
- # description: Syslog is the facility by which many daemons use to log \
- # messages to various system log files. It is a good idea to always \
- # run rsyslog.
- ### BEGIN INIT INFO
- # Provides: $syslog
- # Required-Start: $local_fs $network $remote_fs
- # Required-Stop: $local_fs $network $remote_fs
- # Default-Stop: 0 1 2 3 4 5 6
- # Short-Description: Enhanced system logging and kernel message trapping daemons
- # Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
- # among others, MySQL, syslog/tcp, RFC 3195, permitted
- # sender lists, filtering on any message part, and fine
- # grain output format control.
- ### END INIT INFO
- # Source function library.
- basedir=/Application/rsyslog
- moddir=/Application/rsyslog/lib/rsyslog/
- rsyslogdfile=$basedir/sbin/rsyslogd
- . /etc/init.d/functions
- RETVAL=0
- start() {
- [ -x $rsyslogdfile ] || exit 5
- # Do not start rsyslog when sysklogd is running
- if [ -e /var/run/syslogd.pid ] ; then
- echo $"Shut down sysklogd before you run rsyslog";
- exit 1;
- fi
- # Source config
- if [ -f /etc/sysconfig/rsyslog ] ; then
- . /etc/sysconfig/rsyslog
- else
- SYSLOGD_OPTIONS="-M $moddir"
- fi
- if [ -z "$SYSLOG_UMASK" ] ; then
- SYSLOG_UMASK=077;
- fi
- umask $SYSLOG_UMASK
- echo -n $"Starting system logger: "
- daemon $rsyslogdfile $SYSLOGD_OPTIONS
- RETVAL=$?
- echo
- [ $RETVAL -eq 0 ] && touch /var/lock/subsys/rsyslog
- return $RETVAL
- }
- stop() {
- echo -n $"Shutting down system logger: "
- killproc $rsyslogdfile
- RETVAL=$?
- echo
- [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/rsyslog
- return $RETVAL
- }
- reload() {
- RETVAL=1
- syslog=`cat /var/run/rsyslogd.pid 2>/dev/null`
- echo -n "Reloading system logger..."
- if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
- kill -HUP "$syslog";
- RETVAL=$?
- fi
- if [ $RETVAL -ne 0 ]; then
- failure
- else
- success
- fi
- echo
- return $RETVAL
- }
- rhstatus() {
- status rsyslogd
- }
- restart() {
- stop
- start
- }
- case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- restart)
- restart
- ;;
- reload|force-reload)
- reload
- ;;
- status)
- rhstatus
- ;;
- condrestart)
- [ -f /var/lock/subsys/rsyslog ] && restart || :
- ;;
- *)
- echo $"Usage: $0 {start|stop|restart|reload|force-reload|condrestart}"
- exit 2
- esac
- exit $?
#启动服务
- #产生服务文件
- chmod +x /etc/init.d/rsyslog
- #启动前先把syslog停止
- service syslog stop
- service rsyslog start
#配置服务端
vi /etc/rsyslog.conf #在文件开始加上,同时确保514端口能够被客户端用tcp访问
- #指定日志文件的拥有者
- $FileOwner apache
- #使用tcp方式
- $ModLoad imtcp # needs to be done just once
- #tcp接收连接数为500个
- $InputTCPMaxSessions 500
- #tcp接收信息的端口
- $InputTCPServerRun 514
- #为信息加上日志时间
- $template logformat,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
- #定义的日志文件的名称,按照年月日
- $template DynFile,"/Application/sdns/log/%$year%%$month%%$day%.log"
- #把包含sdns_log标志的信息写到DynFile定义的日志文件里
- :rawmsg, contains, "sdns_log" ?DynFile;logformat
- #这个表示丢弃包含sdns_log标志的信息
- :rawmsg, contains, "sdns_log" ~
配置客户端
vi /etc/rsyslog.conf #在文件开始加上
- #把包含sdns_log的信息通过tcp发到192.168.1.2 @@表示tcp @表示udp
- :rawmsg, contains, "sdns_log" @@192.168.1.2
- #这个表示丢弃包含sdns_log标志的信息,防止这个信息写到本机的/var/log/message
- :rawmsg, contains, "sdns_log" ~
测试:
在客户端上执行
logger -p user.info "sdns_log 34334"
在服务端的/Application/sdns/log/目录里是否有日志产生
本文转自yifangyou 51CTO博客,原文链接:http://blog.51cto.com/yifangyou/609330,如需转载请自行联系原作者