Some log files are controlled by a daemon called rsyslogd.
Log files can also be managed by the journald daemon – a component of systemd.
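Step 1. A minimal CentOS 6.5 installation ships rsyslog 5.x by default.
To install the latest version, download the official rsyslog repo file http://rpms.adiscon.com/v8-stable/rsyslog.repo into /etc/yum.repos.d/ on the system.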
[root@192_168_174_68 ~]# yum info rsyslog
Available Packages
Name        : rsyslog
Arch        : x86_64
Version     : 5.8.10
Release     : 10.el6_6
Size        : 650 k
Repo        : base
Summary     : Enhanced system logging and kernel message trapping daemons
URL         : http://www.rsyslog.com/
License     : (GPLv3+ and ASL 2.0)
Description : Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
            : syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part,
            : and fine grain output format control. It is compatible with stock sysklogd
            : and can be used as a drop-in replacement. Rsyslog is simple to set up, with
            : advanced features suitable for enterprise-class, encryption-protected syslog
            : relay chains.
Step 2. Download the latest official repository file.
[root@192_168_174_68 ~]# wget http://rpms.adiscon.com/v8-stable/rsyslog.repo -O /etc/yum.repos.d/rsyslog.repo
2016-02-26 11:35:45 (29.7 MB/s) - “/etc/yum.repos.d/rsyslog.repo” saved [227/227]
[root@192_168_174_68 ~]# cat /etc/yum.repos.d/rsyslog.repo
[rsyslog_v8]
name=Adiscon CentOS-$releasever - local packages for $basearch
baseurl=http://rpms.adiscon.com/v8-stable/epel-$releasever/$basearch
enabled=1
gpgcheck=0
gpgkey=http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
protect=1
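The repo file shown above sets gpgcheck=0 and fetches both packages and the key over plain http, so yum installs whatever the mirror or the network path returns. The following is an added example, not part of the original walkthrough: a small shell audit that flags those settings and prints a copy with signature checking enforced. The function names audit_repo and enforce_gpgcheck and the inline sample file are constructed for illustration.

```shell
# audit_repo FILE: print "<section>: <problem>" for each weak setting found.
audit_repo() {
    awk '
        function report() {
            if (section == "" || enabled == "0") return   # disabled repos are unused
            if (gpgcheck == "0") print section ": gpgcheck=0, package signatures are not verified"
            if (baseurl ~ /^http:/) print section ": baseurl is plain http"
            if (gpgkey ~ /^http:/) print section ": gpgkey is fetched over plain http"
        }
        /^[ \t]*\[/ {                        # a new [section] begins
            report()
            section = $0; sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            gpgcheck = ""; baseurl = ""; gpgkey = ""; enabled = "1"
            next
        }
        /^[ \t]*[#;]/ { next }               # comment lines
        /=/ {                                # key=value lines
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            else if (key == "baseurl") baseurl = val
            else if (key == "gpgkey") gpgkey = val
            else if (key == "enabled") enabled = val
        }
        END { report() }
    ' "$1"
}

# enforce_gpgcheck FILE: corrected copy on stdout; the input file is not modified.
enforce_gpgcheck() {
    sed 's/^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0[[:space:]]*$/gpgcheck=1/' "$1"
}

# Constructed sample: the repo file contents as printed by cat above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[rsyslog_v8]
name=Adiscon CentOS-$releasever - local packages for $basearch
baseurl=http://rpms.adiscon.com/v8-stable/epel-$releasever/$basearch
enabled=1
gpgcheck=0
gpgkey=http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
protect=1
EOF
echo "--- as downloaded:"; audit_repo "$sample"
enforce_gpgcheck "$sample" > "$sample.fixed"
echo "--- with gpgcheck enforced:"; audit_repo "$sample.fixed"
rm -f "$sample" "$sample.fixed"
```

On a real host, import the key named in gpgkey with rpm --import and confirm its fingerprint through a separate channel before relying on gpgcheck=1.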
Step 3. Install the rsyslog package.
[root@192_168_174_68 ~]# yum install rsyslog
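Step 4. Back up the original configuration file, then edit it.
[root@192_168_174_68 ~]# cp -pv /etc/rsyslog.conf{,.orig}
`/etc/rsyslog.conf' -> `/etc/rsyslog.conf.orig'
[root@192_168_174_68 ~]# vim /etc/rsyslog.conf
Confirm that the following two lines are enabled: one provides unix socket logging, the other kernel logging.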
#### MODULES ####
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Enable UDP support.
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
# Add the custom templates at the end of the configuration file
$template TmplAuth, "/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.* ?TmplAuth
*.info,mail.none,authpriv.none,cron.none ?TmplMsg
The final configuration file is as follows:
[root@192_168_174_68 ~]# grep -E -v '^#|^$' /etc/rsyslog.conf
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$template TmplAuth, "/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.* ?TmplAuth
*.info,mail.none,authpriv.none,cron.none ?TmplMsg
Step 5. Add SYSLOGD_OPTIONS="" to /etc/sysconfig/rsyslog.
[root@192_168_174_68 ~]# cat /etc/sysconfig/rsyslog
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS=""
Step 6. Start the service.
[root@192_168_174_68 ~]# /etc/init.d/rsyslog start
Starting system logger:
Step 7. Create the log directory.
[root@192_168_174_68 ~]# mkdir -p /var/log/rsyslog_custom
Some notes on SELinux
Set SELinux rules for rsyslog
Some system administrators disable SELinux. If you want to keep SELinux enabled, use the commands given below (read this post in case the semanage command is not found):
semanage fcontext -a -t syslogd_exec_t /sbin/rsyslogd
restorecon /sbin/rsyslogd
/usr/sbin/semanage fcontext -a -t var_log_t "/var/log/rsyslog_custom(/.*)?"
/sbin/restorecon -R -v /var/log/rsyslog_custom
Step 8. Check the port listening status.
[root@192_168_174_68 ~]# netstat -naup |grep rsyslogd
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address    State    PID/Program name
udp        0      0 0.0.0.0:514      0.0.0.0:*                   1039/rsyslogd
udp        0      0 :::514           :::*                        1039/rsyslogd
Client:
Step 1. Install the software repository.
[root@S192-168-175-40 ~]# wget http://rpms.adiscon.com/v8-stable/rsyslog.repo -O /etc/yum.repos.d/rsyslog.repo
Step 2. Install the software.
[root@S192-168-175-40 ~]# yum install rsyslog
Step 3. Add the server IP.
[root@S192-168-175-40 ~]# vim /etc/rsyslog.conf
Add:
*.* @192.168.174.68:514
Step 4. Start the service.
[root@S192-168-175-40 ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [FAILED]
Starting system logger: [ OK ]
Step 5. On the server, check whether the client's /var/log/messages log matches what the server holds.
[root@192_168_174_68 rsyslog_custom]# pwd
/var/log/rsyslog_custom
[root@192_168_174_68 rsyslog_custom]# ll
total 8
drwx------ 2 root root 4096 Feb 26 13:27 192_168_174_68
drwx------ 2 root root 4096 Feb 26 13:34 S192-168-175-40
[root@192_168_174_68 S192-168-175-40]# ll
total 32
-rw------- 1 root root  2028 Feb 26 13:34 kernel.log
-rw------- 1 root root     0 Feb 26 13:34 rsyslogd.log
-rw------- 1 root root 20135 Feb 26 13:40 snmpd.log
-rw------- 1 root root    81 Feb 26 13:37 sshd.log
-rw------- 1 root root   728 Feb 26 13:39 xinetd.log
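The single @ in the client rule forwards over UDP, which gives no delivery guarantee, so the comparison in the last step is also a check for dropped messages. The following added example (not part of the original walkthrough) lists client lines that never reached the server's per-host directory. The function name missing_on_server and the sample log lines are constructed, and it assumes both hosts write RSYSLOG_TraditionalFileFormat with the same hostname so that relayed lines are byte-identical.

```shell
# missing_on_server CLIENT_LOG SERVER_HOST_DIR
# Prints every line of CLIENT_LOG that has no identical line in any *.log file
# under SERVER_HOST_DIR. Returns 0 when the comparison ran, 2 on bad arguments.
missing_on_server() {
    client_log=$1
    server_dir=$2
    [ -r "$client_log" ] && [ -d "$server_dir" ] || return 2
    received=$(mktemp) || return 2
    # Everything the server stored for this client, across all program files.
    # An empty directory leaves $received empty, so every line counts as missing.
    cat "$server_dir"/*.log > "$received" 2>/dev/null || :
    rc=0
    # -F literal strings, -x whole-line match, -v invert the match.
    grep -F -x -v -f "$received" "$client_log" || rc=$?
    rm -f "$received"
    [ "$rc" -le 1 ]    # grep exit status 1 only means "nothing missing"
}

# Constructed sample data standing in for the two hosts (not real log content).
work=$(mktemp -d)
mkdir "$work/S192-168-175-40"
printf '%s\n' \
    'Feb 26 13:34:02 S192-168-175-40 xinetd[1200]: constructed line A' \
    > "$work/S192-168-175-40/xinetd.log"
printf '%s\n' \
    'Feb 26 13:34:05 S192-168-175-40 snmpd[1300]: constructed line C' \
    > "$work/S192-168-175-40/snmpd.log"
# Copy of the client's /var/log/messages; line B was never received.
printf '%s\n' \
    'Feb 26 13:34:02 S192-168-175-40 xinetd[1200]: constructed line A' \
    'Feb 26 13:34:03 S192-168-175-40 xinetd[1200]: constructed line B' \
    'Feb 26 13:34:05 S192-168-175-40 snmpd[1300]: constructed line C' \
    > "$work/messages"
echo "client lines missing on the server:"
missing_on_server "$work/messages" "$work/S192-168-175-40"
rm -rf "$work"
```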