Rsyslog 8. Centralized logging
All good.
This month we finish the first stream of the “Linux Administrator” and launch the second one, which will now be noticeably reworked and strengthened by new teachers. One of them - Alexey Tsykunov , is sharing today with a small useful note.
Go.
')
There are several servers running programs that save logs to their directories.
It is necessary to centrally save all these logs in subdirectories by the name of servers, keeping the file names.
There is no opportunity to reconfigure programs for writing logs to syslog immediately.
Environment:
Both on the client and on the server it is necessary to update rsyslog to the latest version.
Rsyslog has the following standard modules:
Using them, the client and the server are configured:
On the server, I configured /etc/rsyslog.conf directly
As always, we are waiting for comments, questions here or you can look at the open lesson and torment the teachers there.
This month we finish the first stream of the “Linux Administrator” and launch the second one, which will now be noticeably reworked and strengthened by new teachers. One of them - Alexey Tsykunov , is sharing today with a small useful note.
Go.
')
Task
There are several servers running programs that save logs to their directories.
It is necessary to centrally save all these logs in subdirectories by the name of servers, keeping the file names.
There is no opportunity to reconfigure programs for writing logs to syslog immediately.
Environment:
- server - centos7
- client - centos6
Both on the client and on the server it is necessary to update rsyslog to the latest version.
cd /etc/yum.repos.d/ wget http://rpms.adiscon.com/v8-stable/rsyslog.repo yum update rsyslog Decision
Rsyslog has the following standard modules:
- imfile - read from file
- omfwd - redirection (for example, to the network)
- imtcp - read from the network by tcp
- omfile - write to file, inline module
Using them, the client and the server are configured:
On the client
module(load="imfile" mode="inotify") # template (name="LongTagForwardFormat" type="string" string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%$.suffix%%msg:::sp-if-no-1st-sp%%msg%") # ruleset(name="sendToLogserver") { action(type="omfwd" Target="192.168.1.1" Port="514" protocol="tcp" Template="LongTagForwardFormat") } # . input(type="imfile" File="/your_app_path_logs/log/*.log" tag="apptag__" ruleset="app_logs" addMetadata="on") # , ruleset(name="app_logs") { set $.suffix=re_extract($!metadata!filename, "(.*)/([^/]*)", 0, 2, "app.log"); call sendToLogserver } On server
On the server, I configured /etc/rsyslog.conf directly
# unix socket module(load="imuxsock") # journald module(load="imjournal") # module(load="imtcp" MaxSessions="500") # input(type="imtcp" port="514" ruleset="remote") # , template(name="RemoteHost" type="string" string="/opt/pabkss/%HOSTNAME%/%$.logpath%") # template(name="OnlyMsg" type="string" string="%msg:::drop-last-lf%\n") # ruleset(name="remote") { # , set $.logpath = replace($programname, "__", "/"); action(type="omfile" dynaFile="RemoteHost" template="OnlyMsg") } Emerging issues
- use single quotes
- if there are any errors in the syntax when restarting on the server, it displays the correct status, but in fact does not work. Be careful, spoils a lot of nerves.
systemctl restart rsyslog THE END
As always, we are waiting for comments, questions here or you can look at the open lesson and torment the teachers there.
Source: https://habr.com/ru/post/352682/
All Articles