The system version is CentOS Stream release 9.
rsyslog and logrotate are usually already installed on the system.
# rpm -qa | grep rsyslog
rsyslog-logrotate-8.2310.0-4.el9.x86_64
rsyslog-8.2310.0-4.el9.x86_64
rsyslog-gnutls-8.2310.0-4.el9.x86_64
rsyslog-gssapi-8.2310.0-4.el9.x86_64
rsyslog-relp-8.2310.0-4.el9.x86_64
rsyslog-mysql-8.2310.0-4.el9.x86_64
# rpm -qa | grep logrotate
logrotate-3.18.0-8.el9.x86_64
rsyslog-logrotate-8.2310.0-4.el9.x86_64
Newer rsyslog versions still accept the legacy (old-style) configuration syntax; my configuration is below.
cat /etc/rsyslog.conf | egrep -v "^#|^$"
global(workDirectory="/var/lib/rsyslog")
$template myformat,"%$NOW% %TIMESTAMP:8:15% %hostname% %syslogtag% %msg%\n"
$ActionFileDefaultTemplate myformat
module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
SysSock.Use="off") # Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
module(load="imjournal" # provides access to the systemd journal
UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from
FileCreateMode="0644" # Set the access permissions for the state file
StateFile="imjournal.state") # File to store the position in the journal
module(load="ommysql") # load once; a second legacy "$ModLoad ommysql" line is redundant and only triggers a module-already-loaded error
include(file="/etc/rsyslog.d/*.conf" mode="optional")
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
127.0.0.1.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
$template NetworkDevices,"/data/logs/network-devices/%FROMHOST-IP%.log"
*.* ?NetworkDevices
*.* :ommysql:127.0.0.1,Syslog,rsyslog,dbpasswd
Of these,
$template myformat,"%$NOW% %TIMESTAMP:8:15% %hostname% %syslogtag% %msg%\n"
$ActionFileDefaultTemplate myformat
the problem of the time forwarded by rsyslog being 8 hours off I never solved; the forwarded timestamp is in UTC, so the time simply differs by 8 hours. Since the record carries another time anyway, I skip this problem; as long as it works, that is good enough.
The following two lines receive the network device logs:
$template NetworkDevices,"/data/logs/network-devices/%FROMHOST-IP%.log"
*.* ?NetworkDevices
Also,
*.info;mail.none;authpriv.none;cron.none /var/log/messages
I changed to the following, to keep local7 logs out of the messages file:
127.0.0.1.info;mail.none;authpriv.none;cron.none /var/log/messages
I deleted the boot.log line; it has no use here.
Add a logrotate configuration under /etc/logrotate.d:
# cat network-devices
# Note that logs are not compressed unless "compress" is configured,
# which can be done either here or globally in /etc/logrotate.conf.
/data/logs/network-devices/*log {
daily
rotate 180
dateext
missingok
notifempty
sharedscripts
delaycompress
postrotate
/bin/systemctl reload rsyslog.service > /dev/null 2>/dev/null || true
endscript
}
The dateext parameter appends the date to the end of the rotated file name.
Verify manually:
cd /etc/logrotate.d
logrotate -f network-devices
Check the result.
Configure the firewall to send syslog to the log server. The firewall is a Huawei; the log facility is local7 and the volume is fairly large, around 20 GB a day, so logs are configured to be generated per day.
ELK and a database are not used because there are not many devices whose logs need to be centralized, and searching from the command line is faster.
For example:
cat 172.18.5.1.log | egrep "172.18.111.160" | more
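As an added example (not from the original post, rsyslog or the device vendor), a Python script that parses the per-device files produced by the myformat template above, reconciles the device's UTC time-of-day from %TIMESTAMP:8:15% with the server-local date from %$NOW% (assuming the devices stamp messages in UTC and the server runs at UTC+8), and performs the same lookup as the egrep command. The sample log lines, host name, tags and key=value fields are constructed for illustration.

```python
"""Parse per-device files written by the 'myformat' template above and
convert the device's UTC time-of-day to the server's local time (UTC+8)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of /data/logs/network-devices/172.18.5.1.log as produced by
# "%$NOW% %TIMESTAMP:8:15% %hostname% %syslogtag% %msg%\n". Host name, tags and
# key=value fields are invented for illustration, not captured device output.
SAMPLE_LOG = """\
2024-05-10 04:12:33 FW-CORE %%01SEC/4/POLICYDENY(l): srcip=172.18.111.160 dstip=10.0.0.5 dport=445 action=deny
2024-05-10 04:12:35 FW-CORE %%01SEC/6/POLICYPERMIT(l): srcip=172.18.20.7 dstip=10.0.0.9 dport=443 action=permit
2024-05-10 20:00:02 FW-CORE %%01SEC/4/POLICYDENY(l): srcip=172.18.111.160 dstip=10.0.0.5 dport=3389 action=deny
"""

LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
                     r"(?P<host>\S+) (?P<tag>\S+) (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

DEVICE_TZ = timezone.utc                 # assumption: the firewall stamps messages in UTC
LOCAL_TZ = timezone(timedelta(hours=8))  # assumption: the log server runs at UTC+8


def local_timestamp(date_str, time_str):
    """%$NOW% is the receiver's local date while %TIMESTAMP:8:15% is the device's
    UTC clock, so around midnight they belong to different days; reconcile them."""
    d = datetime.strptime(date_str, "%Y-%m-%d").date()
    t = datetime.strptime(time_str, "%H:%M:%S").time()
    local = datetime.combine(d, t, tzinfo=DEVICE_TZ).astimezone(LOCAL_TZ)
    if local.date() > d:      # UTC clock had not wrapped yet when the local date did
        local -= timedelta(days=1)
    elif local.date() < d:    # only reachable with a negative local offset
        local += timedelta(days=1)
    return local.strftime("%Y-%m-%d %H:%M:%S")


def parse_line(line):
    """Split one template line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"time": local_timestamp(m["date"], m["time"]), "host": m["host"], "tag": m["tag"]}
    rec.update(KV_RE.findall(m["msg"]))  # e.g. srcip=..., dport=...
    return rec


def search(text, needle):
    """Structured equivalent of the `egrep "172.18.111.160"` command shown above."""
    return [rec for line in text.splitlines()
            if needle in line and (rec := parse_line(line)) is not None]
```

Call `search(open("/data/logs/network-devices/172.18.5.1.log").read(), "172.18.111.160")` to run it over a real file; the returned dicts carry the corrected local time plus the parsed fields.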