rsyslog介绍
官方原文:RSYSLOG is the rocket-fast system for log processing.
rsyslog可以理解为是syslog的升级版。
主要的特点有:
- Multi-threading
- TCP, SSL, TLS, RELP
- MySQL, PostgreSQL, Oracle and more
- Filter any part of syslog message
- Fully configurable output format
- Suitable for enterprise-class relay chains
它的主要作用就是用来处理日志,是很多Linux发行版默认的系统日志系统。能够接收各种来源的日志,并做一定的处理,最终输出到目标位置(文件、es等);
rsyslog支持的日志源(左侧)和目标位置(右侧)的示意图如下(来自官方):
rsyslog的启动配置
先通过systemd查看服务状态,如下图:
可见启动命令是:/usr/sbin/rsyslogd -n -iNONE
启动配置文件位置是:/lib/systemd/system/rsyslog.service
[Unit]
Description=System Logging Service
Requires=syslog.socket
Documentation=man:rsyslogd(8)
Documentation=https://www.rsyslog.com/doc/
[Service]
Type=notify
ExecStart=/usr/sbin/rsyslogd -n -iNONE
StandardOutput=null
Restart=on-failure
# Increase the default a bit in order to allow many simultaneous
# files to be monitored, we might need a lot of fds.
LimitNOFILE=16384
[Install]
WantedBy=multi-user.target
Alias=syslog.service
根据配置文件可以看到:重启策略是失败重启。同时还设置了alias别名为syslog.service,这是为了保持兼容。
rsyslog配置文件说明
主配置文件的位置是:/etc/rsyslog.conf,内容如下:
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
由于rsyslog是模块化设计,因此可以通过配置文件中的#### MODULES ####部分来配置各模块的启用和具体配置。如imuxsock模块代表本地socket日志。imtcp和imudp分别代表tcp和udp协议的接收处理模块。
而#### GLOBAL DIRECTIVES ####部分则是定义了一些全局的配置。如配置日志文件的默认权限、workDirectory位置、其它配置文件的位置等。
rsyslog的日志规则配置
根据上面主配置文件可以知道rules定义在/etc/rsyslog.d/50-default.conf中。
首先说明rules的格式是: facility.priority Target
其中facility直译为设施设备,也即是日志源的意思。具体有哪些是提前约定好的,在后文会列出来。
priority:代表日志级别,如:emerg、alert、crit、err、warning、notice、info、debug;
Target:代表目标位置;
那么根据以上格式,可以看到含义也就很清楚了:通过facility.priority过滤选择出匹配的日志,然后输出到Target即可;
下面的规则文件是我本机(Ubuntu 20.04.1 LTS)的默认规则文件:
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info -/var/log/mail.info
#mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Some "catch-all" log files.
#
#*.=debug;
# auth,authpriv.none;
# news.none;mail.none -/var/log/debug
#*.=info;*.=notice;*.=warn;
# auth,authpriv.none;
# cron,daemon.none;
# mail,news.none -/var/log/messages
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;
# news.=crit;news.=err;news.=notice;
# *.=debug;*.=info;
# *.=notice;*.=warn /dev/tty8
根据以上规则文件我们知道:mail功能的所有日志都会写入到/var/log/mail.log,且mail功能的err级别日志会写入到/var/log/mail.err。
下面做一个简单的验证:执行以下2条命令,分别生成err和info日志:
logger -ip mail.err test-error-msg
logger -ip mail.info test-info-msg
可以看到mail.log文件记录所有(2条)日志,而mail.err文件只记录了err级别的日志。
以上介绍了rsyslog的作用和基础配置,当然rsyslog还支持的更多特性和功能,本文没有一一展开。
如果大家有需要可以在理解基本原理的基础上,进一步配置所需的功能。
参考资料:
- rsyslog新手指南:https://www.rsyslog.com/newbie-guide-to-rsyslog/
- 发消息到服务器:https://www.rsyslog.com/sending-messages-to-a-remote-syslog-server/
- 接收远程系统的消息:https://www.rsyslog.com/receiving-messages-from-a-remote-system/
- rsyslog与es:https://www.rsyslog.com/rsyslog-and-elasticsearch/
附:预定义的facility列表:
auth
authpriv for security information of a sensitive nature
cron
daemon
ftp
kern cannot be generated from userspace process, automatically converted to user
lpr
mail
news
syslog
user
uucp
local0
to
local7
security deprecated synonym for auth