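Introduction to rsyslog
rsyslog is an enhanced, multi-threaded syslogd. It offers high performance, excellent security features and a modular design. Although it is based on the conventional syslogd, rsyslog has evolved into a powerful tool that can:
- accept input from a wide variety of sources
- transform it
- output the results to different destinations
Porting rsyslog
Ported versions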
-rw-rw-r-- 1 bala bala 558K Oct 28 13:11 zlib-1.2.8.tar.gz
-rw-rw-r-- 1 bala bala 280K Oct 20 07:03 liblogging-1.0.5.tar.gz
-rw-rw-r-- 1 bala bala 311K Oct 19 13:57 libuuid-1.0.3.tar.gz
-rw-rw-r-- 1 bala bala 329K Oct 19 11:45 libestr-0.1.10.tar.gz
-rw-rw-r-- 1 bala bala 2.2M Oct 19 11:28 rsyslog-8.22.0.tar.gz
-rw-rw-r-- 1 bala bala 1.3M Oct 28 21:44 libfastjson-0.99.4.zip
libestr-0.1.10.tar.gz
libfastjson-0.99.4
libuuid-1.0.3.tar.gz
./configure \
CC=XXX-gcc \
--build=$(./config.guess) \
--host=x86_64-pc-linux && make && sudo make install
zlib-1.2.8.tar.gz
CC=XXX-gcc ./configure && make && sudo make install
liblogging-1.0.5.tar.gz
autoreconf -v --install
./configure \
CC=XXX-gcc \
--build=$(./config.guess) \
--disable-journal --disable-man-pages \
--host=x86_64-pc-linux && make && sudo make install
If the build fails with a malloc or realloc error like the one shown below, comment out the following definitions in config.h.in:
#undef malloc
#undef realloc
The error looks like this:
./.libs/liblogging-stdlog.so: undefined reference to `rpl_malloc'
collect2: error: ld returned 1 exit status
make[2]: *** [stdlogctl] Error 1
rsyslog-8.22.0.tar.gz
./configure \
CC=XXX-gcc \
--build=$(./config.guess) \
LIBS=-lm \
--disable-libgcrypt \
--enable-imfile --enable-imptcp --enable-omstdout \
--host=x86_64-pc-linux \
&& make && sudo make install
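rsyslog client-side configuration
The client has to take care of log transport reliability. If this is handled badly, you may lose logs in scenarios such as the following:
- If rsyslog is started before the TCP connection is established, every log generated before the connection comes up is lost.
- If the TCP connection drops and later recovers (for example, ifconfig eth0 down/up), the logs generated during that period are also lost.
The reliability measures taken are therefore:
- Enable the local data buffering mechanism recommended on the official site;
- Restart the rsyslog service once the connection is confirmed to be established.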
alex@cb:~$ cat rcS
(omitted)
# slave rsyslog
chmod +x /etc/run_rsyslog
./etc/run_rsyslog &
(omitted)
alex@cb:~$ cat run_rsyslog
#!/bin/sh
rsyslogd -f /etc/rsyslog.slave.conf -i /etc/rsyslogd.pid
while true
do
    # send a msg to check whether tcp connection is established.
    logger "running rsyslogd..."
    netstat -t 2>&1 | grep -e ":514[ ]*ESTABLISHED"
    if [ "$?" = "1" ]; then
        sleep 3
        continue
    fi
    kill -9 $(cat /etc/rsyslogd.pid)
    sleep 1
    rsyslogd -f /etc/rsyslog.slave.conf -i /etc/rsyslogd.pid
    logger "rsyslogd TCP connection ESTABLISHED."
    exit 0
done
alex@cb:~$ cat rsyslog.slave.conf
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)
#module(load="immark") # provides --MARK-- message capability
module(load="imfile")
input(type="imfile" File="/dev/util" Severity="info" Facility="local0" Tag="util")
input(type="imfile" File="/dev/usrdrvexc0" Severity="info" Facility="local1" Tag="usrdrvexc0")
input(type="imfile" File="/dev/usrdrvexc1" Severity="info" Facility="local2" Tag="usrdrvexc1")
input(type="imfile" File="/var/eip_svc_*.log" Severity="info" Facility="local3" Tag="subcard")
$template myFormat,"%TIMESTAMP:::date-rfc3164% %msg%\n"
$ActionFileDefaultTemplate myFormat
$WorkDirectory /var/lib/rsyslog # location of the queue (spool) files
$ActionQueueFileName fwdRule1 # file name prefix, also enables disk mode
$ActionQueueMaxFileSize 1m
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
$ActionQueueType LinkedList # use asynchronous processing
$ActionResumeRetryCount -1 # infinite retries if the server is unreachable
*.* @@168.0.31.1:514
rsyslog server-side configuration
alex@cb:~$ cat rcS
(omitted)
# log rotation
mkdir -p /var/spool/cron/crontabs
crond -l 20 -L /var/log/crond.log
chmod +x /usr/sbin/log_rotation
echo "* * * * * /usr/sbin/log_rotation" > /var/spool/cron/crontabs/root
# rsyslog
rsyslogd -f /etc/rsyslog.master.conf -i /etc/rsyslogd.pid
(omitted)
alex@cb:~$ cat rsyslog.master.conf
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
$template myFormat,"%TIMESTAMP:::date-rfc3164% %msg%\n"
$ActionFileDefaultTemplate myFormat
$template KlogFile,"/sysdisk0/run_log/util/dmesg-%FROMHOST%.log"
$template UserlogFile,"/sysdisk0/run_log/util/userlog-%FROMHOST%.log"
$template UtilFile,"/sysdisk0/run_log/util/util-%FROMHOST%.log"
$template Usrdrvexc0File,"/sysdisk0/run_log/util/usrdrvexc0-%FROMHOST%.log"
$template Usrdrvexc1File,"/sysdisk0/run_log/util/usrdrvexc1-%FROMHOST%.log"
$template SubcardFile,"/sysdisk0/run_log/util/subcard-%FROMHOST%.log"
kern.* ?KlogFile
local0.* ?UtilFile
local1.* ?Usrdrvexc0File
local2.* ?Usrdrvexc1File
local3.* ?SubcardFile
*.info;kern.none;local0.none;local1.none;local2.none;local3.none ?UserlogFile
Log rotation configuration
The official site provides a simple log rotation scheme:
# start log rotation via outchannel
# outchannel definition
$outchannel log_rotation,/var/log/log_rotation.log, 52428800,/home/me/./log_rotation_script
# activate the channel and log everything to it
*.* :omfile:$log_rotation
# end log rotation via outchannel
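This scheme can rotate log files that have fixed names, but its drawback is that it does not support files named by dynamic templates.
For files named by dynamic templates, one workable log rotation scheme is based on crond, as in the following example.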
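alex@cb:~$ cat log_rotation
#!/bin/sh
# -name patterns are used instead of -regex "(a|b)": the alternation syntax
# accepted by -regex differs between find implementations.
large_logs=`find /sysdisk0/run_log/util/ -type f -size +1024k \( -name 'subcard-*.log' -o -name 'usrdrvexc0-*.log' -o -name 'usrdrvexc1-*.log' -o -name 'userlog-*.log' -o -name 'util-*.log' \)`
for file in $large_logs; do
    mv -f "$file" "$file.1"
done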
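The cron script above keeps a single rotated copy per log, because every run overwrites the previous .1 file. The following added example (not from the original post) extends it to several generations and sends rsyslogd a SIGHUP after rotating. The function names and the KEEP and MAX_KB arguments are assumptions; the directory, the five file prefixes and the pid file path are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# KEEP / MAX_KB arguments are assumptions made for this sketch.

# rotate_one FILE KEEP: shift FILE.1..FILE.(KEEP-1) up by one generation,
# dropping the oldest, then move FILE to FILE.1.
rotate_one() {
    file=$1; keep=$2; i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$file.$prev" ]; then mv -f "$file.$prev" "$file.$i"; fi
        i=$prev
    done
    mv -f "$file" "$file.1"
}

# rotate_large_logs DIR MAX_KB KEEP PIDFILE
# Rotates each log in DIR with one of the page's five prefixes that is larger
# than MAX_KB KiB, then prints how many files were rotated.
rotate_large_logs() {
    dir=$1; max_kb=$2; keep=$3; pidfile=$4; count=0
    for f in "$dir"/subcard-*.log "$dir"/usrdrvexc0-*.log \
             "$dir"/usrdrvexc1-*.log "$dir"/userlog-*.log "$dir"/util-*.log; do
        [ -f "$f" ] || continue      # an unmatched glob stays literal
        bytes=$(wc -c < "$f")
        size_kb=$(( (bytes + 1023) / 1024 ))   # round up, like find -size
        [ "$size_kb" -gt "$max_kb" ] || continue
        rotate_one "$f" "$keep"
        count=$((count + 1))
    done
    # rsyslogd keeps its output files open, so after a rename it would go on
    # writing to FILE.1. SIGHUP makes it close them; the next message then
    # recreates FILE under its original name.
    if [ "$count" -gt 0 ] && [ -r "$pidfile" ]; then
        kill -HUP "$(cat "$pidfile")" 2>/dev/null || true
    fi
    echo "$count"
}

# From cron, with the paths used on this page (KEEP=5 is an assumption):
#   rotate_large_logs /sysdisk0/run_log/util 1024 5 /etc/rsyslogd.pid
```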
--EOF--