
Linux – rsyslog

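Starting with RHEL 6 and Ubuntu 11.04 (natty), /var/log/messages can no longer be found (RHEL 6 still keeps it), because the original syslog has been replaced by rsyslog.

As a result, these logs are now collected in /var/log/syslog. For RSYSLOG (rocket-fast system for log processing), see the official documentation.

RSYSLOG is basically an enhanced version of the syslog package.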

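  • Multi-threading
    Can log and forward up to one million messages per second, whether the data is local or remote.
  • TCP, SSL, TLS, RELP
    More secure transport
  • MySQL, PostgreSQL, Oracle and more
    MySQL and PostgreSQL databases can be used as the storage backend
  • Filter any part of syslog message
    Better filters for analyzing log records.
  • Fully configurable output format
    Supports user-defined log formats and can use
  • Suitable for enterprise-class relay chains
    Suitable for enterprise data

However, we can also edit the configuration file so that system messages are written to /var/log/messages and other logs.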

  • RHEL/CentOS 6/7
    Edit /etc/rsyslog.conf

    [root@localhost ~]$ vi /etc/rsyslog.conf 
    #### MODULES ####
    
    # The imjournal module below is now used as a message source instead of imuxsock.
    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imjournal # provides access to the systemd journal
    
    #### GLOBAL DIRECTIVES ####
    
    # Where to place auxiliary files
    $WorkDirectory /var/lib/rsyslog
    
    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    
    # File syncing capability is disabled by default. This feature is usually not required,
    # not useful and an extreme performance hit
    #$ActionFileEnableSync on
    
    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf
    
    # Turn off message reception via local log socket;
    # local messages are retrieved through imjournal now.
    $OmitLocalLogging on
    
    # File to store the position in the journal
    $IMJournalStateFile imjournal.state
    
    #### RULES ####
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages
    
    # The authpriv file has restricted access.
    authpriv.*                                              /var/log/secure
    
    # Log all the mail messages in one place.
    mail.*                                                  -/var/log/maillog
    
    # Log cron stuff
    cron.*                                                  /var/log/cron
    
    # Everybody gets emergency messages
    *.emerg                                                 :omusrmsg:*
    
    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                                          /var/log/spooler
    
    # Save boot messages also to boot.log
    local7.*                                                /var/log/boot.log
    

    The configuration works much like syslog – http://benjr.tw/22756

    After saving the changes, restart rsyslog

    # sudo /etc/init.d/rsyslog restart
    

    On systemd systems there is a tool, journalctl, that can filter and group entries as needed when reading the system logs; see http://benjr.tw/97011

  • Ubuntu
    Edit /etc/rsyslog.d/50-default.conf

    #sudo vi /etc/rsyslog.d/50-default.conf
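
The selectors in the RULES section of the rsyslog.conf above decide which file each message reaches. As an added example (not from the original post), this Python code models that matching for the page's own rules, so you can confirm, for instance, that authpriv messages reach only the restricted /var/log/secure. The function names are made up here, and the `!` prefix and rsyslog's newer filter syntaxes are not handled.

```python
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The RULES section from the page's /etc/rsyslog.conf (comments stripped).
RULES = """
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
"""

def selector_matches(selector, facility, severity):
    """Evaluate the ';'-separated parts left to right, as a per-facility mask."""
    level = SEVERITIES.index(severity)   # lower index = more severe
    matched = False
    for part in selector.split(";"):
        facilities, _, prio = part.rpartition(".")
        names = facilities.split(",")
        if "*" not in names and facility not in names:
            continue                     # this part does not concern our facility
        if prio == "none":               # e.g. authpriv.none: exclude the facility
            matched = False
        elif prio == "*":                # every severity
            matched = True
        elif prio.startswith("="):       # exactly this severity
            matched = matched or level == SEVERITIES.index(prio[1:])
        else:                            # this severity and anything more severe
            matched = matched or level <= SEVERITIES.index(prio)
    return matched

def destinations(facility, severity):
    """Return the actions (log files or targets) that would receive the message."""
    out = []
    for line in RULES.strip().splitlines():
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, severity):
            out.append(action.strip().lstrip("-"))  # leading '-' only disables sync
    return out

if __name__ == "__main__":
    for fac, sev in [("authpriv", "info"), ("daemon", "notice"), ("kern", "emerg")]:
        print(f"{fac}.{sev} -> {destinations(fac, sev)}")
```

On a live host the same check can be made by sending a test message with `logger -p authpriv.info` and confirming it shows up in /var/log/secure but not in /var/log/messages.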
    
