rsyslogd + graylog2 Log Management Setup (1)

## Why add rsyslogd at all?

The graylog2 web interface is a hundred times better than rsyslogd's CLI, and graylog2 supports many newer protocols. So why put rsyslogd in front of it?

syslog is a very old protocol, and the logs emitted by many devices are not standard-conforming; feeding them straight into graylog2 causes all kinds of problems. rsyslog is much more robust in this area, so rsyslog sits in front, normalises each device's syslog, and then forwards it to graylog2.

## Systems and software involved

- CentOS 6.2
- rsyslog 4.6.2
- graylog 0.9.6

## Installing rsyslogd

My system is CentOS 6.2, which already ships rsyslog, so nothing extra needs to be installed. Some additional configuration is required, though.

Since I only use rsyslogd to forward the logs sent by the devices to graylog2, I don't need the server's own local logs. But the rsyslogd version shipped with CentOS 6.2 is too old and does not support binding rules to a specific input when forwarding, so my approach is to run a second rsyslogd process dedicated to forwarding.

### Init script

```bash
vi /etc/init.d/rsyslogforwarder
```

Enter the following:

```bash
#!/bin/bash
#
# rsyslogforwarder  Starts a second rsyslogd instance used only for forwarding.
#
# chkconfig: 2345 12 88
# description: Syslog is the facility by which many daemons use to log \
#              messages to various system log files. It is a good idea to always \
#              run rsyslog.
### BEGIN INIT INFO
# Provides: $syslog
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Enhanced system logging and kernel message trapping daemons
# Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
#              among others, MySQL, syslog/tcp, RFC 3195, permitted
#              sender lists, filtering on any message part, and fine
#              grain output format control.
### END INIT INFO

# Source function library.
. /etc/init.d/functions

RETVAL=0
# Separate pid file and lock file so this instance never collides with the
# system rsyslogd started by /etc/init.d/rsyslog.
PIDFILE=/var/run/syslogdforwarder.pid
prog=rsyslog
exec=/sbin/rsyslogd
lockfile=/var/lock/subsys/rsyslogforwarder

# Source config (shares SYSLOGD_OPTIONS with the main rsyslogd)
if [ -f /etc/sysconfig/$prog ] ; then
    . /etc/sysconfig/$prog
fi

start() {
    [ -x $exec ] || exit 5
    umask 077
    echo -n $"Starting system logger: "
    # -i: own pid file, -f: own config file, so two rsyslogd processes can coexist
    daemon --pidfile="$PIDFILE" $exec -i "$PIDFILE" $SYSLOGD_OPTIONS -f /etc/rsyslogforwarder.conf
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $lockfile
    return $RETVAL
}

stop() {
    echo -n $"Shutting down system logger: "
    killproc -p "$PIDFILE" $exec
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    return $RETVAL
}

reload() {
    RETVAL=1
    syslog=$(cat "${PIDFILE}" 2>/dev/null)
    echo -n "Reloading system logger..."
    if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
        kill -HUP "$syslog";
        RETVAL=$?
    fi
    if [ $RETVAL -ne 0 ]; then
        failure
    else
        success
    fi
    echo
    return $RETVAL
}

rhstatus() {
    status -p "$PIDFILE" -l $prog $exec
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload|force-reload)
        reload
        ;;
    status)
        rhstatus
        ;;
    condrestart|try-restart)
        rhstatus >/dev/null 2>&1 || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
        exit 2
esac
exit $?
```

Make it executable:

```bash
chmod a+x /etc/init.d/rsyslogforwarder
```

### Configuration file

```bash
vi /etc/rsyslogforwarder.conf
```

```
#rsyslog v3 config file
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

#### MODULES ####
# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Template used for every forwarded message (RFC 3339 timestamp, original host)
$template GRAYLOG2,"<%PRI%>1 %timegenerated:::date-rfc3339% %fromhost% %syslogtag% - %APP-NAME%: %msg:::drop-last-lf%\n"
$ActionForwardDefaultTemplate GRAYLOG2

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$WorkDirectory /var/spool/rsyslog # where to place spool files (directory must exist)
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@127.0.0.1:1514
# ### end of the forwarding rule ###
```

The line `*.* @@127.0.0.1:1514` sets the forwarding destination: TCP port 1514 on the local host (`@@` means TCP, a single `@` would mean UDP). graylog2 will be installed later to listen on that port.
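A forwarder config that is only slightly wrong fails in ways that are easy to miss: a spool directory that does not exist means the disk queue cannot be created, a missing `$ActionQueueFileName` means the queue silently stays in memory, and a target without an explicit port goes to 514 instead of the graylog2 input. The following script is an added example, not code from the original post or from the rsyslog project: it pre-checks a config file in the style shown above for those directives and exits with the number of problems found. The `write_sample_conf` helper and the two constructed config files are assumptions for the demo; the only real names it relies on are the rsyslog directives already used in this post.

```shell
#!/bin/sh
# Added example: sanity-check a forwarder config (e.g. /etc/rsyslogforwarder.conf)
# before starting the second rsyslogd. Hypothetical helper, not part of rsyslog.

# check_forwarder_conf FILE -> prints one line per problem, returns the problem count
check_forwarder_conf() {
    conf="$1"; problems=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # $WorkDirectory must exist, otherwise the on-disk queue cannot spool anything
    workdir=$(awk '$1=="$WorkDirectory"{print $2; exit}' "$conf")
    if [ -z "$workdir" ]; then
        echo "missing \$WorkDirectory"; problems=$((problems+1))
    elif [ ! -d "$workdir" ]; then
        echo "\$WorkDirectory $workdir does not exist"; problems=$((problems+1))
    fi

    # without a file name prefix the queue is memory-only and lost on restart
    queue=$(awk '$1=="$ActionQueueFileName"{print $2; exit}' "$conf")
    [ -n "$queue" ] || { echo "missing \$ActionQueueFileName"; problems=$((problems+1)); }

    # the TCP forwarding rule: "*.* @@host:port" with an explicit port
    target=$(awk '$1=="*.*" && $2 ~ /^@@/ {print $2; exit}' "$conf")
    if [ -z "$target" ]; then
        echo "no TCP forwarding rule (*.* @@host:port)"; problems=$((problems+1))
    elif ! printf '%s' "$target" | grep -Eq '^@@[^:[:space:]]+:[0-9]+$'; then
        echo "forward target $target has no explicit port"; problems=$((problems+1))
    fi

    # a template named in $ActionForwardDefaultTemplate must actually be defined
    tmpl=$(awk '$1=="$ActionForwardDefaultTemplate"{print $2; exit}' "$conf")
    if [ -n "$tmpl" ] && ! grep -Eq "^\\\$template[[:space:]]+$tmpl," "$conf"; then
        echo "template $tmpl referenced but never defined"; problems=$((problems+1))
    fi
    return "$problems"
}

# write_sample_conf FILE WORKDIR: constructed config in the style of the post (demo data)
write_sample_conf() {
    cat > "$1" <<EOF
\$ModLoad imudp.so
\$UDPServerRun 514
\$template GRAYLOG2,"<%PRI%>1 %timegenerated:::date-rfc3339% %fromhost% %syslogtag% - %APP-NAME%: %msg:::drop-last-lf%\\n"
\$ActionForwardDefaultTemplate GRAYLOG2
\$WorkDirectory $2
\$ActionQueueFileName fwdRule1
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueType LinkedList
\$ActionResumeRetryCount -1
*.* @@127.0.0.1:1514
EOF
}

# Stand-alone demo on constructed files: one good config, one with a misspelt spool dir
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/spool"
    write_sample_conf "$tmp/good.conf" "$tmp/spool"
    write_sample_conf "$tmp/bad.conf" "$tmp/spppl"   # directory does not exist
    check_forwarder_conf "$tmp/good.conf" && echo "good.conf: OK"
    check_forwarder_conf "$tmp/bad.conf" || echo "bad.conf: $? problem(s)"
    rm -rf "$tmp"
}
demo
```

Run it against the real file with `check_forwarder_conf /etc/rsyslogforwarder.conf` after sourcing the script; on a host with rsyslog installed, `rsyslogd -N1 -f /etc/rsyslogforwarder.conf` is the authoritative syntax check, this script only catches the semantic slips that pass a syntax check.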

### Starting

```bash
/etc/init.d/rsyslogforwarder start
```

### Enable at boot

```bash
chkconfig rsyslogforwarder on
```

## References

Updated 2020-07-23