[20191224] Centralized management of Syslog Server information.txt

Posted by lfree on 2019-12-25


--//I have long wanted one server that collects syslog information centrally, receiving the syslog messages of the other machines, including the logging output of switches and routers.
--//Our whole team pays far too little attention to these details, so problems take a long time to resolve. Think about it: with no records at all, once the administrator leaves, any problem becomes very troublesome...
--//The current servers already use rsyslog instead of syslog, so I use it to replace syslog as well. First, try it out in the test environment:

1. Environment:
# cat /etc/issue | head -1
Oracle Linux Server release 5.9

--//My test environment did not have rsyslog installed; what is actually installed is sysklogd (note the K in the middle)
# rpm -qa | grep sys | grep log
sysklogd-1.4.1-46.el5

# rpm -ivh rsyslog-3.22.1-7.el5.x86_64.rpm
warning: rsyslog-3.22.1-7.el5.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 1e5e0159
Preparing...                ########################################### [100%]
   1:rsyslog                ########################################### [100%]

2. Edit /etc/rsyslog.conf and append the following:
# Provides UDP syslog reception
$ModLoad imudp
$InputUDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
--//The lines above are best placed at the beginning. Note: I have seen some documents write $ModLoad imudp.so; it is best to check man rsyslog.conf
# This one is the template to generate the log filename dynamically, depending on the client's IP address.
$template FILENAME,"/var/log/rsyslog/%fromhost-ip%_syslog.log"

# Log all messages to the dynamically formed file. Now each clients log (192.168.1.2, 192.168.1.3,etc...),
# will be under a separate directory which is formed by the template FILENAME.
*.* ?FILENAME
*.*                             /dev/tty4

--//A note: the last line sends all messages to /dev/tty4, so for some debugging you only need to set the 80*25 display mode when logging in.
--//Run tail -f /dev/vcs4 and you can see the output; of course this has security implications. You can enable it only when needed.
--//The drawback is that it does not refresh. Is there a way to refresh it? The only option is watch cat /dev/vcs4, and it is only readable with COLUMNS=80, otherwise it is a bit messy.
--//Of course you can write everything to a file, but that grows very quickly:
*.*                                                 /var/log/rsyslog/all.log

3. Modify the /etc/sysconfig/rsyslog configuration file:
#SYSLOGD_OPTIONS="-m 0"
SYSLOGD_OPTIONS="-c3 -x"

--//The purpose of adding -x is to disable DNS lookups on messages received with -r.
--//The main purpose of changing to -c3 is to avoid the following after startup:
# cat /var/log/rsyslog/127.0.0.1_syslog.log
Dec 24 17:25:49 xxxxxxx4 kernel: imklog 3.22.1, log source = /proc/kmsg started.
Dec 24 17:25:49 xxxxxxx4 rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="13956" x-info="] (re)start
Dec 24 17:25:49 xxxxxxx4 rsyslogd: WARNING: rsyslogd is running in compatibility mode. Automatically generated config
                directives may interfer with your rsyslog.conf settings. We suggest upgrading your config and adding -c3
                as the first rsyslogd option.
Dec 24 17:25:49 xxxxxxx4 rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: ModLoad imuxsock

4. Start the rsyslog service:
--//In my test environment the syslog service has to be stopped first.
# service syslog stop
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]

# service rsyslog start
Starting system logger:                                    [  OK  ]

4. Client configuration:
--//Modify the /etc/syslog.conf file and add:
*.*                             @192.168.100.78

--//It can also be written as follows:
*.*                             @@192.168.100.78

--//According to the documentation: a single @ indicates the UDP IP address or hostname (and port) of the central syslog server, i.e. the UDP port is used; two @ use the TCP port.
--//I also found that a port number cannot be written in /etc/syslog.conf; perhaps the sysklogd package does not support adding a port number.
# man rsyslog.conf
...
Remote machine

       There are three ways to forward message: the traditional UDP transport, which is extremely lossy but standard,
       the plain TCP based transport which loses messages only during certain situations but is widely available and the
       RELP transport which does not lose messages but is currently available only as part of rsyslogd 3.15.0 and above.

       To forward messages to another host via UDP, prepend the hostname with the at sign ("@").  To forward it via
       plain tcp, prepend two at signs ("@@"). To forward via RELP, prepend the string ":omrelp:" in front of the
       hostname.

       Example:
              *.* @192.168.0.1

       In the example above, messages are forwarded via UDP to the machine 192.168.0.1, the destination port defaults to
       514. Due to the nature of UDP, you will probably lose some messages in transit.  If you expect high traffic
       volume, you can expect to lose a quite noticeable number of messages (the higher the traffic, the more likely and
       severe is message loss).

       If you would like to prevent message loss, use RELP:
              *.* :omrelp:192.168.0.1:2514

       Note that a port number was given as there is no standard port for relp.

       Keep in mind that you need to load the correct input and output plugins (see "Modules" above).

       Please note that rsyslogd offers a variety of options in regarding to remote forwarding. For full details, please
       see the html documentation.

--//One more detail to note: the client's rsyslog configuration file /etc/sysconfig/rsyslog has to be modified as follows. The -c3 option cannot be used there, otherwise the server cannot receive the messages.
#SYSLOGD_OPTIONS="-m 0"
SYSLOGD_OPTIONS="-m 0 -x"
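As an added example (not code from the post or from rsyslog), the Python below models the two halves configured above: a client emitting one UDP datagram, as the `*.* @192.168.100.78` line does, and the collector parsing it and choosing the file name the way the FILENAME template in step 2 does, from the sender's IP address rather than from the hostname field inside the message. It runs on loopback on an ephemeral port instead of 514, and the message it sends is constructed.

```python
# Minimal model of the collector in this post: receive one UDP syslog datagram,
# parse the RFC 3164 header, derive the per-client file name like %fromhost-ip%.
import re
import socket

LOG_DIR = "/var/log/rsyslog"  # directory used by the post's FILENAME template

# <PRI>Mmm dd hh:mm:ss hostname tag[pid]: message   (RFC 3164 layout)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

def parse_rfc3164(line: str) -> dict:
    """Split one syslog line; PRI = facility * 8 + severity."""
    m = _RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group("ts"), "hostname": m.group("host"),
            "tag": m.group("tag"), "pid": m.group("pid"), "msg": m.group("msg")}

def filename_for(peer_ip: str) -> str:
    """Same result as the FILENAME template: keyed on the sender's address
    (fromhost-ip), not on the hostname field inside the message, which the
    client fills in itself and therefore cannot be trusted for routing."""
    return "%s/%s_syslog.log" % (LOG_DIR, peer_ip)

def receive_one(sock: socket.socket) -> tuple:
    """Read one datagram the way imudp would; return (filename, parsed)."""
    data, (peer_ip, _port) = sock.recvfrom(8192)
    parsed = parse_rfc3164(data.decode("utf-8", "replace").rstrip("\n"))
    return filename_for(peer_ip), parsed

def demo() -> tuple:
    """Loopback round trip on an ephemeral port instead of 514: the message
    claims hostname xxxxxxx4, but the file is named after the peer IP, so it
    lands in 127.0.0.1_syslog.log exactly like the post's local log did."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(2)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Constructed sample: facility 1 (user) * 8 + severity 6 (info) = PRI 14.
    client.sendto(b"<14>Dec 24 17:25:49 xxxxxxx4 rsyslogd: test message",
                  server.getsockname())
    try:
        return receive_one(server)
    finally:
        client.close(); server.close()

if __name__ == "__main__":
    print(demo())
```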

5. Add logrotate management:
--//If the volume of logged data is large, the server consumes a great deal of disk space, so it must be cleaned up regularly:
--//Modify the /etc/logrotate.d/syslog file and add the following:

/var/log/rsyslog/1*.log {
  size=100M
  rotate 4
  copytruncate
  compress
  notifempty
}

--//Set the size as needed. Note that the megabyte unit is an uppercase M and the kilobyte unit is a lowercase k.
--//Use the following command to debug the logrotate configuration:
# /usr/sbin/logrotate -d  /etc/logrotate.d/syslog

From "ITPUB Blog", link: http://blog.itpub.net/267265/viewspace-2670388/. If reproducing, please cite the source; otherwise legal liability will be pursued.
