Linux: rsyslog.conf configuration

refer to: https://www.debian.org/doc/manuals/debian-handbook/sect.syslog.en.html

  • Log subsystems (facilities)
    Each log message is associated with an application subsystem (called “facility” in the documentation):

    auth and authpriv: for authentication;
    cron: comes from task scheduling services, cron and atd;
    daemon: affects a daemon without any special classification (DNS, NTP, etc.);
    ftp: concerns the FTP server;
    kern: message coming from the kernel;
    lpr: comes from the printing subsystem;
    mail: comes from the e-mail subsystem;
    news: Usenet subsystem message (especially from an NNTP — Network News Transfer Protocol — server that manages newsgroups);
    syslog: messages from the syslogd server, itself;
    user: user messages (generic);
    uucp: messages from the UUCP server (Unix to Unix Copy Program, an old protocol notably used to distribute e-mail messages);
    local0 to local7: reserved for local use.

  • Log priority levels
    Each message is also associated with a priority level. Here is the list in decreasing order:

    emerg: “Help!” There is an emergency, the system is probably unusable.
    alert: hurry up, any delay can be dangerous, action must be taken immediately;
    crit: conditions are critical;
    err: error;
    warn: warning (potential error);
    notice: conditions are normal, but the message is important;
    info: informative message;
    debug: debugging message.

  • Configuration rules (selector + action)
    The syntax of the /etc/rsyslog.conf file is detailed in the rsyslog.conf(5) manual page, but there is also HTML documentation available in the rsyslog-doc package (/usr/share/doc/rsyslog-doc/html/index.html). The overall principle is to write “selector” and “action” pairs. The selector defines all relevant messages, and the action describes how to deal with them.

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# Except for the mail, authpriv and cron subsystems, messages of level info and above from every other subsystem are written to /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
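As an added example (not part of the original post or of the Debian handbook), here is a small Python evaluator for the selector syntax described above: given the rules, a facility and a priority, it lists the actions the message would reach, which is a quick way to check that, say, authpriv messages really stay out of /var/log/messages. Function names and the alias table are my own assumptions; it models only the plain `facility.priority`, `none`, `*`, comma and semicolon forms used on this page.

```python
import re
# Priority names as the page lists them, most severe first (index 0 = emerg).
PRIORITIES = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]
ALIASES = {"warning": "warn", "error": "err", "panic": "emerg"}  # rsyslog synonyms

def prio_index(name):
    return PRIORITIES.index(ALIASES.get(name, name))

def selector_matches(selector, facility, priority):
    """One 'fac[,fac].prio' selector: None = says nothing about this facility."""
    facs, _, prio = selector.rpartition(".")
    facs = [f.strip() for f in facs.split(",")]        # e.g. "uucp,news.crit"
    if facility not in facs and "*" not in facs:
        return None
    if prio == "none":                                 # exclusion, e.g. mail.none
        return False
    if prio == "*":
        return True
    return prio_index(priority) <= prio_index(prio)    # "info" = info or more severe

def rule_matches(selector_field, facility, priority):
    """Semicolon-separated selectors; later ones override earlier ones."""
    decision = False
    for sel in selector_field.split(";"):
        verdict = selector_matches(sel.strip(), facility, priority)
        if verdict is not None:
            decision = verdict                         # '*.info;mail.none' drops mail
    return decision

def route(conf_text, facility, priority):
    """Actions a message reaches ('-' before a file means no sync after each write)."""
    actions = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments and blanks
        if not line:
            continue
        selector_field, action = re.split(r"\s+", line, maxsplit=1)
        if rule_matches(selector_field, facility, priority):
            actions.append(action)
    return actions

# Constructed input: the rules from the page, without the comment lines.
RULES = """*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
mail.*                                    -/var/log/maillog
cron.*                                    /var/log/cron
*.emerg                                   :omusrmsg:*
uucp,news.crit                            /var/log/spooler
local7.*                                  /var/log/boot.log
"""
```

For example, `route(RULES, "uucp", "crit")` returns both /var/log/messages and /var/log/spooler, while `route(RULES, "authpriv", "notice")` returns only /var/log/secure.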
posted @ 2022-11-09 15:38  武平宁