rsyslog usage notes

$umask 0022
$FileCreateMode 0755
$DirCreateMode 0755
Note: these set the mode of the log files and directories that rsyslog itself creates, including the per-day directories and per-host files generated from the templates below. $FileCreateMode applies to files, $DirCreateMode to directories, and $umask is applied on top of both. 0755 on a log file makes it readable by every local user and sets an execute bit that a plain file never needs; 0640 for files and 0750 for directories is the usual choice for logs, and both still pass through umask 0022 unchanged.

$ModLoad imudp
$UDPServerRun 514
Note: this loads the UDP input module and listens on UDP port 514. Syslog over UDP is unauthenticated and the source address is trivially spoofable, so anything that can reach the port can inject lines into these log files; restrict access with a host firewall or the $AllowedSender directive.

$ModLoad imtcp
$InputTCPServerRun 514
Note: this loads the TCP input module and listens on TCP port 514. The same access restriction applies; TCP at least gives reliable delivery, where UDP silently drops messages under load.

$template myFormat,"%HOSTNAME% %syslogtag%%msg%\n" #(write the received log as-is: hostname, tag and raw message)
$ActionFileDefaultTemplate myFormat
Note: this sets the default output template for file actions. It writes the sending host's name, the syslog tag and the raw message, leaving the message body untouched. Unlike the built-in RSYSLOG_TraditionalFileFormat it records no timestamp, so the only time information that survives is the date in the directory name; add %TIMESTAMP% to the template if per-line timestamps are needed.

$template ssl1,"/home/elsearch/it/it-logs/array/sslvpn/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, isequal, "192.168.x.x" ?ssl1
action(type="omfwd" Target="192.168.x.x" Port="514" Protocol="tcp" )
& ~
Note: ssl1 is a new template for the path the received logs are written to. %$YEAR%-%$MONTH%-%$DAY% and %fromhost-ip% are expanded per message, so each sending host gets its own file inside a per-day directory.
The :fromhost-ip line reads: when the IP address of the host that sent the message equals 192.168.x.x, write the message to the file named by template ssl1.
The action(...) line reads: forward to the log server at the given address and port. Beware that an action() statement on a line of its own carries no filter, so as written it forwards every message rsyslog receives, not only those matched by the line above. To forward only the matched host's logs, put the omfile and omfwd actions together inside an if $fromhost-ip == "..." then { ... } block.
The & ~ line reads: discard (~, spelled stop in current rsyslog syntax). A message that has been handled by this rule is finished here and is not passed on to the rules that follow.

$template acc,"/home/elsearch/it/it-logs/huawei/acc/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
local7.* ?acc
Note: acc is a custom file-path template.
Everything with facility local7 is written to the location it names.
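The walkthrough above, rewritten in rsyslog's current (RainerScript) syntax. This is an added example and not configuration from the original post; it keeps the page's placeholders (192.168.x.x and the /home/elsearch/... paths) and assumes rsyslog 7 or later. It deliberately differs from the page in three places: log files are created 0640/0750 instead of 0755, the omfwd forward sits inside the if block so that it applies only to the matched host, and the line template carries a timestamp.

```rsyslog
# Added example (not from the original post): the same setup in rsyslog 7+ RainerScript syntax.
# Addresses and paths are the page's placeholders (192.168.x.x, /home/elsearch/...), not real values.

# File/directory creation modes. The page uses 0755 for both; a log file never needs the
# execute bit and rarely needs to be world-readable, so 0640/0750 is the usual choice.
$umask 0022
$FileCreateMode 0640
$DirCreateMode 0750
$WorkDirectory /var/lib/rsyslog

# Network listeners. Plain syslog over UDP/TCP is neither authenticated nor encrypted, so
# restrict who may reach port 514: a host firewall, or the legacy $AllowedSender directive
# (which must appear before the input it protects).
$AllowedSender UDP, 192.168.x.x
$AllowedSender TCP, 192.168.x.x
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Line format: the page's template plus an RFC 3339 timestamp, so each line carries the
# time of the event and not only the date encoded in the directory name.
template(name="myFormat" type="string"
         string="%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n")

# Dynamic file names: one directory per day, one file per sending host.
template(name="ssl1" type="string"
         string="/home/elsearch/it/it-logs/array/sslvpn/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log")
template(name="acc" type="string"
         string="/home/elsearch/it/it-logs/huawei/acc/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log")

# Messages from the SSL VPN appliance: write locally, forward to the central log server,
# then stop so they do not also land in /var/log/messages. Because both actions are inside
# the if block, the forward applies only to this host; a bare action() line would apply to
# every message rsyslog sees.
if $fromhost-ip == "192.168.x.x" then {
    action(type="omfile" dynaFile="ssl1" template="myFormat")
    action(type="omfwd" target="192.168.x.x" port="514" protocol="tcp")
    stop
}

# Everything with facility local7 (the Huawei access devices on this page, but also the
# host's own boot messages) goes to the acc tree. No stop here, so the standard rules
# that follow still see these messages.
if $syslogfacility-text == "local7" then {
    action(type="omfile" dynaFile="acc" template="myFormat")
}
```

Check the result with `rsyslogd -N1 -f <file>` before deploying it; that parses the configuration without starting the daemon and reports syntax errors, including a misplaced $AllowedSender.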

Appendix: the configuration file used
$umask 0022
$FileCreateMode 0755
$DirCreateMode 0755

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog

$template myFormat,"%HOSTNAME% %syslogtag%%msg%\n" #(write the received log as-is: hostname, tag and raw message)
$ActionFileDefaultTemplate myFormat

$template ssl,"/home/elsearch/it/it-logs/array/sslvpn/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, isequal, "192.168.x.x" ?ssl
# Note: this action() has no filter attached, so it forwards every message to 192.168.x.x:515/udp, not only those from the host matched on the line above
action(type="omfwd" Target="192.168.x.x" Port="515" Protocol="udp" )
& ~

$template ssl1,"/home/elsearch/it/it-logs/sangfor/sslvpn/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, isequal, "192.168.x.x" ?ssl1
& ~

$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state

*.info;mail.none;authpriv.none;cron.none;local6.none;local5.none;local7.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log

$template acc,"/home/elsearch/it/it-logs/huawei/acc/%$YEAR%-%$MONTH%-%$DAY%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
local7.* ?acc

Supplementary notes:
If /var/log/messages keeps growing, the logs of a particular facility can be kept out of it by adding a facility.none selector to the line that feeds it.
For example:
*.info;mail.none;authpriv.none;cron.none /var/log/messages    (default configuration)

*.info;mail.none;authpriv.none;cron.none;local0.none /var/log/messages    means: messages of severity info and above (info, notice, warning, err, crit, alert, emerg) from every facility are written, except that the facilities mail, authpriv, cron and local0 are left out of messages. Note that mail, authpriv, cron and local0 are facilities, not severity levels, and the suffix .none excludes the whole facility regardless of severity.

posted @ 2022-07-21 11:01  云淡风轻2020