1、以IP地址命名
在/etc/rsyslog.conf中加入如下配置,并做好备注。添加这三行配置之后,远程日志会被单独输出到一个以IP命名的日志文件中。
#IP format by zhz at xxxx-xx-xx $template IpTemplate,"/var/log/%FROMHOST-IP%.log" *.* ?IpTemplate & ~
2、设备名&日期
Rsyslog的日志轮询默认为一周,保存4周,如果生产中日志产生量很大,或者设备数目过多的话,查询时就会遇到障碍,此时我们选择将日志以设备名和日期来命名日志,此处以天为单位,每天存储一份。在/etc/rsyslog.conf中加入如下配置,并做好备注。
#Divided by prefecture and city,end by date. #province $EscapeControlCharactersOnReceive off $template PRO-SW-01,"/var/log/province/PRO-SW-01_log.%$year%-%$month%-%$day%" $template myFormat,"%msg%\n" :rawmsg,contains,"PRO-SW-01" -?PRO-SW-01;myFormat $EscapeControlCharactersOnReceive off $template PRO-QR-01,"/var/log/province/PRO-QR-01_log.%$year%-%$month%-%$day%" $template myFormat,"%msg%\n" :rawmsg,contains,"PRO-QR-01" -?PRO-QR-01;myFormat #huawei-route $EscapeControlCharactersOnReceive off $template City--QR-01,"/var/log/NE40X3/City-QR-01_log.%$year%-%$month%-%$day%" $template myFormat,"%msg%\n" :rawmsg,contains,"City--QR-01" -?City--QR-01;myFormat #h3c-route $EscapeControlCharactersOnReceive off $template City-SR-01,"/var/log/SR/City-SR-01_log.%$year%-%$month%-%$day%" $template myFormat,"%msg%\n" :rawmsg,contains,"City-SR-01" -?City-SR-01;myFormat #huawei-sw $EscapeControlCharactersOnReceive off $template City-SW-01,"/var/log/S5756/City-SW-01_log.%$year%-%$month%-%$day%" $template myFormat,"%msg%\n" :rawmsg,contains,"City-SW-01" -?City-SW-01;myFormat
3、采用默认的存储方式
如果采用默认的方式的话,即以周为轮询单位,存储4周。
4、日志备份
不管采取哪种方式,显然只有一台日志主机的话,会存在单点故障,为了解决这个问题,我们将收集的日志采用定期备份的方式推送到Backup服务器上,我这里使用的是rsync。
思路如下:
通过本地打包备份,rsync应用把日志数据统一备份到一个固定的存储服务器上,通过脚本检测并通知管理员备份的结果。
rysnc的有关知识请查阅本博客: