■ Log output format
Every rule in rsyslog.conf has the form:  facility.level    action
(log device / facility, the connector, the log level, then the action to execute)
Log device (facility, i.e. the log type):
auth - authentication messages (PAM and the like)
authpriv - private authentication messages: ssh, ftp and other login verification (stored in a file with restricted permissions)
cron - scheduled task (cron/at) messages
kern - kernel messages
lpr - printing system
mail - mail system
mark - periodic timestamp marks written by rsyslog itself
syslog - rsyslog's own internal messages
news - newsgroup (NNTP) messages
user - messages generated by user programs (the default facility of logger)
uucp - unix-to-unix copy, communication between unix hosts
local0~7 - custom facilities for your own applications
Log level (level, also called severity):
debug - debugging information, the most verbose
info - general informational messages, the most commonly used
notice - normal but significant condition
warning - warning condition
err - error condition, something that stops a function or module from working properly
crit - critical condition, something that stops the whole system or the whole program from working properly
alert - action must be taken immediately
emerg - the system is unusable, e.g. a kernel crash
none - nothing is logged (used to exclude a facility from a selector)
From top to bottom the severity rises from debug to emerg. A selector such as facility.level records that level and every level above it, so the higher the level you select, the less is recorded.
The connector between facility and level:
.xxx - messages of level xxx and higher (more severe)
.=xxx - messages of exactly level xxx
.!xxx - messages below level xxx (xxx and everything higher is excluded); .!=xxx excludes only level xxx itself
Execute the action:
1. Log to a normal file or a device file
*.* /var/log/file.log # absolute path
*.* /dev/pts/0 # a terminal device
2. Forward to a remote host
*.* @192.168.0.1 # forward over UDP to port 514 (default) of 192.168.0.1
*.* @@192.168.0.1 # forward over TCP to port 514 (default) of 192.168.0.1
3. Send to users (the user must be logged in to receive it)
*.* root
*.* root,kadefor,up01 # separate multiple users with ,
*.* * # * means all logged-in users
4. Ignore (discard)
local3.* ~ # discard all local3 messages at every level; rules below this one no longer see them
5. Execute a script
local3.* ^/tmp/a.sh # ^ followed by the absolute path of the executable script or program
# The log line is passed to the script as its first parameter.
# Can be used to trigger an alarm.
# Caveat: that parameter is whatever the sender put in the message, so the script must treat it as untrusted
# input (no eval, no unquoted shell expansion), and it belongs in a root-owned directory, not in /tmp.
.. note::
   Rule order matters! Rules are evaluated from top to bottom for every message.
A standard, simple rsyslog configuration (the default rule set shipped on RHEL/CentOS):
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
■ About the logger command
Use the logger command to test. logger is a shell interface to the system's syslog facility: it lets you write a line into the system log from the command line, through the same path that applications use.
logger [options] [messages]
**options:**
-d, --udp
    use a datagram (UDP) connection instead of the default stream (TCP) connection
-i, --id
    log the process ID of the logger process with each line
-f, --file file_name
    log the contents of the specified file, one line per message
-h, --help
    display help text and exit
-n, --server server
    write to the specified remote syslog server over UDP instead of the built-in syslog routines
-P, --port port_num
    use the specified UDP port; the default port number is 514
-p, --priority priority_level
    priority of the message, as a number or in the form "facility.level". For example "-p local3.info" sends at facility local3, level info. The default is "user.notice"
-s, --stderr
    also write the message to standard error
-t, --tag tag
    mark every line with the given tag (defaults to your login name)
-u, --socket socket
    write to the specified socket instead of the built-in syslog routines
-V, --version
    display version information and exit
**messages:** the content written to the log; can be replaced by -f to read it from a file.
logger exits with 0 on success and greater than 0 on failure.
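What logger actually puts on the wire, as an added example in Python (not part of the original page, and not util-linux or rsyslog code): the facility and level names listed above are packed into a single PRI number, facility * 8 + severity, in front of the BSD-syslog (RFC 3164) line that reaches /dev/log or UDP/TCP port 514, so "-p local3.info" becomes "<158>". The function names, the fixed timestamp and the sample line are constructed for this example; send_udp is included only to show what an "@server" forward or "logger -n" sends and is not called by the checks.

```python
"""How `logger -p facility.level` encodes a message on the wire: the BSD-syslog
(RFC 3164) line '<PRI>timestamp host tag[pid]: msg' that is written to
/dev/log or sent to UDP/TCP port 514.  Added example, not util-linux or rsyslog
code; function names and the sample lines are constructed for illustration."""
import re
import socket
from datetime import datetime

# Facility codes 0..23 (RFC 3164); the names for 12..15 vary between implementations.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock", "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
# Severity codes 0..7: 0 is the most severe, which is why "info and above" means <= 6.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

BSD_LINE = re.compile(
    r"^<(\d{1,3})>"                       # PRI
    r"(\w{3} [ \d]\d \d\d:\d\d:\d\d) "    # timestamp, e.g. "Sep 20 16:20:53"
    r"(\S+) "                             # host name
    r"([^\s:\[]+)(?:\[(\d+)\])?: ?"       # tag and optional [pid]
    r"(.*)$", re.S)


def pri(selector):
    """'local3.info' -> 158.  PRI = facility * 8 + severity.  A bare level
    ('notice') gets facility user, matching logger's default of user.notice."""
    fac, _, sev = selector.partition(".")
    if not sev:
        fac, sev = "user", fac
    try:
        return FACILITIES.index(fac) * 8 + SEVERITIES.index(sev)
    except ValueError as e:
        raise ValueError(f"unknown facility or level in {selector!r}") from e


def decode_pri(value):
    """158 -> ('local3', 'info'); anything outside 0..191 is malformed."""
    if not 0 <= value <= 191:
        raise ValueError(f"PRI {value} out of range 0..191")
    return FACILITIES[value // 8], SEVERITIES[value % 8]


def build_line(selector, tag, msg, pid=None, host="test", when=None):
    """Assemble the line logger emits for `logger -t tag -p selector msg`
    (pid is set when -i is used).  The timestamp defaults to a fixed, constructed value."""
    when = when or datetime(2017, 9, 20, 16, 20, 53)
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # BSD format: day is space padded
    ident = f"{tag}[{pid}]" if pid is not None else tag
    return f"<{pri(selector)}>{stamp} {host} {ident}: {msg}"


def parse_line(line):
    """Split a received BSD line back into its fields, validating the PRI.
    Host, tag and timestamp are plain text chosen by the sender: never trust them."""
    m = BSD_LINE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4),
            "pid": int(m.group(5)) if m.group(5) else None, "msg": m.group(6)}


def send_udp(line, server, port=514):
    """What `logger -n server -P port` or an '@server' action does: one datagram,
    no encryption, no authentication, no delivery guarantee."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (server, port))


if __name__ == "__main__":
    line = build_line("local3.info", "root", "abc test abc", pid=13091)
    print(line)            # <158>Sep 20 16:20:53 test root[13091]: abc test abc
    print(parse_line(line))
```

The parse side is the receiver's view for Cases 4 and 5 below: a remote host can put any host name, tag or timestamp into the line, and a PRI outside 0..191 is the simplest malformed input a receiver has to reject.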
■ Learning verification
Case 1: Is custom log information saved to the specified file as expected?
1. Append the following rule to the end of /etc/rsyslog.conf:
local3.=info /var/log/test.log
2. systemctl restart rsyslog
3. logger -i -p local3.info "abc test abc"
4. The line "Sep 20 16:20:53 test root[13091]: abc test abc" now appears in both /var/log/test.log and /var/log/messages, because the default "*.info;..." rule also matches local3.info.
5. Modify /etc/rsyslog.conf again so that the messages rule excludes local3:
*.info;mail.none;authpriv.none;cron.none;local3.none /var/log/messages
6. systemctl restart rsyslog
7. logger -i -t "mytest" -p local3.info "abc test abc"
8. Now only /var/log/test.log receives the line: Sep 20 17:47:18 test mytest[13241]: abc test abc
Case 2: Filter specific logs to a file, and ignore (discard) logs containing a certain string
# Property-based filters start with : and have the form  :property, operation, "value"  action
:msg, contains, "error" /var/log/error.log # write every message containing "error" to error.log
:msg, contains, "error" ~ # discard messages containing "error"
:msg, contains, "user nagios" ~ # discard messages containing "user nagios"
local3.* ~ # discard everything from facility local3
The position of a filter rule needs special attention. Compare the following three orders:
# --- order 1 ---
:msg,contains,"filtertest" /var/log/filtertest.log
*.info;mail.none;authpriv.none;cron.none;local3.none /var/log/messages
# --- order 2 ---
*.info;mail.none;authpriv.none;cron.none;local3.none /var/log/messages
:msg,contains,"filtertest" /var/log/filtertest.log
# --- order 3 ---
*.info;mail.none;authpriv.none;cron.none;local3.none /var/log/messages
:msg,contains,"filtertest" /var/log/filtertest.log
& ~
In all three orders a message containing filtertest ends up in both /var/log/filtertest.log and /var/log/messages; in order 3 the discard comes only after the messages rule has already written the line. To get it into /var/log/filtertest.log alone, the filter rule must come first, followed by "& ~". The "&" reuses the previous rule's filter and "~" discards the message, so once the line has been written to filtertest.log it is dropped and no later rule sees it, even one that would otherwise match:
:msg,contains,"filtertest" /var/log/filtertest.log
& ~
*.info;mail.none;authpriv.none;cron.none;local3.none /var/log/messages
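To see why Case 1 needs local3.none and why the order in Case 2 matters, here is an added example (written for this page, not rsyslog's own code) that evaluates the legacy rule syntax from the sections above: selectors with ".", ".=", ".!" and "none", the ":property, op, "value"" filters, "~" and "& ~". It routes constructed sample messages through the four configurations and reports which file each line would land in. The configurations are the page's own rules; the sample messages, the function names and the simplifications (only file targets and "~" as actions, no templates) are mine.

```python
"""Toy evaluator for the legacy rsyslog rule syntax used on this page:
selector rules (facility.level), ':property, op, "value"' rules, '~' discard
and '& ~'.  Added example, not rsyslog's own code; the function names, the
configs and the sample messages are constructed for illustration."""
import re
from collections import defaultdict

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PROP_RE = re.compile(r'^:([\w-]+),\s*(!?\w+),\s*"([^"]*)"\s+(\S+)$')


def _level_matches(spec, sev):
    """'info' = info and above, '=info' = exactly info, '!info' = below info,
    '!=info' = everything except info, 'none' = nothing, '*' = everything."""
    if spec == "*":
        return True
    if spec == "none":
        return False
    negate = spec.startswith("!")
    spec = spec[1:] if negate else spec
    exact = spec.startswith("=")
    want, have = SEVERITIES.index(spec.lstrip("=")), SEVERITIES.index(sev)
    hit = have == want if exact else have <= want   # lower index = more severe
    return hit != negate


def _selector_filter(selector):
    parts = []
    for spec in selector.split(";"):
        facs, _, level = spec.rpartition(".")
        parts.append((set(facs.split(",")), level))

    def test(m):
        matched = False
        for facs, level in parts:   # later parts override earlier ones for their facilities
            if "*" in facs or m["facility"] in facs:
                matched = _level_matches(level, m["severity"])
        return matched
    return test


def _property_filter(prop, op, value):
    negate = op.startswith("!")
    op = op.lstrip("!")

    def test(m):
        field = str(m.get(prop, ""))
        if op == "contains":
            hit = value in field
        elif op == "isequal":
            hit = field == value
        elif op == "startswith":
            hit = field.startswith(value)
        else:
            raise ValueError(f"unsupported operation {op!r}")
        return hit != negate
    return test


def parse_rules(config):
    """Return [(filter, action)] in file order; '$' directives and comments are skipped."""
    rules, last = [], None
    for line in config.splitlines():
        line = line.strip()
        if not line or line[0] in "#$":
            continue
        if line.startswith("&"):            # '& action' reuses the previous rule's filter
            if last is None:
                raise ValueError("'&' without a preceding rule")
            rules.append((last, line[1:].strip()))
            continue
        m = PROP_RE.match(line)
        if m:
            flt, action = _property_filter(m.group(1), m.group(2), m.group(3)), m.group(4)
        else:
            selector, action = line.split(None, 1)
            flt = _selector_filter(selector)
        last = flt
        rules.append((flt, action.lstrip("-")))   # a leading '-' only disables syncing
    return rules


def route(config, messages):
    """Apply the rules to each message in order; returns {target: [msg text, ...]}."""
    out = defaultdict(list)
    rules = parse_rules(config)
    for m in messages:
        for flt, action in rules:
            if not flt(m):
                continue
            if action == "~":              # discard: later rules never see this message
                break
            out[action].append(m["msg"])
    return dict(out)


# Constructed sample messages, tagged the way logger -p facility.level would tag them.
SAMPLE = [
    {"facility": "local3", "severity": "info", "msg": "abc test abc"},
    {"facility": "user", "severity": "notice", "msg": "filtertest from app"},
    {"facility": "mail", "severity": "err", "msg": "bounce"},
    {"facility": "kern", "severity": "warning", "msg": "oom"},
]
MESSAGES = "*.info;mail.none;authpriv.none;cron.none"
CASE1_BEFORE = f"{MESSAGES} /var/log/messages\nlocal3.=info /var/log/test.log\n"
CASE1_AFTER = f"{MESSAGES};local3.none /var/log/messages\nlocal3.=info /var/log/test.log\n"
FILTER = ':msg, contains, "filtertest" /var/log/filtertest.log\n& ~\n'
CASE2_WRONG = f"{MESSAGES};local3.none /var/log/messages\n{FILTER}"
CASE2_RIGHT = f"{FILTER}{MESSAGES};local3.none /var/log/messages\n"

if __name__ == "__main__":
    for name, cfg in [("case1 before", CASE1_BEFORE), ("case1 after", CASE1_AFTER),
                      ("case2 wrong order", CASE2_WRONG), ("case2 right order", CASE2_RIGHT)]:
        print(name, route(cfg, SAMPLE))
```

The two things the real daemon does the same way are the ones that bite in practice: a ";"-joined selector is evaluated left to right with later parts overriding earlier ones for their facilities (which is how "mail.none" carves mail out of "*.info"), and "~" stops evaluation for that message, so everything after it, including the rule that feeds /var/log/messages, is skipped.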
Case 3: Using a template to define the log format
Define the default log format:
$template myFormat,"%rawmsg%\n"
$ActionFileDefaultTemplate myFormat
# If you do not want the $ActionFileDefaultTemplate myFormat line, name the template per rule instead:
# append the template name to the log file, separated by ;
$template myFormat,"%rawmsg%\n"
# The authpriv file has restricted access.
authpriv.* /var/log/secure;myFormat
# Log all the mail messages in one place.
mail.* /var/log/maillog;myFormat
# Log cron stuff
cron.* /var/log/cron;myFormat
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler;myFormat
# Save boot messages also to boot.log
local7.* /var/log/boot.log;myFormat
The default in rsyslog.conf is $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat. RSYSLOG_TraditionalFileFormat is a built-in template reserved by rsyslog, so it needs no definition and can be used directly. To use a template of your own, define it first, as in $template myFormat,"%rawmsg%\n". If every file rule should use it, add $ActionFileDefaultTemplate myFormat after the definition. If only some rules should use it, leave that line out and name the template in the rule itself, as in authpriv.* /var/log/secure;myFormat.
Note that %rawmsg% is the message exactly as it arrived, so for logs received from the network the whole line, including host name and timestamp, is what the sender chose to write; the traditional format at least records rsyslog's own reception time.
Case 4: Remote sending and receiving of logs 1
Client configuration
Keep the standard rules and add the forwarding rule at the end; the idea is to forward only the logs the server needs:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
local3.* @192.168.100.96 # UDP, default port 514, server IP 192.168.100.96
or
local3.* @@192.168.100.96 # TCP, default port 514, server IP 192.168.100.96
Both variants send plaintext. UDP datagrams can be dropped silently and their source address spoofed; TCP only adds reliable delivery. For logs that cross an untrusted network use rsyslog's TLS support (the gtls network stream driver) or a tunnel, and filter port 514 on the server so only the expected clients can reach it.
Server side configuration
$ModLoad imtcp
$InputTCPServerRun 514
# for UDP use:
$ModLoad imudp
$UDPServerRun 514
# Log anything (except mail) of level info or higher.
# Don’t log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
local3.* /var/log/local3.log # for testing
Run on the client: logger -i -t "mytest" -p local3.info "11111111111"
With this configuration the line 2017-09-21T19:49:50+09:00 test mytest[15734]: 11111111111 is written everywhere a rule matches it:
Client: /var/log/messages
Server: /var/log/messages and /var/log/local3.log
So if you only want the log in /var/log/local3.log on the server, exclude local3 from the messages rule on both client and server, as in Case 1:
*.info;mail.none;authpriv.none;cron.none;local3.none /var/log/messages
Case 5: Remote sending and receiving of logs 2
Server side
vi /etc/rsyslog.conf # add the following at the beginning of the file, and make sure the client can reach port 514 over TCP
$ModLoad imtcp # load the TCP input module (needed only once)
$InputTCPMaxSessions 500 # accept up to 500 TCP connections
$InputTCPServerRun 514 # the port TCP messages are received on
$template logformat,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n" # template named logformat: timestamp, sender IP and the message
$template DynFile,"/var/log/tlog%$year%%$month%%$day%.log" # dynamic file name built from year, month and day
:rawmsg, contains, "sdns_log" ?DynFile;logformat # write messages whose rawmsg (msg works too) contains the sdns_log marker to the file named by DynFile, formatted with logformat
:rawmsg, contains, "sdns_log" ~ # then discard them, so no later rule writes a second copy into another file; this can also be written as & ~
What if you want to save messages from different IPs to different files?
:fromhost-ip, isequal, "192.168.0.160" /var/log/host160.log
:FROMHOST-IP, isequal, "192.168.0.161" /var/log/host161.log
:FROMHOST-IP, startswith, "192.168.1." /var/log/network1.log
:FROMHOST-IP, startswith, "192.168.2." /var/log/network2.log
Or define a template first. With the template below, logs are stored under /var/log/hosts in one file per sending node, named after the host name in the message; every message that did not come from the local host is then written according to that template.
$template RemoteHost,"/var/log/hosts/%HOSTNAME%.log"
:fromhost-ip, !isequal, "127.0.0.1" -?RemoteHost
& ~
Caveat: %HOSTNAME% is taken from the message text, which the remote sender writes, so a hostile client can choose the file name. Prefer %FROMHOST-IP% (the address the connection actually came from), or sanitise the value with the property replacer option %HOSTNAME:::secpath-replace%, which replaces slashes, and restrict port 514 to the expected senders with a firewall.
You can of course keep only what you need, for example only the logs from node 192.168.128.254:
:fromhost-ip, isequal, "192.168.128.254" -/var/log/messages-192.168.128.254.log
& ~
Logs can also be routed to a file by matching the message content:
:msg, startswith, " ## Firewalld LOGGED ## " -/var/log/firewalld-denied.log
& ~
The leading - in front of a file name tells rsyslog not to sync the file after every write.
Client
vi /etc/rsyslog.conf # add the following at the beginning of the file
# send messages containing sdns_log to 192.168.1.2 over TCP (@@ means TCP, @ means UDP)
:rawmsg, contains, "sdns_log" @@192.168.1.2 # default port 514
# then discard messages containing the sdns_log marker so they are not also written to the local /var/log/messages
:rawmsg, contains, "sdns_log" ~
# or
& ~