Linux system log remote collection

A Linux server that provides services normally produces a large amount of log information all the time. In a production environment with dozens or even hundreds of servers, logging in to each one to view its logs is very troublesome.

Among today's constantly evolving technologies there are many ways to manage logs centrally; the most common choice is still an ELK log analysis system. But how are these logs generated, and which service manages them in a unified way? This article looks at the system log service, rsyslog.

Linux systems have many types of logs. The following are some of the log files of the system itself:

/var/log/boot.log
/var/log/cron
/var/log/dmesg
/var/log/lastlog
/var/log/maillog or /var/log/mail/*
/var/log/messages
/var/log/secure
/var/log/wtmp,/var/log/faillog
/var/log/httpd/* , /var/log/samba/*

For what each log file records, refer to this blog post: Introduction to common Linux log files, which also introduces the seven error levels. It is not repeated here.

Most system logs are managed by the rsyslog service; its main configuration file is as follows:

[root@aaa ~]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"    # filter the blank lines and comment lines out of the config file
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The leading asterisk on the line above means all facilities (services); the level after the dot is the lowest level to record; /var/lo.... is where the entries are written
authpriv.*                          /var/log/secure   # every level of authpriv is recorded in the secure file
mail.*                                -/var/log/maillog   # every level of the mail facility is recorded in /var/log/maillog
cron.*                                /var/log/cron
*.emerg                            :omusrmsg:*
uucp,news.crit                 /var/log/spooler
local7.*                            /var/log/boot.log
# As the comments above show, in the first field the part before the dot names a facility (service) and the part after the dot says which error levels to record.
# Both sides of the dot accept the wildcard *: a first field of "*.*" means all levels of all facilities,
# and "*.info" means the info level and every level more severe than info, for all facilities.

In this configuration file you can change where each log is stored and which levels are recorded, but changing it is generally not recommended.

In fact, with just /etc/rsyslog.conf, a server can also send its logs to another server and have them managed there in a unified way. In a small production environment with only a few servers this approach works well; with a larger number of production servers, deploying an ELK log analysis system is recommended.

Configuring the rsyslog service: a worked instance

Here I have two servers, with host names aaa and bbb (IP addresses 192.168.1.1 and 192.168.1.2 respectively). The following requirements are to be met:

  • 1. Send the logs of level info and above from all system services on server aaa to server bbb for unified management;
  • 2. Send the logs of the Nginx compiled and installed on aaa to the management server bbb;
  • 3. Send the logs of the Apache compiled and installed on aaa to the management server bbb as well (because its default port conflicts with Nginx, the Nginx service started for requirement 2 will be stopped and the Apache service started);

Start the configuration:

1. Send the logs of level info and above from all system services on server aaa to server bbb for unified management

(1) Perform the following operations on server aaa:

[root@aaa ~]# vim /etc/rsyslog.conf     # edit the log service's configuration file
             #.............. part of the content omitted
$ModLoad imudp             # remove the leading "#" from this line to enable the UDP protocol
$UDPServerRun 514     # remove the leading "#" from this line to open UDP port 514

# Provides TCP syslog reception
$ModLoad imtcp         # remove the leading "#" from this line to enable the TCP protocol
$InputTCPServerRun 514    # remove the leading "#" from this line to open TCP port 514
             #.............. part of the content omitted
*.info;mail.none;authpriv.none;cron.none         /var/log/messages
*.info                         @@192.168.1.2  # the asterisk means all facilities; "*.info" means info and every more severe level
# @@ means transmit over TCP; 192.168.1.2 is the server to send to; a single @ means transmit over UDP
             #.............. part of the content omitted
# After editing, save and exit.
[root@aaa ~]# systemctl restart rsyslog           # restart rsyslog so the change takes effect

(2) Perform the following operations on server bbb:

[root@bbb ~]# vim /etc/rsyslog.conf        # edit the log service's configuration file and open UDP and TCP port 514
             #.............. part of the content omitted
$ModLoad imudp                # remove the leading "#" comment marker from this line
$UDPServerRun 514                # remove the leading "#" comment marker from this line

# Provides TCP syslog reception 
$ModLoad imtcp               # remove the leading "#" comment marker from this line
$InputTCPServerRun 514               # remove the leading "#" comment marker from this line
             #.............. part of the content omitted
[root@bbb ~]# systemctl restart rsyslog        # restart the service so the change takes effect
[root@bbb ~]# tailf /var/log/secure     # follow this host's log file as it grows
Sep 19 15:00:32 aaa useradd[5998]: new group: name=lvjianzh, GID=1003
Sep 19 15:00:32 aaa useradd[5998]: new user: name=lvjianzh, UID=1003, GID=1003, home=/home/lvjianzh, shell=/bin/bash
             #.............. part of the content omitted

(3) Perform the following operations on server aaa (mainly in order to generate log entries):

[root@aaa ~]# useradd admini
[root@aaa ~]# echo '123.com' | passwd --stdin admini
更改用户 admini 的密码 。
passwd:所有的身份验证令牌已经成功更新。
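What actually travels from aaa to bbb when the `*.info @@192.168.1.2` action fires is a plain-text line in rsyslog's traditional forward format: a `<PRI>` field (facility * 8 + severity), the timestamp, the host name, the tag with its PID, and the message. The Python script below is an added example, not code from the original post: it builds that line for the useradd entry shown above, parses it back into its fields, and shows the only difference between `@` and `@@` on the wire (UDP sends one datagram per message, plain TCP sends newline-terminated lines on one stream). The hostname, PID, timestamp and message text are constructed to match the post's output. Two caveats the post does not spell out: only bbb needs the imudp/imtcp listeners (the forwarding action on aaa needs neither, so enabling them on aaa just opens an extra port), and neither transport authenticates the sender or encrypts the content, so bbb's firewall should admit 514/tcp and 514/udp from the hosts that are expected to forward logs and nothing else.

```python
import re
import socket
from datetime import datetime

# Facility and severity codes from the syslog(3) API / RFC 3164. rsyslog's legacy
# selectors ("authpriv.*", "*.info") name them; the PRI field on the wire encodes them.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# Traditional forward format: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
                     r"([^\s:\[]+)(?:\[(\d+)\])?: ?(.*)$")


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity; authpriv.info is 10 * 8 + 6 = 86."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, hostname, tag, pid, msg, when):
    """Render one event the way rsyslog's default forwarding template does."""
    # Day of month is space-padded to two characters in this format ("Sep  9").
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s[%d]: %s" % (encode_pri(facility, severity), stamp,
                                     hostname, tag, pid, msg)


def parse_message(line):
    """Recover facility, severity and the other fields from a received line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a traditional-format syslog line: %r" % line)
    pri = int(m.group(1))
    return {"facility": FACILITY_NAMES.get(pri // 8, "unknown"),
            "severity": SEVERITY_NAMES[pri % 8],
            "timestamp": m.group(2), "hostname": m.group(3), "tag": m.group(4),
            "pid": int(m.group(5)) if m.group(5) else None, "msg": m.group(6)}


def frame(line, tcp):
    """'@' (UDP): one datagram per message, no terminator.
    '@@' (TCP): newline-terminated lines on one stream (rsyslog's default framing)."""
    return (line + "\n").encode() if tcp else line.encode()


def send(line, host, port=514, tcp=False):
    """Deliver one message the way rsyslog's @host / @@host actions do (port 514 is the default)."""
    proto = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, proto) as s:
        if tcp:
            s.connect((host, port))
            s.sendall(frame(line, True))
        else:
            s.sendto(frame(line, False), (host, port))


def sample_message():
    """Constructed: the useradd entry the post shows arriving on bbb, as aaa would forward it."""
    return build_message("authpriv", "info", "aaa", "useradd", 5998,
                         "new user: name=lvjianzh, UID=1003, GID=1003, "
                         "home=/home/lvjianzh, shell=/bin/bash",
                         datetime(2019, 9, 19, 15, 0, 32))


if __name__ == "__main__":
    # Loopback demo: play the bbb side with a UDP socket on an ephemeral port.
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    send(sample_message(), "127.0.0.1", rx.getsockname()[1], tcp=False)
    data, peer = rx.recvfrom(8192)
    print(parse_message(data.decode()))
    rx.close()
```

Running the script plays both sides on the loopback interface and prints the parsed fields; `parse_message` is also the check to run against anything unexpected that shows up in bbb's files, since the `<PRI>` value tells you which selector line on bbb admitted it.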

(4) View the new log entries generated on bbb, as follows:

(screenshot not included in this page)

2. Send the logs of the Nginx installed on aaa to the management server bbb

(1) Perform the following operations on server aaa:

[root@aaa ~]# vim /etc/yum.repos.d/epel.repo     # write the following file, pointing at the Aliyun mirror

[epel]
name=epel
baseurl=https://mirrors.aliyun.com/epel/7/x86_64/
gpgcheck=0
# The system's default yum repo files must still be present under /etc/yum.repos.d/; save and exit after writing.
[root@aaa ~]# yum repolist             # best to run this command
             #.............. part of the content omitted
(7/7): base/7/x86_64/primary_db                    | 6.0 MB   00:01     
源标识                          源名称                            状态
base/7/x86_64                   CentOS-7 - Base                   10,097
epel                            epel                              13,384     # this line is the file we just wrote taking effect, so all is well
extras/7/x86_64                 CentOS-7 - Extras                    304
updates/7/x86_64                CentOS-7 - Updates                   311
repolist: 24,096
# If yum repolist does not show the above, and configuration file errors have been ruled out, run the following command
[root@aaa ~]# yum makecache          # builds the metadata cache
             #.............. part of the content omitted
元数据缓存已建立
[root@aaa ~]# yum -y install nginx                 # install the nginx service
[root@aaa ~]# systemctl start nginx     # start the Nginx service
[root@aaa ~]# netstat -anpt | grep nginx              # confirm the Nginx service is running
tcp        0      0 0.0.0.0:80      0.0.0.0:* LISTEN      6609/nginx: master  
tcp6       0      0 :::80       :::*         LISTEN      6609/nginx: master  
[root@aaa ~]# ls /var/log/nginx/   # after a yum install, the two Nginx log files live here
access.log  error.log
# Remember the Nginx log path, it is needed shortly; if you compiled Nginx from source, find your own Nginx log path and note it down
[root@aaa ~]# vim /etc/rsyslog.conf           # edit the rsyslog service's configuration file
             #.............. part of the content omitted
# Append the following at the end of the configuration file
$ModLoad imfile
$InputFilePollInterval 1
$InputFileName /var/log/nginx/access.log
$InputFileTag nginx-info-access;
$InputFilestateFile state-nginx-info-accesslog
$InputRunFileMonitor
$InputFileName /var/log/nginx/error.log
$InputFileTag nginx-info-error;
$InputFilestateFile state-nginx-info-errorlog
$InputRunFileMonitor
$InputFilePollInterval 10
if $programname == 'nginx-info-access' then @192.168.1.2:514
if $programname == 'nginx-info-access' then ~
if $programname == 'nginx-info-error' then @192.168.1.2:514
if $programname == 'nginx-info-error' then ~
[root@aaa ~]# systemctl restart rsyslog               # restart the service so it takes effect

The configuration items written above are explained as follows:

$ModLoad imfile         # load the imfile module
$InputFilePollInterval 1    # how often to poll the file; the default unit is seconds
$InputFileName /var/log/nginx/access.log    # the log file to collect
$InputFileTag nginx-info-access;           # tag attached to entries from this log
$InputFilestateFile state-nginx-info-accesslog    # state file in which rsyslog records how far into this log it has read
$InputRunFileMonitor        # start monitoring the file
# The following is the same as above, because two log files are being collected
$InputFileName /var/log/nginx/error.log
$InputFileTag nginx-info-error;
$InputFilestateFile state-nginx-info-errorlog
$InputRunFileMonitor
$InputFilePollInterval 10
# The following specifies where the collected logs are sent; as before, one @ means UDP and two @@ means TCP
if $programname == 'nginx-info-access' then @192.168.1.2:514  
if $programname == 'nginx-info-access' then ~   # ~ is the discard action: rsyslog stops processing this message here, so no later rule (including the local log files) sees it
if $programname == 'nginx-info-error' then @192.168.1.2:514
if $programname == 'nginx-info-error' then ~
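rsyslog evaluates rule lines in file order, and `~` discards a message only for the rules that follow it. Because the imfile block is appended at the end of /etc/rsyslog.conf, the Nginx entries (which imfile labels local0.notice by default) first match the `*.info` lines earlier in the file, so they are also written to /var/log/messages and forwarded a second time over TCP before reaching the UDP action and the discard; moving the imfile rules above the `*.info` lines changes that. The Python script below is an added example, not code from the post, that models this routing for both the selector lines explained at the top of the article and the `$programname` lines above. It keeps the classic sysklogd selector semantics (a later `facility.none` or `facility.level` replaces what an earlier sub-selector set for that facility; the `=` and `!` modifiers are not handled), and the events it routes are constructed, with `programname` taken to equal the imfile tag as the post assumes.

```python
import re

# Syslog severities from most to least severe; a selector "fac.info" matches info
# and everything more severe (everything to the left of "info" in this list).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def selector_matches(selector, facility, severity):
    """Evaluate a legacy selector such as '*.info;mail.none;authpriv.none'.

    Sub-selectors apply left to right: each one naming this message's facility
    replaces the level set by an earlier one, and 'none' clears it.
    """
    matched = False
    for part in selector.split(";"):
        facs, _, level = part.partition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if level == "none":
            matched = False
        elif level == "*":
            matched = True
        else:
            matched = SEVERITIES.index(severity) <= SEVERITIES.index(level)
    return matched


def parse_rules(config_text):
    """Return [(kind, condition, action)] for the rule lines of an rsyslog.conf.

    $-directives (module loads, imfile settings) are skipped; only selector lines
    and "if $programname == '...' then ACTION" lines are rules.
    """
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        m = re.match(r"if \$programname == '([^']+)' then (\S+)$", line)
        if m:
            rules.append(("program", m.group(1), m.group(2)))
            continue
        selector, action = line.split(None, 1)
        rules.append(("selector", selector, action.strip()))
    return rules


def route(rules, event):
    """Walk the rules in file order and return the actions taken for one event.

    '~' is the discard action: it ends processing of that message, so it only
    shields the rules that come after it.
    """
    actions = []
    for kind, cond, action in rules:
        if kind == "selector":
            hit = selector_matches(cond, event["facility"], event["severity"])
        else:
            hit = event["programname"] == cond
        if not hit:
            continue
        if action == "~":
            break
        actions.append(action)
    return actions


# Constructed: the rule lines from the post in the order they sit in aaa's rsyslog.conf.
SELECTOR_RULES = """
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
*.info                                      @@192.168.1.2
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     :omusrmsg:*
local7.*                                    /var/log/boot.log
"""
IMFILE_RULES = """
$ModLoad imfile
$InputFileTag nginx-info-access;
if $programname == 'nginx-info-access' then @192.168.1.2:514
if $programname == 'nginx-info-access' then ~
if $programname == 'nginx-info-error' then @192.168.1.2:514
if $programname == 'nginx-info-error' then ~
"""
PAGE_ORDER = SELECTOR_RULES + IMFILE_RULES    # imfile block appended at the end, as in the post
IMFILE_FIRST = IMFILE_RULES + SELECTOR_RULES  # imfile block placed before the selector lines

# Constructed events. imfile assigns local0.notice unless told otherwise.
USERADD = {"facility": "authpriv", "severity": "info", "programname": "useradd"}
NGINX_ACCESS = {"facility": "local0", "severity": "notice", "programname": "nginx-info-access"}
CRON_JOB = {"facility": "cron", "severity": "info", "programname": "crond"}
KERN_DEBUG = {"facility": "kern", "severity": "debug", "programname": "kernel"}

if __name__ == "__main__":
    for name, event in [("useradd", USERADD), ("nginx", NGINX_ACCESS), ("cron", CRON_JOB)]:
        print(name, "page order:", route(parse_rules(PAGE_ORDER), event))
    print("nginx imfile-first:", route(parse_rules(IMFILE_FIRST), NGINX_ACCESS))
```

The useradd entry goes to `@@192.168.1.2` and /var/log/secure (the `authpriv.none` keeps it out of /var/log/messages), while the Nginx entry in the post's order is delivered three times before the discard is reached; with the imfile rules first it is sent once over UDP and nowhere else. Check the order on bbb the same way: whatever `*.info` admits there is written locally regardless of which sender produced it.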

(2) Monitor the logs on server bbb:

(screenshot not included in this page)

(3) Access the Nginx service on aaa from a client in order to produce a log entry.

(screenshot not included in this page)

(4) Back on server bbb, check whether an access log entry for the Nginx on aaa has been generated (if no new entry appears and configuration errors have been ruled out, refresh the client a few times):
(screenshot not included in this page)

As you can see, the Nginx log entries are quite detailed, aren't they? Each one records the time the entry was produced, which server generated it, the tag name, which IP address made the request, the access time, the response status code, the client's operating system and its bitness (for example "Windows NT 10.0; Win64; x64" indicates 64-bit Windows 10), and which browser was used. I visited with Google Chrome, and it even recorded my Chrome version.

At this point, collection of the Nginx log files is complete. Now for Apache log collection; with the groundwork above it is much easier, and only a few configuration items change.

3. Send the Apache logs on aaa to the management server bbb as well

(1) Perform the following operations on server aaa:

[root@aaa ~]# yum -y install httpd            # install the apache service
[root@aaa ~]# systemctl stop nginx      # stop the Nginx service to avoid a port conflict
[root@aaa ~]# systemctl start httpd      # start the apache service
[root@aaa ~]# vim /etc/rsyslog.conf          # change the rsyslog configuration, mainly the paths of the logs being collected
             #.............. part of the content omitted
$ModLoad imfile
$InputFilePollInterval 1
$InputFileName /var/log/httpd/access_log      # this is the main change
$InputFileTag httpd-info-access;
$InputFilestateFile state-httpd-info-accesslog
$InputRunFileMonitor
$InputFileName /var/log/httpd/error_log # change this too; the remaining items need not change, but changing them is recommended so the logs read clearly
$InputFileTag httpd-info-error;
$InputFilestateFile state-httpd-info-errorlog
$InputRunFileMonitor
$InputFilePollInterval 10
if $programname == 'httpd-info-access' then @192.168.1.2:514
if $programname == 'httpd-info-access' then ~
if $programname == 'httpd-info-error' then @192.168.1.2:514
if $programname == 'httpd-info-error' then ~
# Essentially, every Nginx in the configuration above is replaced with httpd.
[root@aaa ~]# systemctl restart rsyslog                 # restart the service so the change takes effect

(2) Monitor the logs on server bbb:

(screenshot not included in this page)

(3) Access the web service on aaa from a client in order to produce log entries (refresh a few times).

(screenshot not included in this page)

(4) Back on server bbb, check whether access log entries from the httpd server on aaa have been generated.

(screenshot not included in this page)

OK! No problem; collection is complete.

-------- This is the end of the article, thanks for reading --------


Origin: blog.51cto.com/14154700/2439346