
[Linux Security Operation and Maintenance] rsyslog

2024-07-08


rsyslog

1. What is rsyslog

rsyslog is a high-performance log processor that can receive, process and forward log messages. It is widely used on UNIX and Linux systems for system logging and log management.

2. Main functions of rsyslog

  1. High performance: processes large volumes of log messages, which makes it suitable for large-scale log management.
  2. Modular architecture: supports many input and output modules, so functionality can be extended flexibly.
  3. Log filtering and rewriting: supports complex filtering and rewriting rules for precise control over log streams.
  4. Multiple protocols: handles several log transport protocols, such as UDP, TCP and TLS.
  5. Security: supports encrypted transport and authentication to protect log messages in transit.

3. Basic configuration of rsyslog

The rsyslog configuration file is usually /etc/rsyslog.conf, with additional snippets in /etc/rsyslog.d/. Configuration files use a rule-action structure: each rule is a selector (or filter) followed by the action to take for matching messages.

Command (check the service status):

systemctl status rsyslog.service

Configuration Example

# Basic format
# <selector> <action>   (selector = facility.priority, or a property filter starting with ':')
# Rules are evaluated in order and are not exclusive: one message can match several rules.

# Receive local logs and write them to a file
*.* /var/log/all.log

# Receive remote logs (UDP) and write them to a file
# ($ModLoad / $UDPServerRun are legacy-format directives; rsyslog still accepts them)
$ModLoad imudp
$UDPServerRun 514
*.* /var/log/remote.log

# Receive remote logs (TCP) and write them to a file
$ModLoad imtcp
$InputTCPServerRun 514
*.* /var/log/remote_tcp.log

# Filter logs by message priority
authpriv.* /var/log/secure.log

# Filter logs by message content
:msg, contains, "error" /var/log/error.log

4. Log Priority and Facility

rsyslog uses facilities and priorities to categorize and process log messages.

facility

Common facilities include:

  • auth, authpriv: authentication and security related messages
  • cron: scheduled task related messages
  • daemon: system background process related messages
  • kern: kernel related messages
  • mail: mail system related messages
  • syslog: internal log processing related messages

priority

The priorities, from highest to lowest, are:

  • emerg: emergency, the system is unusable and all users need to be notified immediately
  • alert: issues that require immediate attention
  • crit: critical condition
  • err: error
  • warning: warning
  • notice: normal but significant condition
  • info: informational message
  • debug: debug messages
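To make the selector semantics above concrete, here is an added example (not from the original article): a small Python evaluator that decodes the <PRI> header of an RFC 3164 message into facility and priority, then applies the classic "facility.priority" selectors and the ":msg, contains, ..." filter from section 3 to constructed sample messages. It also goes beyond the page by handling "none" exclusions and comma-separated facility lists, because a mis-ordered "none" or a wrong threshold silently drops messages such as authpriv events that a defender relies on. The rules, file paths and sample log lines are constructed for illustration.

```python
import re
# Facility codes 0..23 and severity codes 0..7 as used in the <PRI> header (PRI = facility*8 + severity).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp security "
              "console solaris-cron local0 local1 local2 local3 local4 local5 local6 local7").split()
# Same order as section 4: lower index means more urgent.
PRIORITIES = "emerg alert crit err warning notice info debug".split()

def decode_pri(line):
    """Split an RFC 3164 line '<PRI>rest' into (facility, priority, rest)."""
    m = re.match(r"<(\d{1,3})>(.*)", line)
    if not m:
        raise ValueError("missing <PRI> header: " + line)
    pri = int(m.group(1))
    return FACILITIES[pri // 8], PRIORITIES[pri % 8], m.group(2)
def selector_matches(selector, facility, priority):
    """Classic 'facility.priority' selector: a named priority matches that level and every
    more urgent one; '*' matches all; 'none' excludes a facility; later ';' parts win."""
    matched = False
    for part in selector.split(";"):
        facs, prio = part.split(".")
        if facs != "*" and facility not in facs.split(","):
            continue  # this part does not concern the message's facility
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        else:
            matched = PRIORITIES.index(priority) <= PRIORITIES.index(prio)
    return matched
def property_filter_matches(rule, text):
    """Property-based filter ':msg, contains, "value"' (only msg/contains is handled here)."""
    m = re.match(r':(\w+),\s*(\w+),\s*"([^"]*)"', rule)
    if not m or m.group(1) != "msg" or m.group(2) != "contains":
        raise ValueError("unsupported property filter: " + rule)
    return m.group(3) in text

def route(rules, line):
    """Return the actions (files or @/@@ forwarders) a message would be delivered to, in order."""
    facility, priority, text = decode_pri(line)
    return [action for flt, action in rules
            if (property_filter_matches(flt, text) if flt.startswith(":")
                else selector_matches(flt, facility, priority))]

# Constructed rule set: the filters from section 3 plus one threshold-with-exclusion selector.
RULES = [("*.*", "/var/log/all.log"), ("authpriv.*", "/var/log/secure.log"),
         (':msg, contains, "error"', "/var/log/error.log"), ("*.warning;authpriv.none", "@@logs.example.com:514")]
# Constructed sample messages: PRI 86 = authpriv.info, 3 = kern.err, 13 = user.notice.
SAMPLES = ["<86>Jul  8 10:00:00 host sshd[1234]: Failed password for root from 203.0.113.5",
           "<3>Jul  8 10:00:01 host kernel: I/O error on device sda",
           "<13>Jul  8 10:00:02 host myapp[99]: started"]
```

Calling route(RULES, line) for each entry in SAMPLES shows which files or forwarders each message would reach under the section 3 rules; for the kern.err sample it is all.log, error.log and the TCP forwarder, while the authpriv.info sample reaches only all.log and secure.log.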

5. Common commands

  • Start rsyslog: sudo systemctl start rsyslog
  • Stop rsyslog: sudo systemctl stop rsyslog
  • Restart rsyslog: sudo systemctl restart rsyslog
  • Check rsyslog status: sudo systemctl status rsyslog
  • Reload configuration: sudo systemctl reload rsyslog

6. Advanced Features

  • Log forwarding: Forward log messages to a remote server
  • Log rewriting: Modify the log message content according to the rules
  • Log Archiving: Archive log messages to save storage space
  • Log analysis: Integrate third-party tools for log analysis and visualization

Configuration Example

  1. Client Configuration
    On the client server, configure rsyslog to forward log messages to the centralized log server:

    # Forward logs to the remote server over UDP (single @)
    *.* @logs.example.com:514
    
    # Forward logs to the remote server over TCP (double @@)
    *.* @@logs.example.com:514
    
  2. Server Configuration
    On the centralized log server, configure rsyslog to receive log messages from clients:

    # Load the input modules (legacy-format directives)
    $ModLoad imudp
    $UDPServerRun 514
    
    $ModLoad imtcp
    $InputTCPServerRun 514
    
    # Write the received logs to a file
    *.* /var/log/centralized.log