RSYSLOG is the rocket-fast system for log processing.
It offers high performance, strong security features and a modular design. While it started as a regular syslogd, rsyslog has evolved into a kind of Swiss army knife of logging, able to accept input from a wide variety of sources, transform it, and output the results to diverse destinations.
RSYSLOG can deliver over one million messages per second to local destinations when limited processing is applied. Even with remote destinations and more elaborate processing the performance is usually considered “stunning”.
In addition:
The command-line logging tool logger should be selected.
logger makes entries in the system log; it provides a shell command interface to the syslog system log module.
To ease log maintenance, logrotate should be selected.
logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal and mailing of log files. Each log file may be handled daily, weekly, monthly or when it grows too large.
Administration --->
<*> rsyslog...... Enhanced system logging and kernel message trapping daemons
Utilities --->
<*> logger......... a shell command interface to the syslog system log module
<*> logrotate..................... rotates, compresses, and mails system logs
rsyslog is more complete and more powerful than the default logd, so the default logd can simply be deselected:
Base system --->
< > logd................................... OpenWrt system log implementation
IP address of the rsyslog device S: 192.168.0.1
IP address of device A: 192.168.0.3 (device A uses the standard OpenWrt logd)
rsyslog configuration on device S:
# unix sockets
module(load="imuxsock")
# kernel log
module(load="imklog")
# for udp syslog
module(load="imudp")
input(type="imudp" port="514")
# for tcp syslog
#module(load="imtcp")
#input(type="imtcp" port="514")
# List of sub networks authorized to connect
$AllowedSender UDP, 127.0.0.1, 192.168.0.0/16
*.* /var/log/syslog/local_syslog.log
#
# Redirect all messages received from the network to subfolders
#
$template Remote,"/var/log/syslog/%fromhost-ip%/%fromhost-ip%_%$now%_syslog.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
&~
Restart for the change to take effect:
/etc/init.d/rsyslog restart
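Added example, not part of the original notes: a small Python model of how rsyslog evaluates the rules above, in order, for one incoming message (the $AllowedSender check, the catch-all local file, the Remote template, and the &~ discard). Only the network list, file name and template string come from the configuration above; the function names and the sample source addresses are assumptions made for the example.

```python
import ipaddress
from datetime import date

# Values copied from the rsyslog configuration above.
ALLOWED_SENDERS = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.168.0.0/16")]
LOCAL_FILE = "/var/log/syslog/local_syslog.log"
REMOTE_TEMPLATE = "/var/log/syslog/%fromhost-ip%/%fromhost-ip%_%$now%_syslog.log"


def render_template(template, fromhost_ip, today):
    """Expand the two properties the Remote template uses; rsyslog's %$now% is YYYY-MM-DD."""
    return template.replace("%fromhost-ip%", fromhost_ip).replace("%$now%", today)


def route(src_ip, today=None):
    """Return the files a message from src_ip is written to, in rule order ([] = dropped).

    src_ip is the source address as seen by imudp/imuxsock (fromhost-ip). Because the
    first rule is "*.*", message content does not affect routing, only the source does.
    A UDP source address is not authenticated, so $AllowedSender is only a coarse filter.
    """
    today = today or date.today().isoformat()
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_SENDERS):
        return []  # $AllowedSender: datagram discarded before any rule runs
    # Rule 1: "*.* /var/log/syslog/local_syslog.log" comes first and matches everything,
    # so remote messages are written here as well as to their per-host file.
    targets = [LOCAL_FILE]
    # Rule 2: ':fromhost-ip, !isequal, "127.0.0.1" ?Remote'
    if src_ip != "127.0.0.1":
        targets.append(render_template(REMOTE_TEMPLATE, src_ip, today))
        # "&~" then discards the message, so no later rule would see it.
    return targets


if __name__ == "__main__":
    # Constructed sample sources: the client A, the local socket, and an outside host.
    for ip in ("192.168.0.3", "127.0.0.1", "10.0.0.9"):
        print(ip, "->", route(ip, "2022-07-01"))
```

Note that because the `*.*` rule precedes the Remote rule, every remote message is also appended to local_syslog.log; move the Remote rule and `&~` above it if that is not wanted.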
On device A (standard OpenWrt logd), set the remote logging options in the UCI system configuration:
option log_remote '1'
option log_ip '192.168.0.1'
option log_port '514'
Restart for the change to take effect:
/etc/init.d/log restart
/etc/init.d/system restart
Run the following commands on device A:
root@Cite-:~# logger "uxxxxxxxxxxxxxxxxx from client 0.3"
root@Cite-:~# ifconfig eth3
eth3 Link encap:Ethernet HWaddr 34:E3:0C:22:10:00
inet addr:192.168.0.3 Bcast:192.168.0.255 Mask:255.255.255.0
On device S, check that the log has been received:
root@OpenWrt:~# cat /var/log/syslog/192.168.0.3/192.168.0.3_2022-07-01_syslog.log | grep "uxxxx"
2022-07-03T17:19:59+00:00 192.168.0.3 : ash[9170] uxxxxxxxxxxxxxxxxx from client 0.3
The PC side (192.168.0.8) needs a syslog server set up in advance (not covered here).
Modify the rsyslog configuration on device S and add the following UDP forwarding rule:
*.* @192.168.0.8:514
If TCP is used instead, change it to the following (the double @@ selects TCP):
*.* @@192.168.0.8:514
Restart:
/etc/init.d/rsyslog restart
Write a syslog entry on device S:
root@OpenWrt:~# logger "yyyyyyyyyyyyyyyyyyyyyyyyyyyyy from 0.1"
Check on the PC side; the message has been received:
➜ ~ cat /var/log/192.168.0.1.log | grep yyyy
2022-07-01T10:59:03+08:00 OpenWrt root: yyyyyyyyyyyyyyyyyyyyyyyyyyyyy from 0.1
logrotate performs log rotation, which serves the following purposes.
Edit the configuration /etc/logrotate.conf:
/var/log/syslog/*.log /var/log/syslog/client/*.log {
daily
rotate 2
size +10M
nocompress
dateext
notifempty
copytruncate
missingok
}
Parameter explanation
daily
Rotation period; can also be weekly, monthly or yearly.
rotate 2
Keep 2 days of data; anything beyond that is deleted.
size +10M
Rotate when the log exceeds 10M; the unit can be K, M or G. This takes priority over daily.
nocompress
Do not compress logs after rotation; compress is the alternative.
dateext
Add a date suffix to the rotated file.
missingok
Do not report an error if a log file is missing.
copytruncate
Rotation strategy: copy the log that is currently being written, then truncate the original. Known issue: if the log is very large, some entries written between the copy and the truncate may be lost.
The other option is create, which renames the original log file and creates a new one.
The path configuration here,
/var/log/syslog/*.log /var/log/syslog/client/*.log
requires changing the corresponding rsyslog configuration as follows:
$template Remote,"/var/log/syslog/client/%fromhost-ip%_%$now%_syslog.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
&~
This guarantees there are no subdirectories under the client directory (the logrotate glob only matches files directly in it).
Initial logs:
root@OpenWrt:~# ls /var/log/syslog/
client local_syslog.log
root@OpenWrt:~# ls /var/log/syslog/client/
192.168.0.3_2022-07-04_syslog.log
root@OpenWrt:~#
Confirm that log rotation works
Rotate manually to quickly verify that the scheme is workable (-f forces a rotation, -v prints what is done):
logrotate -v -f /etc/logrotate.conf
All logs in both directories have been rotated:
root@OpenWrt:~# ls /var/log/syslog/
client local_syslog.log-20220704
local_syslog.log
root@OpenWrt:~# ls /var/log/syslog/client/
192.168.0.3_2022-07-04_syslog.log
192.168.0.3_2022-07-04_syslog.log-20220704
Confirm that rotate 2 works
Generate 3 days' worth of log files:
root@OpenWrt:~# cd /var/log/syslog/
root@OpenWrt:/tmp/log/syslog# ls
client local_syslog.log-20220704
local_syslog.log
root@OpenWrt:/tmp/log/syslog# cp local_syslog.log-20220704 local_syslog.log-20220703
root@OpenWrt:/tmp/log/syslog# cp local_syslog.log-20220704 local_syslog.log-20220702
root@OpenWrt:/tmp/log/syslog# ls
client local_syslog.log-20220703
local_syslog.log local_syslog.log-20220704
local_syslog.log-20220702
Verify that local_syslog.log-20220702 (the oldest, beyond the 2 kept) has been deleted:
logrotate -v -f /etc/logrotate.conf
root@OpenWrt:~# ls /var/log/syslog/
client local_syslog.log-20220703
local_syslog.log local_syslog.log-20220704