The log server relies on the Linux Rsyslog function to forward and collect logs

A Linux server uses Rsyslog as a log server to collect the logs forwarded by other servers, which act as Rsyslog clients. Rsyslog can therefore run as either a log server or a log client.

This section describes how to configure Rsyslog

Rsyslog configuration includes the /etc/rsyslog.conf file and the custom configuration file in the /etc/rsyslog.d folder (the custom configuration file is loaded in the rsyslog.conf global configuration).

The rsyslog.conf configuration file includes module configuration, global configuration, and rules

Log Server Configuration

The rsyslog configuration file of the log server consists of the following parts:

The module configuration

Generally speaking, you only need to configure whether the log server receives log files from other servers through UDP or TCP

Global configuration

Rsyslog variables: data items are called properties in Rsyslog. They are usually used in templates (as variables between % and %) or in conditional checks. There are three main kinds of properties:

Message properties:
msg: the MSG part of the message
rawmsg: the message as received from the socket, useful for debugging
rawmsg-after-pri: similar to rawmsg, but with the syslog PRI removed
hostname: the hostname from the message
source: alias for hostname
fromhost: the hostname the message came from
fromhost-ip: the same as fromhost
programname: the static part of the tag; for example, if the tag is named[123456], programname is named
pri: the PRI part of the message, undecoded

System properties:
$bom: the UTF-8 encoded Unicode byte-order mask (BOM)
$myhostname: the name of the current host as it knows itself

Time-related system properties:
$now: the current date, in the format YYYY-MM-DD, where "now" is the time the message is processed
$year: the current year (4-digit)
$month: the current month (2-digit)
$day: the current day of the month (2-digit)
$hour: the current hour in 24-hour time (2-digit)
$hhour: from minute 0 to 29 this is always 0, and from minute 30 to 59 it is always 1
$minute: the current minute (2-digit)

Rules (selector + Action)

Each rule line consists of two parts, the selector and the action, separated by one or more spaces or tabs. The selector specifies the message source and the log level, and the action specifies what to do with matching messages.

A selector also consists of two parts, the facility and the priority, separated by a dot (.). The first part is the message source, or logging facility, and the second part is the logging level.

The log facilities are:

auth (security), authpriv: authorization and security-related messages
kern: messages from the Linux kernel
mail: messages generated by the mail subsystem
cron: information generated by the cron daemon
daemon: information generated by daemons
news: the network news subsystem
lpr: printing-related logs
user: information about user processes
local0 to local7: reserved for local use

Log levels are as follows:

debug: detailed development information, usually used only when debugging a program.
info: normal system messages, such as harassment reports and bandwidth data, that do not need to be processed.
notice: not an error, and does not require immediate action.
warning: a warning, but not an error; for example, the system disk usage is 85%.
err: an error that is not urgent and can be fixed within a certain amount of time.
crit: critical conditions, such as hard disk errors or lost backup connections.
alert: a problem that should be corrected immediately, such as a corrupted system database or a lost ISP connection.
emerg: an emergency; the technician must be notified immediately.
none: indicates that no level is recorded.

Pay special attention to the connecting symbol (., .= or .!) in front of the message level:

. : for example, mail.info means that every mail message is logged if its level is info or more severe.
.= : only the level that follows is matched, and no other level.
.! : an inverted selection, which ignores messages at or above this level. Only those below this level are recorded.

Action: the action is the part of the rule that processes the message. Usually the message content is written to a log file, but other actions are possible, such as writing to database tables or forwarding to other hosts.

Note:
1. A minus sign in front of the log file means that the file is written asynchronously, for example: mail.!info -/var/log/mail.info
2. *.emerg :omusrmsg:* means that emerg-level logs from all services are sent to all logged-in users.

Log client configuration

The log client also uses the Rsyslog function, and the configuration file is the same as that of the log server. However, the following information is generally configured in the global configuration

.
.

The symbol “& ~” is a redirection rule that tells the Rsyslog daemon to stop further processing of the log message and not to write it locally, so the message is written only to the specified file or server. Without this rule, all remote messages are also written to the local log files in addition to the destination described above, which means that the log messages are actually written multiple times. For example:

*.* @ip
& ~
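The selector symbols described under Rules and the “& ~” rule above can be checked with a small model. This is an added example, not code from the original article or from rsyslog; the rule lines, file paths and the address 192.0.2.10 are constructed, and the model assumes the traditional syslog.conf behaviour in which selector terms are applied left to right.

```python
# Added example: a model of selector matching and the "& ~" discard rule.
# Rule lines, file paths and the address 192.0.2.10 are constructed.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def selector_matches(selector, facility, level):
    """Apply ';'-separated facility.priority terms, left to right, to a level mask."""
    mask = set()
    for term in selector.split(";"):
        facs, prio = term.strip().rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue                          # term is about another facility
        negate = prio.startswith("!")         # ".!" removes levels from the mask
        prio = prio.lstrip("!")
        exact = prio.startswith("=")          # ".=" selects that one level only
        prio = prio.lstrip("=")
        if prio == "none":                    # facility.none clears every level
            chosen, negate = set(LEVELS), True
        elif prio == "*":
            chosen = set(LEVELS)
        elif exact:
            chosen = {prio}
        else:                                 # plain "." means this level and above
            chosen = set(LEVELS[LEVELS.index(prio):])
        mask = mask - chosen if negate else mask | chosen
    return level in mask

def process(rules, facility, level):
    """Run (selector, action) rules in order and return the actions that fire."""
    fired, prev = [], False
    for selector, action in rules:
        # "&" reuses the previous rule's match result instead of a new selector
        prev = prev if selector == "&" else selector_matches(selector, facility, level)
        if not prev:
            continue
        if action == "~":                     # discard: later rules never see the message
            break
        fired.append(action)
    return fired

FORWARD = ("*.*", "@192.0.2.10")
LOCAL = [("*.info;mail.none", "/var/log/messages"),
         ("mail.*;mail.!err", "-/var/log/mail.info")]

if __name__ == "__main__":
    print(process([FORWARD] + LOCAL, "cron", "info"))              # forwarded and written locally
    print(process([FORWARD, ("&", "~")] + LOCAL, "cron", "info"))  # forwarded only
```

The position of “& ~” matters in this model as it does in a rule file: rules placed before the forwarding rule still run, and only the rules after the discard are skipped.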

Note: User-defined services of local0-local7 must be configured in the configuration file of the corresponding service. Otherwise, only system logs are forwarded

Restart rsyslog

Rsyslog must be restarted after every change to its configuration, including after saving an edited rsyslog.conf with :wq. Otherwise, rsyslog cannot be used.

CentOS 7: systemctl restart rsyslog.service
Ubuntu or CentOS 6: service rsyslog restart

Laravel service forwarding

Laravel supports sending logs to Rsyslog, but its syslog configuration must be enabled first. Once it is enabled, Laravel's logs are sent to Rsyslog, which monitors them automatically and forwards any new entries to the log server.

The final result of forwarding to the log server is shown as follows: