Installation

sudo yum install rsyslog

Distributions usually ship a fairly old version of rsyslog. To get a current release, install the RPM or DEB packages from the official repositories (see below) or use the Docker image.

In practice this command is rarely needed: rsyslog is already installed by default on most distributions.

Install the new version

For example, to add the official v8-stable repository on a RHEL/CentOS-style system and install from it:

cd /etc/yum.repos.d/
wget http://rpms.adiscon.com/v8-stable/rsyslog.repo
yum install rsyslog

Note that the repository definition is fetched over plain HTTP. Before running the install, read the downloaded rsyslog.repo, make sure gpgcheck is enabled and that the gpgkey it names is one you trust; otherwise anyone who can tamper with that file in transit also chooses which packages your package manager installs.

Check the version

rsyslogd -v

The first line of the output shows the version, which should now be an 8.x release.

Package structure

  • Core package (often referred to simply as "rsyslog") – contains the core functionality required by all other packages. It also contains modules such as file writers or syslog forwarders, which are very commonly used and have few dependencies.
  • Feature packages, for example "rsyslog-mysql" for MySQL output and "rsyslog-elasticsearch" for Elasticsearch support. If in doubt, search your distribution's package manager for "rsyslog*".

Use a Docker container

docker run -ti rsyslog/syslog_appliance_alpine

Configuration

The main configuration file is usually /etc/rsyslog.conf.

There are three types of configuration syntax:

  • Basic is best suited for expressing simple things, such as single-line statements. It stems from the original syslog.conf format, which has been in use for decades.
  • Advanced, formerly known as the RainerScript format, was first available in rsyslog v6 and is preferably used with v7 and above. It is meant for more advanced use cases, such as forwarding to remote hosts that may be temporarily offline.
  • Obsolete legacy is what its name implies: it is obsolete and should not be used when writing new configurations. Essentially, anything that has to be written on a line starting with a dollar sign is legacy format. Users of this format are encouraged to migrate to basic or advanced.

Sample configurations

Basic format (still recommended)

This format is still recommended for most configurations, which consist of simple statements:

mail.info /var/log/mail.log
mail.err @@server.example.net

Advanced format (for more features)

Advantages:

  • Fine-grained control of rsyslog through advanced parameters
  • The block structure is easy to read
  • Easy to write
  • Safe to use with include files

For the example above, if you want to avoid losing messages while the remote server is offline, the advanced format lets you attach a queue to the forwarding action:

mail.err action(type="omfwd" protocol="tcp" queue.type="linkedList" target="server")

Note that queue.type="linkedList" on its own is an in-memory queue: messages buffered while the target is down are lost if rsyslogd itself restarts or the host reboots. For durability, add queue.filename to make the queue disk-assisted (and queue.saveOnShutdown="on" so buffered messages are written out when rsyslogd stops).

Load module

module(load="module-name")

Loading a module with parameters

module(load="imtcp" maxSessions="500")

Syntax comparison

Action chain

Use & to chain a further action onto the previous selector:

*.error /var/log/errorlog
&       @remote

Written in full:

*.error {
        action(type="omfile" file="/var/log/errorlog")
        action(type="omfwd" target="remote" protocol="udp")
}

This form is easier to extend and, being modular, harder to get wrong. In the legacy format, the discard action ~ stops further processing of a message:

:msg, contains, "error" @remote
& ~

The advanced form is:

:msg, contains, "error" {
        action(type="omfwd" target="remote" protocol="udp")
        stop
}

Or:

if $msg contains "error" then {
        action(type="omfwd" target="remote" protocol="udp")
        stop
}

Sysklogd format

Syntax: a selector field, then whitespace (spaces or tabs), then an action field.

The selector

The selector consists of a facility and a priority, joined by a period. Both follow the definitions in syslog(3); the corresponding numeric values can be looked up in /usr/include/sys/syslog.h.

facility: auth, authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7.

priority: debug, info, notice, warning, err, crit, alert, emerg.

warn, error and panic are deprecated synonyms for warning, err and emerg.

A plain priority selects that priority and all more severe ones; "=" restricts the selector to exactly that priority, and "!" excludes the priorities it would otherwise select (so "kern.!err" drops err and above, while "mail.!=info" drops only info). "*" stands for all facilities or all priorities, "none" selects no priority for the named facility, "," separates multiple facilities in one selector, and ";" separates multiple selectors in one rule; later selectors override earlier ones for the facilities they name.

The action

The action field describes the abstract "log file" a matching message is written to:

  • Regular file: a real file, given by an absolute path
  • Named pipe (FIFO)
  • Terminal and console: a tty or /dev/console
  • Remote machine: forwarded to a central collector for unified processing, written as @host (UDP) or @@host (TCP)
  • List of users (written to their terminals), and so on

Example

# Store critical stuff in critical
#
*.=crit;kern.none            /var/adm/critical

# Kernel messages are stored in the kernel file,
# critical messages and higher ones also go
# to another host and to the console
#
kern.*                       /var/adm/kernel
kern.crit                    @finlandia
kern.crit                    /dev/console
kern.info;kern.!err          /var/adm/kernel-info

# The tcp wrapper logs with mail.info, we display
# all the connections on tty12
#
mail.=info                   /dev/tty12

# Write all mail related logs to a file except for the info priority.
#
mail.*;mail.!=info           /var/adm/mail

# Log all mail.info and news.info messages to info
#
mail,news.=info              /var/adm/info

# Log info and notice messages to messages file
#
*.=info;*.=notice;\
        mail.none            /var/log/messages
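The selector semantics and the action-chain/stop behaviour described in the two sections above can be exercised without a running syslog daemon. The following Python is an added example written for this page (it is not code from rsyslog or sysklogd): it builds the per-facility priority bitmask that sysklogd derives from a selector field, parses a small constructed configuration in the format shown above (the host names remote and finlandia are placeholders), honours "&" action chains and the legacy "~" discard (rsyslog's stop), and reports which actions a given facility.priority message reaches. The helper names parse_selector, parse_rules, route and decode_pri are this example's own, not rsyslog API.

```python
"""Sysklogd-style selector evaluation (added example; not rsyslog or sysklogd code).
A selector field becomes a per-facility bitmask of allowed priorities, applied left to
right so later selectors (kern.none, kern.!err, mail.!=info) override earlier ones.
Rules run top to bottom; '&' extends an action chain and the legacy '~' discard stops."""
from __future__ import annotations
from dataclasses import dataclass

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
PRIORITY_NAMES = {code: name for name, code in PRIORITIES.items()}
FACILITIES["security"] = FACILITIES["auth"]  # deprecated alias
PRIORITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}  # deprecated spellings
ALL_PRI = 0xFF  # bits 0..7: every priority

def decode_pri(pri: int) -> tuple[str, str]:
    """Split a syslog header's <PRI> value (facility * 8 + priority) into names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITY_NAMES.get(pri // 8, f"facility{pri // 8}"), PRIORITY_NAMES[pri % 8]

def _apply(current: int, pri: str, single: bool, ignore: bool) -> int:
    """Update one facility's bitmask with one priority token ('none', '*', or a name)."""
    if pri == "none":  # 'none' clears the facility; '!none' allows everything
        return ALL_PRI if ignore else 0
    if pri == "*":
        return 0 if ignore else ALL_PRI
    code = PRIORITIES[PRIORITY_ALIASES.get(pri, pri)]
    bits = (1 << code) if single else (2 << code) - 1  # exactly this one, or it and all more severe
    return current & ~bits if ignore else current | bits

def parse_selector(selector: str) -> dict[int, int]:
    """Return {facility_code: allowed-priority bitmask} for one selector field."""
    mask = {code: 0 for code in FACILITY_NAMES}
    for part in filter(None, selector.replace(" ", "").split(";")):
        facs, dot, pri = part.rpartition(".")
        if not dot or not facs:
            raise ValueError(f"bad selector {part!r}")
        ignore, pri = pri.startswith("!"), pri.lstrip("!")
        single, pri = pri.startswith("="), pri.lstrip("=")
        codes = list(mask) if facs == "*" else [FACILITIES[f] for f in facs.split(",")]
        for code in codes:
            mask[code] = _apply(mask[code], pri, single, ignore)
    return mask

@dataclass
class Rule:
    selector: str
    mask: dict[int, int]
    actions: list[str]
    stop: bool = False

def parse_rules(conf: str) -> list[Rule]:
    """Toy parser for 'selector<whitespace>action' lines, '&' chains and '~' discards."""
    rules: list[Rule] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selector, action = line.split(None, 1)
        if selector != "&":  # '&' continues the previous rule's action chain
            rules.append(Rule(selector, parse_selector(selector), []))
        if action == "~":  # legacy discard == rsyslog 'stop'
            rules[-1].stop = True
        else:
            rules[-1].actions.append(action)
    return rules

def route(rules: list[Rule], facility: str, priority: str) -> list[str]:
    """Actions reached by a facility.priority message when rules run top to bottom."""
    fcode, pbit = FACILITIES[facility], 1 << PRIORITIES[PRIORITY_ALIASES.get(priority, priority)]
    fired: list[str] = []
    for rule in rules:
        if rule.mask[fcode] & pbit:
            fired.extend(rule.actions)
            if rule.stop:
                break
    return fired

# Constructed configuration modelled on the example above ('remote' and 'finlandia' are placeholders).
SAMPLE_CONF = """
auth.*                        @remote
&                             ~
*.=crit;kern.none             /var/adm/critical
kern.*                        /var/adm/kernel
kern.crit                     @finlandia
&                             /dev/console
kern.info;kern.!err           /var/adm/kernel-info
mail.*;mail.!=info            /var/adm/mail
mail,news.=info               /var/adm/info
*.=info;*.=notice;mail.none   /var/log/messages
"""
RULES = parse_rules(SAMPLE_CONF)
```

Calling route(RULES, "kern", "crit") returns the three actions a critical kernel message reaches (the kernel file, @finlandia and /dev/console), while route(RULES, "kern", "err") returns only the kernel file because kern.!err removed err and above from the kernel-info rule. Because the auth rule with "~" sits first, route(RULES, "auth", "crit") returns just ["@remote"]: the message never reaches /var/adm/critical or /var/log/messages, which is exactly the effect of an early stop in a rule set and the reason rule order matters when you forward security logs to a collector.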