Centos
Rsyslog 不斷寫入 /var/log/messages 和子文件夾
我在 CentOS 8 上有一個 rsyslog,我用這部分配置將幾個系統配置到子文件夾
$template RemoteLogs,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log" *.* ?RemoteLogs
這工作正常,但來自遠端系統的所有日誌都被寫入 /var/log/messages。我怎麼能在他們自己的子文件夾中有遠端日誌而不被寫入**/var/log/messages**?
這是我的配置文件。
# rsyslog configuration file # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html # or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### module(load="imuxsock" # provides support for local system logging (e.g. via logger command) SysSock.Use="off") # Turn off message reception via local log socket; # local messages are retrieved through imjournal now. module(load="imjournal" # provides access to the systemd journal StateFile="imjournal.state") # File to store the position in the journal module(load="imklog") # reads kernel messages (the same are read from journald) #module(load"immark") # provides --MARK-- message capability # Provides UDP syslog reception # for parameters see http://www.rsyslog.com/doc/imudp.html module(load="imudp") # needs to be done just once input(type="imudp" port="514") # Provides TCP syslog reception # for parameters see http://www.rsyslog.com/doc/imtcp.html #module(load="imtcp") # needs to be done just once #input(type="imtcp" port="514") $template RemoteLogs,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log" *.* ?RemoteLogs # # Set the default permissions for all log files. # $FileCreateMode 0640 $DirCreateMode 0755 $Umask 0022 # These may require root $FileOwner syslog $FileGroup syslog $PrivDropToUser syslog $PrivDropToGroup syslog #### GLOBAL DIRECTIVES #### # Where to place auxiliary files global(workDirectory="/var/lib/rsyslog") # Use default timestamp format module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat") # Include all config files in /etc/rsyslog.d/ include(file="/etc/rsyslog.d/*.conf" mode="optional") #### RULES #### # Log all kernel messages to the console. # Logging much else clutters up the screen. kern.* /var/log/messages # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* -/var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg :omusrmsg:* # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log # ### sample forwarding rule ### #action(type="omfwd" # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. #queue.filename="fwdRule1" # unique name prefix for spool files #queue.maxdiskspace="1g" # 1gb space limit (use as much as possible) #queue.saveonshutdown="on" # save messages to disk on shutdown #queue.type="LinkedList" # run asynchronously #action.resumeRetryCount="-1" # infinite retries if host is down # Remote Logging (we use TCP for reliable delivery) # remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514 #Target="remote_host" Port="XXX" Protocol="tcp") [root@rsyslog log]# [root@rsyslog log]# cat /etc/rsyslog.conf # rsyslog configuration file # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html # or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### module(load="imuxsock" # provides support for local system logging (e.g. via logger command) SysSock.Use="off") # Turn off message reception via local log socket; # local messages are retrieved through imjournal now. module(load="imjournal" # provides access to the systemd journal StateFile="imjournal.state") # File to store the position in the journal module(load="imklog") # reads kernel messages (the same are read from journald) #module(load"immark") # provides --MARK-- message capability # Provides UDP syslog reception # for parameters see http://www.rsyslog.com/doc/imudp.html module(load="imudp") # needs to be done just once input(type="imudp" port="514") # Provides TCP syslog reception # for parameters see http://www.rsyslog.com/doc/imtcp.html #module(load="imtcp") # needs to be done just once #input(type="imtcp" port="514") $template RemoteLogs,"/var/log/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log" *.* ?RemoteLogs # # Set the default permissions for all log files. # $FileCreateMode 0640 $DirCreateMode 0755 $Umask 0022 # These may require root $FileOwner syslog $FileGroup syslog $PrivDropToUser syslog $PrivDropToGroup syslog #### GLOBAL DIRECTIVES #### # Where to place auxiliary files global(workDirectory="/var/lib/rsyslog") # Use default timestamp format module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat") # Include all config files in /etc/rsyslog.d/ include(file="/etc/rsyslog.d/*.conf" mode="optional") #### RULES #### # Log all kernel messages to the console. # Logging much else clutters up the screen. kern.* /var/log/messages # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* -/var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg :omusrmsg:* # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log # ### sample forwarding rule ### #action(type="omfwd" # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. #queue.filename="fwdRule1" # unique name prefix for spool files #queue.maxdiskspace="1g" # 1gb space limit (use as much as possible) #queue.saveonshutdown="on" # save messages to disk on shutdown #queue.type="LinkedList" # run asynchronously #action.resumeRetryCount="-1" # infinite retries if host is down # Remote Logging (we use TCP for reliable delivery) # remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514 #Target="remote_host" Port="XXX" Protocol="tcp")
您正在定義規範以在不使用停止的情況下儲存外部日誌。因此,外部日誌儲存在您的模板中,也儲存在本地系統日誌中。要將模板僅用於外部日誌,我使用:
*.* ?RemoteLogs if $fromhost-ip != '127.0.0.1' then stop
然後將外部日誌儲存在模板中,由於 IP 不是 127.0.0.1,因此停止該過程。這意味著本地日誌也記錄在 RemoteLogs 模板中。當然,停止線的位置必須在模板使用之後!