Linux

rsyslog 8 萬用字元停止發送

  • July 15, 2016

我們在使用 rsyslog8 萬用字元功能和預設情況下生成的帶有日期的日誌時遇到問題。Rsyslog 將在我第一次添加配置時發送日誌消息,但在最初處理文件後停止發送。以前我們使用過 nxlog 並且它有效,但我們希望標準化 rsyslog 上的所有內容,因為它是 CentOS 的預設設置。有任何想法嗎?

範例文件名: server.2016-07-12.log

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ModLoad omrelp

module(load="imfile"
    mode="inotify"
)


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$PreserveFQDN on

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### Filter ####

if $programname == 'dhclient' and $syslogseverity == '6' then stop
if $programname == 'snmpd' and ( $msg contains 'Connection from UDP' or $msg contains 'Received SNMP packet(s) from UDP' ) then stop

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages or app logs!
*.info;mail.none;authpriv.none;cron.none;local4.none   /var/log/messages


# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.=emerg                                                        :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

#Queuing setup
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionResumeInterval 10
$ActionQueueSize 100000
$ActionQueueDiscardMark 97500
$ActionQueueHighWaterMark 80000
$ActionQueueType LinkedList
$ActionQueueFileName queue
$ActionQueueCheckpointInterval 100
$ActionQueueMaxDiskSpace 2g
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
$ActionQueueTimeoutEnqueue 10
$ActionQueueDiscardSeverity 0

#SSL Configuration
$DefaultNetstreamDriverCAFile /etc/ssl/certs/cert.pem
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer log.domain.com

*.info;mail.none;authpriv.none;cron.none;local4.*   @@log.domain.com:5514

#Server Log File
input(type="imfile"
     File="/var/log/server/*.log"
     Tag="server_log"
     Severity="error"
     Facility="local4")

我發現我在 /var/spool/rsyslog 中有舊的狀態文件。刪除後一切都按預期工作。

引用自:https://serverfault.com/questions/789438