Wednesday, January 22, 2014

Install rsyslog 7 on CentOS 6

Summary

Rsyslog v5 is installed by default on the CentOS 6 series.
This post records how to install rsyslog v7 on CentOS 6 and forward syslog over TCP.
(v7 adopts the new RainerScript configuration format while keeping backward compatibility with the legacy format, so I also try writing the configuration in the new format.)

Install rsyslog v7

I install it following the procedure on the rsyslog website.
The rsyslog community (Adiscon) provides RPMs of the latest versions, so I take advantage of those.
Add a file containing the repository definition.
# cat /etc/yum.repos.d/rsyslog.repo
[rsyslog-v7-stable]
name=Adiscon Rsyslog v7-stable for CentOS-$releasever-$basearch
baseurl=http://rpms.adiscon.com/v7-stable/epel-$releasever/$basearch
enabled=1
gpgcheck=0
protect=1
Note that gpgcheck=0 disables RPM signature verification for this repository, and baseurl is plain http, so the packages are trusted purely on the strength of the download; for anything beyond a test box, import the repository's signing key and set gpgcheck=1.
For the list of available repositories, see the repository index. As of 2013/12/23 the following are provided:
  • v5-stable
  • v6-stable
  • v7-stable
  • v7-devel
  • v8-devel

Update the package information

# yum update
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: ftp.iij.ad.jp
 * extras: ftp.iij.ad.jp
 * updates: ftp.iij.ad.jp
base                                                     | 3.7 kB     00:00
extras                                                   | 3.4 kB     00:00
extras/primary_db                                        |  19 kB     00:00
rsyslog-v7-stable                                        | 2.5 kB     00:00
rsyslog-v7-stable/primary_db                             | 103 kB     00:02
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 817 kB     00:01
Setting up Update Process
...

# yum info rsyslog
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.iij.ad.jp
 * epel: ftp.iij.ad.jp
 * extras: ftp.iij.ad.jp
 * updates: ftp.iij.ad.jp
Installed Packages
Name        : rsyslog
Arch        : x86_64
Version     : 7.4.7
Release     : 1.el6
Size        : 2.8 M
Repo        : installed
From repo   : rsyslog-v7-stable
Summary     : Enhanced system logging and kernel message trapping daemon
URL         : http://www.rsyslog.com/
License     : (GPLv3+ and ASL 2.0)
Description : Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
            : syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part,
            : and fine grain output format control. It is compatible with stock sysklogd
            : and can be used as a drop-in replacement. Rsyslog is simple to set up, with
            : advanced features suitable for enterprise-class, encryption-protected syslog
            : relay chains.

Install rsyslog

# yum install rsyslog
...
# rsyslogd -v
rsyslogd 7.4.7, compiled with:
        FEATURE_REGEXP:                         Yes
        FEATURE_LARGEFILE:                      No
        GSSAPI Kerberos 5 support:              Yes
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:      Yes
        64bit Atomic operations supported:      Yes
        Runtime Instrumentation (slow code):    No
        uuid support:                           Yes

See http://www.rsyslog.com for more information.

Server Setting

On the log-receiving server, change the configuration file /etc/rsyslog.conf so that it accepts logs forwarded over TCP.
The minimal configuration (as in the imtcp documentation) is
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
which is enough to accept forwarded logs on port 514.
I write the following, in the new format:
# /etc/rsyslog.conf

# define log filename
template(name="TransferFilename" type="string" string="/var/log/rsyslog/%fromhost%/syslog.log")

# Import imtcp module
module(load="imtcp"
       keepalive="on"
       MaxSessions="200"
       MaxListeners="20"
       NotifyOnConnectionClose="on")

# Provides TCP syslog reception on port 514
input(type="imtcp"
      port="514")

# Messages forwarded over TCP are written to the path given by TransferFilename
# The output target starts with "-", so writes are buffered
# "& stop" keeps the TCP-forwarded messages out of the
# normal syslog rules configured below this point
if $inputname == "imtcp" then -?TransferFilename
& stop

# ... normal syslog configuration follows below
Logs forwarded over TCP are written to a separate directory per sending host (%fromhost%), so they do not get mixed into this machine's own local syslog. Note that %fromhost% is the peer name as resolved by the receiver, not the hostname field inside the message, and that this listener accepts plain-text TCP from any peer on every interface; restrict the senders with iptables (or rsyslog's $AllowedSender directive) and consider TLS before using it outside a lab.
For the detailed settings, see the rsyslog documentation for imtcp.
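The following is an added example, not code from the original post or from rsyslog. It shows what the client writes to the TCP stream when forwarding with @@host:514 (a traditional RFC 3164 line terminated by a newline, rsyslog's default framing, no TLS), how the receiver re-frames those lines out of the byte stream, and how the per-host path of the TransferFilename template should be derived so that a hostile peer name cannot escape /var/log/rsyslog. The routing key is the name the receiver learned from the peer (what rsyslog exposes as %fromhost%), never the hostname field inside the message (%hostname%), which the sender controls completely. safe_hostname() is my own sanitiser; rsyslog offers the secpath-replace and secpath-drop property options for the same purpose. The sample message is constructed.

```python
"""Added example for this post; not code from the original page or from rsyslog.

(1) the record an rsyslog client writes to the TCP stream when forwarding
    with '@@host:514' / omfwd protocol="tcp": a traditional RFC 3164 line
    terminated by a newline (rsyslog's default framing, no TLS assumed);
(2) how the receiver re-frames those lines from the byte stream; and
(3) how the per-host path of the TransferFilename template should be derived
    so that a hostile peer name cannot escape /var/log/rsyslog.
safe_hostname() is my own sanitiser, not rsyslog code."""
import os
import re

FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
            "authpriv": 10, "local0": 16, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
LOGDIR = "/var/log/rsyslog"   # base directory of the TransferFilename template


def build_rfc3164(facility, severity, timestamp, hostname, tag, msg):
    """Client side: one traditional syslog record as omfwd sends it over TCP."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]      # 'user.notice' -> <13>
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}\n"


def split_frames(stream_buf):
    """Receiver side: cut complete newline-framed records out of a TCP byte
    stream and return (records, leftover). TCP preserves no message
    boundaries, so one read may hold half a record or several."""
    *complete, rest = stream_buf.split(b"\n")
    return [c.decode("utf-8", "replace") for c in complete if c], rest


LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_rfc3164(record):
    """Split PRI, timestamp, hostname and the rest (TAG + MSG) of a record."""
    m = LINE_RE.match(record)
    if not m:
        raise ValueError(f"not an RFC 3164 record: {record!r}")
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group(2), "hostname": m.group(3), "msg": m.group(4)}


def safe_hostname(fromhost):
    """Make a peer-derived name safe as a single path component."""
    cleaned = re.sub(r"[^A-Za-z0-9.-]", "_", fromhost)   # removes '/', NUL, blanks
    if cleaned.strip(".") == "":                          # '', '.', '..', '...'
        cleaned = "_"
    return cleaned


def transfer_filename(fromhost, base=LOGDIR):
    """Path the template '/var/log/rsyslog/%fromhost%/syslog.log' should give."""
    path = os.path.normpath(os.path.join(base, safe_hostname(fromhost), "syslog.log"))
    if not path.startswith(base + "/"):                   # defence in depth
        raise ValueError(f"path escapes {base}: {path}")
    return path


def unsafe_transfer_filename(fromhost, base=LOGDIR):
    """The same template with the peer name used verbatim, to show the problem."""
    return os.path.normpath(os.path.join(base, fromhost, "syslog.log"))


def receive(stream_buf, fromhost):
    """Reframe, parse and group records by destination file, mirroring the
    rule 'if $inputname == "imtcp" then -?TransferFilename'. fromhost is the
    peer name the receiver resolved, one per TCP connection."""
    records, leftover = split_frames(stream_buf)
    routed = {}
    for rec in records:
        routed.setdefault(transfer_filename(fromhost), []).append(parse_rfc3164(rec))
    return routed, leftover


if __name__ == "__main__":
    # constructed sample: what 'logger test logging' on cent64b produces (user.notice)
    wire = build_rfc3164("user", "notice", "Dec 24 03:38:09", "cent64b", "root", "test logging")
    routed, rest = receive(wire.encode() + b"<13>Dec 24 03:38:10 cent64b root: partial", "cent64b")
    print(routed, rest)
    print(unsafe_transfer_filename("../../../etc/cron.d"))   # escapes the log directory
    print(transfer_filename("../../../etc/cron.d"))          # stays inside it
```

The unsafe variant shows why a dynafile path built from an attacker-influenced name needs sanitising: a peer name of ../../../etc/cron.d would make the template write under /etc/cron.d, whereas the sanitised path stays under the log directory.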

Reload Configuration

Syntax check of the configuration file

Before enabling the configuration, check its syntax with rsyslogd -N1.
# rsyslogd -f /etc/rsyslog.conf -N 1
rsyslogd: version 7.4.7, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
If -f is not given, /etc/rsyslog.conf is used.
In the configuration above,
if $inputname == "imtcp" then -?TransferFilename
& stop
if the stop is replaced by the legacy discard action ~,
if $inputname == "imtcp" then -?TransferFilename
& ~
a deprecation warning like the following is printed.
# rsyslogd -f /etc/rsyslog.conf -N 1
rsyslogd: version 7.4.7, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]
rsyslogd: End of config validation run. Bye.

Reload the configuration

Recent versions of rsyslog do not re-read the configuration on SIGHUP (HUP only reopens output files), so to load the new configuration, restart the rsyslogd daemon.
Then confirm that TCP port 514 is in LISTEN state.
# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
# netstat -tl --numeric-ports
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 *:80                        *:*                         LISTEN
tcp        0      0 *:22                        *:*                         LISTEN
tcp        0      0 localhost:25                *:*                         LISTEN
tcp        0      0 *:514                       *:*                         LISTEN
TCP port 514 is registered in /etc/services as the remote shell (rsh) service:
$ grep ' 514/' /etc/services
shell           514/tcp         cmd             # no passwords used
syslog          514/udp
So without --numeric-ports, netstat shows this listener as "shell" rather than 514.

Client Setting

Forward syslog over TCP to the log server (192.168.0.1).
If the log server does not respond, messages are spooled to a disk queue on the local disk.
In the legacy format:
$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
*.* @@192.168.0.1:514
Written like this. With a single @ instead of @@, the transport is UDP.
In the new format I write:
$WorkDirectory /var/lib/rsyslog
*.* action(type="omfwd"
           protocol="tcp"
           target="cent64a"
           port="514"
           queue.FileName="fwdRule1"
           queue.MaxDiskSpace="1g"
           queue.SaveOnShutdown="on"
           queue.size="1000"
           queue.Type="LinkedList"
           action.resumeretrycount="-1"
           )
Instead of a row of global directives whose scope is hard to see, it is now explicit which action each parameter applies to.
If I stop the rsyslog process on the destination log server and then generate a lot of log output,
# ls -l /var/lib/rsyslog/
total 7696
-rw-------. 1 root root 1048882 Dec 24 03:21 fwdRule1.00000001
-rw-------. 1 root root 1048924 Dec 24 03:21 fwdRule1.00000002
-rw-------. 1 root root 1048944 Dec 24 03:21 fwdRule1.00000003
-rw-------. 1 root root 1048950 Dec 24 03:21 fwdRule1.00000004
-rw-------. 1 root root 1048880 Dec 24 03:21 fwdRule1.00000005
-rw-------. 1 root root 1048938 Dec 24 03:22 fwdRule1.00000006
-rw-------. 1 root root 1048728 Dec 24 03:22 fwdRule1.00000007
-rw-------. 1 root root  510460 Dec 24 03:22 fwdRule1.00000008
# tail -n 20 /var/lib/rsyslog/fwdRule1.00000008
+pszRcvFromIP:1:9:127.0.0.1:
+offMSG:2:2:25:
>End
.
<Obj:1:msg:1:
+iProtocolVersion:2:1:0:
+iSeverity:2:1:5:
+iFacility:2:1:1:
+msgFlags:2:1:4:
+ttGenTime:2:10:1387822923:
+tRcvdAt:3:34:2:2013:12:24:3:22:3:550422:6:+:9:0:
+tTIMESTAMP:3:34:2:2013:12:24:3:22:3:550422:6:+:9:0:
+pszTAG:1:5:root::
+pszRawMsg:1:27:<13>Dec 24 03:22:03 root: 1:
+pszInputName:1:8:imuxsock:
+pszRcvFrom:1:7:cent64b:
+pszRcvFromIP:1:9:127.0.0.1:
+offMSG:2:2:25:
>End
.
the messages are spooled like this.
Besides the disk queue, in-memory queues (the default) and direct queues can also be used. For details on queues, see the rsyslog documentation.
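The spool files above are rsyslog's own serialization of queued messages, and in an incident they may be the only copy of what a dead forwarder never delivered. The following is an added example, not code from the original post or from rsyslog: a small reader for the property lines ('+name:type:length:value:' between '<Obj:' and '>End') that lists the waiting messages with their provenance. The meaning of the type codes (1 = string, 2 = integer, 3 = syslog time with colon-separated fields) and the field order of the time value are inferred from the sample above, not taken from rsyslog documentation. The embedded sample is the tail shown above, cut mid-record as tail does, with the PRI <13> in front of the raw message (the declared length 27 includes those four characters, which a web page rendering swallows as a tag); it only handles complete objects and ignores the .qi index file.

```python
"""Added example for this post; not code from the original page or from rsyslog.

Reads the property lines of an rsyslog disk-queue spool dump
('+name:type:length:value:' between '<Obj:...' and '>End') and lists the
syslog messages still waiting to be forwarded. Type codes are inferred from
the sample: 1 = string, 2 = integer, 3 = syslog time whose colon-separated
fields are timeType:year:month:day:hour:minute:second:secfrac:precision:
tzsign:tzhour:tzminute."""

# Constructed sample: the tail of fwdRule1.00000008 from the post, cut
# mid-record as 'tail' would. The raw message carries its PRI '<13>'
# (iFacility 1 * 8 + iSeverity 5 = 13; the declared length 27 includes it).
SAMPLE = """+pszRcvFromIP:1:9:127.0.0.1:
+offMSG:2:2:25:
>End
.
<Obj:1:msg:1:
+iProtocolVersion:2:1:0:
+iSeverity:2:1:5:
+iFacility:2:1:1:
+msgFlags:2:1:4:
+ttGenTime:2:10:1387822923:
+tRcvdAt:3:34:2:2013:12:24:3:22:3:550422:6:+:9:0:
+tTIMESTAMP:3:34:2:2013:12:24:3:22:3:550422:6:+:9:0:
+pszTAG:1:5:root::
+pszRawMsg:1:27:<13>Dec 24 03:22:03 root: 1:
+pszInputName:1:8:imuxsock:
+pszRcvFrom:1:7:cent64b:
+pszRcvFromIP:1:9:127.0.0.1:
+offMSG:2:2:25:
>End
.
"""


def parse_prop_line(line):
    """'+name:type:len:value:' -> (name, type, value). Values may contain ':'
    (TAG 'root:', timestamps), so the value is cut by its declared length."""
    name, ptype, plen, rest = line[1:].split(":", 3)
    plen = int(plen)
    value = rest[:plen]
    if rest[plen:] != ":":          # tolerate differing length bookkeeping
        value = rest[:-1] if rest.endswith(":") else rest
    return name, int(ptype), value


def decode(ptype, value):
    if ptype == 1:                  # psz*: string
        return value
    if ptype == 2:                  # i*, off*, tt*: integer
        return int(value)
    if ptype == 3:                  # t*: syslog time
        f = value.rstrip(":").split(":")
        return {"year": int(f[1]), "month": int(f[2]), "day": int(f[3]),
                "hour": int(f[4]), "minute": int(f[5]), "second": int(f[6]),
                "usec": int(f[7]), "tz": f"{f[9]}{int(f[10]):02d}:{int(f[11]):02d}"}
    return value


def parse_queue_dump(text):
    """Return one dict per complete serialized object in the dump."""
    objs, cur = [], None
    for line in text.splitlines():
        if line.startswith("<Obj:"):            # '<Obj:1:msg:1:' opens a msg object
            cur = {}
        elif line.startswith("+") and cur is not None:
            name, ptype, value = parse_prop_line(line)
            cur[name] = decode(ptype, value)
        elif line == ">End" and cur is not None:
            objs.append(cur)
            cur = None
        # '.' terminates the record; anything before the first '<Obj:' is a
        # partial record (or file header) and is skipped
    return objs


def recover_messages(text):
    """List the raw syslog lines waiting in the spool with their provenance.
    offMSG is the offset of MSG inside pszRawMsg; rsyslog keeps MSG's leading
    space, so the MSG of 'root: 1' comes back as ' 1'."""
    out = []
    for o in parse_queue_dump(text):
        if "pszRawMsg" not in o:
            continue
        out.append({"raw": o["pszRawMsg"], "msg": o["pszRawMsg"][o["offMSG"]:],
                    "from": o.get("pszRcvFrom"), "input": o.get("pszInputName"),
                    "received": o.get("tRcvdAt"), "gen_time": o.get("ttGenTime")})
    return out


if __name__ == "__main__":
    for m in recover_messages(SAMPLE):
        print(m)
```

Run against a real spool directory, the reader is pointed at each fwdRule1.* file in turn; the ttGenTime epoch value (1387822923 here) and the tRcvdAt fields with their +09:00 offset let you reconcile the recovered lines with what did arrive at the log server.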

Sample Logging

Now I actually try sending a syslog message.
On the client:
$ logger test logging
On the logging server:
$ tail -f  /var/log/rsyslog/cent64b/syslog.log
2013-12-24T03:38:09+09:00 cent64b root: test logging
This shows the log was forwarded successfully.
