Summary
Rsyslog v5 is installed by default on the CentOS 6 series. This is a note on installing rsyslog v7 on that CentOS and forwarding syslog over TCP.
Since v7 adopted a new configuration format (RainerScript) while keeping backward compatibility with the legacy format, I also try writing the configuration in the new format.
Install rsyslog v7
I install it following the page linked below. The rsyslog community provides RPMs of the latest version, so I make use of those.
Add a file containing the repository information:

    # cat /etc/yum.repos.d/rsyslog.repo
    [rsyslog-v7-stable]
    name=Adiscon Rsyslog v7-stable for CentOS-$releasever-$basearch
    baseurl=http://rpms.adiscon.com/v7-stable/epel-$releasever/$basearch
    enabled=1
    gpgcheck=0
    protect=1

For the list of available packages, see the following files.
The following packages were provided as of 2013/12/23:
- v5-stable
- v6-stable
- v7-stable
- v7-devel
- v8-devel
Update the package information

    # yum update
    Loaded plugins: fastestmirror
    Determining fastest mirrors
     * base: ftp.iij.ad.jp
     * extras: ftp.iij.ad.jp
     * updates: ftp.iij.ad.jp
    base                          | 3.7 kB     00:00
    extras                        | 3.4 kB     00:00
    extras/primary_db             |  19 kB     00:00
    rsyslog-v7-stable             | 2.5 kB     00:00
    rsyslog-v7-stable/primary_db  | 103 kB     00:02
    updates                       | 3.4 kB     00:00
    updates/primary_db            | 817 kB     00:01
    Setting up Update Process
    ...
    # yum info rsyslog
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: ftp.iij.ad.jp
     * epel: ftp.iij.ad.jp
     * extras: ftp.iij.ad.jp
     * updates: ftp.iij.ad.jp
    Installed Packages
    Name        : rsyslog
    Arch        : x86_64
    Version     : 7.4.7
    Release     : 1.el6
    Size        : 2.8 M
    Repo        : installed
    From repo   : rsyslog-v7-stable
    Summary     : Enhanced system logging and kernel message trapping daemon
    URL         : http://www.rsyslog.com/
    License     : (GPLv3+ and ASL 2.0)
    Description : Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
                : syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part,
                : and fine grain output format control. It is compatible with stock sysklogd
                : and can be used as a drop-in replacement. Rsyslog is simple to set up, with
                : advanced features suitable for enterprise-class, encryption-protected syslog
                : relay chains.
Install the rsyslog
    # yum install rsyslog
    ...
    # rsyslogd -v
    rsyslogd 7.4.7, compiled with:
            FEATURE_REGEXP:                         Yes
            FEATURE_LARGEFILE:                      No
            GSSAPI Kerberos 5 support:              Yes
            FEATURE_DEBUG (debug build, slow code): No
            32bit Atomic operations supported:      Yes
            64bit Atomic operations supported:      Yes
            Runtime Instrumentation (slow code):    No
            uuid support:                           Yes

    See http://www.rsyslog.com for more information.
Server Setting
On the log receiving server, change the configuration file (/etc/rsyslog.conf) so that it accepts logs forwarded over TCP.
In its simplest form, writing the following accepts forwarded logs on port 514:

    module(load="imtcp") # needs to be done just once
    input(type="imtcp" port="514")
Written in the new format, it looks like this:

    # /etc/rsyslog.conf
    # define log filename
    template(name="TransferFilename" type="string" string="/var/log/rsyslog/%fromhost%/syslog.log")

    # Import imtcp module
    module(load="imtcp" keepalive="on" MaxSessions="200" MaxListeners="20" NotifyOnConnectionClose="on")

    # Provides TCP syslog reception on port 514
    input(type="imtcp" port="514")

    # Logs forwarded over TCP are written to the path given by TransferFilename.
    # The output path starts with "-", so writes are buffered.
    # "& stop" keeps the TCP-forwarded logs from being mixed into the
    # normal syslog configuration below this point.
    if $inputname == "imtcp" then -?TransferFilename
    & stop

    # ... normal syslog settings follow below

Logs forwarded over TCP are written to a separate directory per source host (%fromhost%), and the local syslog is written elsewhere so that the machines' logs are not mixed. For detailed settings, see the next page.
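To see what the template above produces without a second machine, here is a small TCP receiver that applies the same rule: one directory per source host under a base directory, one syslog.log per host. It is an added example, not code from the original post or from the rsyslog project. Its assumptions are mine: frames are newline-delimited (the default framing omfwd uses), the source name is taken from the peer address (which is what %fromhost% is derived from, never from the message text), and that name is reduced to a single safe path component before it is used in a path. The helper names (source_dir_name, split_frames, store_frames, round_trip) are invented for this example.

```python
"""Per-source file routing like the imtcp + %fromhost% template above.

Added example, not code from the original post or from the rsyslog project.
Assumptions of mine: frames are newline-delimited (omfwd's default framing);
the source name is derived from the peer address, as %fromhost% is, never from
the message text; and it is reduced to one safe path component before use.
"""
import os
import re
import socket
import socketserver
import tempfile
import threading

_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def source_dir_name(fromhost: str) -> str:
    """Map a peer name or address to a single safe directory name.

    Characters outside [A-Za-z0-9._-] become '_' and surrounding dots are
    stripped, so the result is never '', '.', '..' or something with a '/'.
    """
    name = _UNSAFE.sub("_", fromhost).strip(".")
    return name or "unknown"


def split_frames(data: bytes):
    """Cut a TCP byte stream into complete syslog frames (one per line).

    Returns (frames, remainder); the remainder is an unterminated partial
    line that the caller keeps until more bytes arrive on the connection.
    """
    lines = data.split(b"\n")
    remainder = lines.pop()  # b"" when data ended on a newline
    frames = [l.rstrip(b"\r").decode("utf-8", errors="replace") for l in lines if l]
    return frames, remainder


def store_frames(base_dir: str, peer_ip: str, frames) -> str:
    """Append frames to <base_dir>/<fromhost>/syslog.log and return that path."""
    target_dir = os.path.join(base_dir, source_dir_name(peer_ip))
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, "syslog.log")
    with open(path, "a", encoding="utf-8") as out:
        for frame in frames:
            out.write(frame + "\n")
    return path


def new_base_dir() -> str:
    """Fresh scratch directory standing in for /var/log/rsyslog."""
    return tempfile.mkdtemp(prefix="rsyslog-demo-")


class _Handler(socketserver.BaseRequestHandler):
    """One connection: buffer bytes and store every complete frame as it arrives."""

    def handle(self):
        buf = b""
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                break  # peer closed; an unterminated tail is dropped
            frames, buf = split_frames(buf + chunk)
            if frames:
                store_frames(self.server.base_dir, self.client_address[0], frames)
        self.server.done.set()


class _Server(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, base_dir):
        super().__init__(("127.0.0.1", 0), _Handler)  # port 0: pick a free port
        self.base_dir = base_dir
        self.done = threading.Event()


def round_trip(messages, base_dir=None):
    """Run a receiver on localhost, send `messages` over one TCP connection,
    and return the lines that ended up in the sender's syslog.log."""
    base_dir = base_dir or new_base_dir()
    server = _Server(base_dir)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(server.server_address) as client:
            client.sendall("".join(m + "\n" for m in messages).encode("utf-8"))
        server.done.wait(timeout=5)  # let the handler drain the connection
    finally:
        server.shutdown()
        server.server_close()
    path = os.path.join(base_dir, source_dir_name("127.0.0.1"), "syslog.log")
    with open(path, encoding="utf-8") as f:
        return f.read().splitlines()


if __name__ == "__main__":
    # Constructed messages in the RFC 3164 shape that logger(1) produces.
    for line in round_trip(["<13>Dec 24 03:38:09 cent64b root: test logging",
                            "<13>Dec 24 03:38:10 cent64b root: second message"]):
        print(line)
```

Running it stand-alone prints the two constructed messages as they were stored under a directory named after the loopback address, the same layout the template produces under /var/log/rsyslog/.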
Reload Configuration
Syntax check of the configuration file
Before enabling the setting, run rsyslogd -N1 to check the syntax of the configuration file:

    # rsyslogd -f /etc/rsyslog.conf -N 1
    rsyslogd: version 7.4.7, config validation run (level 1), master config /etc/rsyslog.conf
    rsyslogd: End of config validation run. Bye.

If the -f option is not given, /etc/rsyslog.conf is used.
In the configuration above, if the "stop" in

    if $inputname == "imtcp" then -?TransferFilename
    & stop

is changed to the old-format "~", as in

    if $inputname == "imtcp" then -?TransferFilename
    & ~

a deprecation warning like the following is displayed:

    # rsyslogd -f /etc/rsyslog.conf -N 1
    rsyslogd: version 7.4.7, config validation run (level 1), master config /etc/rsyslog.conf
    rsyslogd: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]
    rsyslogd: End of config validation run. Bye.
Reload the configuration
Recent rsyslog does not re-read the configuration file when it is sent a HUP, so restart the rsyslogd daemon to re-read the configuration. Then confirm that TCP port 514 is in the LISTEN state:

    # service rsyslog restart
    Shutting down system logger:                               [  OK  ]
    Starting system logger:                                    [  OK  ]
    # netstat -tl --numeric-ports
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State
    tcp        0      0 *:80                        *:*                         LISTEN
    tcp        0      0 *:22                        *:*                         LISTEN
    tcp        0      0 localhost:25                *:*                         LISTEN
    tcp        0      0 *:514                       *:*                         LISTEN
    tcp        0      0 *:22                        *:*                         LISTEN
    tcp        0      0 localhost:25                *:*                         LISTEN
    tcp        0      0 *:514                       *:*                         LISTEN

TCP port 514 is generally assigned to remote shell (rsh) in /etc/services:

    $ grep ' 514/' /etc/services
    shell           514/tcp         cmd             # no passwords used
    syslog          514/udp

so if netstat is run without numeric port output, the port shows up as "shell" instead.
Client Setting
Forward syslog over TCP to the log server (192.168.0.1). If the destination log server does not respond, messages are spooled (disk queue) on the local disk.
In the legacy format you write something like:

    $WorkDirectory /var/lib/rsyslog     # where to place spool files
    $ActionQueueFileName fwdRule1       # unique name prefix for spool files
    $ActionQueueMaxDiskSpace 1g         # 1gb space limit (use as much as possible)
    $ActionQueueSaveOnShutdown on       # save messages to disk on shutdown
    $ActionQueueType LinkedList         # run asynchronously
    $ActionResumeRetryCount -1          # infinite retries if host is down
    *.* @@192.168.0.1:514

A single @ means UDP transport.
Written in the new format:

    $WorkDirectory /var/lib/rsyslog
    *.* action(type="omfwd"
               protocol="tcp"
               target="cent64a"
               port="514"
               queue.FileName="fwdRule1"
               queue.MaxDiskSpace="1g"
               queue.SaveOnShutdown="on"
               queue.size="1000"
               queue.Type="LinkedList"
               action.resumeretrycount="-1"
    )

Instead of lining up hard-to-read global variables, it is now clear which settings are defined for which action.
Stopping the rsyslog process on the destination log server and then producing a lot of log output...

    # ls -l /var/lib/rsyslog/
    total 7696
    -rw-------. 1 root root 1048882 Dec 24 03:21 fwdRule1.00000001
    -rw-------. 1 root root 1048924 Dec 24 03:21 fwdRule1.00000002
    -rw-------. 1 root root 1048944 Dec 24 03:21 fwdRule1.00000003
    -rw-------. 1 root root 1048950 Dec 24 03:21 fwdRule1.00000004
    -rw-------. 1 root root 1048880 Dec 24 03:21 fwdRule1.00000005
    -rw-------. 1 root root 1048938 Dec 24 03:22 fwdRule1.00000006
    -rw-------. 1 root root 1048728 Dec 24 03:22 fwdRule1.00000007
    -rw-------. 1 root root  510460 Dec 24 03:22 fwdRule1.00000008
    # tail -n 20 /var/lib/rsyslog/fwdRule1.00000008
    +pszRcvFromIP:1:9:127.0.0.1:
    +offMSG:2:2:25:
    >End
    .
    <Obj:1:msg:1:
    +iProtocolVersion:2:1:0:
    +iSeverity:2:1:5:
    +iFacility:2:1:1:
    +msgFlags:2:1:4:
    +ttGenTime:2:10:1387822923:
    +tRcvdAt:3:34:2:2013:12:24:3:22:3:550422:6:+:9:0:
    +tTIMESTAMP:3:34:2:2013:12:24:3:22:3:550422:6:+:9:0:
    +pszTAG:1:5:root::
    +pszRawMsg:1:27:Dec 24 03:22:03 root: 1:
    +pszInputName:1:8:imuxsock:
    +pszRcvFrom:1:7:cent64b:
    +pszRcvFromIP:1:9:127.0.0.1:
    +offMSG:2:2:25:
    >End
    .

the messages are spooled like this.
Besides the disk queue, in-memory (the default) and direct queues can also be selected. For details on queues, see the following URL:
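The spool files above are what remains of the client's messages while the log server is down, so being able to read them matters when you need to know what was queued (or to recover it) after an outage. The following reader is an added example, not code from the original post or from the rsyslog project, and it covers both the client queue configuration and the dump above. Its record layout is inferred from that dump rather than taken from rsyslog documentation, so it is an assumption of mine: a record runs from a line starting "<Obj:" to the next ">End"; each property line is "+name:type:length:value:", where the length says how many characters of the value follow (so values may contain colons); type 1 is a string, type 2 an integer and type 3 a timestamp whose fields are assumed to be, in order, timeType:year:month:day:hour:minute:second:fraction:precision:offsetSign:offsetHours:offsetMinutes. The sample file is constructed in that layout with self-consistent lengths, and the function names are invented for this example.

```python
"""Reader for rsyslog disk-queue spool files (fwdRule1.0000000N above).

Added example, not code from the original post or from the rsyslog project.
The record layout below is inferred from the spool dump above, not from
rsyslog documentation, and is an assumption: a record runs from a line
starting "<Obj:" to the next ">End"; each property line is
"+name:type:length:value:", where length gives the number of characters of
value (so values may contain colons); type 1 is a string, type 2 an integer
and type 3 a timestamp assumed to be laid out as
timeType:year:month:day:hour:minute:second:fraction:precision:offsetSign:offsetHours:offsetMinutes.
"""

# Constructed sample in the dump's layout. The first four lines imitate the
# tail of a record that `tail -n 20` cut in the middle; the parser skips it.
SAMPLE_QUEUE_FILE = """\
+pszRcvFromIP:1:9:127.0.0.1:
+offMSG:2:2:22:
>End
.
<Obj:1:msg:1:
+iProtocolVersion:2:1:0:
+iSeverity:2:1:5:
+iFacility:2:1:1:
+msgFlags:2:1:4:
+ttGenTime:2:10:1387822923:
+tRcvdAt:3:34:2:2013:12:24:3:22:3:550422:6:+:9:0:
+tTIMESTAMP:3:34:2:2013:12:24:3:22:3:550422:6:+:9:0:
+pszTAG:1:5:root::
+pszRawMsg:1:23:Dec 24 03:22:03 root: 1:
+pszInputName:1:8:imuxsock:
+pszRcvFrom:1:7:cent64b:
+pszRcvFromIP:1:9:127.0.0.1:
+offMSG:2:2:22:
>End
.
"""


def parse_property(line: str):
    """Parse one '+name:type:length:value:' line into (name, value).

    The declared length, not the colon, delimits the value, so a tag such as
    'root:' or a colon-separated timestamp survives intact. A length that does
    not match the line is rejected rather than silently truncated.
    """
    if not line.startswith("+"):
        raise ValueError("not a property line: %r" % line)
    name, ptype, plen, rest = line[1:].split(":", 3)
    length = int(plen)
    value, trailer = rest[:length], rest[length:]
    if len(value) != length or trailer != ":":
        raise ValueError("length mismatch in %r" % line)
    if int(ptype) == 2:
        return name, int(value)
    return name, value  # type 1 (string) and type 3 (timestamp) kept as text


def parse_queue_file(text: str) -> list:
    """Return one dict per complete record; a truncated leading record is dropped."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("<Obj:"):
            current = {}
        elif line.startswith(">End"):
            if current is not None:
                records.append(current)
            current = None
        elif line.startswith("+") and current is not None:
            name, value = parse_property(line)
            current[name] = value
        # "." separator lines and properties outside a record are ignored
    return records


def format_timestamp(raw: str) -> str:
    """Render an assumed type-3 timestamp as ISO 8601 with its UTC offset."""
    fields = raw.split(":")
    if len(fields) != 12:
        raise ValueError("unexpected timestamp layout: %r" % raw)
    year, month, day, hour, minute, second, frac, precision = (int(x) for x in fields[1:9])
    sign, tz_hours, tz_minutes = fields[9], int(fields[10]), int(fields[11])
    ts = f"{year:04d}-{month:02d}-{day:02d}T{hour:02d}:{minute:02d}:{second:02d}"
    if precision:
        ts += "." + f"{frac:0{precision}d}"
    return f"{ts}{sign}{tz_hours:02d}:{tz_minutes:02d}"


def reconstruct_line(rec: dict) -> str:
    """Rebuild the message in the receiver's file layout (timestamp host tag msg).

    offMSG is the offset into the raw message where the MSG part begins.
    """
    msg = rec["pszRawMsg"][rec["offMSG"]:]
    return f"{format_timestamp(rec['tRcvdAt'])} {rec['pszRcvFrom']} {rec['pszTAG']} {msg}"


def read_queue_file(path: str) -> list:
    """Parse a spool file such as /var/lib/rsyslog/fwdRule1.00000008 from disk."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return parse_queue_file(f.read())


if __name__ == "__main__":
    for rec in parse_queue_file(SAMPLE_QUEUE_FILE):
        print(reconstruct_line(rec))
```

Pointing read_queue_file at a real spool file gives the same dicts, which is enough to count queued messages per source host, check severities, or write the reconstructed lines into a file for re-injection once the server is back.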
Sample Logging
Now I actually try sending syslog output.
On the client server:

    $ logger test logging

On the logging server:

    $ tail -f /var/log/rsyslog/cent64b/syslog.log
    2013-12-24T03:38:09+09:00 cent64b root: test logging

This shows that the log was forwarded successfully.
References
- General information on TCP transport in rsyslog
  http://www.rsyslog.com/doc/imtcp.html
- For installation on Ubuntu, see the following URL:
  http://www.rsyslog.com/ubuntu-repository/
- RainerScript, the configuration language of rsyslog (named after the author of rsyslog, Rainer Gerhards)
  http://www.rsyslog.com/doc/rainerscript.html