rsysylog以文件的形式收录终端的日志信息

 作者:邓聪聪

 方法1;

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
$template DynaFile,"/var/log/%FROMHOST-IP%/%syslogfacility-text%.log"  #收集的日志格式1
*.* -?DynaFile

  #$template IpTemplate,"/var/log/%FROMHOST-IP%.log"  #收集日志格式2
  #*.* ?IpTemplate
  #& ~


$WorkDirectory /var/lib/rsyslog
$template CustomFormat,"%$NOW% %TIMESTAMP:8:15% %HOSTNAME% %syslogtag% %msg%\n"  #修改时间格式
$ActionFileDefaultTemplate CustomFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

more /etc/rsyslog.d/syslog.conf
#### GLOBAL DIRECTIVES ####

# Use default timestamp format # 使用自定义的格式
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %syslogtag% %msg%\n"
$ActionFileDefaultTemplate myFormat 



# 根据客户端的IP单独存放主机日志在不同目录,rsyslog需要手动创建
$template RemoteLogs,"/var/log/rsyslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
# 排除本地主机IP日志记录,只记录远程主机日志
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
# 忽略之前所有的日志,远程主机日志记录完之后不再继续往下记录
& ~


 




 方法2;




$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp 
$UDPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat                               
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state                     
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log





 


客户端:




info-center channel 7 name sw1
info-center loghost 1.1.1.1 channel sw1
info-center loghost 1.1.1.1 source-ip 2.2.2.2 channel sw1




 






            

            
posted @ 
2019-08-30 21:48 
邓聪聪 
阅读(401) 
评论(0编辑 
收藏 
举报