Rsyslog配置不同端口收集不同设备日志

Rsyslog默认只监听514端口，从同一端口收集到的不同设备日志，仅靠 :fromhost-ip, startswith 等匹配条件无法可靠地拆分到不同目录存放。
目录层级:
/data
-/data/IDC_Linux #收集linux日志存放
-/data/IDC_Windows #收集windows日志存放
-/data/Office_Network_FW #收集network device日志存放

]# cat default.conf
# Store each client's logs in its own directory keyed by client IP; the
# directories need to be created manually.
# Dynamic file-name templates: <base>/<client-ip>/<YYYY-MM>/<client-ip>_<YYYY-MM-DD>.log
$template NetworkLogs,"/data/Network_rsyslog/%fromhost-ip%/%$YEAR%-%$MONTH%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
$template LinuxLogs,"/data/Linux_rsyslog/%fromhost-ip%/%$YEAR%-%$MONTH%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"

# prifilt("*.*") matches every facility/priority, so every message reaches the
# legacy property filters below. Routing is by source-IP prefix only, which is
# why devices of different kinds on the same subnet cannot be separated.
if prifilt("*.*") then {
    :fromhost-ip, startswith, "10.11" ?NetworkLogs
    :fromhost-ip, startswith, "10.12" ?LinuxLogs
}
# Discard every message here; rules that follow in this ruleset never see them.
*.*  stop

以上Rsyslog规则，如果多个不同类型的设备在同一个网段，则无法按设备拆分目录；如果改为根据hostname匹配，则需要统一修改不同设备的hostname。
考虑使用不同端口收集不同设备日志，规则改进为如下。

~]# cat /etc/rsyslog.conf
......
# Include all config files in /etc/rsyslog.d/
#include(file="/etc/rsyslog.d/*.conf" mode="optional")  # commented out here: moved below the module loads

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
# The included multi-port.conf declares extra imudp/imtcp inputs but does not
# load the modules itself, so these module() lines must run before the include.
module(load="imudp") # needs to be done just once
# The 514 listener is optional; if left enabled, its messages go to the default
# ruleset rather than to the per-device rulesets in multi-port.conf.
input(type="imudp" port="514")   # may be commented out

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")   # may be commented out


# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")   # placed after the module loads above
.....

~]# cat /etc/rsyslog.d/multi-port.conf
#### GLOBAL DIRECTIVES ####
# Use default timestamp format  # to use a custom line format instead, enable the three directives below
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#$template myFormat,"%timestamp% %fromhost-ip% %syslogtag% %msg%\n"
#$ActionFileDefaultTemplate myFormat

# Store each client's logs in its own directory keyed by client IP; the directories need to be created manually.

~]# cat /etc/rsyslog.d/multi-port.conf
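# Dynamic file-name templates, one per device class. %fromhost-ip% is the
# sender address of the packet/connection; the resulting path is
# /data/<class>/<client-ip>/<YYYY-MM>/message_<YYYY-MM-DD>.log
template(name="IDC_Linux_Msg" type="string"
         string="/data/IDC_Linux/%fromhost-ip%/%$YEAR%-%$MONTH%/message_%$YEAR%-%$MONTH%-%$DAY%.log"
        )

template(name="IDC_Windows_Msg" type="string"
         string="/data/IDC_Windows/%fromhost-ip%/%$YEAR%-%$MONTH%/message_%$YEAR%-%$MONTH%-%$DAY%.log"
        )

template(name="Office_Network_FW_Msg" type="string"
         string="/data/Office_Network_FW/%fromhost-ip%/%$YEAR%-%$MONTH%/message_%$YEAR%-%$MONTH%-%$DAY%.log"
        )

# One ruleset per device class. Each input below is bound to exactly one
# ruleset, so the port a message arrives on decides which template it is
# written with; no IP or hostname matching is needed. The trailing "stop"
# ends processing of the message inside the ruleset.
# NOTE(review): omfile runs with its default file/directory creation modes here;
# set fileCreateMode/dirCreateMode if the log tree must not be world-readable.
ruleset(name="officenetworkfw") {
    action(type="omfile" DynaFile="Office_Network_FW_Msg")
    stop
}

ruleset(name="idclinux") {
    action(type="omfile" DynaFile="IDC_Linux_Msg")
    stop
}

ruleset(name="idcwindows") {
    # Windows logs must use the IDC_Windows template; using IDC_Linux_Msg here
    # would silently write them under /data/IDC_Linux.
    action(type="omfile" DynaFile="IDC_Windows_Msg")
    stop
}

# Listeners: imudp/imtcp must already be loaded by rsyslog.conf before this
# file is included. UDP and TCP use the same port number per device class.
# A UDP sender's source address is not authenticated, so %fromhost-ip% for
# the UDP inputs is whatever address the packet carried; prefer the TCP
# inputs where the devices support it.
input(type="imudp" port="10516" ruleset="officenetworkfw")
input(type="imudp" port="10520" ruleset="idclinux")
input(type="imudp" port="10521" ruleset="idcwindows")

input(type="imtcp" port="10516" ruleset="officenetworkfw")
input(type="imtcp" port="10520" ruleset="idclinux")
input(type="imtcp" port="10521" ruleset="idcwindows")

# Discard everything that reached the default ruleset (e.g. the 514 inputs and,
# presumably, local inputs). NOTE(review): this file is included from
# rsyslog.conf, so any rules placed after the include there will not see these
# messages — confirm that is intended.
*.* stop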