Log management on the Linux operating system: an rsyslog hands-on case study

Author: 尹正杰

Copyright notice: original work, reproduction prohibited! Violators will be held legally liable.


I. Introduction to logs

1>. What is a log

A log is a record of historical events:
  time, place, actor, what happened

Log level:
  how critical the event is (loglevel)

2>. Common system log services

sysklogd log service (used by CentOS 5 and earlier)
  syslogd:
    records logs from system applications
  klogd:
    records Linux kernel logs
  Event record format:
    date time host process[pid]: event content
  C/S architecture:
    log records are forwarded to a central host over the network (sysklogd itself only sends UDP; TCP forwarding arrived with rsyslog), so that logs scattered across different hosts can be managed centrally. Plain UDP/TCP syslog is neither authenticated nor encrypted, so the receiver must not trust the sender-written host field without also recording the peer address.
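
The record format and the centralized collection described above, as an added example in Python (not code from the original post or from sysklogd): a parser for the traditional `date time host process[pid]: event content` layout, run over a few constructed records, plus the kind of cross-host aggregation a central collector makes possible. The hostnames, pids and addresses in the sample are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Traditional syslog line layout written by sysklogd (and by rsyslog's
# default file template): "Mmm dd HH:MM:SS host program[pid]: message".
# The day of month is space-padded ("Oct  5"), the [pid] part is optional,
# and klogd records carry the tag "kernel" with no pid.
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# sshd's failed-login message; the "invalid user" variant has an extra word.
_FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


@dataclass
class LogEvent:
    timestamp: str      # no year, no timezone: that is all the format carries
    host: str           # as written by the sender, not verified by anyone
    program: str
    pid: Optional[int]
    message: str


def parse_line(line: str) -> Optional[LogEvent]:
    """Split one record into its fields; None if it is not in the format."""
    m = _LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pid = m.group("pid")
    return LogEvent(m.group("ts"), m.group("host"), m.group("prog"),
                    int(pid) if pid else None, m.group("msg"))


def parse_lines(text: str) -> List[LogEvent]:
    """Parse a whole file or stream, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def failed_password_sources(events: List[LogEvent]) -> Dict[str, int]:
    """Count sshd 'Failed password' records per source address across all
    hosts; a question only centralized collection can answer directly."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev.program != "sshd":
            continue
        m = _FAILED_RE.search(ev.message)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


# Constructed sample records (hosts, pids and addresses are made up).
SAMPLE = """\
Oct  5 13:02:11 node101 sshd[2314]: Failed password for root from 10.0.0.5 port 51422 ssh2
Oct  5 13:02:13 node101 sshd[2314]: Failed password for invalid user oracle from 10.0.0.5 port 51423 ssh2
Oct  5 13:02:20 node101 sshd[2320]: Accepted publickey for admin from 10.0.0.7 port 51500 ssh2
Oct  5 13:03:00 node102 kernel: Out of memory: Kill process 4071 (java) score 912
Oct  5 13:03:05 node102 CROND[4101]: (root) CMD (run-parts /etc/cron.hourly)
this line is not a syslog record
"""

if __name__ == "__main__":
    evs = parse_lines(SAMPLE)
    for ev in evs:
        print(f"{ev.host:8} {ev.program:7} pid={ev.pid} :: {ev.message[:40]}")
    print("failed logins by source:", failed_password_sources(evs))
```

Note what the parser cannot give you: the timestamp has no year or timezone, and the host field is whatever the sending process wrote into the line. A collector that receives these records over the network should store the peer address alongside the parsed host, because nothing in the classic format authenticates it.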

rsyslog log service (used by CentOS 6 and 7); its main features:
  multi-threaded
  transports: UDP, TCP, SSL/TLS, RELP (only the TLS variants protect records in transit; RELP adds reliable delivery, not confidentiality)
  log storage in MySQL, PostgreSQL, Oracle
  powerful filters that can match on any part of a log message
  customizable output formats (templates)

ELK (Elasticsearch, Logstash, Kibana)
  a non-relational, distributed data store
  built on Lucene, originally a project of the Apache Software Foundation's Jakarta group
  Elasticsearch is an open-source distributed search engine
  Logstash collects and parses logs and stores them for later use
  Kibana provides a friendly web interface for log analysis

3>. Recommended reading from the author

  https://www.cnblogs.com/yinzhengjie/p/7745560.html


II. Introduction to rsyslog

1>. Common terminology

[root@node101.yinzhengjie.org.cn ~]# man logger
LOGGER(1)                                                User Commands                                                LOGGER(1)

NAME
       logger - a shell command interface to the syslog(3) system log module

SYNOPSIS
       logger [options] [message]

DESCRIPTION
       logger makes entries in the system log.  It provides a shell command interface to the syslog(3) system log module.

OPTIONS
       -n, --server server
              Write  to the specified remote syslog server instead of to the builtin syslog routines.  Unless --udp or --tcp is
              specified the logger will first try to use UDP, but if it fails a TCP connection is attempted.

       -d, --udp
              Use datagram (UDP) only.  By default the connection is tried to syslog port defined in  /etc/services,  which  is
              often 514.

       -T, --tcp
              Use stream (TCP) only.  By default the connection is tried to syslog-conn port defined in /etc/services, which is
              often 601.

       -P, --port port
              Use the specified port.  When this option is not specified, the port defaults to syslog for udp  and  to  syslog-
              conn for tcp connections.

       -i, --id
              Log the process ID of the logger process with each line.

       -f, --file file
              Log the contents of the specified file.  This option cannot be combined with a command-line message.

       -h, --help
              Display a help text and exit.

       -p, --priority priority
              Enter  the  message  into the log with the specified priority.  The priority may be specified numerically or as a
              facility.level pair.  For example, -p local3.info logs the message as informational in the local3 facility.   The
              default is user.notice.

       -S, --size size
              Sets the maximum permitted message size. The default is 1KiB, which is the limit traditionally used and specified
              in RFC 3164. When selecting a maximum message size, it is important to ensure that the receiver supports the  max
              size as well, otherwise messages may become truncated.

       -s, --stderr
              Output the message to standard error as well as to the system log.

       -t, --tag tag
              Mark  every  line  to be logged with the specified tag.  The default tag is the name of the user logged in on the
              terminal (or a user name based on effective user ID).

       -u, --socket socket
              Write to the specified socket instead of to the builtin syslog routines.

       -V, --version
              Display version information and exit.

       --     End the argument list.  This is to allow the message to start with a hyphen (-).

       message
              Write the message to log; if not specified, and the -f flag is not provided, standard input is logged.

       The logger utility exits 0 on success, and >0 if an error occurs.

FACILITIES AND LEVELS
       Valid facility names are:

              auth
              authpriv   for security information of a sensitive nature
              cron
              daemon
              ftp
              kern       cannot be generated from userspace process, automatically converted to user
              lpr
              mail
              news
              syslog
              user
              uucp
              local0
                to
              local7
              security   deprecated synonym for auth

       Valid level names are:

              emerg
              alert
              crit
              err
              warning
              notice
              info
              debug
              panic     deprecated synonym for emerg
              error     deprecated synonym for err
              warn      deprecated synonym for warning

       For the priority order and intended purposes of these facilities and levels, see syslog(3).

EXAMPLES
       logger System rebooted
       logger -p local0.notice -t HOSTIDM -f /dev/idmc
       logger -n loghost.example.com System rebooted

SEE ALSO
       syslog(3), syslogd(8)

STANDARDS
       The logger command is expected to be IEEE Std 1003.2 ("POSIX.2") compatible.

AVAILABILITY
       The logger command is part of the util-linux package and is available from Linux  Kernel  Archive  ⟨ftp://ftp.kernel.org
       /pub/linux/utils/util-linux/⟩.

util-linux                                                 April 2013                                                 LOGGER(1)
[root@node101.yinzhengjie.org.cn ~]# 
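
The facilities, levels and default priority in the man page above, as an added example in Python (not code from the original post or from util-linux): the facility*8+level arithmetic behind `-p`, the deprecated synonyms and the kern-to-user conversion the man page mentions, the RFC 3164 datagram that `logger -n` puts on the wire, and the 1 KiB limit behind `-S`. The hostname and timestamp defaults are made up for the example.

```python
import re
from typing import Optional, Tuple

# Facility and level codes from syslog(3) / RFC 3164.  A syslog priority
# (PRI) is facility * 8 + level, and every datagram starts with "<PRI>".
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}
# Deprecated spellings that logger(1) still accepts.
SYNONYMS = {"security": "auth", "panic": "emerg", "error": "err", "warn": "warning"}

RFC3164_MAX = 1024  # logger -S default; what a classic receiver is sure to accept

_FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
_LEVEL_NAMES = {v: k for k, v in LEVELS.items()}


def priority(spec: str) -> int:
    """'facility.level' (or a bare number) -> PRI, as logger -p does.
    Userspace cannot claim the kern facility, so kern becomes user."""
    if spec.isdigit():
        pri = int(spec)
        if not 0 <= pri <= 191:          # 24 facilities * 8 levels
            raise ValueError(f"priority out of range: {pri}")
        return pri
    fac, _, lvl = spec.partition(".")
    fac = SYNONYMS.get(fac, fac)
    lvl = SYNONYMS.get(lvl, lvl)
    if fac == "kern":
        fac = "user"
    if fac not in FACILITIES or lvl not in LEVELS:
        raise ValueError(f"unknown facility.level: {spec!r}")
    return FACILITIES[fac] * 8 + LEVELS[lvl]


def decode_priority(pri: int) -> Tuple[str, str]:
    """PRI -> (facility, level) names; facilities 12-15 have no logger name."""
    fac, lvl = divmod(pri, 8)
    return _FACILITY_NAMES.get(fac, f"facility{fac}"), _LEVEL_NAMES[lvl]


def build_datagram(message: str, spec: str = "user.notice", tag: str = "logger",
                   pid: Optional[int] = None, hostname: str = "node101",
                   timestamp: str = "Oct  5 13:02:11",
                   max_size: int = RFC3164_MAX) -> bytes:
    """The RFC 3164 datagram that 'logger -n host -p spec -t tag' sends
    (hostname and timestamp default to constructed values here).
    Bytes past max_size are dropped, which is the truncation logger(1)
    warns about: the tail of the message never reaches the receiver."""
    tag_part = f"{tag}[{pid}]" if pid is not None else tag
    data = f"<{priority(spec)}>{timestamp} {hostname} {tag_part}: {message}".encode()
    return data[:max_size]


_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_datagram(data: bytes) -> Tuple[str, str, str]:
    """Receiver side: (facility, level, header+message) from a raw datagram."""
    m = _PRI_RE.match(data)
    if m is None or int(m.group(1)) > 191:
        raise ValueError("missing or invalid <PRI> header")
    fac, lvl = decode_priority(int(m.group(1)))
    return fac, lvl, m.group(2).decode(errors="replace")


if __name__ == "__main__":
    for spec in ("local3.info", "user.notice", "authpriv.err", "security.warn", "kern.info"):
        print(f"{spec:14} -> <{priority(spec)}>")
    dgram = build_datagram("System rebooted", "local0.notice", tag="HOSTIDM")
    print(dgram)
    print(parse_datagram(dgram))
```

Two things worth keeping in mind when reading `<PRI>` on a collector: the value is chosen entirely by the sender, so any host that can reach UDP/514 can label its traffic `auth.emerg` or impersonate another host's name in the header; and a receiver that stops at 1024 bytes loses exactly the end of the message, which is where an attacker-supplied string (a username, a URL) usually sits.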
