\u914d\u7f6e\u6587\u4ef6<\/strong><\/div>\n\u5c31\u4e0d\u505a\u8fc7\u591a\u7684\u4ecb\u7ecd\u4e86\uff0c\u76f4\u63a5\u8d34\u6d4b\u8bd5\u901a\u8fc7\u7684rsyslog.conf\u914d\u7f6e\u6587\u4ef6\u3002\u8be5\u914d\u7f6e\u6587\u4ef6\u7684\u8def\u5f84\u4e3a\uff1a\/etc\/rsyslog.conf<\/p>\n
\r\n# rsyslog v5 configuration file\r\n\r\n# For more information see \/usr\/share\/doc\/rsyslog-*\/rsyslog_conf.html\r\n# If you experience problems, see http:\/\/www.rsyslog.com\/doc\/troubleshoot.html\r\n\r\n#### MODULES ####\r\n\r\n$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)\r\n$ModLoad imklog # provides kernel logging support (previously done by rklogd)\r\n#$ModLoad immark # provides --MARK-- message capability\r\n\r\n# Provides UDP syslog reception\r\n#$ModLoad imudp\r\n#$UDPServerRun 514\r\n\r\n# Provides TCP syslog reception\r\n#$ModLoad imtcp\r\n#$InputTCPServerRun 514\r\n\r\n\r\n#### GLOBAL DIRECTIVES ####\r\n\r\n# Use default timestamp format\r\n$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat\r\n\r\n# File syncing capability is disabled by default. This feature is usually not required,\r\n# not useful and an extreme performance hit\r\n#$ActionFileEnableSync on\r\n\r\n# Include all config files in \/etc\/rsyslog.d\/\r\n$IncludeConfig \/etc\/rsyslog.d\/*.conf\r\n\r\n\r\n#### RULES ####\r\n\r\n# Log all kernel messages to the console.\r\n# Logging much else clutters up the screen.(\u5185\u6838)\r\nkern.* \/dev\/console\r\n\r\n# Log anything (except mail) of level info or higher.\r\n# Don't log private authentication messages!(\u8bb0\u5f55\u7684\u5185\u6838\u6d88\u606f\u3001\u5404\u79cd\u670d\u52a1\u7684\u516c\u5171\u6d88\u606f\uff0c\u62a5\u9519\u4fe1\u606f\u7b49)\r\n*.info;mail.none;authpriv.none;cron.none \/var\/log\/messages\r\n\r\n# The authpriv file has restricted access.(\u5305\u542b\u9a8c\u8bc1\u548c\u6388\u6743\u65b9\u9762\u4fe1\u606f)\r\nauthpriv.* \/var\/log\/secure\r\n\r\n# Log all the mail messages in one place.(\u5305\u542b\u6765\u7740\u7cfb\u7edf\u8fd0\u884c\u7535\u5b50\u90ae\u4ef6\u670d\u52a1\u5668\u7684\u65e5\u5fd7\u4fe1\u606f)\r\nmail.* -\/var\/log\/maillog\r\n\r\n\r\n# Log cron 
stuff(\u6bcf\u5f53cron\u8fdb\u7a0b\u5f00\u59cb\u4e00\u4e2a\u5de5\u4f5c\u65f6\uff0c\u5c31\u4f1a\u5c06\u76f8\u5173\u4fe1\u606f\u8bb0\u5f55\u5728\u8fd9\u4e2a\u6587\u4ef6\u4e2d)\r\ncron.* \/var\/log\/cron\r\n\r\n# Everybody gets emergency messages\r\n*.emerg *\r\n\r\n# Save news errors of level crit and higher in a special file.\r\nuucp,news.crit \/var\/log\/spooler\r\n\r\n# Save boot messages also to boot.log(\u81ea\u5b9a\u4e49\u7684\u6d88\u606f)\r\nlocal7.* \/var\/log\/boot.log\r\n\r\n$ModLoad imfile #\u88c5\u8f7dimfile\u6a21\u5757\r\n$InputFileName \/opt\/tomcat\/apache-tomcat-8.5.15\/logs\/catalina.out #\u8bfb\u53d6\u65e5\u5fd7\u6587\u4ef6\r\n$InputFileTag catalina: #\u65e5\u5fd7\u5199\u5165\u65e5\u5fd7\u9644\u52a0\u6807\u7b7e\u5b57\u7b26\u4e32\r\n$InputFileFacility local5 #\u65e5\u5fd7\u7c7b\u578b\r\n$InputFileSeverity info #\u65e5\u5fd7\u7b49\u7ea7\r\n$InputFileStateFile ssologs.log_state #\u5b9a\u4e49\u8bb0\u5f55\u504f\u79fb\u91cf\u6570\u636e\u6587\u4ef6\u540d\r\n$InputFilePollInterval 1 #\u68c0\u67e5\u65e5\u5fd7\u6587\u4ef6\u95f4\u9694\uff08\u79d2\uff09\r\n$InputFilePersistStateInterval 1 #\u56de\u5199\u504f\u79fb\u91cf\u6570\u636e\u5230\u6587\u4ef6\u95f4\u9694\u65f6\u95f4\uff08\u79d2\uff09\r\n$InputRunFileMonitor #\u6fc0\u6d3b\u8bfb\u53d6\uff0c\u53ef\u4ee5\u8bbe\u7f6e\u591a\u7ec4\u65e5\u5fd7\u8bfb\u53d6\uff0c\u6bcf\u7ec4\u7ed3\u675f\u65f6\u8bbe\u7f6e\u672c\u53c2\u6570\u3002\u4ee5\u793a\u751f\u6548\u3002\r\n\r\n\r\n\r\n$InputFileName \/opt\/tomcat\/apache-tomcat-8.5.15\/logs\/localhost_access_log.%$year%-%$month%-%$day%.txt #\u8bfb\u53d6\u65e5\u5fd7\u6587\u4ef6\r\n$InputFileTag access: #\u65e5\u5fd7\u5199\u5165\u65e5\u5fd7\u9644\u52a0\u6807\u7b7e\u5b57\u7b26\u4e32\r\n$InputFileFacility local6 #\u65e5\u5fd7\u7c7b\u578b\r\n$InputFileSeverity info #\u65e5\u5fd7\u7b49\u7ea7\r\n$InputFileStateFile sssologs.log_state #\u5b9a\u4e49\u8bb0\u5f55\u504f\u79fb\u91cf\u6570\u636e\u6587\u4ef6\u540d\r\n$InputFilePollInterval 1 
#\u68c0\u67e5\u65e5\u5fd7\u6587\u4ef6\u95f4\u9694\uff08\u79d2\uff09\r\n$InputFilePersistStateInterval 1 #\u56de\u5199\u504f\u79fb\u91cf\u6570\u636e\u5230\u6587\u4ef6\u95f4\u9694\u65f6\u95f4\uff08\u79d2\uff09\r\n$InputRunFileMonitor #\u6fc0\u6d3b\u8bfb\u53d6\uff0c\u53ef\u4ee5\u8bbe\u7f6e\u591a\u7ec4\u65e5\u5fd7\u8bfb\u53d6\uff0c\u6bcf\u7ec4\u7ed3\u675f\u65f6\u8bbe\u7f6e\u672c\u53c2\u6570\u3002\u4ee5\u793a\u751f\u6548\u3002\r\n\r\n\r\n# ### begin forwarding rule ###\r\n\r\n\r\n# The statement between the begin ... end define a SINGLE forwarding\r\n# rule. They belong together, do NOT split them. If you create multiple\r\n# forwarding rules, duplicate the whole block!\r\n# Remote Logging (we use TCP for reliable delivery)\r\n#\r\n# An on-disk queue is created for this action. If the remote host is\r\n# down, messages are spooled to disk and sent when it is up again.\r\n#$WorkDirectory \/var\/lib\/rsyslog # where to place spool files\r\n#$ActionQueueFileName fwdRule1 # unique name prefix for spool files\r\n#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)\r\n#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown\r\n#$ActionQueueType LinkedList # run asynchronously\r\n#$ActionResumeRetryCount -1 # infinite retries if host is down\r\n# remote host is: name\/ip:port, e.g. 192.168.0.1:514, port optional\r\n*.* @10.255.0.167:514\r\n# ### end of the forwarding rule ###\r\n\r\n# A template to for higher precision timestamps + severity logging\r\n$template SpiceTmpl,\"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\\n\"\r\n\r\n:programname, startswith, \"spice-vdagent\" \/var\/log\/spice-vdagent.log;SpiceTmpl\r\n<\/pre>\n\u4e0a\u9762\u6587\u4ef6\u4e2d\uff1a<\/p>\n
#*.* @remote-host:514<\/strong>
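\n*.*\u5373\u8868\u793a\u8f6c\u53d1\u6240\u6709\u8bbe\u5907\uff08facility\uff09\u3001\u6240\u6709\u7b49\u7ea7\u7684\u65e5\u5fd7\u4fe1\u606f\uff0c\u5305\u542bauthpriv\uff08\u9a8c\u8bc1\u548c\u6388\u6743\uff09\u65e5\u5fd7
\n@\u8868\u793a\u4f7f\u7528UDP\u534f\u8bae\u4f20\u8f93\uff08\u4e0a\u9762\u7684\u914d\u7f6e\u6587\u4ef6\u7528\u7684\u5c31\u662fUDP\uff1bUDP\u4e0d\u4fdd\u8bc1\u9001\u8fbe\uff0c\u65e5\u5fd7\u4ee5\u660e\u6587\u4f20\u8f93\uff09
\n@@\u8868\u793a\u4f7f\u7528TCP\u534f\u8bae\u4f20\u8f93\uff08\u6539\u7528TCP\u65f6\uff0cLogstash\u7684input\u4e5f\u8981\u5bf9\u5e94\u6539\u6210tcp\uff09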
\n\u627e\u5230\u4e0a\u9762\u8fd9\u53e5\u53bb\u6389\u524d\u9762\u7684#\u53f7\u7136\u540e\u6dfb\u52a0\u5bf9\u5e94\u7684IP\u548c\u7aef\u53e3\u5373\u53ef\u3002
\n\u4f8b\uff1a
\n*.* @10.255.0.165:514<\/p>\n\u5982\u679c\u4f60\u53ea\u60f3\u8981\u8f6c\u53d1\u670d\u52a1\u5668\u4e0a\u7684\u6307\u5b9a\u8bbe\u5907\u7684\u65e5\u5fd7\u6d88\u606f\uff0c\u6bd4\u5982\u8bf4\u5185\u6838\u8bbe\u5907\uff0c\u90a3\u4e48\u4f60\u53ef\u4ee5\u5728rsyslog\u914d\u7f6e\u6587\u4ef6\u4e2d\u4f7f\u7528\u4ee5\u4e0b\u58f0\u660e\u3002
\nkern.* @10.255.0.165:514\u00a0<\/p>\n
\u4fee\u6539\u5b8c\u6210\u540e\u6267\u884cservice rsyslog restart \u91cd\u65b0\u542f\u52a8rsyslog \u5373\u53ef\u3002<\/p>\n
Logstash\u914d\u7f6e<\/strong><\/div>\n\r\ninput {\r\n udp {\r\n port => 514\r\n type => syslog\r\n }\r\n}\r\n\r\nfilter {\r\n\r\n if [type] == \"syslog\" {\r\n grok {\r\n patterns_dir => \"\/opt\/logstash\/logstash-5.2.2\/patterns\"\r\n match => { \"message\" => \"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\\[%{POSINT:syslog_pid}\\])?: %{GREEDYDATA:syslog_message}\" }\r\n }\r\n }\r\n\r\n}\r\n\r\noutput{\r\n elasticsearch { \r\n hosts => [\"10.255.0.167\"]\r\n index => \"rsyslog_test\"\r\n }\r\n stdout{\r\n codec => rubydebug\r\n }\r\n}\r\n<\/pre>\n\u6700\u540e\u66f4\u65b0\u914d\u7f6e\uff1a\/etc\/init.d\/rsyslog restart
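\n\u9644\uff1aLogstash\u7684\u914d\u7f6e\u5f88\u7b80\u5355\u53ea\u662f\u76d1\u542c514\u7aef\u53e3\u5c31\u53ef\u4ee5\u4e86\uff0c\u4f46\u662f\u4f7f\u7528grok\u5207\u65e5\u5fd7\u624d\u662f\u9ebb\u70e6\u7684\uff0c\u6bd5\u7adf\u90a3\u4e48\u591a\u79cd\u7684\u65e5\u5fd7\u6bcf\u79cd\u90fd\u8981\u5199\u5bf9\u5e94\u7684\u6b63\u5219\u3002514\u662f1024\u4ee5\u4e0b\u7684\u7aef\u53e3\uff0cLogstash\u901a\u5e38\u8981\u7528root\u624d\u53ef\u4ee5\u76d1\u542c\uff1bUDP\u8f93\u5165\u4e0d\u9a8c\u8bc1\u65e5\u5fd7\u7684\u6765\u6e90\uff0c\u6700\u597d\u53ea\u5bf9\u6307\u5b9a\u7684\u670d\u52a1\u5668IP\u5f00\u653e514\u7aef\u53e3\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"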
\u7248\u672c\uff1a Rsyslog V5 Logstash 5.2.2 \u5c31\u4e0d\u505a\u8fc7\u591a\u7684\u4ecb\u7ecd\u4e86\u76f4\u63a5\u8d34\u6d4b\u8bd5\u901a\u8fc7\u7684rsyslog. […]<\/p>\n","protected":false},"author":317,"featured_media":169014,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[55],"tags":[],"class_list":["post-169012","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-thread"],"acf":[],"_links":{"self":[{"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/posts\/169012","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/users\/317"}],"replies":[{"embeddable":true,"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/comments?post=169012"}],"version-history":[{"count":2,"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/posts\/169012\/revisions"}],"predecessor-version":[{"id":169016,"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/posts\/169012\/revisions\/169016"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/media\/169014"}],"wp:attachment":[{"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/media?parent=169012"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/categories?post=169012"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lrxjmw.cn\/wp-json\/wp\/v2\/tags?post=169012"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}