CENTOS9+RSYSLOG+LOGROTATE收集日志

系统版版本为CentOS Stream release 9

rsyslog和lograte通常系统已经安装了。

#rpm -qa | grep rsyslog
rsyslog-logrotate-8.2310.0-4.el9.x86_64
rsyslog-8.2310.0-4.el9.x86_64
rsyslog-gnutls-8.2310.0-4.el9.x86_64
rsyslog-gssapi-8.2310.0-4.el9.x86_64
rsyslog-relp-8.2310.0-4.el9.x86_64
rsyslog-mysql-8.2310.0-4.el9.x86_64
#
rpm -qa | grep logrotate
logrotate-3.18.0-8.el9.x86_64
rsyslog-logrotate-8.2310.0-4.el9.x86_64

rsyslog高配本支持低版本的配置语法，下面附上我的配置

cat /etc/rsyslog.conf | egrep -v "^#|^$"
global(workDirectory="/var/lib/rsyslog")
$template myformat,"%$NOW% %TIMESTAMP:8:15% %hostname% %syslogtag% %msg%\n"
$ActionFileDefaultTemplate myformat
module(load="imuxsock" 	  # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket; 
			  # local messages are retrieved through imjournal now.
module(load="imjournal" 	    # provides access to the systemd journal
       UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from
       FileCreateMode="0644" # Set the access permissions for the state file
       StateFile="imjournal.state") # File to store the position in the journal
module(load="ommysql")
$ModLoad ommysql
include(file="/etc/rsyslog.d/*.conf" mode="optional")
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
127.0.0.1.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
$template NetworkDevices,"/data/logs/network-devices/%FROMHOST-IP%.log"
*.* ?NetworkDevices
*.* :ommysql:127.0.0.1,Syslog,rsyslog,dbpasswd

其中

$template myformat,"%$NOW% %TIMESTAMP:8:15% %hostname% %syslogtag% %msg%\n"
$ActionFileDefaultTemplate myformat

rsylog传过来的时间差8小时的问题，我一直接没解决，传过来的timestamp使用的就是utc时间格式，所以时间就是差8小时，反正记录中另有时间就略过这个问题，能用就好。

下面这二行的使用是接收网络设备log

$template NetworkDevices,"/data/logs/network-devices/%FROMHOST-IP%.log"
*.* ?NetworkDevices

还有

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

被我改成，避免local7的日志发到message文件里。

127.0.0.1.info;mail.none;authpriv.none;cron.none                /var/log/messages

 bootlog的一行给我删除了，没什么意义。

在/etc/logrotate.d下添加一个lograte配置 

# cat network-devices 
# Note that logs are not compressed unless "compress" is configured,
# which can be done either here or globally in /etc/logrotate.conf.
/data/logs/network-devices/*log {
    daily
    rotate 180
    dateext
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /bin/systemctl reload rsyslog.service > /dev/null 2>/dev/null || true
    endscript
}

参数dateext的作用是在文件名结尾添加日期。 

手动验证下 

cd /etc/logrotate.d
logrotate -f network-devices

检验效果

在防墙配置syslog发送到日志服务器，防火墙是华为的，日志类型为local7，日志的量比较大，一天有20G左右，所以配置按天生成日志。

不使用elk和数据库是因为需要统一记录日志的设备不多，在命令行下查找更快

如下

 cat 172.18.5.1.log | egrep "172.18.111.160" | more

 

参考文档：Linux日志切割工具Logrotate_logrotate日志切割-CSDN博客 

                  Rsyslog发送日志时间转化_rsyslog时间格式-CSDN博客

                  https://www.cnblogs.com/ggngggg/articles/17170721.html

                  CentOS7下日志轮转logrotate简单入门与实践-腾讯云开发者社区-腾讯云