

Rsyslog log forwarding

written by: CQ
https://www.920430.com

rsyslog 日志转发

前言

使用 rsyslog 收集日志时,尽量保证日志的原始性,不做任何处理,直接收集到队列(如 Kafka、Redis)中。这样做的好处是:减少日志客户端 rsyslog 的性能压力,从而不影响所在服务器上的正常业务;同时保留原始日志也便于各业务方自行处理——自己写的日志自己最熟悉。

日志收集客户端rsyslog 可以使用守护进程的工具做守护,如supervisor、monit等

rsyslog 提供三种远程日志传输方式:

UDP: 数据包传输可靠性不高,可能丢包,且来源地址可被伪造
TCP: 数据包传输可靠性比较高,但连接中断时仍可能丢失已发出、尚未被对端处理的消息
RELP: 数据包传输可靠性最高,通过应用层确认避免数据丢失;协议比较新,目前应用较少

注意:这三种方式本身都不提供加密和发送方身份校验,日志在网络上是明文传输的。需要保密或防伪造时应使用 TLS(RELP 的 TLS 支持需要较新的 rsyslog/librelp 版本,本文使用的 7.4.4 未启用),并用防火墙限制接收端口只接受日志客户端的连接。

下面介绍 RELP 方式的配置。

rsyslog client:

查看rsyslog版本

$ sudo rsyslogd -v
    rsyslogd 7.4.4, compiled with:
        FEATURE_REGEXP:                Yes
        FEATURE_LARGEFILE:            No
        GSSAPI Kerberos 5 support:        Yes
        FEATURE_DEBUG (debug build, slow code):    No
        32bit Atomic operations supported:    Yes
        64bit Atomic operations supported:    Yes
        Runtime Instrumentation (slow code):    No
        uuid support:                Yes

备份原先的配置

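# Back up the existing rsyslog configuration before editing it.
# -p keeps mode/ownership/timestamps, -v prints each copy.
# 20-ufw.conf only exists on Ubuntu, so files that are not present on this
# host are skipped instead of letting cp print an error for them.
for conf in /etc/rsyslog.conf /etc/rsyslog.d/20-ufw.conf /etc/rsyslog.d/50-default.conf; do
  [ -f "$conf" ] || continue
  sudo cp -pv -- "$conf" "$conf.old"
done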

安装rsyslog-relp

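# Install the RELP module package (provides omrelp for the client and imrelp
# for the server). The CentOS line used a root '#' prompt, which reads as a
# comment in a shell listing; both commands are written to run via sudo.
# CentOS / RHEL:
sudo yum install rsyslog-relp

# Ubuntu / Debian:
sudo apt-get install rsyslog-relp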

修改rsyslog.conf

CentOS

$ sudo vim /etc/rsyslog.conf
# Load the RELP output module used by the ':omrelp:' forwarding action below.
$ModLoad omrelp

# Disable imuxsock rate limiting for local processes (interval 0 = off).
# NOTE(review): with limiting off, a runaway or compromised local process can
# flood the forwarder and the central server; keep a non-zero limit unless the
# application really needs unlimited throughput.
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0

# Allow messages up to 16 KiB so long JSON payloads (see the logger test) are
# not truncated. rsyslog's docs say this must precede the loading of any input
# module; check its position relative to the existing $ModLoad imuxsock/imklog
# lines in rsyslog.conf.
$MaxMessageSize 16k
# $MaxOpenFiles 5000

Ubuntu

$ sudo vim /etc/rsyslog.conf
# Load the RELP output module used by the ':omrelp:' forwarding action.
$ModLoad omrelp

# Disable imuxsock rate limiting for local processes (interval 0 = off).
# NOTE(review): with limiting off, a runaway or compromised local process can
# flood the queue and the central server; keep a non-zero limit unless the
# application really needs unlimited throughput.
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0

# Disk-assisted action queue so messages survive a log-server outage.
# NOTE(review): per rsyslog's action-queue docs, $ActionQueue* directives apply
# to the next action that is parsed and are then reset. Placed here in
# rsyslog.conf they attach to whichever action rsyslog reads first (likely a
# local file rule from rsyslog.d), not to 'local3.* :omrelp:...'. Move them
# directly above that line. The spool files live under $WorkDirectory, which
# Ubuntu's stock rsyslog.conf typically sets — verify.
$ActionQueueFileName locals      # unique name prefix for spool files
$ActionQueueMaxDiskSpace 15g     # 15gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on    # save messages to disk on shutdown
$ActionQueueType LinkedList      # run asynchronously
$ActionResumeRetryCount -1       # infinite retries if host is down
# The three settings below trade completeness for never blocking the emitter:
# once the queue is full new messages are dropped, and severity >= 6 (info,
# debug) is discarded first. The 'local3.info' test message in this article is
# in that class, so "RELP avoids loss" only holds while the queue has room.
$ActionQueueTimeoutEnqueue 0     # discard messages instead of throttling the log emitter when the queue has reached its limit
$ActionQueueDequeueSlowdown 0    # no slowdown of the log emitter
$ActionQueueDiscardSeverity 6    # discard info level messages when reaching discard mark

# Allow messages up to 16 KiB so long JSON payloads (see the logger test) are
# not truncated. rsyslog's docs say this must precede the loading of any input
# module; check its position relative to the existing $ModLoad imuxsock line.
$MaxMessageSize 16k
# $MaxOpenFiles 5000

把 local3 从 /var/log/syslog 的规则中排除(`local3.none` 表示该 facility 的消息一律不写入该文件),避免游戏日志在本机重复落盘;然后把 local3.* 单独转发到日志服务器:

ubuntu:

$ sudo vim /etc/rsyslog.d/50-default.conf
# Ubuntu's original catch-all rule, kept for reference:
#*.*;auth,authpriv.none     -/var/log/syslog
# Same rule with local3 excluded so game logs are not also written locally.
*.*;auth,authpriv.none,local3.none      -/var/log/syslog

# Plain TCP forwarding ('@@' = TCP) to port 514, replaced by RELP below.
# local3.*                         @@192.168.99.200:514
# Forward everything on facility local3 to the RELP listener on the log server.
# NOTE(review): this is plaintext on the wire with no peer authentication on
# rsyslog 7.4.4; restrict the path with a firewall, or move to RELP over TLS
# on a newer rsyslog/librelp.
local3.*                           :omrelp:192.168.99.200:20514

centos:

# CentOS default catch-all with local3 added to the exclusion list, so game
# logs are not also written to /var/log/messages.
*.info;mail.none;authpriv.none;cron.none,local3.none                 /var/log/messages
# Plain TCP forwarding ('@@' = TCP) to port 514, replaced by RELP below.
# local3.*                         @@x.x.243.239:514
# Forward everything on facility local3 to the RELP listener; 'x.x.243.239'
# is a redacted placeholder for the log server's address.
# NOTE(review): plaintext with no peer authentication on rsyslog 7.4.4;
# restrict the path with a firewall, or use RELP over TLS on a newer rsyslog.
local3.*                           :omrelp:x.x.243.239:20514

验证rsyslog配置

$ sudo rsyslogd -N 1
rsyslogd: version 7.4.4, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye

重启rsyslogd

$ sudo service rsyslog restart

rsyslog server:

查看rsyslog版本

$ sudo rsyslogd -v
    rsyslogd 7.4.4, compiled with:
        FEATURE_REGEXP:                Yes
        FEATURE_LARGEFILE:            No
        GSSAPI Kerberos 5 support:        Yes
        FEATURE_DEBUG (debug build, slow code):    No
        32bit Atomic operations supported:    Yes
        64bit Atomic operations supported:    Yes
        Runtime Instrumentation (slow code):    No
        uuid support:                Yes

备份原先的配置

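# Back up the existing rsyslog configuration before editing it.
# -p keeps mode/ownership/timestamps, -v prints each copy.
# 20-ufw.conf only exists on Ubuntu, so files that are not present on this
# host are skipped instead of letting cp print an error for them.
for conf in /etc/rsyslog.conf /etc/rsyslog.d/20-ufw.conf /etc/rsyslog.d/50-default.conf; do
  [ -f "$conf" ] || continue
  sudo cp -pv -- "$conf" "$conf.old"
done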

安装rsyslog-relp

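# Install the RELP module package (provides imrelp for the server and omrelp
# for the client). The CentOS line used a root '#' prompt, which reads as a
# comment in a shell listing; both commands are written to run via sudo.
# CentOS / RHEL:
sudo yum install rsyslog-relp

# Ubuntu / Debian:
sudo apt-get install rsyslog-relp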

修改rsyslog.conf

$ sudo vim /etc/rsyslog.conf

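# Allow messages up to 16 KiB so long JSON payloads (see the logger test) are
# not truncated. rsyslog's docs say this must be set before any input module
# is loaded, so it is placed ahead of the $ModLoad lines below; it must also
# be above the stock imuxsock/imklog $ModLoad lines elsewhere in rsyslog.conf.
$MaxMessageSize 16k
# $MaxOpenFiles 5000

# UDP reception stays disabled: UDP source addresses are trivially spoofable,
# and %fromhost-ip% is used as a directory name in 51-gamelog.conf.
# $ModLoad imudp
# $UDPServerRun 514

# RELP reception from the clients (matches ':omrelp:<server>:20514' on them).
# NOTE(review): plaintext and unauthenticated on rsyslog 7.4.4; anything that
# can reach this port can write into /data/rsyslog/<its-ip>/ and fill the
# disk, so restrict it to the log clients' addresses with a host firewall.
$ModLoad imrelp
$InputRELPServerRun 20514

# Plain TCP reception on 514 (used by the commented-out '@@' client action).
# Per the imtcp docs $InputTCPMaxSessions applies to the listener started by
# $InputTCPServerRun, so it is set before that directive. Senders can be
# limited with '$AllowedSender TCP, <cidr>' or a firewall.
$ModLoad imtcp
$InputTCPMaxSessions 1024
$InputTCPServerRun 514

# Keep received messages byte-for-byte (no '#ooo' escaping of control
# characters) because downstream consumers want the raw JSON.
# NOTE(review): with escaping off, a sender can embed newlines or terminal
# escape sequences and forge extra lines in the per-host log files; turn it
# back on unless consumers genuinely need raw control characters.
$EscapeControlCharactersOnReceive off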

把 local3 从 /var/log/syslog 的规则中排除(`local3.none` 表示该 facility 的消息一律不写入该文件),这样接收到的游戏日志只写入下面自定义配置中的按主机、按天文件:

$ sudo vim /etc/rsyslog.d/50-default.conf
# Ubuntu's original catch-all rule, kept for reference:
#*.*;auth,authpriv.none     -/var/log/syslog
# Same rule with local3 excluded: received game logs go only to the per-host
# files defined in 51-gamelog.conf, not into the server's own /var/log/syslog.
*.*;auth,authpriv.none,local3.none      -/var/log/syslog

自定义配置文件

$ sudo vim /etc/rsyslog.d/51-gamelog.conf

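# Output line format: RFC 3339 timestamp, sender hostname, tag, raw message.
$template cocsFormat, "%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n"

# Dynamic file names: one directory per sender (%fromhost-ip%, the address the
# message was received from) and per day. That property is only trustworthy
# for TCP/RELP input; do not reuse these templates with UDP, where the source
# address can be forged. COCS and BUGS were missing their closing quotes.
$template COCS, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/cocs_%$year%%$month%%$day%.log"
$template BUGS, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/bug_%$year%%$month%%$day%.log"
$template UNKNOWN, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/unknown_%$year%%$month%%$day%.log"

# The files hold player identifiers and account data (see the logger test).
# Uncomment to create them group-readable only, once it is confirmed that the
# processes which consume the files do not rely on world-readable permissions.
# $FileCreateMode 0640

# http://www.rsyslog.com/doc/master/configuration/properties.html
# Route by the sender-supplied tag ($programname). '& stop' ends processing so
# a matched message does not also fall through to the rules below or to
# 50-default.conf. BUGS uses the default file format rather than cocsFormat;
# confirm that difference is intended.
if $programname startswith 'cocs' then ?COCS;cocsFormat
& stop
if $programname startswith 'bugs' then ?BUGS
& stop

# Catch-all for anything else on local3. No '& stop' here: the message also
# reaches 50-default.conf, whose 'local3.none' keeps it out of /var/log/syslog.
if $syslogfacility-text == 'local3' then ?UNKNOWN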

验证rsyslog配置

$ sudo rsyslogd -N 1
rsyslogd: version 7.4.4, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye

目录权限

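# Create the log root and hand it to the user rsyslogd runs as (Ubuntu uses
# 'syslog'; where rsyslogd runs as root, as is common on CentOS, the chown is
# unnecessary). The files will hold player identifiers and account data (see
# the test message), so keep the tree unreadable to unrelated local users.
sudo mkdir -p /data/rsyslog
sudo chown -R syslog:syslog /data/rsyslog
sudo chmod 750 /data/rsyslog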

重启rsyslogd

$ sudo service rsyslog restart

测试

logger命令

可以使用系统自带的logger命令来测试

# Send one test message on facility local3, severity info, tagged 'bugs' (-t)
# with the PID appended (-i). The tag is what the server-side
# '$programname startswith' rules match on; the payload is a sample of the
# JSON the game servers emit (single quotes keep the embedded \" escapes).
payload='{"@timestamp":"2017-2-22T15:40:53.820Z","beat":{"hostname":"12.10.x.x","name":"x.x.231.98","version":"5.0.2"},"category":"game_user_rank_record","db_name":"androidxxx","input_type":"log","level":"ERROR","log":"{\"i_user_id\":1432320,\"i_ser_id\":8012,\"gamekey\":\"210_16_3_33\",\"account_id\":145439,\"user_name\":\"时间歌声\",\"user_level\":1,\"vip_level\":0,\"user_power\":331792,\"rank_type\":3,\"rank\":140,\"add_time\":1490716793,\"parama\":\"342\"}","offset":75196044,"source":"/data/xxxx/logs/game_user_rank_record_2017-03-28.log","time":"2017-03-28 23:59:53","type":"22222"}'
logger -i -t bugs -p local3.info "$payload"

logger命令解释

-i 在每行都记录进程ID
-t bugs 每行记录都加上“bugs”这个标签,即syslogtag
-p local3.info 设置记录的 facility(设备)和级别;必须使用 local3,才能命中上面的转发规则

调试模式

$ sudo rsyslogd -nd

配置例子

# Full example of the server-side routing file for one game ("xxxgame").
# Templates define dynamic file names: one directory per sender
# (%fromhost-ip%, the address the message was received from) and per day.
# $template cocsFormat, "%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n"
# $template DEBUG, "/data/rsyslog/%fromhost-ip%/DEBUG_%$year%%$month%%$day%.log"

$template USER_ONLINE_AMOUNT_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_user_online_amount_%$year%%$month%%$day%.log"
$template ACTION_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_action_%$year%%$month%%$day%.log"
$template LOGIN_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_login_%$year%%$month%%$day%.log"
$template PAYMENT_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_payment_%$year%%$month%%$day%.log"
$template RESOURCE_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_resource_%$year%%$month%%$day%.log"
$template REGISTER_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_register_%$year%%$month%%$day%.log"
$template PETS_EDIT_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_pets_edit_%$year%%$month%%$day%.log"
$template PROPS_EDIT_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_props_edit_%$year%%$month%%$day%.log"
$template CURRENCY_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_currency_%$year%%$month%%$day%.log"
$template HERO_EDIT_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_hero_edit_%$year%%$month%%$day%.log"
$template EQUIPMENT_EDIT_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_equipment_edit_%$year%%$month%%$day%.log"
$template MSG_PROCESS_TIME_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_msg_process_time_%$year%%$month%%$day%.log"
$template GAMEKEY_STATIC_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_gamekey_static_%$year%%$month%%$day%.log"
$template SERVER_ID_STATIC_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_server_id_static_%$year%%$month%%$day%.log"

# Fallback files for local3 messages that match none of the rules below.
$template UNKNOWN_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_unknown_%$year%%$month%%$day%.log"
$template BUGS_LOG, "/data/rsyslog/%fromhost-ip%/%$year%%$month%%$day%/xxxgame_bugs_%$year%%$month%%$day%.log"


# Routing: first match wins because every rule is followed by '& stop'.
# $programname comes from the sender-supplied syslog tag and $msg is the raw
# payload, so both are under the client's control; 'contains' is a plain
# substring test on the message body, so a rule's keyword must not appear
# inside another rule's messages.
if $programname startswith 'xxx' and $msg contains 'register_log' then ?REGISTER_LOG
& stop
if $programname startswith 'xxx' and $msg contains 'login_log' then ?LOGIN_LOG
& stop
if $programname startswith 'xxx' and $msg contains 'resource_log' then ?RESOURCE_LOG
& stop
if $programname startswith 'xxx' and $msg contains 'payment_log' then ?PAYMENT_LOG
& stop
if $programname startswith 'xxx' and $msg contains 'action_log' then ?ACTION_LOG
& stop
if $programname startswith 'xxx' and $msg contains 'online_amount_log' then ?USER_ONLINE_AMOUNT_LOG
& stop
if $programname startswith 'xxx' and $msg contains 'pets_edit_log' then ?PETS_EDIT_LOG
& stop
if $programname startswith 'xxx' and $msg contains 'props_edit_log' then ?PROPS_EDIT_LOG
& stop
if $programname startswith 'xxx' and $msg contains 'currency_log' then ?CURRENCY_LOG
& stop
if $programname startswith 'xxx' and $msg contains 'hero_edit_log' then ?HERO_EDIT_LOG
& stop
if $programname startswith 'xxx' and $msg contains 'equipment_edit_log' then ?EQUIPMENT_EDIT_LOG
& stop
if $programname startswith 'xxx' and $msg contains 'msg_process_time' then ?MSG_PROCESS_TIME_LOG
& stop
if $programname startswith 'xxx' and $msg contains 'gamekey_static_log' then ?GAMEKEY_STATIC_LOG
& stop
if $programname startswith 'xxx' and $msg contains 'server_id_static_log' then ?SERVER_ID_STATIC_LOG
& stop

# Fallbacks for anything on local3 that matched no rule above: severity 5
# (notice) or more urgent goes to BUGS_LOG, everything else to UNKNOWN_LOG.
# NOTE(review): the severity is compared with the string literal '5'; confirm
# with 'rsyslogd -N 1' that this is evaluated numerically (a bare 5 is the
# unambiguous form) before relying on it.
if $syslogfacility-text == 'local3' and $syslogseverity <= '5' then ?BUGS_LOG
& stop
if $syslogfacility-text == 'local3' then ?UNKNOWN_LOG