Log Collection, Part 2: Aggregating Logs with rsyslog (v5)

About rsyslog:

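Most systems ship an old rsyslog version by default; unless you upgrade, use the v5 configuration syntax.
v5 configuration reference: https://www.rsyslog.com/doc/v5-stable/
Listening port: 514 (UDP, to reduce system load)
Convention for custom facilities: local0 ~ local7
  local0: syslog sent directly from application code
  local1: used by nginx
  local6: used for text file collection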

Nginx log handling:

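nginx can send logs directly to rsyslog; documentation: http://nginx.org/en/docs/syslog.html
Tag convention: one uniform format (site name + delimiter + log type + delimiter)
Only a limited set of punctuation characters can be used in a tag, so "-" is used here in place of the "." in site names. The tag length is also limited, so every character counts. Each log line can carry only one tag, so distinguishing the nginx log type needs a workaround: put the type into a dedicated part of the tag and handle it when writing to file (rsyslog provides string truncation).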

   Configuration example:

Nginx configuration:
access_log syslog:server=127.0.0.1:514,facility=local1,tag=www_forver_comBaccessB,severity=info main;
error_log syslog:server=127.0.0.1:514,facility=local1,tag=www_forver_comBerrorB,severity=debug;
rsyslog local forwarding configuration:
if $syslogfacility-text == 'local1' then @@(z5)10.10.10.10:514
Aggregator configuration: save to local files
$template fileLnginx,"/ehr-log/rsyslogs/nginx/%syslogtag:F,66:1%/%$year%-%$month%-%$day%_%fromhost-ip%_%syslogtag:F,66:2%.log"
local1.*                                                -?fileLnginx;msg


Sending directly from application code

Local collection (to avoid losing logs if the rsyslog aggregator has problems) and forwarding:
$template msgTime,"%timegenerated:8:15% %msg:2:$%\n"
$template fileLprog,"/data/rsyslogs/%HOSTNAME%/%syslogtag%/%$year%-%$month%-%$day%.log"
local0.*                                                -?fileLprog;msgTime
if $syslogfacility-text == 'local0' then @@(z5)10.10.10.10:514

Aggregator configuration:
$template msgTime,"%timegenerated:8:15% %msg:2:$%\n"
$template fileLprog,"/ehr-log/rsyslogs/%HOSTNAME%/%syslogtag%/%$year%-%$month%-%$day%_%fromhost-ip%.log"
local0.*                                                -?fileLprog;msgTime

Text file collection

Tags are again used to distinguish project and type; the receiver then matches on the tag to write to the target file.

Collector configuration:
$InputFileName /var/log/nginx/ehr-analysis-api/eebo-ehr-analysis-gunicorn-error.log
$InputFileTag   G+eebo.ehr.analysis+PE
$InputFileSeverity debug
$InputFileStateFile G+eebo.ehr.analysis+PE
$InputFilePersistStateInterval 25000
$InputFileFacility local6
$InputRunFileMonitor
Local forwarding:
if $syslogfacility-text == 'local6' then @@(z5)10.10.10.10:514
Receiver aggregation:
$template gunPacs,"/ehr-log/rsyslogs/%syslogtag:F,43:2%/production/gunicorn/%$year%-%$month%-%$day%_%hostname%-access.log"
$template gunPerr,"/ehr-log/rsyslogs/%syslogtag:F,43:2%/production/gunicorn/%$year%-%$month%-%$day%_%hostname%-error.log"
$template gunTacs,"/ehr-log/rsyslogs/%syslogtag:F,43:2%/test/gunicorn/%$year%-%$month%-%$day%_%hostname%-access.log"
$template gunTerr,"/ehr-log/rsyslogs/%syslogtag:F,43:2%/test/gunicorn/%$year%-%$month%-%$day%_%hostname%-error.log"
$template gunDacs,"/ehr-log/rsyslogs/%syslogtag:F,43:2%/dev/gunicorn/%$year%-%$month%-%$day%_%hostname%-access.log"
$template gunDerr,"/ehr-log/rsyslogs/%syslogtag:F,43:2%/dev/gunicorn/%$year%-%$month%-%$day%_%hostname%-error.log"
if $syslogfacility-text == 'local6' and $syslogtag startswith 'G+' and $syslogtag contains '+PA' then -?gunPacs;msg
if $syslogfacility-text == 'local6' and $syslogtag startswith 'G+' and $syslogtag contains '+PE' then -?gunPerr;msg
if $syslogfacility-text == 'local6' and $syslogtag startswith 'G+' and $syslogtag contains '+TA' then -?gunTacs;msg
if $syslogfacility-text == 'local6' and $syslogtag startswith 'G+' and $syslogtag contains '+TE' then -?gunTerr;msg
if $syslogfacility-text == 'local6' and $syslogtag startswith 'G+' and $syslogtag contains '+DA' then -?gunDacs;msg
if $syslogfacility-text == 'local6' and $syslogtag startswith 'G+' and $syslogtag contains '+DE' then -?gunDerr;msg

Result:
Log locations:
/data/log_ftp/rsyslogs/<project name>/<environment>/<code logs>
/data/log_ftp/rsyslogs/<project name>/<environment>/celeryd/<celery logs>
/data/log_ftp/rsyslogs/<project name>/<environment>/gunicorn/<gunicorn logs>
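
An added example (not from the original post) that models, in Python, where the nginx tag convention and the text-collection tag convention above make the aggregator write each message, and that rejects tags whose extracted fields cannot serve as a single path component. The `field` helper is a simplified model of rsyslog's `F,<ascii>:<n>` field extraction; the character whitelist, the validation itself, and the sample tags, dates and host names are assumptions of this example.

```python
import re
from typing import List, Optional

BASE = "/ehr-log/rsyslogs"             # aggregation root from the page's templates
SAFE = re.compile(r"[A-Za-z0-9._-]+")  # assumed whitelist for one path component
# (tag substring, environment, log type) in the order of the page's local6 rules
RULES = [("+PA", "production", "access"), ("+PE", "production", "error"),
         ("+TA", "test", "access"), ("+TE", "test", "error"),
         ("+DA", "dev", "access"), ("+DE", "dev", "error")]

def field(value: str, delim_ascii: int, n: int) -> Optional[str]:
    """Simplified model of %prop:F,<ascii>:<n>%: the n-th (1-based) field."""
    parts = value.split(chr(delim_ascii))
    return parts[n - 1] if 0 < n <= len(parts) else None

def safe_component(s: Optional[str]) -> bool:
    """True if s can be used as a single directory or file name part."""
    return bool(s) and s not in (".", "..") and SAFE.fullmatch(s) is not None

def nginx_path(tag: str, date: str, ip: str) -> Optional[str]:
    """local1 template: nginx/<F,66:1>/<date>_<ip>_<F,66:2>.log ('B' is ASCII 66)."""
    site, kind = field(tag, 66, 1), field(tag, 66, 2)
    if not safe_component(site) or kind not in ("access", "error"):
        return None  # tag does not follow the site+B+type+B convention
    return f"{BASE}/nginx/{site}/{date}_{ip}_{kind}.log"

def gunicorn_paths(tag: str, date: str, hostname: str) -> List[str]:
    """local6 rules: each matching 'contains' rule writes to its own file."""
    project = field(tag, 43, 2)  # '+' is ASCII 43
    if not tag.startswith("G+") or not safe_component(project) \
            or not safe_component(hostname):
        return []
    return [f"{BASE}/{project}/{env}/gunicorn/{date}_{hostname}-{kind}.log"
            for code, env, kind in RULES if code in tag]

if __name__ == "__main__":
    # Constructed sample tags (trailing ':' as it would appear in syslogtag)
    for t in ("www_forver_comBaccessB:", "www_Bank_comBaccessB:"):
        print(t, "->", nginx_path(t, "2024-01-02", "10.0.0.5"))
    for t in ("G+eebo.ehr.analysis+PE", "G+../../tmp+PE", "G+shop+PE+PA"):
        print(t, "->", gunicorn_paths(t, "2024-01-02", "web01"))
```

Because the nginx delimiter is the letter B (ASCII 66), a site name containing an uppercase B shifts the fields, which the second sample tag shows. A tag that matches more than one `contains` rule is written to more than one file, as the last sample shows.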

Other global configuration

$ModLoad imuxsock 
$ModLoad imklog  
$ModLoad imfile

$ModLoad imudp
$UDPServerRun 514
$MaxMessageSize 256k

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$WorkDirectory /var/lib/rsyslog

$IncludeConfig /etc/rsyslog.d/*.conf
$EscapeControlCharactersOnReceive off

$FileOwner root
$FileGroup root
$DirOwner root
$DirGroup root
$FileCreateMode 0644
$DirCreateMode 0755
$Umask 0022