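Several ways to transport logs remotely with Rsyslog

Basic introduction

Rsyslog is a multi-threaded, enhanced version of syslogd; see also rsyslog vs. syslog-ng.

rsyslog provides three ways to transport logs to a remote host:

  • UDP: packet delivery is not very reliable
  • TCP: packet delivery is fairly reliable
  • RELP: packet delivery is the most reliable and avoids data loss; it is a newer protocol and is not yet widely used

The man page introduces the RELP protocol as follows: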

RELP can be used instead of UDP or plain TCP syslog to provide reliable delivery of syslog messages. Please note that plain TCP syslog does NOT provide truly reliable delivery, with it messages may be lost when there is a connection problem or the server shuts down. RELP prevents message loss in those cases.

For more on RELP, see: Using TLS with RELP, RELP Input Module, RELP Output Module (omrelp).

Configuration

To forward messages to another host via UDP, prepend the hostname with the at sign (“@”). To forward it via plain tcp, prepend two at signs (“@@”). To forward via RELP, prepend the string “:omrelp:” in front of the hostname.

UDP transport

Server-side configuration

/etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
$AllowedSender UDP, 192.168.80.0/24

# This one is the template to generate the log filename dynamically, depending on the client's IP address. 
# Store each client's logs in its own directory by IP address; the syslog directory must be created manually.
$template Remote,"/var/log/syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"

# Log all messages to the dynamically formed file.
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
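# Exclude the local host's IP so that only remote hosts' logs are recorded here.
# Note: this rule must come before the other rules; otherwise it has no effect and
# remote hosts' logs will also be written to the server's own log files.
# Discard the message once it has been written, so remote logs are not processed by later rules.
& ~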

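Alternatively, put the configuration above in a separate xxx.conf file under /etc/rsyslog.d/ and avoid modifying the main configuration file where possible. For a separate file to be picked up, the main configuration file must contain the following: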

# grep 'rsyslog.d' /etc/rsyslog.conf 
# Include all config files in /etc/rsyslog.d/
$IncludeConfig      

Client-side configuration

/etc/rsyslog.conf

*.*                     @192.168.80.130      

Once the configuration above is complete, restart the service:

/etc/init.d/rsyslog restart

TCP transport

The TCP configuration is similar to the UDP one:

Server-side configuration

/etc/rsyslog.conf

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
$AllowedSender TCP, 192.168.80.0/24

# This one is the template to generate the log filename dynamically, depending on the client's IP address.          
$template Remote,"/var/log/syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"

# Log all messages to the dynamically formed file.
:fromhost-ip, !isequal, "127.0.0.1" ?Remote

Client-side configuration

/etc/rsyslog.conf

*.*                     @@192.168.80.130      

Then restart the rsyslog service on both the client and the server.

Of the TCP and UDP transports, rsyslog officially recommends TCP:

In general, we suggest to use TCP syslog. It is way more reliable than UDP syslog and still pretty fast. The main reason is, that UDP might suffer of message loss. This happens when the syslog server must receive large bursts of messages. If the system buffer for UDP is full, all other messages will be dropped. With TCP, this will not happen. But sometimes it might be good to have a UDP server configured as well. That is, because some devices (like routers) are not able to send TCP syslog by design. In that case, you would need both syslog server types to have everything covered. If you need both syslog server types configured, please make sure they run on proper ports. By default UDP syslog is received on port 514. TCP syslog needs a different port because often the RPC service is using this port as well.

RELP transport

RELP requires installing the corresponding rsyslog-relp module:

# yum install rsyslog-relp -y      

Server-side configuration

/etc/rsyslog.conf

$ModLoad imrelp # load the RELP input module
$InputRELPServerRun 20514 # listening port

# This one is the template to generate the log filename dynamically, depending on the client's IP address.          
$template Remote,"/var/log/syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"

# Log all messages to the dynamically formed file.
:fromhost-ip, !isequal, "127.0.0.1" ?Remote

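Client-side configuration

$ModLoad omrelp                 # load the RELP output module
$ActionQueueType LinkedList     # use asynchronous processing
$ActionQueueFileName srvrfwd    # set file name, also enables disk mode
$ActionResumeRetryCount -1      # infinite retries on insert failure
$ActionQueueSaveOnShutdown on   # save in-memory data if rsyslog shuts down
# Forward everything via RELP to the server address and RELP port configured above
*.* :omrelp:192.168.80.130:20514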
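
An added example, not part of the original article or the rsyslog project: a small Python audit that finds legacy forwarding actions in a client configuration by the "@", "@@" and ":omrelp:" prefixes described above and reports the transport, the target, and whether a disk-assisted queue protects each action. The sample configuration is constructed, `audit_forwarding` is a hypothetical helper name, and the code assumes legacy queue settings apply only to the next action.

```python
import re

# Legacy forwarding prefixes from the page: "@" = UDP, "@@" = plain TCP, ":omrelp:" = RELP.
ACTION = re.compile(r"^(\S+)\s+(:omrelp:|@@|@)([^\s;#]+)")
TRANSPORT = {"@": "udp", "@@": "tcp", ":omrelp:": "relp"}
NOTE = {
    "udp": "messages can be dropped when buffers fill",
    "tcp": "messages may be lost on connection problems or server shutdown",
    "relp": "reliable delivery",
}

def audit_forwarding(conf_text):
    """Return one dict per legacy forwarding action found in conf_text."""
    results, disk_queue = [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.lower().startswith("$actionqueuefilename"):
            disk_queue = True                    # disk-assisted queue for the next action
            continue
        m = ACTION.match(line)
        if not m:
            continue                             # other directives, filters, local actions
        selector, prefix, target = m.groups()
        host, _, port = target.partition(":")    # hostname/IPv4 only; no [IPv6] handling
        transport = TRANSPORT[prefix]
        results.append({
            "selector": selector, "transport": transport, "host": host,
            "port": int(port) if port else None,
            "disk_queue": disk_queue, "note": NOTE[transport],
        })
        disk_queue = False  # assumption: legacy queue settings apply to the next action only
    return results

# Constructed sample client configuration using the page's server address and RELP port.
SAMPLE = """\
*.*                     @192.168.80.130
authpriv.*              @@192.168.80.130
$ActionQueueType LinkedList     # use asynchronous processing
$ActionQueueFileName srvrfwd    # set file name, also enables disk mode
$ActionResumeRetryCount -1      # infinite retries on insert failure
*.* :omrelp:192.168.80.130:20514
"""

if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE):
        print(finding)
```
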

References and further reading

  • Using TLS with RELP
  • RELP Input Module
  • RELP Output Module (omrelp)
  • Rsyslog remote logging using RELP
  • UDP Rsyslog
  • TCP Rsyslog