Reference:
環境:
CentOS Linux release 7.9.2009 (Core) / Rocky Linux 9.1 (不同的部分用藍色)
Software Selection: Server with GUI
防火牆修改:
firewall-cmd --zone=public --permanent --add-service=syslog
firewall-cmd --reload
firewall-cmd --reload
/etc/rsyslog.conf 設定:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
$ModLoad imudp
$UDPServerRun 514
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
執行 systemctl restart rsyslog
到這一步已經可以收到 remote log,但是全部都會放到 /var/log/messages。
如果要把 log 按照來源分開放,必須再做以下設定。
建立目錄
mkdir /var/log/hosts
在 RULES 增加這一段,請注意這一段設定的位置,要放在 local log setting 上面。
如果放在 local log setting 下面,/var/log/messages 也會存一份。
# Remote Logging
# log every host in its own directory
$template RemoteHost,"/var/log/hosts/%FROMHOST-IP%.log"
if ($fromhost-ip != "127.0.0.1" ) then {
*.* ?RemoteHost
& ~
}
# log every host in its own directory
$template RemoteHost,"/var/log/hosts/%FROMHOST-IP%.log"
if ($fromhost-ip != "127.0.0.1" ) then {
*.* ?RemoteHost
& ~
}
執行 systemctl restart rsyslog
設定 logrotate
方法一:
修改 /etc/logrotate.d/syslog
修改 /etc/logrotate.d/rsyslog
新增一行 /var/log/hosts/*.log,比照 /var/log/messages 的 logrotate 規則。
方法二:
cp /etc/logrotate.d/syslog /etc/logrotate.d/remote-log
cp /etc/logrotate.d/rsyslog /etc/logrotate.d/remote-log
修改 /etc/logrotate.d/remote-log
/var/log/hosts/*.log
{
{
# keep 2 weeks worth of backlogs
rotate 2
rotate 2
missingok
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
沒有留言:
張貼留言