
Linux Tutorial FG242 - Log Server Configuration

Summary: This 风哥 tutorial draws on the official Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman documentation and describes in detail how to configure and use the relevant technologies.

This document covers installing, configuring and managing an Rsyslog log server.


Part01 - Installing Rsyslog

1.1 Install the Rsyslog service

# Install Rsyslog
$ sudo dnf install -y rsyslog
Last metadata expiration check: 0:45:23 ago on Fri 04 Apr 2026 00:20:15 AM CST.
Package rsyslog-8.2310.0-3.el9.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

# Start the Rsyslog service
$ sudo systemctl start rsyslog

# Enable it at boot
$ sudo systemctl enable rsyslog
Created symlink /etc/systemd/system/multi-user.target.wants/rsyslog.service → /usr/lib/systemd/system/rsyslog.service.

# Check the service status
$ sudo systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
Active: active (running) since Fri 2026-04-04 00:20:00 CST; 10s ago
Docs: man:rsyslogd(8)
man:rsyslog.conf(5)
https://www.rsyslog.com/doc/
Main PID: 12377 (rsyslogd)
Tasks: 3 (limit: 49152)
Memory: 2.5M
CPU: 20ms
CGroup: /system.slice/rsyslog.service
└─12377 /usr/sbin/rsyslogd -n

Apr 04 00:20:00 rhel10 rsyslogd[12377]: imjournal: journal files are not present, ignoring FileLimit [v8.2310.0]
Apr 04 00:20:00 rhel10 rsyslogd[12377]: [origin software="rsyslogd" swVersion="8.2310.0" x-pid="12377" x-info="https://www.rsyslog.com/"] start
Apr 04 00:20:00 rhel10 systemd[1]: Started System Logging Service.

# Open the syslog port in the firewall (514/tcp for the @@ TCP forwarder, 514/udp for @)
$ sudo firewall-cmd --permanent --add-port=514/tcp
success
$ sudo firewall-cmd --permanent --add-port=514/udp
success
$ sudo firewall-cmd --reload
success

# List the log files
$ ls -l /var/log/
total 12345
-rw-------. 1 root root 12345 Apr 4 00:20 audit
-rw-------. 1 root root 123456 Apr 4 00:20 boot.log
-rw-------. 1 root root 123456 Apr 4 00:20 cron
-rw-r--r--. 1 root root 12345 Apr 4 00:20 dmesg
-rw-r--r--. 1 root root 12345 Apr 4 00:20 lastlog
-rw-------. 1 root root 123456 Apr 4 00:20 maillog
-rw-------. 1 root root 123456 Apr 4 00:20 messages
-rw-------. 1 root root 123456 Apr 4 00:20 secure
-rw-------. 1 root root 12345 Apr 4 00:20 spooler

Part02 - Rsyslog Server Configuration

2.1 Configure the log server

# Back up the original configuration file
$ sudo cp /etc/rsyslog.conf /etc/rsyslog.conf.bak

# Write the configuration file
# (the delimiter is quoted so the shell does not expand the $-directives inside the heredoc)
$ sudo tee /etc/rsyslog.conf << 'EOF'
# Load modules
module(load="imuxsock")
module(load="imjournal")
module(load="imudp")
module(load="imtcp")

# Receive remote logs
input(type="imudp" port="514")
input(type="imtcp" port="514")

# Global directives
global(workDirectory="/var/lib/rsyslog")

# Use the traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Log file permissions
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

# Include additional configuration files
$IncludeConfig /etc/rsyslog.d/*.conf

# Authentication logs
auth,authpriv.* /var/log/auth.log

# System logs
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# Mail logs
mail.* -/var/log/maillog

# Cron logs
cron.* /var/log/cron

# Emergency messages
*.emerg :omusrmsg:*

# Remote log storage: one directory per sending host, one file per program
$template RemoteLogs,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs

# Stop processing after the remote-log rule
& ~
EOF

# Create the remote log directory
$ sudo mkdir -p /var/log/remote

# Restart the service
$ sudo systemctl restart rsyslog

# Check the listening ports
$ sudo ss -tulpn | grep 514
tcp LISTEN 0 259 0.0.0.0:514 0.0.0.0:* users:(("rsyslogd",pid=12377,fd=5))
udp UNCONN 0 0 0.0.0.0:514 0.0.0.0:* users:(("rsyslogd",pid=12377,fd=4))

Part03 - Rsyslog Client Configuration

3.1 Configure the client to forward logs

# Write the client configuration
# (quoted delimiter again, so $ActionFileDefaultTemplate and friends reach rsyslog intact)
$ sudo tee /etc/rsyslog.conf << 'EOF'
# Load modules
module(load="imuxsock")
module(load="imjournal")

# Global directives
global(workDirectory="/var/lib/rsyslog")

# Use the traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Log file permissions
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

# Local logs
auth,authpriv.* /var/log/auth.log
*.info;mail.none;authpriv.none;cron.none /var/log/messages
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*

# Forward everything to the remote log server (@@ = TCP, @ = UDP; plain text unless TLS is configured separately)
*.* @@192.168.1.100:514

# Include other configuration files
$IncludeConfig /etc/rsyslog.d/*.conf
EOF

# Restart the service
$ sudo systemctl restart rsyslog

# Send a test message
$ logger "Test message from client"

# Check the log on the server
$ sudo tail -f /var/log/remote/client1/logger.log
Apr 4 00:25:00 client1 user1: Test message from client
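The server rules in Part02 and the test message the client sends in Part03 can be traced by hand with the following added example. It is not part of the 风哥 tutorial and not rsyslog code; it is a small Python model of three things rsyslogd does with an incoming line: decode the PRI field into facility and severity, evaluate the classic "facility.priority" selectors (including how "mail.none" removes a facility from a preceding "*.info"), and render the RemoteLogs template into a file path. The sample messages are constructed for this example, and the path cleaning in remote_log_path is an assumption of the example (the tutorial's template uses the raw %HOSTNAME% and %PROGRAMNAME%; rsyslog's own property option for this is secpath-replace).

```python
"""Model of the server-side rules from the Rsyslog configuration above (added example)."""
import re
from pathlib import PurePosixPath

# Standard syslog facility and severity codes (RFC 5424, section 6.2.1).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Rules copied from the server config above: (selector, destination).
SERVER_RULES = [
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("mail.*", "/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", ":omusrmsg:*"),
]

# RFC 3164 layout as produced by logger(1): <PRI>TIMESTAMP HOST TAG[PID]: MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_rfc3164(raw: str) -> dict:
    """Split a raw syslog line and decode PRI into facility and severity."""
    m = _RFC3164.match(raw)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {raw!r}")
    pri = int(m["pri"])
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "host": m["host"],
        "program": m["tag"],  # rsyslog's %PROGRAMNAME% is the TAG without [PID]
        "msg": m["msg"],
    }


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Evaluate a classic "facility.priority" selector.

    A priority selects that severity and everything more severe (lower index);
    "none" drops the facility; later parts override earlier ones, which is how
    "mail.none" carves mail out of a preceding "*.info".
    """
    threshold = {}  # facility -> most verbose severity index allowed (None = drop)
    for part in selector.split(";"):
        facs, pri = part.strip().rsplit(".", 1)
        targets = FACILITIES if facs == "*" else [f.strip() for f in facs.split(",")]
        for fac in targets:
            if pri == "none":
                threshold[fac] = None
            elif pri == "*":
                threshold[fac] = len(SEVERITIES) - 1
            else:
                threshold[fac] = SEVERITIES.index(pri)
    limit = threshold.get(facility)
    return limit is not None and SEVERITIES.index(severity) <= limit


def remote_log_path(hostname: str, program: str, base: str = "/var/log/remote") -> str:
    """Render "/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log" for one message.

    Both properties arrive from the network, so they are cleaned before being
    used as path components (an assumption of this example, see the lead-in).
    """
    def clean(part: str) -> str:
        part = part.replace("/", "_")
        return "_" if part in ("", ".", "..") else part
    return str(PurePosixPath(base) / clean(hostname) / f"{clean(program)}.log")


def route(raw: str) -> list:
    """Return every destination the server config writes this message to, in rule order."""
    m = parse_rfc3164(raw)
    dests = [dst for sel, dst in SERVER_RULES
             if selector_matches(sel, m["facility"], m["severity"])]
    dests.append(remote_log_path(m["host"], m["program"]))  # *.* ?RemoteLogs
    return dests


# Constructed sample: what `logger "Test message from client"` sends (PRI 13 = user.notice).
SAMPLE = "<13>Apr  4 00:25:00 client1 user1: Test message from client"

if __name__ == "__main__":
    for dst in route(SAMPLE):
        print(dst)
```

Running it shows the test message landing in /var/log/messages (user.notice passes "*.info") and in /var/log/remote/client1/user1.log; the remote file name follows the TAG, so `logger -t app` would produce app.log instead.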


Part04 - Log Rotation Configuration

4.1 Configure logrotate

# Inspect the logrotate configuration
$ cat /etc/logrotate.conf
weekly
rotate 4
create
dateext
compress
include /etc/logrotate.d

# Configure log rotation
$ sudo tee /etc/logrotate.d/rsyslog << 'EOF'
/var/log/messages
/var/log/secure
/var/log/maillog
/var/log/cron
/var/log/spooler
/var/log/boot.log
{
daily
rotate 30
compress
delaycompress
missingok
notifempty
create 0640 root root
sharedscripts
postrotate
/usr/bin/systemctl reload rsyslog.service > /dev/null 2>&1 || true
endscript
}

/var/log/remote/*/*.log
{
daily
rotate 30
compress
delaycompress
missingok
notifempty
create 0640 root root
sharedscripts
postrotate
/usr/bin/systemctl reload rsyslog.service > /dev/null 2>&1 || true
endscript
}
EOF

# Dry-run the configuration
$ sudo logrotate -d /etc/logrotate.d/rsyslog
reading config file for /var/log/messages
Handling 7 logs

rotating pattern: /var/log/messages
after 1 days (30 rotations)
empty log files are not rotated, old logs are removed
considering log /var/log/messages
log does not need rotating (log has been rotated at 2026-04-04 00:00:00, which is less than a day ago)

# Force a rotation
$ sudo logrotate -f /etc/logrotate.d/rsyslog

# Check the rotated files
$ ls -l /var/log/messages*
-rw-------. 1 root root 12345 Apr 4 00:30 /var/log/messages
-rw-------. 1 root root 12345 Apr 3 23:59 /var/log/messages-20260404.gz

Part05 - Log Analysis

5.1 Log analysis tools

# Follow the system log
$ sudo tail -f /var/log/messages
Apr 4 00:30:00 rhel10 systemd[1]: Started Session 123 of user root.
Apr 4 00:30:00 rhel10 sshd[12378]: Accepted publickey for root from 192.168.1.10 port 54321 ssh2

# Follow the authentication log
$ sudo tail -f /var/log/secure
Apr 4 00:30:00 rhel10 sshd[12378]: Accepted publickey for root from 192.168.1.10 port 54321 ssh2
Apr 4 00:30:00 rhel10 sshd[12378]: pam_unix(sshd:session): session opened for user root by (uid=0)

# Search the log
$ sudo grep "Failed password" /var/log/secure
Apr 4 00:25:00 rhel10 sshd[12345]: Failed password for root from 192.168.1.10 port 54321 ssh2

# Count failed logins per source address
$ sudo grep "Failed password" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr
5 192.168.1.10
3 192.168.1.11
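The awk pipeline above relies on the source address always being the 11th whitespace-separated field. That holds for "Failed password for root from ..." but not for "Failed password for invalid user admin from ...", where two extra words shift the address to field 13, so the count silently attributes those failures to a user name instead. The following added example (not from the 风哥 tutorial) does the same tally in Python with a regular expression that names the fields, runs over a few constructed /var/log/secure lines, and shows the awk result beside it for comparison.

```python
"""Count failed SSH logins per source address from /var/log/secure lines (added example)."""
import re
from collections import Counter

# Constructed sample lines in the sshd format shown above (not captured from a real host).
SAMPLE_SECURE = """\
Apr  4 00:25:00 rhel10 sshd[12345]: Failed password for root from 192.168.1.10 port 54321 ssh2
Apr  4 00:25:01 rhel10 sshd[12346]: Failed password for invalid user admin from 192.168.1.11 port 54322 ssh2
Apr  4 00:25:02 rhel10 sshd[12347]: Failed password for root from 192.168.1.10 port 54323 ssh2
Apr  4 00:25:03 rhel10 sshd[12348]: Accepted publickey for root from 192.168.1.10 port 54324 ssh2
Apr  4 00:25:04 rhel10 sshd[12349]: Failed password for invalid user test from 192.168.1.11 port 54325 ssh2
Apr  4 00:25:05 rhel10 sshd[12350]: Failed password for root from 192.168.1.10 port 54326 ssh2
"""

# Named groups instead of a fixed column: "invalid user " is optional, so the
# address is matched by meaning rather than by position.
_FAILED = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def _failures(text: str):
    """Yield the regex match for every line that records a failed password."""
    for line in text.splitlines():
        m = _FAILED.search(line)
        if m:
            yield m


def failed_by_ip(text: str) -> Counter:
    """Failed password attempts per source address."""
    return Counter(m["ip"] for m in _failures(text))


def failed_by_user(text: str) -> Counter:
    """Failed password attempts per targeted user name (valid or not)."""
    return Counter(m["user"] for m in _failures(text))


def awk_field_11(text: str) -> Counter:
    """What `grep "Failed password" | awk '{print $11}'` counts on the same input."""
    return Counter(line.split()[10] for line in text.splitlines() if "Failed password" in line)


def sources_over(text: str, threshold: int) -> list:
    """(address, count) pairs at or above the threshold, most frequent first, like `sort -nr`."""
    return [(ip, n) for ip, n in failed_by_ip(text).most_common() if n >= threshold]


if __name__ == "__main__":
    print("regex :", dict(failed_by_ip(SAMPLE_SECURE)))
    print("awk $11:", dict(awk_field_11(SAMPLE_SECURE)))
    print("over 3 :", sources_over(SAMPLE_SECURE, 3))
```

On the sample input the regex tally gives 3 failures from 192.168.1.10 and 2 from 192.168.1.11, while the field-11 version reports "admin" and "test" in place of the second address; a threshold on sources_over is the natural hook for an alert.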

# View the kernel log
$ sudo dmesg | tail -20
[ 0.000000] Linux version 5.14.0-284.11.1.el9_2.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc (GCC) 11.3.1 20221121 (Red Hat 11.3.1-4), GNU ld version 2.35.2-37.el9) #1 SMP PREEMPT_DYNAMIC Thu Apr 3 00:00:00 UTC 2026
[ 0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/vmlinuz-5.14.0-284.11.1.el9_2.x86_64 root=/dev/mapper/rhel-root ro crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet

# View logs with journalctl
$ sudo journalctl -u sshd
-- Logs begin at Thu 2026-04-03 00:00:00 CST, end at Fri 2026-04-04 00:30:00 CST. --
Apr 03 00:00:00 rhel10 systemd[1]: Starting OpenSSH server daemon...
Apr 03 00:00:00 rhel10 sshd[1234]: Server listening on 0.0.0.0 port 22.
Apr 03 00:00:00 rhel10 systemd[1]: Started OpenSSH server daemon.

# Follow the journal in real time
$ sudo journalctl -f
-- Logs begin at Thu 2026-04-03 00:00:00 CST. --
Apr 04 00:30:00 rhel10 sshd[12378]: Accepted publickey for root from 192.168.1.10 port 54321 ssh2

# Filter by time range
$ sudo journalctl --since "2026-04-04 00:00:00" --until "2026-04-04 00:30:00"

# Filter by priority (err and more severe)
$ sudo journalctl -p err
-- Logs begin at Thu 2026-04-03 00:00:00 CST, end at Fri 2026-04-04 00:30:00 CST. --
Apr 03 00:00:00 rhel10 kernel: EXT4-fs (dm-0): re-mounted. Opts: (null)

风哥's configuration recommendations:
1. Set up a centralized log server
2. Enable log rotation so the disk does not fill up
3. Analyze logs regularly to spot anomalies
4. Configure a log backup policy
5. Monitor the log server's performance

This article was compiled and published by 风哥教程 for study and testing purposes only; when reposting, credit the source: http://www.fgedu.net.cn/10327.html
