---

1. rsyslog 介绍

  rsyslog 是一个快速处理收集系统日志的开源程序，提供了高性能、安全功能和模块化设计。rsyslog 是 syslog 的升级版，它将多种来源输入输出转换结果到目的地， rsyslog 被广泛用于 Linux 系统以通过 TCP/UDP 协议转发或接收日志消息。

  rsyslog 守护进程可以被配置成两种环境，一种是配置成日志收集服务器，rsyslog 进程可以从网络中收集其它主机上的日志数据，这些主机会将日志配置为发送到另外的远程服务器。rsyslog 的另外一个用法，就是可以配置为客户端，用来过滤和发送内部日志消息到本地文件夹（如 /var/log）或一台可以路由到的远程 rsyslog 服务器上。

2. 实验目的

  实现 Client 主机通过 rsyslog 发送自身的系统日志到 Rsyslog Server 服务器，服务器端将该主机系统日志存放到一个指定的目录里面，进行按 IP 和日志简单分类存储。

3. 实验环境

• 服务端和客户端系统都为 Centos7.7
• 服务端 IP：10.0.0.120　　客户端 IP：10.0.0.100
• 服务端和客户端关闭防火墙和 selinux

systemctl stop firewalld
setenforce 0

• 服务端和客户端都安装 rsyslog 服务

yum -y install rsyslog　　#无网络自行配置 yum 源

4. 配置服务端

vim /etc/rsyslog.conf　　#修改rsyslog配置文件，标蓝的即为需要的内容，标红的为解释说明# rsyslog configuration file# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html#### MODULES ##### The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514#### GLOBAL DIRECTIVES ##### Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
$AllowedSender udp, 10.0.0.0/24
#收集的IP网段# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/opt/n9e/rsyslog/logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log" 　　#定义模板，接受日志文件路径，区分了不同主机的日志，日志目录自行指定
:fromhost-ip, !isequal, "127.0.0.1" ?Remote　　# 过滤服务端本机的日志# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on# File to store the position in the journal
$IMJournalStateFile imjournal.state#### RULES ####
# 添加创建目录的注释
$CreateDirs on
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages# The authpriv file has restricted access.
authpriv.* /var/log/secure# Log all the mail messages in one place.
mail.* -/var/log/maillog# Log cron stuff
cron.* /var/log/cron# Everybody gets emergency messages
*.emerg :omusrmsg:*# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler# Save boot messages also to boot.log
local7.* /var/log/boot.log# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
# *.* @@192.168.44.212:514
# ### end of the forwarding rule ###systemctl restart rsyslog　　#重启rsyslog服务

5. 配置客户端

vim /etc/rsyslog.conf　　#修改rsyslog配置文件，标蓝的即为需要的内容，标红的为解释说明# rsyslog configuration file# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html#### MODULES ##### The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514#### GLOBAL DIRECTIVES ##### Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on# File to store the position in the journal
$IMJournalStateFile imjournal.state#### RULES ##### Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages# The authpriv file has restricted access.
authpriv.* /var/log/secure# Log all the mail messages in one place.
mail.* -/var/log/maillog# Log cron stuff
cron.* /var/log/cron# Everybody gets emergency messages
*.emerg :omusrmsg:*# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler# Save boot messages also to boot.log
local7.* /var/log/boot.log# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
*.* @10.0.0.120　　#指定服务端IPsystemctl restart rsyslog　　#重启rsyslog服务

6. 在服务端验证效果

切换到服务端存放日志文件的路径，可以看到已经生成了日志，rsyslog 日志服务配置成功。

---

配置文件详解：
https://www.cnblogs.com/shu-sheng/p/13275474.html