Rsyslog centralized log management configuration

Node server configuration

Nginx configuration:

access_log  syslog:server=127.0.0.1,facility=local1,severity=debug,tag=nginxaccess main;
error_log   syslog:server=127.0.0.1,facility=local1,severity=error,tag=nginxerror;

Note: to avoid blocking Nginx's worker processes, Nginx implements its syslog support over non-blocking UDP.

Web server rsyslog configuration:

#### GLOBAL DIRECTIVES ####
$EscapeControlCharactersOnReceive on
$MaxMessageSize 64k # default 4K
$imjournalRatelimitInterval 60
$imjournalRatelimitBurst 20000

# @ means UDP, @@ means TCP
# UDP can drop messages; if a single message line exceeds 4k, only TCP can be used
local1.=debug                                              @@118.24.52.232:514
local1.=error                                              @@118.24.52.232:514
local2.=debug                                              @@118.24.52.232:514

Central server configuration:

rsyslog configuration (/etc/rsyslog.conf)

#### GLOBAL DIRECTIVES ####
# $MaxMessageSize must appear before any input is defined
$EscapeControlCharactersOnReceive on
$MaxMessageSize 64k
$imjournalRatelimitInterval 60
$imjournalRatelimitBurst 20000

# Enable receiving logs from remote servers
$ModLoad imtcp
$InputTCPServerRun 514

$FileOwner logman
$FileGroup logman
$DirOwner logman
$DirGroup logman
$FileCreateMode 0644
$DirCreateMode 0755
$Umask 0022

# "%hostname% %TIMESTAMP% %msg:2:$%\n"
$template NginxLogCont, "%hostname% %msg:2:$%\n"
$template NginxLogFile, "/data/logs/nginx/%syslogtag:F,58:1%/%$YEAR%%$MONTH%/%$DAY%.log"
local1.=debug                                            -?NginxLogFile; NginxLogCont
local1.=error                                            -?NginxLogFile; NginxLogCont

set $!usr!1 = field($msg, ' | ', 2);
$template PHPLogCont, "%hostname% %$!usr!1%\n"
$template PHPLogFile, "/data/logs/app/%msg:F,58:1%/%msg:F,58:3%"
local2.=debug                                            -?PHPLogFile; PHPLogCont

Restart rsyslogd

systemctl restart rsyslog
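
To see which file and line a message produces under the NginxLogFile and NginxLogCont templates above, the following added example (not part of the original page or of rsyslog) emulates the two property-replacer forms they use, F,58:n and 2:$, and flags tag values that are not a plain directory name, since the tag is chosen by the sender. The function names, the host web01 and the sample tags are constructed for illustration; how rsyslog itself treats such values is not modelled.

```python
import posixpath
from datetime import date

LOG_ROOT = "/data/logs/nginx"  # fixed prefix of the page's NginxLogFile template


def field(value, delim_code, n):
    """%prop:F,<delim_code>:<n>% : n-th (1-based) field split on one character."""
    parts = value.split(chr(delim_code))
    return parts[n - 1] if 1 <= n <= len(parts) else None


def from_pos(value, start):
    """%prop:<start>:$% : substring from 1-based position `start` to the end."""
    return value[start - 1:]


def nginx_log_file(syslogtag, today):
    """Expand NginxLogFile for one message; return (path, problems)."""
    tag = field(syslogtag, 58, 1)  # 58 is ASCII ':'
    problems = []
    if not tag:
        problems.append("tag field is empty or missing")
    elif tag in (".", "..") or "/" in tag or "\x00" in tag:
        problems.append("tag field is not a plain directory name: %r" % tag)
    path = "%s/%s/%04d%02d/%02d.log" % (
        LOG_ROOT, tag or "", today.year, today.month, today.day)
    if not posixpath.normpath(path).startswith(LOG_ROOT + "/"):
        problems.append("expanded path leaves " + LOG_ROOT)
    return path, problems


def nginx_log_line(hostname, msg):
    """Expand NginxLogCont: hostname, then msg without its first character."""
    return "%s %s\n" % (hostname, from_pos(msg, 2))


if __name__ == "__main__":
    day = date(2024, 1, 15)  # constructed date standing in for $YEAR/$MONTH/$DAY
    # Constructed sample tags, as they would arrive in %syslogtag%
    for tag in ("nginxaccess:", "nginxerror:", "nginx/access:", "..:"):
        path, problems = nginx_log_file(tag, day)
        print(tag, "->", path, problems or "ok")
    # Constructed message; msg normally starts with a space, which 2:$ removes
    print(repr(nginx_log_line("web01", ' 203.0.113.7 "GET / HTTP/1.1" 200')))
```

Run it over tags collected from real senders before pointing new hosts at the central server; any reported problem means the sender's tag should be fixed or the template restricted.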

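journald configuration (/etc/systemd/journald.conf)

Change this on both the sending and the receiving side, and adjust the values to the actual log volume.

# Length of the rate-limit interval, default 30 seconds
RateLimitInterval=30s
# Number of messages allowed within the interval
RateLimitBurst=10000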

Restart journald

systemctl restart systemd-journald
