Rsyslog Centralized Log Management Configuration
Node server configuration
Nginx configuration:
access_log syslog:server=127.0.0.1,facility=local1,severity=debug,tag=nginxaccess main;
error_log syslog:server=127.0.0.1,facility=local1,severity=error,tag=nginxerror;
Note: to avoid blocking the Nginx worker processes, Nginx implements its syslogd support over non-blocking UDP.
Web server rsyslog configuration:
#### GLOBAL DIRECTIVES ####
$EscapeControlCharactersOnReceive on
$MaxMessageSize 64k # default 4K
$imjournalRatelimitInterval 60
$imjournalRatelimitBurst 20000
# @ means UDP, @@ means TCP
# UDP can lose messages; if a message line is larger than 4k, only TCP can be used
local1.=debug @@118.24.52.232:514
local1.=error @@118.24.52.232:514
local2.=debug @@118.24.52.232:514
Central server configuration:
rsyslog configuration (/etc/rsyslog.conf)
# Enable receiving logs from remote servers
$ModLoad imtcp
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
$EscapeControlCharactersOnReceive on
$MaxMessageSize 64k
$imjournalRatelimitInterval 60
$imjournalRatelimitBurst 20000
$FileOwner logman
$FileGroup logman
$DirOwner logman
$DirGroup logman
$FileCreateMode 0644
$DirCreateMode 0755
$Umask 0022
# "%hostname% %TIMESTAMP% %msg:2:$%\n"
$template NginxLogCont, "%hostname% %msg:2:$%\n"
$template NginxLogFile, "/data/logs/nginx/%syslogtag:F,58:1%/%$YEAR%%$MONTH%/%$DAY%.log"
local1.=debug -?NginxLogFile; NginxLogCont
local1.=error -?NginxLogFile; NginxLogCont
set $!usr!1 = field($msg, ' | ', 2);
$template PHPLogCont, "%hostname% %$!usr!1%\n"
$template PHPLogFile, "/data/logs/app/%msg:F,58:1%/%msg:F,58:3%"
local2.=debug -?PHPLogFile; PHPLogCont
Restart rsyslogd
systemctl restart rsyslog
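Added example, not part of the original configuration: the NginxLogFile and PHPLogFile templates above build the output path from fields of the received message (the syslog tag and colon-separated parts of msg), so whatever a sender places in those fields becomes a directory or file name on the central server. The variant below applies rsyslog's secpath-replace property option to those fields; the template names NginxLogFileSafe and PHPLogFileSafe are assumptions made for this example.

```conf
# Added example: central-server rules with sanitized dynamic file paths.
# Template names ending in "Safe" are hypothetical, chosen for this example.

# Before (from the configuration above), path fields used as received:
#   "/data/logs/nginx/%syslogtag:F,58:1%/%$YEAR%%$MONTH%/%$DAY%.log"
#   "/data/logs/app/%msg:F,58:1%/%msg:F,58:3%"

# After: secpath-replace turns any "/" inside the extracted field into "_",
# so a field value cannot add extra path components below /data/logs.

# Nginx: directory name comes from the first ":"-separated field of the tag
$template NginxLogCont, "%hostname% %msg:2:$%\n"
$template NginxLogFileSafe, "/data/logs/nginx/%syslogtag:F,58:1:secpath-replace%/%$YEAR%%$MONTH%/%$DAY%.log"
local1.=debug -?NginxLogFileSafe;NginxLogCont
local1.=error -?NginxLogFileSafe;NginxLogCont

# PHP: directory and file name come from fields 1 and 3 of the message text
set $!usr!1 = field($msg, ' | ', 2);
$template PHPLogCont, "%hostname% %$!usr!1%\n"
$template PHPLogFileSafe, "/data/logs/app/%msg:F,58:1:secpath-replace%/%msg:F,58:3:secpath-replace%"
local2.=debug -?PHPLogFileSafe;PHPLogCont
```

The year, month and day parts need no option because they are filled in by rsyslog itself rather than taken from the message.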
journald configuration (/etc/systemd/journald.conf)
Change this on both the sending side and the receiving side, adjusting the values to the actual log volume
# Length of the rate-limit window, default 30 seconds
RateLimitInterval=30s
# Number of messages allowed within the window
RateLimitBurst=10000
Restart journald
systemctl restart systemd-journald