読者です 読者をやめる 読者になる 読者になる

rsyslogのインストール

rsyslogは、正直言うと何に使うと用途が分からないまま、インストールしました。
色々とインターネットで検索して、「syslog-ng」、「rsyslog」をインストールするか迷って、「rsyslog」をインストールしてみました。

rsyslogをインストールして、気付いたですけど、HDD障害の時に/var/log/messagesに自分のホストには、書き出せないけど、ネットワークさえ生きていれば、他のサーバにログを書き出せて、障害後に、/var/log/messagesが他のサーバに書き出されて後で障害の原因を調査できる事気付きました。すごく便利じゃん。
お金があれば、ログをまとめる統計サーバが欲しいな〜。
データベースと連帯すれば、さらに便利だな〜。

rsyslogのシステム構成図

f:id:ando_ando_ando:20101006005127j:image

rsyslog(送信側)

  • バージョン確認


yum info rsyslog
Name : rsyslog
Arch : i386
Version : 3.22.1
Release : 3.el5
Size : 999 k
(省略)

  • rsyslogインストール


# yum install rsyslog

  • 既存のsyslogの停止


# /etc/init.d/syslog stop

※rsyslogの起動前に、syslogを起動を停止する。

  • syslogの自動起動停止


# chkconfig --level 123456 syslog off


# chkconfig --list rsyslog
rsyslog 0:off 1:off 2:off 3:off 4:off 5:off 6:off

  • rsyslogの開始


# chkconfig --add rsyslog
# chkconfig rsyslog on
# chkconfig --list rsyslog
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off

  • rsyslogの設定
    • vim /etc/rsyslog.conf


# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.

$ModLoad immark # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # kernel logging (formerly provided by rklogd)

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /rsyslog/spool # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514

#------Start add by Ando Date 2010/09/28 ----------------

$WorkDirectory /var/spool/rsyslog
$ActionQueueFileName fsmainqueue
$ActionQueueMaxDiskSpace 2g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @@192.168.0.2

#------End add by Ando Date 2010/09/28 ------------------

# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
#$ModLoad imtcp.so # load module
#$InputTCPServerRun 514 # start up TCP listener at port 514

# UDP Syslog Server:
#$ModLoad imudp.so # provides UDP syslog reception
#$UDPServerRun 514 # start a UDP syslog server at standard port 514

    • # vim /etc/sysconfig/rsyslog


# Options to syslogd
# -m 0 disables 'MARK' messages.
# -rPortNumber Enables logging from remote machines. The listener will listen to the specified port.
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
#SYSLOGD_OPTIONS="-m 0"
SYSLOGD_OPTIONS="-c3"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
#KLOGD_OPTIONS="-x"
KLOGD_OPTIONS="-2"

  • スプールディレクトリを作成する。


mkdir /var/spool/rsyslog

  • rsyslogの起動


# /etc/init.d/rsyslog restart
システムロガーを停止中: [ OK ]
システムロガーを起動中: [ OK ]

  • rsyslogの動作確認


# tail -f /var/log/messages
2010-09-28T13:35:11.117820+09:00 vps-1-55 kernel: imklog 3.22.1, log source = /proc/kmsg started.
2010-09-28T13:35:11.118055+09:00 vps-1-55 rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="11771" x-info="http://www.rsyslog.com"] (re)start


#logger test rsyslog
2010-09-28T15:21:41.729493+09:00 localhost Ando: hello test

rsyslog(受信側)

  • バージョン確認


yum info rsyslog
Name : rsyslog
Arch : i386
Version : 3.22.1
Release : 3.el5
Size : 999 k
(省略)

  • rsyslogインストール


# yum install rsyslog

  • 既存のsyslogの停止


# /etc/init.d/syslog stop

※rsyslogの起動前に、syslogを起動を停止する。

  • syslogの自動起動停止


# chkconfig --level 123456 syslog off


# chkconfig --list rsyslog
rsyslog 0:off 1:off 2:off 3:off 4:off 5:off 6:off

  • rsyslogの開始


# chkconfig --add rsyslog
# chkconfig rsyslog on
# chkconfig --list rsyslog
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off

  • rsyslogの設定
    • vim /etc/rsyslog.conf


# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.

$ModLoad immark # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # kernel logging (formerly provided by rklogd)

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none -/var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* -/var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit -/var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /rsyslog/spool # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514

# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
$ModLoad imtcp.so # load module
$InputTCPServerRun 514 # start up TCP listener at port 514
$AllowedSender TCP, 127.0.0.1, 192.168.0.1

# UDP Syslog Server:
#$ModLoad imudp.so # provides UDP syslog reception
#$UDPServerRun 514 # start a UDP syslog server at standard port 514

  • rsyslogの起動


# /etc/init.d/rsyslog restart
システムロガーを停止中: [ OK ]
システムロガーを起動中: [ OK ]

  • rsyslogの動作確認


# tail -f /var/log/messages
2010-09-28T13:35:11.117820+09:00 vps-1-55 kernel: imklog 3.22.1, log source = /proc/kmsg started.
2010-09-28T13:35:11.118055+09:00 vps-1-55 rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="11771" x-info="http://www.rsyslog.com"] (re)start


#logger test rsyslog
2010-09-28T15:21:41.729493+09:00 localhost Ando: hello test

送信側で、障害を起こさせて、受信側のサーバーでログが受信されるか確認する。

送信側
#echo h > /proc/sysrq-trigger
受信側
# tail -f /var/log/messages
2010-09-28T18:50:34.218631+09:00 vps-1-55 kernel: SysRq : HELP : loglevel0-8 reBoot Crashdump tErm Full kIll saK showMem Nice powerOff showPc unRaw Sync showTasks Unmount shoWcpus