Installing rsyslog

Honestly, I installed rsyslog without really knowing what I would use it for.
After a lot of searching on the Internet I went back and forth between syslog-ng and rsyslog, and ended up trying rsyslog.

Once I had rsyslog installed I realized something: when a HDD fails, the host can no longer write to its own /var/log/messages, but as long as the network is still alive it can write its logs to another server, so after the failure the /var/log/messages that was written to that other server lets you investigate the cause later. That's really handy.
If I had the money I'd like a server that aggregates and summarizes the logs.
Tying it in with a database would make it even more useful.

rsyslog system diagram

(figure: rsyslog system configuration diagram; the image itself is not included in this text)

rsyslog (sender side)

  • Check the version


yum info rsyslog
Name : rsyslog
Arch : i386
Version : 3.22.1
Release : 3.el5
Size : 999 k
(omitted)

  • Install rsyslog


# yum install rsyslog

  • Stop the existing syslog


# /etc/init.d/syslog stop

Note: stop syslog before starting rsyslog; both daemons try to own /dev/log, so they cannot run side by side.

  • Disable syslog autostart


# chkconfig --level 123456 syslog off


# chkconfig --list rsyslog
rsyslog 0:off 1:off 2:off 3:off 4:off 5:off 6:off

  • Enable rsyslog at boot


# chkconfig --add rsyslog
# chkconfig rsyslog on
# chkconfig --list rsyslog
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off

  • Configure rsyslog
    • vim /etc/rsyslog.conf


# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.

$ModLoad immark # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # kernel logging (formerly provided by rklogd)

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /rsyslog/spool # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514

#------Start add by Ando Date 2010/09/28 ----------------

$WorkDirectory /var/spool/rsyslog
$ActionQueueFileName fsmainqueue
$ActionQueueMaxDiskSpace 2g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @@192.168.0.2

#------End add by Ando Date 2010/09/28 ------------------

# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
#$ModLoad imtcp.so # load module
#$InputTCPServerRun 514 # start up TCP listener at port 514

# UDP Syslog Server:
#$ModLoad imudp.so # provides UDP syslog reception
#$UDPServerRun 514 # start a UDP syslog server at standard port 514

    • vim /etc/sysconfig/rsyslog


# Options to syslogd
# -m 0 disables 'MARK' messages.
# -rPortNumber Enables logging from remote machines. The listener will listen to the specified port.
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
#SYSLOGD_OPTIONS="-m 0"
SYSLOGD_OPTIONS="-c3"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
#KLOGD_OPTIONS="-x"
KLOGD_OPTIONS="-2"

  • Create the spool directory ($WorkDirectory must exist before rsyslog is restarted)


mkdir /var/spool/rsyslog

  • Start rsyslog


# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]

  • Verify that rsyslog is running


# tail -f /var/log/messages
2010-09-28T13:35:11.117820+09:00 vps-1-55 kernel: imklog 3.22.1, log source = /proc/kmsg started.
2010-09-28T13:35:11.118055+09:00 vps-1-55 rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="11771" x-info="http://www.rsyslog.com"] (re)start


# logger test rsyslog
2010-09-28T15:21:41.729493+09:00 localhost Ando: hello test

rsyslog (receiver side)

  • Check the version


yum info rsyslog
Name : rsyslog
Arch : i386
Version : 3.22.1
Release : 3.el5
Size : 999 k
(omitted)

  • Install rsyslog


# yum install rsyslog

  • Stop the existing syslog


# /etc/init.d/syslog stop

Note: stop syslog before starting rsyslog; both daemons try to own /dev/log, so they cannot run side by side.

  • Disable syslog autostart


# chkconfig --level 123456 syslog off


# chkconfig --list rsyslog
rsyslog 0:off 1:off 2:off 3:off 4:off 5:off 6:off

  • Enable rsyslog at boot


# chkconfig --add rsyslog
# chkconfig rsyslog on
# chkconfig --list rsyslog
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off

  • Configure rsyslog
    • vim /etc/rsyslog.conf


# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.

$ModLoad immark # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # kernel logging (formerly provided by rklogd)

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none -/var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* -/var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit -/var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /rsyslog/spool # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514

# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
$ModLoad imtcp.so # load module
$InputTCPServerRun 514 # start up TCP listener at port 514
$AllowedSender TCP, 127.0.0.1, 192.168.0.1

# UDP Syslog Server:
#$ModLoad imudp.so # provides UDP syslog reception
#$UDPServerRun 514 # start a UDP syslog server at standard port 514
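Added example, not from the original post: a small POSIX sh lint for the legacy rsyslog v3 directives used in the sender and receiver configs above. It flags the three things worth checking before trusting the setup: forwarding with a single "@" (UDP, no delivery guarantee), TCP forwarding without the disk-assisted queue directives (messages are lost while the receiver is down, which defeats the point of the whole exercise), and a listener with no matching $AllowedSender line (the receiver accepts syslog from any host that can reach port 514). The two sample configs are constructed for the demo; the hardened one merges the sender's queue block with the receiver's restricted TCP listener, with /tmp standing in for /var/spool/rsyslog so the directory check can run anywhere.

```shell
#!/bin/sh
# Added example, not part of the original post: lint legacy rsyslog v3
# directives for UDP forwarding, missing disk queues and open listeners.

# Strip comments and blank lines so the distro's commented-out template
# lines (e.g. "#*.* @@remote-host:514") are not mistaken for active settings.
_conf_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# lint_rsyslog_conf CONF: print one WARN line per finding, return their count.
lint_rsyslog_conf() {
    lines=$(_conf_lines "$1")
    n=0

    # 1. "selector @host" is UDP forwarding: no delivery guarantee, no queue.
    if printf '%s\n' "$lines" | grep -Eq '^[^[:space:]]+[[:space:]]+@[^@]'; then
        echo "WARN: UDP forwarding (@host); use @@host for TCP"
        n=$((n + 1))
    fi

    # 2. "selector @@host" is TCP, but without a disk-assisted action queue
    #    rsyslog drops messages while the receiver is unreachable.
    if printf '%s\n' "$lines" | grep -Eq '^[^[:space:]]+[[:space:]]+@@'; then
        for d in '$WorkDirectory' '$ActionQueueFileName' '$ActionQueueType' \
                 '$ActionQueueSaveOnShutdown' '$ActionResumeRetryCount'; do
            if ! printf '%s\n' "$lines" | grep -Fq "$d"; then
                echo "WARN: TCP forwarding without $d (no on-disk queue)"
                n=$((n + 1))
            fi
        done
    fi

    # 3. A listener with no $AllowedSender for its protocol accepts from anyone.
    for proto in TCP UDP; do
        case $proto in
            TCP) run='$InputTCPServerRun' ;;
            UDP) run='$UDPServerRun' ;;
        esac
        if printf '%s\n' "$lines" | grep -Fq "$run"; then
            if ! printf '%s\n' "$lines" | grep -Eq "^[\$]AllowedSender[[:space:]]+$proto"; then
                echo "WARN: $proto listener without \$AllowedSender $proto (open to any sender)"
                n=$((n + 1))
            fi
        fi
    done
    return $n
}

# spool_dir_ok CONF: the $WorkDirectory named in CONF must exist before restart.
spool_dir_ok() {
    dir=$(_conf_lines "$1" | sed -n 's/^\$WorkDirectory[[:space:]]*//p' | tail -n 1)
    [ -n "$dir" ] && [ -d "$dir" ]
}

# report CONF: run the lint and print the finding count (safe under set -e).
report() {
    if lint_rsyslog_conf "$1"; then echo "$1: clean"; else echo "$1: $? finding(s)"; fi
}

# Constructed sample 1: UDP forwarding plus a UDP listener open to the world.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
$ModLoad imuxsock
$ModLoad imudp.so
$UDPServerRun 514
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.* @192.168.0.2
EOF

# Constructed sample 2: the sender's queue block and the receiver's restricted
# TCP listener from this post, merged; /tmp stands in for /var/spool/rsyslog.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
$ModLoad imuxsock
$ModLoad imtcp.so
$InputTCPServerRun 514
$AllowedSender TCP, 127.0.0.1, 192.168.0.1
$WorkDirectory /tmp
$ActionQueueFileName fsmainqueue
$ActionQueueMaxDiskSpace 2g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @@192.168.0.2
EOF

report "$WEAK_CONF"    # 2 finding(s)
report "$GOOD_CONF"    # clean
spool_dir_ok "$GOOD_CONF" && echo "spool directory present"
```

Run it as `sh lint.sh`, or source it and call `lint_rsyslog_conf /etc/rsyslog.conf` on each host. One caveat the lint cannot fix: $AllowedSender only filters on the source address, and plain TCP syslog is neither authenticated nor encrypted, so port 514 on the receiver should stay on a trusted segment or behind a firewall that admits only the senders.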

  • Start rsyslog


# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]

  • Verify that rsyslog is running


# tail -f /var/log/messages
2010-09-28T13:35:11.117820+09:00 vps-1-55 kernel: imklog 3.22.1, log source = /proc/kmsg started.
2010-09-28T13:35:11.118055+09:00 vps-1-55 rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="11771" x-info="http://www.rsyslog.com"] (re)start


# logger test rsyslog
2010-09-28T15:21:41.729493+09:00 localhost Ando: hello test

Finally, generate a kernel message on the sender and check that it is logged on the receiver. SysRq "h" only makes the kernel print its SysRq help text (that is what the output below shows); it does not actually crash or hang the host, but it is enough to prove that kernel messages, the ones a failing host can no longer keep on its own disk, reach the other server.

Sender side
# echo h > /proc/sysrq-trigger
Receiver side
# tail -f /var/log/messages
2010-09-28T18:50:34.218631+09:00 vps-1-55 kernel: SysRq : HELP : loglevel0-8 reBoot Crashdump tErm Full kIll saK showMem Nice powerOff showPc unRaw Sync showTasks Unmount shoWcpus
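Added example, not from the original post: once the receiver collects logs from several senders, the two questions that matter are whether a sender's kernel messages actually arrived and whether any expected sender has gone quiet (a host that dies, or one whose logger someone stopped, looks the same from here). The POSIX sh/awk functions below answer both over a constructed sample of the receiver's /var/log/messages in the line format shown above; the hostnames web01 and db01 and the second SysRq line are made up for the demo. It goes a little beyond the single SysRq "h" test on this page in that kernel_alerts also matches oops and panic lines.

```shell
#!/bin/sh
# Added example, not part of the original post: checks over the receiver's
# /var/log/messages. Each line is "<RFC3339 timestamp> <host> <tag> <message>".

# last_seen LOGFILE HOST: newest timestamp from HOST. Timestamps are compared
# as strings, which is only valid while every line carries the same UTC
# offset (as the +09:00 lines above do); mixed offsets would need real parsing.
last_seen() {
    awk -v h="$2" 'BEGIN { max = "" } $2 == h && $1 > max { max = $1 } END { print max }' "$1"
}

# kernel_alerts LOGFILE HOST: kernel messages from HOST that signal a SysRq,
# oops or panic, i.e. the events a dying sender can no longer write locally.
kernel_alerts() {
    awk -v h="$2" '$2 == h && $3 == "kernel:" && /SysRq|Oops|panic/' "$1"
}

# silent_hosts LOGFILE CUTOFF HOST...: print each expected HOST whose newest
# message is older than CUTOFF, or that never logged at all.
silent_hosts() {
    f=$1; cutoff=$2; shift 2
    for h in "$@"; do
        seen=$(last_seen "$f" "$h")
        # "seen >= cutoff" via a byte-wise sort of the two strings
        if [ -n "$seen" ] && \
           [ "$(printf '%s\n%s\n' "$seen" "$cutoff" | LC_ALL=C sort | head -n 1)" = "$cutoff" ]; then
            continue
        fi
        echo "$h"
    done
}

# Constructed sample log: the receiver's own lines from above, a sender
# (web01) whose kernel emitted two SysRq messages, and db01, which is
# expected but never reported in.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2010-09-28T13:35:11.117820+09:00 vps-1-55 kernel: imklog 3.22.1, log source = /proc/kmsg started.
2010-09-28T13:35:11.118055+09:00 vps-1-55 rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="11771" x-info="http://www.rsyslog.com"] (re)start
2010-09-28T15:21:41.729493+09:00 web01 Ando: hello test
2010-09-28T18:50:34.218631+09:00 web01 kernel: SysRq : HELP : loglevel0-8 reBoot Crashdump tErm Full kIll saK showMem Nice powerOff showPc unRaw Sync showTasks Unmount shoWcpus
2010-09-28T18:51:10.000000+09:00 web01 kernel: SysRq : Emergency Sync
EOF

echo "web01 last seen: $(last_seen "$SAMPLE_LOG" web01)"
echo "kernel alerts from web01:"
kernel_alerts "$SAMPLE_LOG" web01
echo "hosts silent since 18:00 JST:"
silent_hosts "$SAMPLE_LOG" 2010-09-28T18:00:00.000000+09:00 vps-1-55 web01 db01
```

Pointed at the real file on the receiver, `silent_hosts /var/log/messages "$(date +%Y-%m-%dT%H:%M)" host1 host2 ...` from cron gives a cheap "is every sender still talking to me" check; immark's periodic MARK lines (loaded above) make sure an idle but healthy sender still counts as seen.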