我有以下 rsyslog 配置。
系统日志主控(centos 7.x):
[root@SYSLOGMASTER ~]# egrep -i "UDP|TCP|template" /etc/rsyslog.conf -A3
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
$template remote-incoming-logs, "/var/log/RemoteLogs/%HOSTNAME%/%PROGRAMNAME%.log"
if $fromhost !='SYSLOGMASTER' then -?remote-incoming-logs
& stop
系统日志客户端
[root@SYSLOG-CLIENT ~]# egrep -v "^$|^#" /etc/rsyslog.conf
$PreserveFQDN on
$template FileFormatMillisec,"%TIMESTAMP%%TIMESTAMP:20:23:date-rfc3339% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
$ActionFileDefaultTemplate FileFormatMillisec
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$WorkDirectory /var/lib/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging off
*.info;mail.none;authpriv.none;cron.none;local0.none;local1.none;local2.none -/var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local0.* -/var/log/app/app.log
$SystemLogRateLimitInterval 0
$EscapeControlCharactersOnReceive off
local1.* -/var/log/app/api.http.log
local2.* -/var/log/app/app.http.log
*.* @@172.24.34.118:514
[root@SYSLOG-CLIENT ~]#
/etc/rsyslog.d/* 内没有任何配置。
这里的问题是,rsyslog 在“/var/log/RemoteLogs”路径内创建奇怪的目录。我发现,这些目录名称来自日志文件,这些文件从客户端服务器发送到主服务器。下面是示例目录(09-01,09-02,129,138,147,165 等):
[root@SYSLOGMASTER RemoteLogs]# ll
total 4
drwx------ 2 root root 34 Sep 1 23:08 09-01
drwx------ 2 root root 146 Sep 2 09:08 09-02
drwx------ 2 root root 19 Sep 1 23:18 129
drwx------ 2 root root 19 Sep 1 23:33 138
drwx------ 2 root root 19 Sep 1 23:48 147
drwx------ 2 root root 19 Sep 2 00:18 165
drwx------ 2 root root 4096 Sep 2 08:48 172.24.34.104
drwx------ 2 root root 118 Sep 1 20:12 172.24.34.108
非常感谢对此的任何建议。