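I am migrating an rsyslog configuration from an old server to a new one, and I want to take the opportunity to tidy up our configuration. The old configuration uses "legacy" template definitions, and the rsyslog template documentation recommends replacing such definitions with the new template syntax, so I tried to do that.
I cannot get it to work at all, and the errors I receive when trying to start rsyslog make no sense. So it seems that either I have fundamentally misunderstood the rsyslog documentation, or there is some problem with the rsyslog package included in RHEL6.
This is the old template I am trying to update: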
$template secureTemplate,"INSERT INTO var_log_secure (received_at, source_ip, source_hostname, logged_at, severity, service, message, severity_int, syslogtag) VALUES ('%timegenerated:::date-rfc3339%', '%fromhost-ip%', '%hostname%', '%timereported:::date-rfc3339%', '%syslogseverity-text%', '%programname%', '%msg%', '%syslogseverity%', '%syslogtag%')",STDSQL
This is the same template in the new syntax, as I attempted it after reading the rsyslog documentation:
template(name="secureTemplate" type="string" option.stdsql="on"
string="INSERT INTO var_log_secure (received_at, source_ip, source_hostname, logged_at, severity, service, message, severity_int, syslogtag) values ('%timegenerated:::date-rfc3339%', '%fromhost-ip%', '%hostname%', '%timereported:::date-rfc3339%', '%syslogseverity-text%', '%programname%', '%msg%', '%syslogseverity%', '%syslogtag%')"
)
These are the errors I get when rsyslog starts:
rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="4491" x-info="http://www.rsyslog.com"] start
rsyslogd-3000:unknown priority name "stdsql="on"" [try http://www.rsyslog.com/e/3000 ]
rsyslogd:the last error occured in /etc/rsyslog.conf, line 49:"template(name="secureTemplate" type="string" option.stdsql="on""
rsyslogd:warning: selector line without actions will be discarded
rsyslogd-3000:unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
rsyslogd:the last error occured in /etc/rsyslog.conf, line 50:" string="INSERT INTO var_log_secure (received_at, source_ip, source_hostname, logged_at, severity, service, message, severity_int, syslogtag) values ('%timegenerated:::date-rfc3339%', '%fromhost-ip%', '%hostname%', '%timereported:::date-rfc3339%', '%syslogseverity-text%', '%programname%', '%msg%', '%syslogseverity%', '%syslogtag%')""
rsyslogd:warning: selector line without actions will be discarded
rsyslogd-3000:unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
rsyslogd:the last error occured in /etc/rsyslog.conf, line 51:")"
rsyslogd:warning: selector line without actions will be discarded
rsyslogd-3003: Could not find template 'secureTemplate' - action disabled
[try http://www.rsyslog.com/e/3003 ]
rsyslogd:the last error occured in /etc/rsyslog.conf, line 55:"then :ompgsql:127.0.0.1,rsyslog,rsyslog,+Without-Goodbye-22+;secureTemplate"
rsyslogd:warning: selector line without actions will be discarded
rsyslogd-2124:CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
rsyslogd:EMERGENCY CONFIGURATION ACTIVATED - fix rsyslog config file!
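Answer 1
The answer is simple (and probably unsatisfying). The old version does not support the new syntax. You need at least v6, but to use all features you need v7. So far, Red Hat has not provided these for RHEL. As an alternative, you can use the rsyslog RPM packages: http://www.rsyslog.com/rhelcentos-rpms/
Also note that the documentation at http://www.rsyslog.com/doc always applies to the latest version. However, each version has its own documentation set. It is obviously best to refer to the documentation set that ships with your version. Most distributions do not install it by default, but there is usually a package named rsyslog-doc.
Answer 2
As of September 2015, an rsyslog7 package is available in RHEL6. The current version of rsyslog is 8.11, but this version is at least closer to the current one.
To install it, you first have to remove the rsyslog package: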
# rpm -e --nodeps rsyslog
# yum -y install rsyslog7
Answer 3
You can add the rsyslog yum repo and then update rsyslog directly, so that you do not have to uninstall it.
cd /etc/yum.repos.d/
wget http://rpms.adiscon.com/v8-stable/rsyslog.repo
yum update rsyslog
...
Updating:
rsyslog x86_64 8.35.0-2.el6
Repo file for reference:
cat rsyslog.repo
[rsyslog_v8]
name=Adiscon CentOS-$releasever - local packages for $basearch
baseurl=http://rpms.adiscon.com/v8-stable/epel-$releasever/$basearch
enabled=1
gpgcheck=0
gpgkey=http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
protect=1
Credits:
http://osengineer.blogspot.com/2014/01/install-rsyslog7-to-centos6.html
https://www.rsyslog.com/rhelcentos-rpms/
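The repo file quoted in answer 3 sets gpgcheck=0 and uses http:// URLs, so yum installs those packages without verifying their signatures. The check below is an added example, not part of the original answers or of any rsyslog or Adiscon tooling; the function name audit_repo and the wording of the findings are illustrative assumptions.

```python
import configparser

# Repo file exactly as quoted in answer 3 on this page.
REPO_FROM_PAGE = """\
[rsyslog_v8]
name=Adiscon CentOS-$releasever - local packages for $basearch
baseurl=http://rpms.adiscon.com/v8-stable/epel-$releasever/$basearch
enabled=1
gpgcheck=0
gpgkey=http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
protect=1
"""

FALSE_VALUES = {"0", "no", "false"}  # boolean spellings treated as "off"


def audit_repo(text):
    """Return (repo_id, option, problem) tuples for every enabled repo.

    Hypothetical helper written for this example: it flags disabled
    signature checking and metadata, packages or keys fetched without TLS.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for repo_id in cp.sections():
        repo = cp[repo_id]
        if repo.get("enabled", "1").strip().lower() in FALSE_VALUES:
            continue  # a disabled repo is not consulted by "yum update"
        gpgcheck = repo.get("gpgcheck")
        if gpgcheck is None:
            # Unset per-repo value falls back to [main] in /etc/yum.conf.
            findings.append((repo_id, "gpgcheck", "not set, inherits yum.conf [main]"))
        elif gpgcheck.strip().lower() in FALSE_VALUES:
            findings.append((repo_id, "gpgcheck", "package signatures are not verified"))
        for opt in ("baseurl", "mirrorlist", "gpgkey"):
            # These options may list several URLs separated by whitespace.
            for url in repo.get(opt, "").split():
                if url.lower().startswith(("http://", "ftp://")):
                    findings.append((repo_id, opt, "fetched without TLS: " + url))
    return findings


if __name__ == "__main__":
    for repo_id, opt, problem in audit_repo(REPO_FROM_PAGE):
        print("[%s] %s: %s" % (repo_id, opt, problem))
```

Run against the files in /etc/yum.repos.d/ before `yum update`; an empty result means signature checking is on and every URL is either TLS or a local file.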