I am trying to use rsyslog on a Debian machine to send log data to an external server.
The log file I am interested in has about 10GB of historical data.
When I started configuring rsyslog, I assumed it would start sending all new log entries to the server, but the maintainer of the target server told me I had already sent more than 10GB of data. I restarted rsyslogd a few times.
I would like to know whether it sends all logs from the beginning by default instead of only the new ones?
Here is my configuration file
$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog
####################
# Nginx Access Log #
####################
# Input for Nginx Access Log
$InputFileName /var/log/nginx/myapp.access.log
$InputFileTag nginx-access
$InputFileStateFile stat-nginx-access #this must be unique for each file being polled
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
# Add a tag for file events
$template NginxAccessFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %hostname% %app-name% %procid% %msgid% [SecretKey@41058 tag=\"myapp-nginx-access\"] %msg%\n"
# Send to Loggly then discard
if $programname == 'nginx-access' then @@server.loggly.com:514;NginxAccessFormat
if $programname == 'nginx-access' then ~
######################
# Nginx Access Error #
######################
# Input for Nginx Error Log
#$InputFileName /var/log/nginx/myapp.error.log
#$InputFileTag nginx-error
#$InputFileStateFile stat-nginx-error #this must be unique for each file being polled
#$InputFileSeverity info
#$InputFilePersistStateInterval 20000
#$InputRunFileMonitor
# Add a tag for file events
#$template NginxErrorFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %hostname% %app-name% %procid% %msgid% [SecretKey@41058 tag=\"myapp-nginx-error\"] %msg%\n"
# Send to Loggly then discard
#if $programname == 'nginx-error' then @@server.loggly.com:514;NginxErrorFormat
#if $programname == 'nginx-error' then ~
#############
# PHP Error #
#############
# Input for PHP Error Log
#$InputFileName /var/log/hhvm/error.log
#$InputFileTag php-error
#$InputFileStateFile stat-php-error #this must be unique for each file being polled
#$InputFileSeverity info
#$InputFilePersistStateInterval 20000
#$InputRunFileMonitor
# Add a tag for file events
#$template PhpErrorFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %hostname% %app-name% %procid% %msgid% [SecretKey@41058 tag=\"myapp-hhvm-error\"] %msg%\n"
# Send to Loggly then discard
#if $programname == 'php-error' then @@server.loggly.com:514;PhpErrorFormat
#if $programname == 'php-error' then ~
Here is the rsyslogd version information
rsyslogd -v
rsyslogd 8.4.2, compiled with:
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
Number of Bits in RainerScript integers: 64
See http://www.rsyslog.com for more information.
Answer 1
Yes, by default it picks up the log from the beginning, but it writes a state file to remember where it stopped. I assume you could delete the state file, rotate the file concerned, and then start again if you only want the new logs.
Also, I recommend upgrading rsyslog to the latest stable version (currently 8.14.0), since many imfile-related fixes have been added since 8.4.2 (see the changelog for more details).
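The procedure the answer suggests, as an added shell example that is not part of the original question, the answer, or rsyslog itself: stop rsyslog, rotate the watched file, recreate it empty, tell the writer to reopen it, remove the imfile state file, and start rsyslog again, in that order. It assumes Debian's `service` command, GNU `stat`, and that nginx reopens its log on `nginx -s reopen`; all three are assumptions and the commands are variables so the script can be dry-run.

```sh
#!/bin/sh
# Added example, not code from the original question, its answer, or the
# rsyslog project: implement "rotate the file, delete the state file, restart"
# so imfile ships only new lines. Assumes Debian's `service` command, GNU stat,
# and that nginx reopens its log on `nginx -s reopen` (all assumptions).
set -eu

# Service and reopen commands are overridable so the script can be dry-run
# (e.g. SERVICE_STOP=true) outside the real host.
: "${SERVICE_STOP:=service rsyslog stop}"
: "${SERVICE_START:=service rsyslog start}"
: "${REOPEN_LOG:=nginx -s reopen}"

# reset_imfile_state LOGFILE WORKDIR STATEFILE
# Archives LOGFILE beside itself, recreates it empty with the same owner and
# mode, removes WORKDIR/STATEFILE and restarts rsyslog. Prints the archive path.
# Order matters: rsyslog must be stopped before the state file goes away, and
# the log must already be empty when it starts again, otherwise imfile finds
# no state and reads the whole file from byte 0 (the multi-GB resend).
reset_imfile_state() {
    logfile=$1
    workdir=$2
    statefile=$3
    [ -f "$logfile" ] || { echo "no such log file: $logfile" >&2; return 1; }

    archive="$logfile.pre-rsyslog.$(date +%Y%m%d%H%M%S)"

    $SERVICE_STOP >&2
    mv "$logfile" "$archive"

    # New empty file with the writer's ownership and permissions preserved.
    : > "$logfile"
    chown "$(stat -c %u:%g "$archive")" "$logfile"
    chmod "$(stat -c %a "$archive")" "$logfile"

    # Make the log writer switch to the new inode before rsyslog comes back.
    $REOPEN_LOG >&2

    # Drop the saved offset; on start imfile now begins at byte 0 of an empty file.
    rm -f "$workdir/$statefile"
    $SERVICE_START >&2

    echo "$archive"
}

# imfile_state_exists WORKDIR STATEFILE: 0 if a saved offset exists, 1 otherwise.
# Worth checking before any restart: no state file plus a large log means a
# full resend on the next start.
imfile_state_exists() {
    [ -s "$1/$2" ]
}

# Real invocation with the paths from the configuration above (run as root):
#   sh reset-imfile.sh --run
if [ "${1:-}" = "--run" ]; then
    reset_imfile_state /var/log/nginx/myapp.access.log /var/spool/rsyslog stat-nginx-access
fi
```

Deleting only the state file is the dangerous half-step: with no state, imfile starts at byte 0 of whatever file it finds, so the rotation has to be done before rsyslog is started again. Two related caveats: `$InputFilePersistStateInterval 20000` in the configuration above means the offset is only written to the state file every 20000 lines (and on a clean shutdown), so an unclean stop can resend up to that many lines, and a smaller interval trades extra disk writes for less duplication; and newer imfile versions offer a `freshStartTail="on"` parameter on the `input(type="imfile" ...)` form that seeks to the end of the file when no state file exists, which is the cleaner fix if the installed version supports it (check the imfile documentation for your release).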