I am trying to filter logs out of journalctl so that the matching logs can be forwarded to a remote rsyslog server.
/var/log/custom
The logs are correctly written to the file, but I cannot forward them to the remote server.
I referred to the following links:
https://stackoverflow.com/questions/37034439/rsyslog-filtering-and-forwarding
How to forward a specific log file outside of /var/log to a remote server using rsyslog?
but I still could not achieve my goal.
Here is my rsyslog.conf. Am I missing something?
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
# Configure the LocalHostName, so that syslogs carry the hostname instead of the alias.
$LocalHostName nd2bwa4drc01v.eng.mobilephone.net
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
###########################
#### GLOBAL DIRECTIVES ####
###########################
# Use traditional timestamp format.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
# Set the default permissions for all log files.
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
# Where to place spool and state files
$WorkDirectory /var/spool/rsyslog
######################
#### Ad-Hoc rules ####
######################
# Log anything [except kern/mail/cron/local2(snmp)/local7(boot)/local5(calea)]
# of level info or higher.
# Don't log private authentication messages!
#
# Filtering out harmless but repetitive messages
#
:msg, contains, "shim containerd-shim started" stop
:msg, contains, "shim reaped" stop
:msg, contains, "ignoring event" stop
:msg, contains, "DEBUG" stop
# Logging rule
#
#:msg, contains, "logged in over ssh from" @192.168.11.71:6514
#:msg, contains, "Logged out ssh" @192.168.11.71:6514
#if $msg contains 'logged in over ssh from' then @192.168.11.71:6514
:msg, contains, "logged in over ssh from" /var/log/custom
:msg, contains, "Logged out ssh" /var/log/custom
*.info;auth.none;authpriv.none;kern.none;mail.none;cron.none;local2.none;local7.none;local5.none /var/log/syslog
daemon.* -/var/log/daemon.log
mail.* -/var/log/mail.log
mail.warn /var/log/mail.warn
#kern.* -/var/log/kern.log
kern.debug stop
*.=debug;\
auth,authpriv.none;\
news.none;mail.none /var/log/debug
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# capture WARN logs in a separate file
#*.warn;local5.none /var/log/warn.log
###############################
##### Begin forwarding rule ###
###############################
# Forward to control-0/1 (rsyslog-proxy) VIP
#
auth.info,authpriv.* /var/log/secure
auth.info,authpriv.* @192.168.11.71:6514
#:msg, contains, "logged in over ssh from" @192.168.11.71:6514
*.info;auth.none;authpriv.none;mail.none;cron.none;local2.none;local7.debug;local5.none @192.168.11.71:6514
##### End of the forwarding rule ###
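Two things in the posted configuration deserve a closer look before suspecting rsyslog itself. First, `@host:port` in legacy syntax is UDP; `@@host:port` is TCP. Port 6514 is the IANA port for syslog over TLS (RFC 5425), so a collector listening there with TCP or TLS will silently drop UDP datagrams, and nothing on the sender side reports it. Second, the `*.info;auth.none;authpriv.none;...` forwarding line explicitly excludes the `auth` and `authpriv` facilities, which is where sshd logs; only the separate `auth.info,authpriv.*` line carries those messages, again over UDP. The fragment below is an added example, not part of the original question, showing the same intent written in RainerScript with one content filter driving both the local file and a TCP forward. It assumes the collector at 192.168.11.71 accepts plain TCP on 6514; the TLS parameters are shown commented out for the case where it expects TLS, and the hostname, queue file name and target are placeholders.

```rsyslog
# Added example configuration (not the original poster's file). Assumes the
# collector 192.168.11.71:6514 accepts plain TCP; see the TLS block for RFC 5425.
module(load="imuxsock")   # local /dev/log
module(load="imklog")     # kernel ring buffer
global(workDirectory="/var/spool/rsyslog")

# Uncomment when the collector speaks TLS on 6514 (needs rsyslog-gnutls).
# global(DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem")

# One filter, two actions. Both ssh strings match regardless of facility,
# so the auth.none / authpriv.none exclusions further down cannot hide them.
if ($msg contains "logged in over ssh from") or ($msg contains "Logged out ssh") then {
    action(type="omfile" file="/var/log/custom")

    # Plain TCP forward with a disk-assisted queue so the message survives a
    # collector outage instead of being dropped like a UDP datagram would be.
    action(type="omfwd"
           target="192.168.11.71" port="6514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_ssh_q"   # placeholder name
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")

    # TLS alternative: replace the action above with this one.
    # action(type="omfwd"
    #        target="192.168.11.71" port="6514" protocol="tcp"
    #        StreamDriver="gtls" StreamDriverMode="1"
    #        StreamDriverAuthMode="x509/name"
    #        StreamDriverPermittedPeers="rsyslog-proxy.example")   # placeholder CN

    stop   # handled; do not let the generic rules below re-file or re-send it
}

# Noise suppression stays after the forward block: a `stop` here would
# otherwise end processing before the ssh rule ever saw the message.
:msg, contains, "shim containerd-shim started" stop
:msg, contains, "shim reaped" stop
:msg, contains, "ignoring event" stop
:msg, contains, "DEBUG" stop
```

To check it, run `rsyslogd -N1` to validate the syntax, then emit a constructed message with `logger -p auth.info -t sshd "logged in over ssh from 10.0.0.5"` and confirm both that the line lands in /var/log/custom and that `tcpdump -ni any tcp port 6514` shows a session to the collector. If the collector is a TLS listener and the TCP action is used, the connection opens and is immediately reset; that pattern in the capture is the quickest way to tell the two cases apart.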