I am trying to send logs to a remote system using the following configuration on the client:
module(load="imjournal" StateFile="imjournal.state")
module(load="omrelp")
template(name="FileFormat" type="list") {
property(name="timereported" dateFormat="rfc3339")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogfacility-text")
constant(value=" ")
property(name="syslogseverity-text")
constant(value=" ")
property(name="app-name")
constant(value=" PID ")
property(name="procid")
constant(value=" ")
property(name="msgid")
constant(value=" ")
property(name="structured-data")
constant(value=" ")
property(name="msg")
constant(value=" ")
constant(value="\n")
}
kern.* action(type="omfile" file="/var/log/kern.log" template="FileFormat")
*.info;mail.none;authpriv.none;cron.none action(type="omfile" file="/var/log/messages" template="FileFormat")
authpriv.* action(type="omfile" file="/var/log/secure" template="FileFormat")
mail.* action(type="omfile" file="/var/log/maillog" template="FileFormat")
cron.* action(type="omfile" file="/var/log/cron" template="FileFormat")
*.emerg :omusrmsg:*
uucp,news.crit action(type="omfile" file="/var/log/spooler" template="FileFormat")
local7.* action(type="omfile" file="/var/log/boot.log" template="FileFormat")
*.* action(type="omrelp" target="10.0.20.30" port="2514" template="FileFormat")
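Locally, the logs are correctly formatted with all the required fields, especially the date (2022-07-26T07:06:25.723077+00:00).
Remotely, all fields are present, but I cannot get a well-formatted date (Jul 26 08:58:34).
I don't know why.
If I try to add date customization options to the template on the client, for example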
property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="23")
the logs are no longer sent remotely.
If I modify the action item so that it does not use the template format, as follows:
*.* action(type="omrelp" target="10.0.20.30" port="2514")
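I have more log files remotely.
I can't understand these behaviors. Has anyone already run into these problems?
Answer 1
Finally found it:
The template must be applied in the rsyslog configuration on the destination server (not on the source server) for this to work.
Here is the client configuration: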
#Loading module for logs export with RELP Protocol
module(load="imjournal" StateFile="imjournal.state") # File to store the position in the journal
module(load="omrelp")
#Log Format Template as specified in RFC5424
template(name="FileFormat" type="list") {
property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="23")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogfacility-text")
constant(value=" ")
property(name="syslogseverity-text")
constant(value=" ")
property(name="app-name")
constant(value=" PID ")
property(name="procid")
constant(value=" ")
property(name="msgid")
constant(value=" ")
property(name="structured-data")
constant(value=" ")
property(name="msg")
constant(value=" ")
constant(value="\n")
}
#Local Logging with templating
kern.* action(type="omfile" file="/var/log/kern.log" template="FileFormat")
*.info;mail.none;authpriv.none;cron.none action(type="omfile" file="/var/log/messages" template="FileFormat")
authpriv.* action(type="omfile" file="/var/log/secure" template="FileFormat")
mail.* action(type="omfile" file="/var/log/maillog" template="FileFormat")
cron.* action(type="omfile" file="/var/log/cron" template="FileFormat")
daemon.* action(type="omfile" file="/var/log/daemon.log" template="FileFormat")
syslog.* action(type="omfile" file="/var/log/syslog.log" template="FileFormat")
user.* action(type="omfile" file="/var/log/user.log" template="FileFormat")
*.emerg :omusrmsg:*
uucp,news.crit action(type="omfile" file="/var/log/spooler" template="FileFormat")
local7.* action(type="omfile" file="/var/log/boot.log" template="FileFormat")
#Export all systems logs to centralized server
*.* :omrelp:$Destination_server:2514
And the configuration on the destination server:
#Load Modules for centralized syslog reception
module(load="imrelp")
module(load="imtcp")
module(load="imudp")
input(type="imrelp" port="2514" maxDataSize="10k")
input(type="imtcp" port="514")
input(type="imudp" port="514")
#Log Format Template as specified in RFC5424
template(name="FileFormat" type="list") {
property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="23")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogfacility-text")
constant(value=" ")
property(name="syslogseverity-text")
constant(value=" ")
property(name="app-name")
constant(value=" PID ")
property(name="procid")
constant(value=" ")
property(name="msgid")
constant(value=" ")
property(name="structured-data")
constant(value=" ")
property(name="msg")
constant(value=" ")
constant(value="\n")
}
#Template for Log hierarchy to build
template (name="RemoteStore" type="string" string="/var/log/epac_syslog/%HOSTNAME%/%PROGRAMNAME%.log")
#Local Logging with templating
kern.* action(type="omfile" file="/var/log/kern.log" template="FileFormat")
*.info;mail.none;authpriv.none;cron.none action(type="omfile" file="/var/log/messages" template="FileFormat")
authpriv.* action(type="omfile" file="/var/log/secure" template="FileFormat")
mail.* action(type="omfile" file="/var/log/maillog" template="FileFormat")
cron.* action(type="omfile" file="/var/log/cron" template="FileFormat")
daemon.* action(type="omfile" file="/var/log/daemon.log" template="FileFormat")
syslog.* action(type="omfile" file="/var/log/syslog.log" template="FileFormat")
user.* action(type="omfile" file="/var/log/user.log" template="FileFormat")
*.emerg :omusrmsg:*
uucp,news.crit action(type="omfile" file="/var/log/spooler" template="FileFormat")
local7.* action(type="omfile" file="/var/log/boot.log" template="FileFormat")
*.* :omrelp:10.0.20.30:2514
#Reception of all logs following templates from servers
*.* ?RemoteStore;FileFormat
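
An added example, not part of the original answer: a small Python check for the central log store that classifies each line's leading timestamp (full RFC 3339, RFC 3339 cut to 23 characters as `position.to="23"` does, or the legacy `Jul 26 08:58:34` form) and splits lines written by the `FileFormat` template into fields. The function names and the sample lines are assumptions made for illustration; only the two timestamps come from the page.

```python
import re

# Timestamp shapes seen on the page: RFC 3339, and the legacy RFC 3164 form
# ("Jul 26 08:58:34"), which carries neither a year nor a UTC offset.
RFC3339 = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(Z|[+-]\d{2}:\d{2})?")
RFC3164 = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}")

def substring(value, pos_from, pos_to):
    """Mirror position.from/position.to: 1-based, inclusive on both ends."""
    return value[pos_from - 1:pos_to]

def classify(line):
    """Return (kind, timestamp) for the timestamp at the start of a line."""
    m = RFC3339.match(line)
    if m:
        return ("rfc3339" if m.group(1) else "rfc3339-no-offset"), m.group(0)
    m = RFC3164.match(line)
    if m:
        return "rfc3164", m.group(0)
    return "unknown", ""

def parse_fileformat(line):
    """Split a line written by the FileFormat template into named fields.
    Assumes structured-data has no embedded spaces (it is usually "-")."""
    kind, ts = classify(line)
    parts = line[len(ts):].strip().split(" ", 8)
    if kind == "unknown" or len(parts) < 9 or parts[4] != "PID":
        return None
    keys = ("hostname", "facility", "severity", "app", None, "procid", "msgid", "sd", "msg")
    rec = {k: v for k, v in zip(keys, parts) if k}
    rec.update(timestamp=ts, ts_kind=kind)
    return rec

def audit(lines):
    """Group 1-based line numbers by timestamp kind."""
    report = {}
    for n, line in enumerate(lines, 1):
        report.setdefault(classify(line)[0], []).append(n)
    return report

# Constructed sample lines (hosts, programs and messages are made up).
SAMPLE = [
    "2022-07-26T07:06:25.723077+00:00 web01 authpriv info sshd PID 1234 - - Accepted publickey for deploy",
    "2022-07-26T07:06:25.723 web01 cron info crond PID 4321 - - (root) CMD (run-parts /etc/cron.hourly)",
    "Jul 26 08:58:34 web01 sshd[1234]: Accepted publickey for deploy",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Lines reported as `rfc3164` were written without the server-side template; lines reported as `rfc3339-no-offset` have lost their UTC offset to the 23-character cut, which matters when correlating events across hosts in different time zones.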