728x90
728x170
rsyslog
시스템 로그의 개요
- 로그(Log) : 시스템에서 일어나는 모든 사건이나 이벤트 등이 각 서비스별로 기록된 것
- 로그 분석은 시스템 관리에 상당히 중요한 역할을 한다.
- 로그 기록과 관련된 패키지
- 리눅스 초기 : syslog 패키지
- syslogd 데몬이 /etc/syslog.conf 설정 파일을 기반으로 서비스별 로그 파일을 /var/log 디렉터리에 생성하였다.
- 최근 리눅스 배포판 : rsyslog 패키지
- Rocket-Fast System for Log Processing
- 기존 syslog와 유사하게 rsyslogd 데몬이 /etc/rsyslog.conf 설정 파일을 기반으로 서비스별 로그 파일을 /var/log 디렉터리에 생성한다.
- rsyslog
- syslog 의 성능을 대폭 강화한 패키지
- 다양한 기능 지원
- 멀티 스레드(Multi-Thread) 지원
- TCP 지원
- SSL 및 TLS 지원
- RELP(Reliable Event Logging Protocol) 지원
- 메시지 일부 필터링
- 출력 포맷 제어
- 리눅스 초기 : syslog 패키지
- CentOS 7의 /var/log 디렉터리
# ls /var/log더보기
Xorg.0.log glusterfs spooler
Xorg.0.log.old grubby spooler-20210221
Xorg.1.log grubby_prune_debug spooler-20210228
Xorg.9.log lastlog spooler-20210307
anaconda libvirt swtpm
audit mail tallylog
boot.log maillog tuned
boot.log-20210228 maillog-20210221 vmware-network.1.log
boot.log-20210301 maillog-20210228 vmware-network.2.log
boot.log-20210302 maillog-20210307 vmware-network.3.log
boot.log-20210306 messages vmware-network.4.log
boot.log-20210307 messages-20210221 vmware-network.5.log
boot.log-20210309 messages-20210228 vmware-network.6.log
boot.log-20210310 messages-20210307 vmware-network.7.log
btmp ntpstats vmware-network.8.log
btmp-20210301 pluto vmware-network.9.log
chrony ppp vmware-network.log
cron qemu-ga vmware-vgauthsvc.log.0
cron-20210221 rhsm vmware-vmsvc-root.log
cron-20210228 sa vmware-vmtoolsd-root.log
cron-20210307 samba vmware-vmusr-root.log
cups secure wpa_supplicant.log
dmesg secure-20210221 wtmp
dmesg.old secure-20210228 yum.log
firewalld secure-20210307
gdm speech-dispatcher
rsyslog
(1) rsyslog의 개요
- rsyslog
- rsyslogd 데몬이 동작하면서 로그를 기록한다.
- 관련 환경 설정 파일 : /etc/rsyslog.conf
① 주요 파일
- /etc/rsyslog.conf : rsyslogd 데몬의 환경 설정 파일
- /etc/sysconfig/rsyslog : rsyslogd 데몬의 실행과 관련된 옵션이 설정되는 파일
- /sbin/rsyslogd : 실제 rsyslogd 데몬 실행 명령어
- /usr/lib/systemd/system/rsyslog.service : systemctl 명령어에 의해 제어되는 유닛 파일
② 주요 동작 명령어
- rsyslog 데몬의 동작을 중단시킴.
# systemctl stop rsyslog
- rsyslog 데몬을 시작함.
# systemctl start rsyslog
- rsyslog 데몬의 상태 정보를 확인함.
# systemctl -l status rsyslog
③ rsyslog 데몬 동작의 확인
- ps 명령으로 rsyslog 데몬이 동작 중인지 확인
# ps aux | grep rsyslogroot 1224 0.0 0.2 216400 4616 ? Ssl 18:52 0:00 /usr/sbin/rsyslogd -n
root 3664 0.0 0.0 116976 1020 pts/0 R+ 19:33 0:00 grep --color=auto rsyslog
④ rsyslog 데몬의 재시작
- rsyslog 관련 설정을 변경했을 경우, 관련 데몬을 재시작하면 된다.
# systemctl restart rsyslog
⑤ 부팅 시 rsyslog 데몬의 활성화
# systemctl enable rsyslog
(2) /etc/rsyslog.conf 파일
기본 구성 형식
facility.priority action| 형식 | 설명 |
| facility | - 일종의 서비스를 의미 - 메시지를 발생시키는 프로그램의 유형이라고 볼 수 있다. |
| priority | - 위험의 정도를 나타내며, 설정한 수준을 포함해서 높으면 메시지를 보낸다. - 설정 앞에 =을 사용할 경우 : 해당 수준(priority)의 위험도와 같은 경우에만 메시지 기록 - 설정 앞에 !을 사용할 경우 : 해당 수준(priority)만 제외시킬 때 사용 |
| action | - 메시지를 보낼 목적지나 행동들에 관한 설정 - 보통 파일명이나 아이디 등을 적는다. |
| 나열 | - facility : 콤마(,) 사용 - facility.priority 의 조합 : 세미콜론(;) 사용 |
facility 의 종류
| facility | 설명 |
| cron | cron, at 과 같은 스케줄링 프로그램이 발생시킨 메시지 |
| auth, security | login 과 같은 인증 프로그램 유형이 발생시킨 메시지 |
| authpriv | - ssh 와 같이 인증을 필요로 하는 프로그램 유형이 발생시킨 메시지 - 사용자 추가 시에도 메시지가 발생함. |
| daemon | telnet, ftp 등과 같이 여러 데몬이 발생시킨 메시지 |
| kern | 커널이 발생시킨 메시지 |
| lpr | 프린트 유형이 발생시킨 메시지 |
| mail 시스템이 발생시킨 메시지 | |
| mark | syslogd 에 의해 만들어지는 날짜 유형 |
| news | 유즈넷 뉴스 프로그램 유형이 발생시킨 메시지 |
| syslog | syslog 프로그램 유형이 발생시킨 메시지 |
| user | 사용자 프로세스 |
| uucp | UUCP(UNIX to UNIX Copy Protocol) 시스템이 발생시킨 메시지 |
| local0 ~ local7 | 여분으로 남겨둔 유형 |
| * | 모든 facility를 의미 |
priority 의 종류
| priority | 설명 |
| none | - 지정한 facility를 제외 - 보통 앞에 다른 facility에 대한 설정을 하고, ; 뒤에 특정한 facility 를 제외할 때 사용 |
| debug | 프로그램을 디버깅할 때 발생하는 메시지 |
| info | 통계, 기본 정보 메시지 |
| notice | 특별히 주의를 필요로 하나 에러는 아닌 메시지 |
| warning, warn | 주의가 필요한 경고 메시지 |
| error, err | 에러가 발생하는 경우의 메시지 |
| crit | 크게 급하지는 않지만, 시스템에 문제가 생기는 단계의 메시지 |
| alert | 즉각적인 조정을 해야 하는 상황 |
| emerg, panic | 모든 사용자들에게 전달해야 할 위험한 상황 |
action 의 종류
| action | 설명 |
| file | - 지정한 파일에 로그 기록 - 예) /var/log/messages |
| @host | - 지정한 호스트로 메시지를 UDP 기반으로 전달 - 예) *.* @192.168.12.22 |
| @@host | - 지정한 호스트로 메시지를 TCP 기반으로 전달 - 예) *.* @@192.168.12.22 |
| user | - 지정한 사용자가 로그인한 경우, 해당 사용자의 터미널로 전달 - 예) :omusrmsg:root,starrykss,selina |
| * | - 현재 로그인되어 있는 모든 사용자의 화면으로 전달 - 예) :omusrmsg:* |
| 콘솔 또는 터미널 | - 지정한 터미널로 메시지 전달 - 예) /dev/tty2 |
사용 예
- 모든 facility가 발생시키는 메시지 중에 crit 수준의 메시지만 /var/log/critical 파일에 기록함.
- 커널이 발생시키는 메시지는 제외함.
*.=crit;kern.none /var/log/critical
- 모든 emerge 수준 이상의 문제가 발생하면 모든 사용자에게 메시지를 전달함.
*.emerg :omusrmsg:*
- 인증 관련 로그를 root 및 starrykss 사용자의 터미널로 전송
authpriv.* :omusrmsg:root,starrykss
- 인증 관련 로그를 /dev/tty2로 전송
authpriv.* /dev/tty2
- mail과 관련된 모든 정보는 /var/log/maillog에 기록하는데, info 수준의 로그는 제외함.
mail.*;mail.!=info /var/log/maillog
- uucp 및 news에서 발생하는 crit 수준 이상의 메시지는 /var/log/news에 기록함.
uucp,news.crit /var/log/news
(참고) rsyslog와 관련 모듈
- rsyslog는 모듈식 디자인으로 다양한 모듈을 제공하고 있다.
- om(Output Module)로 시작하는 출력 모듈
- omsnmp, ommysql, omrelp 등
- im(Input Module)로 시작하는 입력 모듈
- imfile, imudp, imtcp 등
- om(Output Module)로 시작하는 출력 모듈
- 관련 정보 확인 : man rsyslog.conf
문제 해결 전략
- man rsyslog.conf 명령을 입력하여 메뉴얼을 확인해가면서 문제를 해결한다.
$ man rsyslog.conf더보기
RSYSLOG.CONF(5) Linux System Administration RSYSLOG.CONF(5)
NAME
rsyslog.conf - rsyslogd(8) configuration file
DESCRIPTION
The rsyslog.conf file is the main configuration file for the rsyslogd(8) which logs system mes‐
sages on *nix systems. This file specifies rules for logging. For special features see the rsys‐
logd(8) manpage. Rsyslog.conf is backward-compatible with sysklogd's syslog.conf file. So if you
migrate from sysklogd you can rename it and it should work.
Note that this version of rsyslog ships with extensive documentation in html format. This is pro‐
vided in the ./doc subdirectory and probably in a separate package if you installed rsyslog via a
packaging system. To use rsyslog's advanced features, you need to look at the html documentation,
because the man pages only cover basic aspects of operation.
MODULES
Rsyslog has a modular design. Consequently, there is a growing number of modules. See the html
documentation for their full description.
omsnmp SNMP trap output module
omgssapi
Output module for GSS-enabled syslog
ommysql
Output module for MySQL
omrelp Output module for the reliable RELP protocol (prevents message loss). For details, see
below at imrelp and the html documentation. It can be used like this:
*.* :omrelp:server:port
*.* :omrelp:192.168.0.1:2514 # actual sample
ompgsql
Output module for PostgreSQL
omlibdbi
Generic database output module (Firebird/Interbase, MS SQL, Sybase, SQLite, Ingres, Oracle,
mSQL)
imfile Input module for text files
imudp Input plugin for UDP syslog. Replaces the deprecated -r option. Can be used like this:
$ModLoad imudp
$UDPServerRun 514
imtcp Input plugin for plain TCP syslog. Replaces the deprecated -t option. Can be used like
this:
$ModLoad imtcp
$InputTCPServerRun 514
imrelp Input plugin for the RELP protocol. RELP can be used instead of UDP or plain TCP
syslog to provide reliable delivery of syslog messages. Please note that plain TCP
syslog does NOT provide truly reliable delivery, with it messages may be lost when
there is a connection problem or the server shuts down. RELP prevents message loss
in those cases. It can be used like this:
$ModLoad imrelp
$InputRELPServerRun 2514
imgssapi
Input plugin for plain TCP and GSS-enable syslog
immark Support for mark messages
imklog Kernel logging. To include kernel log messages, you need to do
$ModLoad imklog
Please note that the klogd daemon is no longer necessary and consequently no longer
provided by the rsyslog package.
imuxsock
Unix sockets, including the system log socket. You need to specify
$ModLoad imuxsock
in order to receive log messages from local system processes. This config directive
should only left out if you know exactly what you are doing.
BASIC STRUCTURE
Lines starting with a hash mark ('#') and empty lines are ignored. Rsyslog.conf should
contain following sections (sorted by recommended order in file):
Global directives
Global directives set some global properties of whole rsyslog daemon, for example
size of main message queue ($MainMessageQueueSize), loading external modules ($Mod‐
Load) and so on. All global directives need to be specified on a line by their own
and must start with a dollar-sign. The complete list of global directives can be
found in html documentation in doc directory or online on web pages.
Templates
Templates allow you to specify format of the logged message. They are also used for
dynamic file name generation. They have to be defined before they are used in rules.
For more info about templates see TEMPLATES section of this manpage.
Output channels
Output channels provide an umbrella for any type of output that the user might want.
They have to be defined before they are used in rules. For more info about output
channels see OUTPUT CHANNELS section of this manpage.
Rules (selector + action)
Every rule line consists of two fields, a selector field and an action field. These
two fields are separated by one or more spaces or tabs. The selector field specifies
a pattern of facilities and priorities belonging to the specified action.
SELECTORS
The selector field itself again consists of two parts, a facility and a priority, separated
by a period ('.'). Both parts are case insensitive and can also be specified as decimal
numbers, but don't do that, you have been warned. Both facilities and priorities are
described in syslog(3). The names mentioned below correspond to the similar LOG_-values in
/usr/include/syslog.h.
The facility is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr,
mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7.
The keyword security should not be used anymore and mark is only for internal use and
therefore should not be used in applications. Anyway, you may want to specify and redirect
these messages here. The facility specifies the subsystem that produced the message, i.e.
all mail programs log with the mail facility (LOG_MAIL) if they log using syslog.
The priority is one of the following keywords, in ascending order: debug, info, notice,
warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same
as emerg). The keywords error, warn and panic are deprecated and should not be used any‐
more. The priority defines the severity of the message.
The behavior of the original BSD syslogd is that all messages of the specified priority and
higher are logged according to the given action. Rsyslogd behaves the same, but has some
extensions.
In addition to the above mentioned names the rsyslogd(8) understands the following exten‐
sions: An asterisk ('*') stands for all facilities or all priorities, depending on where it
is used (before or after the period). The keyword none stands for no priority of the given
facility.
You can specify multiple facilities with the same priority pattern in one statement using
the comma (',') operator. You may specify as much facilities as you want. Remember that
only the facility part from such a statement is taken, a priority part would be skipped.
Multiple selectors may be specified for a single action using the semicolon (';') separa‐
tor. Remember that each selector in the selector field is capable to overwrite the preced‐
ing ones. Using this behavior you can exclude some priorities from the pattern.
Rsyslogd has a syntax extension to the original BSD source, that makes its use more intu‐
itively. You may precede every priority with an equals sign ('=') to specify only this sin‐
gle priority and not any of the above. You may also (both is valid, too) precede the prior‐
ity with an exclamation mark ('!') to ignore all that priorities, either exact this one or
this and any higher priority. If you use both extensions than the exclamation mark must
occur before the equals sign, just use it intuitively.
ACTIONS
The action field of a rule describes what to do with the message. In general, message con‐
tent is written to a kind of "logfile". But also other actions might be done, like writing
to a database table or forwarding to another host.
Regular file
Typically messages are logged to real files. The file has to be specified with full path‐
name, beginning with a slash ('/').
Example:
*.* /var/log/traditionalfile.log;RSYSLOG_TraditionalFileFormat # log to a
file in the traditional format
Note: if you would like to use high-precision timestamps in your log files, just remove the
";RSYSLOG_TraditionalFormat". That will select the default template, which, if not changed,
uses RFC 3339 timestamps.
Example:
*.* /var/log/file.log # log to a file with RFC3339 timestamps
By default, files are not synced after earch write. To enable syncing of log files glob‐
ally, use either the "$ActionFileEnableSync" directive or the "sync" parameter to omfile.
Enabling this option degrades performance and it is advised not to enable syncing unless
you know what you are doing. To selectively disable syncing for certain files, you may
prefix the file path with a minus sign ("-").
Named pipes
This version of rsyslogd(8) has support for logging output to named pipes (fifos). A fifo
or named pipe can be used as a destination for log messages by prepending a pipe symbol
('|') to the name of the file. This is handy for debugging. Note that the fifo must be cre‐
ated with the mkfifo(1) command before rsyslogd(8) is started.
Terminal and console
If the file you specified is a tty, special tty-handling is done, same with /dev/console.
Remote machine
There are three ways to forward message: the traditional UDP transport, which is extremely
lossy but standard, the plain TCP based transport which loses messages only during certain
situations but is widely available and the RELP transport which does not lose messages but
is currently available only as part of rsyslogd 3.15.0 and above.
To forward messages to another host via UDP, prepend the hostname with the at sign ("@").
To forward it via plain tcp, prepend two at signs ("@@"). To forward via RELP, prepend the
string ":omrelp:" in front of the hostname.
Example:
*.* @192.168.0.1
In the example above, messages are forwarded via UDP to the machine 192.168.0.1, the desti‐
nation port defaults to 514. Due to the nature of UDP, you will probably lose some messages
in transit. If you expect high traffic volume, you can expect to lose a quite noticeable
number of messages (the higher the traffic, the more likely and severe is message loss).
If you would like to prevent message loss, use RELP:
*.* :omrelp:192.168.0.1:2514
Note that a port number was given as there is no standard port for relp.
Keep in mind that you need to load the correct input and output plugins (see "Modules"
above).
Please note that rsyslogd offers a variety of options in regarding to remote forwarding.
For full details, please see the html documentation.
List of users
Usually critical messages are also directed to ``root'' on that machine. You can specify a
list of users that shall get the message by simply writing ":omusrmsg:" followed by the
login name. You may specify more than one user by separating them with commas (','). If
they're logged in they get the message (for example: ":omusrmsg:root,user1,user2").
Everyone logged on
Emergency messages often go to all users currently online to notify them that something
strange is happening with the system. To specify this wall(1)-feature use an ":omusrmsg:*".
Database table
This allows logging of the message to a database table. By default, a MonitorWare-compati‐
ble schema is required for this to work. You can create that schema with the createDB.SQL
file that came with the rsyslog package. You can also use any other schema of your liking -
you just need to define a proper template and assign this template to the action.
See the html documentation for further details on database logging.
Discard
If the discard action is carried out, the received message is immediately discarded. Dis‐
card can be highly effective if you want to filter out some annoying messages that other‐
wise would fill your log files. To do that, place the discard actions early in your log
files. This often plays well with property-based filters, giving you great freedom in
specifying what you do not want.
Discard is just the single tilde character with no further parameters.
Example:
*.* ~ # discards everything.
Output channel
Binds an output channel definition (see there for details) to this action. Output channel
actions must start with a $-sign, e.g. if you would like to bind your output channel defi‐
nition "mychannel" to the action, use "$mychannel". Output channels support template defi‐
nitions like all all other actions.
Shell execute
This executes a program in a subshell. The program is passed the template-generated message
as the only command line parameter. Rsyslog waits until the program terminates and only
then continues to run.
Example:
^program-to-execute;template
The program-to-execute can be any valid executable. It receives the template string as a
single parameter (argv[1]).
FILTER CONDITIONS
Rsyslog offers three different types "filter conditions":
* "traditional" severity and facility based selectors
* property-based filters
* expression-based filters
Selectors
Selectors are the traditional way of filtering syslog messages. They have been kept in
rsyslog with their original syntax, because it is well-known, highly effective and also
needed for compatibility with stock syslogd configuration files. If you just need to filter
based on priority and facility, you should do this with selector lines. They are not sec‐
ond-class citizens in rsyslog and offer the best performance for this job.
Property-Based Filters
Property-based filters are unique to rsyslogd. They allow to filter on any property, like
HOSTNAME, syslogtag and msg.
A property-based filter must start with a colon in column 0. This tells rsyslogd that it is
the new filter type. The colon must be followed by the property name, a comma, the name of
the compare operation to carry out, another comma and then the value to compare against.
This value must be quoted. There can be spaces and tabs between the commas. Property names
and compare operations are case-sensitive, so "msg" works, while "MSG" is an invalid prop‐
erty name. In brief, the syntax is as follows:
:property, [!]compare-operation, "value"
The following compare-operations are currently supported:
contains
Checks if the string provided in value is contained in the property
isequal
Compares the "value" string provided and the property contents. These two
values must be exactly equal to match.
startswith
Checks if the value is found exactly at the beginning of the property value
regex
Compares the property against the provided regular expression.
Expression-Based Filters
See the html documentation for this feature.
TEMPLATES
Every output in rsyslog uses templates - this holds true for files, user messages and so
on. Templates compatible with the stock syslogd formats are hardcoded into rsyslogd. If no
template is specified, we use one of these hardcoded templates. Search for "template_" in
syslogd.c and you will find the hardcoded ones.
A template consists of a template directive, a name, the actual template text and optional
options. A sample is:
$template MyTemplateName,"\7Text %property% some more text\n",<options>
The "$template" is the template directive. It tells rsyslog that this line contains a tem‐
plate. The backslash is an escape character. For example, \7 rings the bell (this is an
ASCII value), \n is a new line. The set in rsyslog is a bit restricted currently.
All text in the template is used literally, except for things within percent signs. These
are properties and allow you access to the contents of the syslog message. Properties are
accessed via the property replacer and it can for example pick a substring or do date-spe‐
cific formatting. More on this is the PROPERTY REPLACER section of this manpage.
To escape:
% = \%
\ = \\ --> '\' is used to escape (as in C)
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg%\n"
Properties can be accessed by the property replacer (see there for details).
Please note that templates can also by used to generate selector lines with dynamic file
names. For example, if you would like to split syslog messages from different hosts to
different files (one per host), you can define the following template:
$template DynFile,"/var/log/system-%HOSTNAME%.log"
This template can then be used when defining an output selector line. It will result in
something like "/var/log/system-localhost.log"
Template options
The <options> part is optional. It carries options influencing the template as whole. See
details below. Be sure NOT to mistake template options with property options - the later
ones are processed by the property replacer and apply to a SINGLE property, only (and not
the whole template).
Template options are case-insensitive. Currently defined are:
sql format the string suitable for a SQL statement in MySQL format. This will
replace single quotes ("'") and the backslash character by their backslash-
escaped counterpart ("´" and "\") inside each field. Please note that in
MySQL configuration, the NO_BACKSLASH_ESCAPES mode must be turned off for
this format to work (this is the default).
stdsql format the string suitable for a SQL statement that is to be sent to a stan‐
dards-compliant sql server. This will replace single quotes ("'") by two sin‐
gle quotes ("''") inside each field. You must use stdsql together with MySQL
if in MySQL configuration the NO_BACKSLASH_ESCAPES is turned on.
Either the sql or stdsql option MUST be specified when a template is used for writing to a
database, otherwise injection might occur. Please note that due to the unfortunate fact
that several vendors have violated the sql standard and introduced their own escape meth‐
ods, it is impossible to have a single option doing all the work. So you yourself must
make sure you are using the right format. If you choose the wrong one, you are still vul‐
nerable to sql injection.
Please note that the database writer *checks* that the sql option is present in the tem‐
plate. If it is not present, the write database action is disabled. This is to guard you
against accidental forgetting it and then becoming vulnerable to SQL injection. The sql
option can also be useful with files - especially if you want to import them into a data‐
base on another machine for performance reasons. However, do NOT use it if you do not have
a real need for it - among others, it takes some toll on the processing time. Not much, but
on a really busy system you might notice it ;)
The default template for the write to database action has the sql option set.
Template examples
Please note that the samples are split across multiple lines. A template MUST NOT actually
be split across multiple lines.
A template that resembles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME%
%syslogtag%%msg:::drop-last-lf%\n"
A template that tells you a little more about the message:
$template precise,"%syslogpriority%,%syslogfacility%,%timegenerated%,%HOSTNAME%,
%syslogtag%,%msg%\n"
A template for RFC 3164 format:
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
A template for the format traditionally used for user messages:
$template usermsg," XXXX%syslogtag%%msg%\n\r"
And a template with the traditional wall-message format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated%"
A template that can be used for writing to a database (please note the SQL template option)
$template MySQLInsert,"insert iut, message, receivedat values ('%iut%',
'%msg:::UPPERCASE%', '%timegenerated:::date-mysql%') into systemevents\r\n", SQL
NOTE 1: This template is embedded into core application under name StdDBFmt , so you
don't need to define it.
NOTE 2: You have to have MySQL module installed to use this template.
OUTPUT CHANNELS
Output Channels are a new concept first introduced in rsyslog 0.9.0. As of this writing, it
is most likely that they will be replaced by something different in the future. So if you
use them, be prepared to change you configuration file syntax when you upgrade to a later
release.
Output channels are defined via an $outchannel directive. It's syntax is as follows:
$outchannel name,file-name,max-size,action-on-max-size
name is the name of the output channel (not the file), file-name is the file name to be
written to, max-size the maximum allowed size and action-on-max-size a command to be issued
when the max size is reached. This command always has exactly one parameter. The binary is
that part of action-on-max-size before the first space, its parameter is everything behind
that space.
Keep in mind that $outchannel just defines a channel with "name". It does not activate it.
To do so, you must use a selector line (see below). That selector line includes the channel
name plus ":omfile:$" in front of it. A sample might be:
*.* :omfile:$mychannel
PROPERTY REPLACER
The property replacer is a core component in rsyslogd's output system. A syslog message has
a number of well-defined properties (see below). Each of this properties can be accessed
and manipulated by the property replacer. With it, it is easy to use only part of a prop‐
erty value or manipulate the value, e.g. by converting all characters to lower case.
Accessing Properties
Syslog message properties are used inside templates. They are accessed by putting them
between percent signs. Properties can be modified by the property replacer. The full syntax
is as follows:
%propname:fromChar:toChar:options%
propname is the name of the property to access. It is case-sensitive.
Available Properties
msg the MSG part of the message (aka "the message" ;))
rawmsg the message exactly as it was received from the socket. Should be useful for debug‐
ging.
HOSTNAME
hostname from the message
FROMHOST
hostname of the system the message was received from (in a relay chain, this is the
system immediately in front of us and not necessarily the original sender)
syslogtag
TAG from the message
programname
the "static" part of the tag, as defined by BSD syslogd. For example, when TAG is
"named[12345]", programname is "named".
PRI PRI part of the message - undecoded (single value)
PRI-text
the PRI part of the message in a textual form (e.g. "syslog.info")
IUT the monitorware InfoUnitType - used when talking to a MonitorWare backend (also for
phpLogCon)
syslogfacility
the facility from the message - in numerical form
syslogfacility-text
the facility from the message - in text form
syslogseverity
severity from the message - in numerical form
syslogseverity-text
severity from the message - in text form
timegenerated
timestamp when the message was RECEIVED. Always in high resolution
timereported
timestamp from the message. Resolution depends on what was provided in the message
(in most cases, only seconds)
TIMESTAMP
alias for timereported
PROTOCOL-VERSION
The contents of the PROTOCOL-VERSION field from IETF draft draft-ietf-syslog-proto‐
col
STRUCTURED-DATA
The contents of the STRUCTURED-DATA field from IETF draft draft-ietf-syslog-protocol
APP-NAME
The contents of the APP-NAME field from IETF draft draft-ietf-syslog-protocol
PROCID The contents of the PROCID field from IETF draft draft-ietf-syslog-protocol
MSGID The contents of the MSGID field from IETF draft draft-ietf-syslog-protocol
$NOW The current date stamp in the format YYYY-MM-DD
$YEAR The current year (4-digit)
$MONTH The current month (2-digit)
$DAY The current day of the month (2-digit)
$HOUR The current hour in military (24 hour) time (2-digit)
$MINUTE
The current minute (2-digit)
Properties starting with a $-sign are so-called system properties. These do NOT stem from
the message but are rather internally-generated.
Character Positions
FromChar and toChar are used to build substrings. They specify the offset within the string
that should be copied. Offset counting starts at 1, so if you need to obtain the first 2
characters of the message text, you can use this syntax: "%msg:1:2%". If you do not wish to
specify from and to, but you want to specify options, you still need to include the colons.
For example, if you would like to convert the full message text to lower case, use
"%msg:::lowercase%". If you would like to extract from a position until the end of the
string, you can place a dollar-sign ("$") in toChar (e.g. %msg:10:$%, which will extract
from position 10 to the end of the string).
There is also support for regular expressions. To use them, you need to place a "R" into
FromChar. This tells rsyslog that a regular expression instead of position-based extrac‐
tion is desired. The actual regular expression must then be provided in toChar. The regular
expression must be followed by the string "--end". It denotes the end of the regular
expression and will not become part of it. If you are using regular expressions, the prop‐
erty replacer will return the part of the property text that matches the regular expres‐
sion. An example for a property replacer sequence with a regular expression is:
"%msg:R:.*Sev:. \(.*\) \[.*--end%"
Also, extraction can be done based on so-called "fields". To do so, place a "F" into From‐
Char. A field in its current definition is anything that is delimited by a delimiter char‐
acter. The delimiter by default is TAB (US-ASCII value 9). However, if can be changed to
any other US-ASCII character by specifying a comma and the decimal US-ASCII value of the
delimiter immediately after the "F". For example, to use comma (",") as a delimiter, use
this field specifier: "F,44". If your syslog data is delimited, this is a quicker way to
extract than via regular expressions (actually, a *much* quicker way). Field counting
starts at 1. Field zero is accepted, but will always lead to a "field not found" error. The
same happens if a field number higher than the number of fields in the property is
requested. The field number must be placed in the "ToChar" parameter. An example where the
3rd field (delimited by TAB) from the msg property is extracted is as follows: "%msg:F:3%".
The same example with semicolon as delimiter is "%msg:F,59:3%".
Please note that the special characters "F" and "R" are case-sensitive. Only upper case
works, lower case will return an error. There are no white spaces permitted inside the
sequence (that will lead to error messages and will NOT provide the intended result).
Property Options
Property options are case-insensitive. Currently, the following options are defined:
uppercase
convert property to lowercase only
lowercase
convert property text to uppercase only
drop-last-lf
The last LF in the message (if any), is dropped. Especially useful for PIX.
date-mysql
format as mysql date
date-rfc3164
format as RFC 3164 date
date-rfc3339
format as RFC 3339 date
escape-cc
replace control characters (ASCII value 127 and values less then 32) with an escape
sequence. The sequence is "#<charval>" where charval is the 3-digit decimal value of
the control character. For example, a tabulator would be replaced by "#009".
space-cc
replace control characters by spaces
drop-cc
drop control characters - the resulting string will neither contain control charac‐
ters, escape sequences nor any other replacement character like space.
QUEUED OPERATIONS
Rsyslogd supports queued operations to handle offline outputs (like remote syslogd's or
database servers being down). When running in queued mode, rsyslogd buffers messages to
memory and optionally to disk (on an as-needed basis). Queues survive rsyslogd restarts.
It is highly suggested to use remote forwarding and database writing in queued mode, only.
To learn more about queued operations, see the html documentation.
FILES
/etc/rsyslog.conf
Configuration file for rsyslogd
SEE ALSO
rsyslogd(8), logger(1), syslog(3)
The complete documentation can be found in the doc folder of the rsyslog distribution or
online at
http://www.rsyslog.com/doc
Please note that the man page reflects only a subset of the configuration options. Be sure
to read the html documentation for all features and details. This is especially vital if
you plan to set up a more-then-extremely-simple system.
AUTHORS
rsyslogd is taken from sysklogd sources, which have been heavily modified by Rainer Ger‐
hards (rgerhards@adiscon.com) and others.
Version 7.2.0 22 October 2012 RSYSLOG.CONF(5)
문제 유형
① 텔넷(Telnet) 또는 SSH와 같은 인증 서비스와 관련하여 facility, priority, action 부분을 조건에 맞게 채워넣는 문제
# vi /etc/rsyslog.conf
( authpriv.* ) ( root,ihduser )
728x90
그리드형(광고전용)
'Certificate > Linux Master' 카테고리의 다른 글
| [리눅스마스터 1급 실기] 프록시(Proxy) 서버 관리 (squid) (0) | 2022.05.10 |
|---|---|
| [리눅스마스터 1급 실기] 커널 컴파일 (0) | 2022.05.10 |
| [리눅스마스터 1급 실기] 삼바(SAMBA) 서버 (0) | 2022.05.09 |
| [리눅스마스터 1급 실기] SSH(Secure Shell) (0) | 2022.05.09 |
| [리눅스마스터 1급 실기] 디스크 확장 (마운트) (0) | 2022.05.08 |
| [리눅스마스터 1급 실기] TCP Wrapper (0) | 2022.05.08 |
| [리눅스마스터 1급 실기] NTP 서버 설정 (0) | 2022.04.10 |
| [리눅스마스터 1급 실기] KVM 서비스 구축 (0) | 2022.04.10 |
starrykss
별의 공부 블로그 🧑🏻💻
