SSH log auditing: centralized auditing of Linux shell command logs [rsyslog]

Date: 2024-07-19 21:22:52

Deployment: configuring rsyslog on the collecting server

1. Install rsyslog, import the database schema, and set up the MySQL account

cd /etc/yum.repos.d/

wget /v8-stable/rsyslog.repo

yum install rsyslog

yum install rsyslog-mysql -y

Inside the mysql client, import the schema shipped with rsyslog-mysql (it creates the Syslog database and the SystemEvents table) and create the account rsyslog will connect with. The database name and user name must match the ommysql action line added to rsyslog.conf below (database Syslog, user syslog):

source /usr/share/doc/rsyslog-mysql-8..0/createDB.sql

grant all privileges on Syslog.* to syslog@'localhost' identified by 'passowrd';

flush privileges;

Append the following to the bottom of rsyslog.conf. The action line references the Remote template (";Remote"); without that suffix ommysql uses its built-in template and the FromIP column is never filled. Check first that SystemEvents actually has a FromIP column (the stock createDB.sql schema does not add one), otherwise every insert will fail.

$template Remote,"insert into SystemEvents (Message, Facility, FromHost, FromIP, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', '%fromhost-ip%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL

$ModLoad ommysql

# server,database,user,password;template
*.* :ommysql:localhost,Syslog,syslog,passowrd;Remote

$ModLoad immark

$ModLoad imudp

$UDPServerRun 514

$ModLoad imtcp

$InputTCPServerRun 514

2. Configure the servers to be audited (the clients)

Configure command logging

Append the following to the bottom of /etc/profile. PROMPT_COMMAND runs before every prompt, reads the most recent history entry and sends it, together with the user, parent shell PID, login time, SSH client address and working directory, to facility local5 via logger:

export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "

export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,logintime=$(who am i |awk "{print \$3\" \"\$4}"),from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'

Run source /etc/profile so the additions above take effect in the current shell.
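The audit messages the logger line above writes into SystemEvents.Message need a parser before they are useful for review. The following Python is an added example (not from the original post): it parses that exact format, strips the history timestamp that HISTTIMEFORMAT puts in front of the command, drops the duplicates produced when a user presses Enter on an empty line, and flags records that touch the audit trail or carry no SSH client address. The sample rows and the TAMPER_RE pattern list are constructed for the example.

```python
import re
from dataclasses import dataclass

# Message body emitted by the PROMPT_COMMAND logger call. With HISTTIMEFORMAT set,
# `history 1` prints "<n>  <date> <time> <cmd>", so command: starts with a timestamp.
AUDIT_RE = re.compile(
    r"^user=(?P<user>[^,]*),ppid=(?P<ppid>\d*),logintime=(?P<logintime>[^,]*),"
    r"from=(?P<client>[^,]*),pwd=(?P<pwd>.*?),command:"
    r"(?P<hist_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<command>.*)$"
)
# Commands that touch the audit trail itself; a defender wants these surfaced.
TAMPER_RE = re.compile(r"history -c|HISTFILE|HISTSIZE|rsyslog|/etc/profile")

@dataclass(frozen=True)
class AuditRecord:
    user: str
    ppid: int
    logintime: str
    client_ip: str  # first field of $SSH_CLIENT; "" for non-SSH shells (su, console)
    pwd: str
    hist_time: str
    command: str

def parse_audit_message(msg):
    """Parse one SystemEvents.Message value; return None for non-audit lines."""
    m = AUDIT_RE.match(msg.strip())
    if not m:
        return None
    return AuditRecord(m.group("user"), int(m.group("ppid") or 0), m.group("logintime"),
                       m.group("client").split(" ")[0], m.group("pwd"),
                       m.group("hist_time"), m.group("command"))

def review(messages):
    """Return (deduplicated records, records worth an analyst's attention)."""
    seen, records = set(), []
    for r in filter(None, map(parse_audit_message, messages)):
        key = (r.ppid, r.hist_time, r.command)  # an empty Enter re-logs the last command
        if key not in seen:
            seen.add(key)
            records.append(r)
    alerts = [r for r in records if TAMPER_RE.search(r.command) or not r.client_ip]
    return records, alerts

# Constructed sample rows (not real data) in the exact format the logger emits.
ROOT_MSG = ("user=root,ppid=2417,logintime=2024-07-19 21:05:11,from=10.13.1.20 51234 22,"
            "pwd=/root,command:2024-07-19 21:06:02 cat /etc/passwd")
OPS_MSG = ("user=ops,ppid=3090,logintime=2024-07-19 21:10:40,from=,pwd=/var/log,"
           "command:2024-07-19 21:11:03 history -c")
SAMPLE_MESSAGES = [ROOT_MSG, ROOT_MSG, OPS_MSG, "Started Session 42 of user root."]
```

Records with an empty client_ip (a shell opened with su, for example) cannot be attributed from the line alone and should be joined to the parent SSH session via ppid.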

In the client's rsyslog.conf, add the IP address and port of the server that receives the data (UDP 514 here, matching $UDPServerRun on the server):

local5.* @10.13.1.91:514

Restart rsyslog after making the change.

Filter out messages that are not needed

vi /etc/rsyslog.d/ignore-systemd-session-slice.conf

# cron jobs make systemd emit a lot of useless session/slice messages

if $programname == "systemd" and ($msg contains "Starting Session" or $msg contains "Started Session" or $msg contains "Created slice" or $msg contains "Starting user-" or $msg contains "Starting User Slice of" or $msg contains "Removed session" or $msg contains "Removed slice User Slice of" or $msg contains "Stopping User Slice of") then stop

# AWS instances produce this junk from dhclient

if $programname == "dhclient" and ($msg contains "XMT: Solicit on eth0") then stop

# cron jobs

if $programname == "crond" and ($msg contains "sendmail: fatal: parameter inet_interfaces: no local interface found for ::1") then stop
