How to configure syslog in linux to implement log forwarding

1. Syslog protocol

Most logs in the Linux system are generated and maintained through a syslog mechanism. Syslog is a protocol that is divided into client and server. The client generates logs and the server receives logs. And save the received log to a file or process it in other ways.

In Linux, the common syslog server-side program is the syslogd daemon. This program receives logs from three places

[1]: unix domain socket /dev/log

[2]: udp port 514

[3]: Special device /dev/klog

Correspondingly, the program that generates log messages needs to write messages through the above three methods. For most programs, log messages are sent to the /dev/log socket.

On Unix operating systems, syslog is widely used for system logs. Syslog log messages can be recorded in local files or sent to the syslog server over the network. The server that receives syslog can uniformly store syslog messages from multiple devices. Or parse the content and process it accordingly. Common application scenarios are network management tools, security management systems, and log management systems. The complete syslog log contains

# [1]: The program module of the log

[2]: Severe

[3]: Time

## [ 4】: Host name or IP

【5】: Process name

【6】: Process ID

【7】: Text

In 2001 The BSD syslog protocol is described in RFC3164 defined in 2017: http://www.ietf.org/rfc/rfc3164.txt. However, many contents of this specification are not mandatory, and are often "suggestions" or "conventions". Also because this specification came out relatively late, many devices do not comply or do not fully comply with this specification. Next, we will introduce this specification.

It is agreed that the device that sends syslog is Device, the device that forwards syslog is Relay, and the device that receives syslog is Collector. Relay itself can also send its own syslog to the Collector, at which time it appears as a Device. Relay can also forward only part of the received syslog messages. At this time, it behaves as both Relay and Collector.

Syslog messages are sent to the UDP 514 port of the Collector without requiring a response from the receiver. RFC3164 recommends that Device also use 514 as the source port. It is specified that the UDP packet of the syslog message cannot exceed 1024 bytes and must be composed entirely of printable characters. The complete syslog message consists of 3 parts, namely PRI, HEADER and MSG. Most syslogs contain PRI and MSG sections, while HEADER may not.

2. Configure syslog server and client to implement log forwarding

Environment: ubantu16.04

1. Server

              <1> Modify /etc/default/rsyslog

##                                         <1>      SYSLOGD_OPTIONS is "-r -x -m 0"

                -r means to allow receiving external messages                     -x means not to parse DNS,

               -m 0 Indicates the timestamp mark interval,

                 

If you specify to only accept logs from one or more ips, for example "-s 168.1.1.1:168.1.1.2"

& gt; Modify /etc/rsyslog.conf

# completely Nance:

$ModLoad imudp.so
                          $UDPServerRun 514

add these two sentences at the end of the file

syslog.info;syslog.!err;syslog.!crit;syslog.!alert       /var/log/mylog      #info信息记录到日志服务器的/var/log/mylog中
                         syslog.err                                           /var/log/testerror    #error信息记录到日志服务器的/var/log/testerror中  2 、客户端

Modify /etc/syslog.conf Add

Cancellation Note:

$ModLoad imudp.so
                          $UDPServerRun 514

r r r r r r r

#                                                                                                                                                                                                               syslog.info     @IP (IP is the server IP address)

3. Service restart

4. Test

##### #### Run the following code on the client, and you can see in the server/var/log/mylog that the log has been saved to the server######

#include <stdio.h>
#include <syslog.h>
int main(int argc, char* argv[])
{
        //openlog(argv[0], LOG_CONS | LOG_PID, LOG_USER);
        int count = 0;
        while(count<5){
                syslog(LOG_SYSLOG|LOG_INFO, "%d:, syslog user test", count);
                count++;
        }
        //closelog();
        return 0;
}

The above is the detailed content of How to configure syslog in linux to implement log forwarding. For more information, please follow other related articles on the PHP Chinese website!