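# Notes: turning a host into a central rsyslog receiver on port 5047.
# The paste had lost its line breaks; one command / directive per line is restored here.

# Check whether rsyslog is installed, install it, then edit the main config.
rpm -qa | grep rsyslog
yum install -y rsyslog
vi /etc/rsyslog.conf
# Syntax-check the edited configuration before restarting the daemon.
rsyslogd -N1
#service rsyslog restart
systemctl restart rsyslog
systemctl status rsyslog

=============================================7
# NOTE(review): "7" presumably marks the variant of /etc/rsyslog.conf that uses the
# legacy "$Directive" syntax and "8" the variant using module()/input() - confirm.
# Use one variant only; loading both would bind port 5047 twice.

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark # provides --MARK-- message capability

# Plain UDP/TCP syslog is neither authenticated nor encrypted: any host that can
# reach port 5047 can submit messages, and UDP source addresses can be spoofed.
# Limit the port to the known log clients with the host firewall; the legacy
# $AllowedSender directive can add an allow-list inside rsyslog as well, e.g.
#   $AllowedSender UDP, <client-subnet>/<prefix>
#   $AllowedSender TCP, <client-subnet>/<prefix>
# 5047 is not the standard syslog port, so an enforcing SELinux policy may have
# to be told about it before rsyslog can bind - TODO confirm on the target host.

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 5047

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 5047

=============================================8
#### MODULES ####

module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"             # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
module(load="imklog") # reads kernel messages (the same are read from journald)
module(load="immark") # provides --MARK-- message capability

# As in the legacy variant, both listeners accept messages from any reachable host,
# unauthenticated and in clear text; restrict port 5047 to the log clients at the
# firewall, and prefer a TLS-protected transport where log contents are sensitive.

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="5047")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="5047")

=============================================
# Store each client's logs in its own directory, keyed by the client's IP address.

# This one is the template to generate the log filename dynamically, depending on the client's IP address.
# Each host's logs go to a separate directory named after the client IP; the syslog directory has to be created manually.
# The path is built from the sender address as seen by this server, so every new
# source address creates a new directory and file under /var/log/syslog. With an
# unrestricted UDP listener that address is not verified: keep the tree on a volume
# whose fill level is monitored and readable by root only.
$template Remote,"/var/log/syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"

# Log all messages to the dynamically formed file.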
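# Write every message that did not come from 127.0.0.1 to the per-client file
# produced by the "Remote" template, i.e. exclude the local host and record only
# the logs of remote hosts.
# Note: this rule has to come before the other rules; otherwise it is pointless,
# because the remote hosts' messages would also end up in the server's own log files.
# fromhost-ip is the sender address as seen by this server; for UDP it is not
# authenticated, so treat the per-IP directory as an indication of origin, not proof.
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
# Discard the message once it has been written to the remote file, so that the
# rules further down do not process it again.
# "stop" replaces the deprecated "~" discard action (rsyslog 7 and later warn about "~").
& stop

=============================================
# Alternative kept for reference: one static file per known client address.
#:fromhost-ip, isequal, "192.168.120.1" /var/log/rsyslog/120.1.log
#:fromhost-ip, isequal, "192.168.120.2" /var/log/rsyslog/120.2.log
#:fromhost-ip, isequal, "192.168.120.10" /var/log/rsyslog/120.10.log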