Rsyslog template that stores the log files by date:
$template 10.161.54.11,"/var/log/rsyslog/%fromhost-ip%/netflow_%$YEAR%-%$MONTH%-%$DAY%.log"
$template 10.161.50.5,"/var/log/rsyslog/%fromhost-ip%/xdns_webeng_%$YEAR%-%$MONTH%-%$DAY%.log"
$template 10.161.50.7,"/var/log/rsyslog/%fromhost-ip%/xdns_webeng_%$YEAR%-%$MONTH%-%$DAY%.log"

# Logs coming from a specific IP are sent to a specific rsyslog server
#:fromhost-ip, !isequal, "127.0.0.1" ?Remote
:fromhost-ip, isequal, "10.161.54.11" ?10.161.54.11
:fromhost-ip, isequal, "10.161.50.5" ?10.161.50.5
:fromhost-ip, isequal, "10.161.50.7" ?10.161.50.7
Rsyslog: write out all debug information:
*.* /var/log/debugfmt;RSYSLOG_DebugFormat
Debug output:
FROMHOST: '172.18.18.9', fromhost-ip: '172.18.18.9', HOSTNAME: '172.18.18.9', PRI: 5,
syslogtag 'time:', programname: 'time', APP-NAME: 'time', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Mar 4 09:04:45', STRUCTURED-DATA: '-',
msg: '2021-03-04 09:04:45;danger_degree:1;breaking_sighn:0;event:[50556]MySQL登录认证成功;src_addr:172.18.5.65;src_port:57953;dst_addr:172.18.20.52;dst_port:3306;user:;smt_user:;proto:MYSQL'
escaped msg: '2021-03-04 09:04:45;danger_degree:1;breaking_sighn:0;event:[50556]MySQL登录认证成功;src_addr:172.18.5.65;src_port:57953;dst_addr:172.18.20.52;dst_port:3306;user:;smt_user:;proto:MYSQL'
inputname: imudp rawmsg: '<5>time:2021-03-04 09:04:45;danger_degree:1;breaking_sighn:0;event:[50556]MySQL登录认证成功;src_addr:172.18.5.65;src_port:57953;dst_addr:172.18.20.52;dst_port:3306;user:;smt_user:;proto:MYSQL'
$!:
$.:
$/:
Rsyslog: isequal is not recommended; use == instead:
if $fromhost isequal 172.18.18.9 then /var/log/nips.log
if $fromhost-ip == '172.18.18.9' then {
    action(type="ommysql" server="localhost" db="Syslog" uid="nips" pwd="xxxxxxxx")
}
Rsyslog: how to use ommysql
$ModLoad ommysql

*.info;mail.none;authpriv.none;cron.none :ommysql:localhost,Syslog,nips,xxxxxxxx

*.info;mail.none;authpriv.none;cron.none action(type="ommysql" server="localhost" db="Syslog" uid="nips" pwd="xxxxxxxx")

$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%fromhost-ip%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql
action(type="ommysql" server="localhost" serverport="3306" db="Syslog" uid="nips" pwd="xxxxxxxx" template="dbFormat")

# Actual configuration used on 172.18.31.34:
if $fromhost-ip == '172.18.18.9' then {
    if $syslogpriority == 7 then {
        $template dbFormat1,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', 10, '%fromhost-ip%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, 'nips')",sql
        action(type="ommysql" server="localhost" serverport="3306" db="Syslog" uid="nips" pwd="xxxxxxxx" template="dbFormat1")
    }
    else {
        $template dbFormat2,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('time:%msg%', 10, '%fromhost-ip%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, 'nips')",sql
        action(type="ommysql" server="localhost" serverport="3306" db="Syslog" uid="nips" pwd="xxxxxxxx" template="dbFormat2")
    }
}
& ~
Rsyslog: how to use & ~
:fromhost-ip, startswith, "192.168.1." /var/log/remote-devs.log
& ~
(The next line (“& ~”) is important: it tells rsyslog to stop processing the message after it was written to the log. As such, these messages will not reach the local part. Without that “& ~”, messages would also be written to the local files.)
Facility levels:
Severity levels:
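An added example (not part of the original notes) that ties the sections above together: it takes the rawmsg from the debug output, splits it the way the debug format shows (PRI into facility and severity, 'time:' taken as the syslogtag), parses the NIPS key:value body, and applies the escaping that the `sql` template option performs before %msg% reaches the INSERT. The facility/severity name tables and the regex-based tag parsing are my simplifications for the example; rsyslog's own parser handles more cases.

```python
import re

# Facility and severity names in PRI order (standard syslog / rsyslog names).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp security console solaris-cron "
              "local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# Raw datagram copied from the 'rawmsg:' line of the debug output above.
RAW = ("<5>time:2021-03-04 09:04:45;danger_degree:1;breaking_sighn:0;"
       "event:[50556]MySQL登录认证成功;src_addr:172.18.5.65;src_port:57953;"
       "dst_addr:172.18.20.52;dst_port:3306;user:;smt_user:;proto:MYSQL")

def parse_syslog(raw):
    """Split <PRI>, tag and msg as the debug output shows them.

    The NIPS sends neither timestamp nor hostname, so the first token up to
    and including ':' becomes the tag ('time:') and everything after it is msg.
    Simplified stand-in for rsyslog's parser (an assumption of this example).
    """
    m = re.match(r"<(\d{1,3})>([^:\s]*:)(.*)$", raw, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a <PRI>tag:msg datagram")
    pri = int(m.group(1))
    return {
        "pri": pri,
        "facility": pri >> 3, "facility_name": FACILITIES[pri >> 3],
        "severity": pri & 7, "severity_name": SEVERITIES[pri & 7],
        "tag": m.group(2), "programname": m.group(2).rstrip(":"),
        "msg": m.group(3),
    }

def parse_fields(body):
    """Turn the NIPS 'key:value;key:value' body into a dict (empty values kept).

    Pass tag + msg, not msg alone: rsyslog swallowed 'time:' as the tag, which
    is why dbFormat2 above writes 'time:%msg%' to put the key back.
    """
    fields = {}
    for part in body.split(";"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value
    return fields

def sql_escape(value):
    """Escape backslash and single quote MySQL-style, as the 'sql' template
    option does. Without it a quote inside a device message ends the string
    literal in the INSERT and the statement breaks or is altered."""
    return value.replace("\\", "\\\\").replace("'", "\\'")
```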