[LINUX] Transfer file-based logs such as Apache's to a remote host as syslog

Introduction

Logs that various servers write to files are aggregated on a remote syslog server. The configuration on the server that writes the logs is kept to the minimum necessary; any processing and other handling is done on the remote side.

I wanted to forward the Apache logs to another host as syslog, so here is a note on it.

What to configure

In this case, the Apache access logs and the cacti logs are forwarded from the server running the traffic collection tool cacti to a remote syslog server.

Settings on the sending host for the syslog forwarding destination

Add the following to the rsyslog config file to send the logs to the destination host.

/etc/rsyslog.conf


--------8<----(snip)----8<--------
module(load="imfile")

input(type="imfile"
      file="/var/log/httpd/access_log"
      tag="pseudolog_httpd_access_log"
      facility="local0"
      severity="notice")
:syslogtag, isequal, "pseudolog_httpd_access_log" @syslog:514
& @10.254.10.112:514

input(type="imfile"
      file="/usr/share/cacti/log/cacti.log"
      tag="pseudolog_cacti_log"
      facility="local0"
      severity="notice")
:syslogtag, isequal, "pseudolog_cacti_log" @syslog:514
& @10.254.10.112:514
--------8<----(snip)----8<--------

In this example the logs are sent to 514/udp; if you write @@address:port (two @ signs side by side) instead, the transfer uses TCP. Since the hosts belong to the same docker network, the destination can be given by the host name syslog. Logs written to other files can be forwarded in the same way by adding stanzas like the ones above.

How to write rsyslog.conf (the configuration file)


# Load the module. This only needs to be stated once, at the beginning.
module(load="imfile")

# input() specifies the source (here the imfile module) to feed into syslog.
#  type:     the type of source; here it is the imfile module
#  file:     the file that imfile watches for new lines
#  tag:      the syslog tag to attach when forwarding
#  facility: the facility to attach when forwarding
#  severity: the severity to attach when forwarding
input(type="imfile" file="/var/log/httpd/access_log" tag="pseudolog_httpd_access_log" facility="local0" severity="notice")

# Describe under which condition which action is taken.
# In the following case:
#  Condition: the syslogtag is pseudolog_httpd_access_log
#  Action:    forward over UDP to the host named syslog, port 514
# To perform several actions for one condition, write each additional action
# on the line immediately after, prefixed with &.
:syslogtag, isequal, "pseudolog_httpd_access_log" @syslog:514
& @10.254.10.112:514

After changing the configuration, restart the service (the service name comes after the verb):

systemctl restart rsyslog
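To make the mechanics of the stanzas above concrete, here is an added example (not code from the original post or from rsyslog) that does by hand what imfile plus the @ forwarding action do: it wraps one access_log line in a BSD-style syslog header whose PRI is facility*8 + severity (local0.notice gives 133), sends it as a UDP datagram, and decodes it on a receiving socket in the same process. The loopback address with an ephemeral port stands in for the post's @10.254.10.112:514, the hostname and timestamp are taken from the post's sample output, and the access_log line is constructed. The exact header layout rsyslog emits depends on its forward template; the "TAG: MSG" shape used here is the conventional one.

```python
import re
import socket
from datetime import datetime

# Facility and severity codes (RFC 5424 section 6.2.1, same numbering as BSD syslog).
# local0 = 16 and notice = 5 are the values the post's input() stanzas select.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; local0.notice -> 133."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(line: str, tag: str, facility: str, severity: str,
                  hostname: str, when: datetime) -> str:
    """Wrap one file line in a BSD-style syslog header: <PRI>TIMESTAMP HOST TAG: MSG."""
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss" with the day space-padded, not zero-padded.
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {line}"


_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$", re.S)


def parse_message(msg: str) -> dict:
    """Split a received datagram back into facility/severity and its header fields."""
    m = _HEADER.match(msg)
    if not m:
        raise ValueError(f"not a BSD syslog message: {msg[:40]!r}")
    p = int(m.group("pri"))
    return {"facility": p // 8, "severity": p % 8, "timestamp": m.group("ts"),
            "host": m.group("host"), "tag": m.group("tag"), "msg": m.group("msg")}


def forward_and_receive(line: str, tag: str = "pseudolog_httpd_access_log",
                        facility: str = "local0", severity: str = "notice",
                        hostname: str = "VMinfraserv05") -> dict:
    """Send the line over UDP to a loopback 'collector' socket and decode what arrives.
    127.0.0.1 with an OS-chosen port stands in for the post's @10.254.10.112:514."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
        rx.settimeout(2)
        collector = rx.getsockname()
        when = datetime(2020, 2, 11, 21, 58, 22)  # constructed; matches the post's sample
        tx.sendto(build_message(line, tag, facility, severity, hostname, when).encode(),
                  collector)
        data, _ = rx.recvfrom(65535)      # one UDP datagram carries one syslog message
    finally:
        rx.close()
        tx.close()
    return parse_message(data.decode())


# Constructed sample access_log line in Apache's combined format.
SAMPLE_LINE = ('10.254.10.11 - - [11/Feb/2020:21:58:19 +0900] '
               '"GET /cacti/graph_view.php HTTP/1.1" 200 35392 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    print(forward_and_receive(SAMPLE_LINE))
```

Because UDP has no delivery guarantee and no framing beyond one datagram per message, a lost datagram simply never shows up on the collector; that is the trade-off behind the single @ versus the @@ TCP form mentioned earlier.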

Confirmed in syslog on the forwarding destination host

Feb 11 21:58:22,Feb 11 21:58:22,VMinfraserv05,pseudolog_httpd_access_log,5,16, 10.254.10.11 - - [11/Feb/2020:21:58:19 +0900] "GET /cacti/graph_json.php?rra_id=0&local_graph_id=36&graph_start=1581339497&graph_end=1581425897&graph_height=200&graph_width=700 HTTP/1.1" 200 35392 "http://cacti/cacti/graph_view.php?action=tree&node=tbranch-5&host_id=3&site_id=-1&host_template_id=-1&hgd=&hyper=true" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
Feb 11 21:58:22,Feb 11 21:58:22,VMinfraserv05,pseudolog_httpd_access_log,5,16, 10.254.10.11 - - [11/Feb/2020:21:58:19 +0900] "GET /cacti/graph_json.php?rra_id=0&local_graph_id=151&graph_start=1581339497&graph_end=1581425897&graph_height=200&graph_width=700 HTTP/1.1" 200 53103 "http://cacti/cacti/graph_view.php?action=tree&node=tbranch-5&host_id=3&site_id=-1&host_template_id=-1&hgd=&hyper=true" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
Feb 11 21:58:32,Feb 11 21:58:32,VMinfraserv05,pseudolog_httpd_access_log,5,16, ::1 - - [11/Feb/2020:21:58:28 +0900] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) PHP/5.4.16 (internal dummy connection)"
Feb 11 22:00:12,Feb 11 22:00:12,VMinfraserv05,pseudolog_cacti_log,5,16, 2020/02/11 22:00:08 - SYSTEM STATS: Time:6.4693 Method:spine Processes:1 Threads:1 Hosts:15 HostsPerProcess:15 DataSources:271 RRDsProcessed:143
Feb 11 22:00:12,Feb 11 22:00:12,VMinfraserv05,pseudolog_cacti_log,5,16, 2020/02/11 22:00:08 - SNMPAGENT WARNING: No notification receivers configured for event: cactiNotifyDeviceFailedPoll (CACTI-MIB), severity: medium
Feb 11 22:00:12,Feb 11 22:00:12,VMinfraserv05,pseudolog_cacti_log,5,16, 2020/02/11 22:00:08 - POLLER: Poller[1] WARNING: You have 4 Devices with bad SNMP Indexes.  Devices: Device[1], Device[4], Device[15], Device[17] totalling 17 Data Sources.  Please Either Re-Index, Delete or Disable these Data Sources.
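The lines above show what the collector stored: received timestamp, reported timestamp, host, tag, severity, facility, then the original file line. As an added example (not from the original post), the following code parses that layout, checks that every record still carries the facility (local0 = 16) and severity (notice = 5) the input() stanzas promised, and pulls the status code out of the Apache combined-format lines and the WARNING entries out of the cacti lines. The sample records are trimmed copies of the post's own output; the column order is assumed from those lines.

```python
import re
from collections import Counter

# Trimmed copies of the records shown on the collector in the post.
COLLECTOR_LINES = [
    'Feb 11 21:58:22,Feb 11 21:58:22,VMinfraserv05,pseudolog_httpd_access_log,5,16, '
    '10.254.10.11 - - [11/Feb/2020:21:58:19 +0900] "GET /cacti/graph_json.php?rra_id=0'
    '&local_graph_id=36 HTTP/1.1" 200 35392 "http://cacti/cacti/graph_view.php?action=tree" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)"',
    'Feb 11 21:58:32,Feb 11 21:58:32,VMinfraserv05,pseudolog_httpd_access_log,5,16, '
    '::1 - - [11/Feb/2020:21:58:28 +0900] "OPTIONS * HTTP/1.0" 200 - "-" '
    '"Apache/2.4.6 (CentOS) PHP/5.4.16 (internal dummy connection)"',
    'Feb 11 22:00:12,Feb 11 22:00:12,VMinfraserv05,pseudolog_cacti_log,5,16, '
    '2020/02/11 22:00:08 - SYSTEM STATS: Time:6.4693 Method:spine Processes:1 Threads:1',
    'Feb 11 22:00:12,Feb 11 22:00:12,VMinfraserv05,pseudolog_cacti_log,5,16, '
    '2020/02/11 22:00:08 - POLLER: Poller[1] WARNING: You have 4 Devices with bad SNMP '
    'Indexes.  Devices: Device[1], Device[4], Device[15], Device[17] totalling 17 Data Sources.',
]

# What the sending host's input() stanzas promise for each tag.
EXPECTED = {
    "pseudolog_httpd_access_log": {"facility": 16, "severity": 5},  # local0.notice
    "pseudolog_cacti_log": {"facility": 16, "severity": 5},         # local0.notice
}


def parse_collector_line(line: str) -> dict:
    """Split one stored record into its seven columns.
    The message column itself contains commas ("(KHTML, like Gecko)",
    "Device[1], Device[4]"), so split at most six times and keep the rest intact."""
    parts = line.split(",", 6)
    if len(parts) != 7:
        raise ValueError(f"expected 7 columns, got {len(parts)}: {line[:60]!r}")
    received, reported, host, tag, severity, facility, msg = parts
    return {"received": received, "reported": reported, "host": host, "tag": tag,
            "severity": int(severity), "facility": int(facility), "msg": msg.lstrip()}


_COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')


def parse_apache_combined(msg: str) -> dict:
    """Parse an Apache combined-format line; bytes is None when Apache logged '-'."""
    m = _COMBINED.match(msg)
    if not m:
        raise ValueError(f"not a combined-format line: {msg[:60]!r}")
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = None if d["bytes"] == "-" else int(d["bytes"])
    return d


def summarize(lines) -> dict:
    """Walk the stored records: count HTTP status codes, collect cacti WARNING lines,
    and flag records whose facility/severity differ from what the sender configured."""
    statuses = Counter()
    warnings, mismatches = [], []
    for line in lines:
        rec = parse_collector_line(line)
        want = EXPECTED.get(rec["tag"])
        if want is None or rec["facility"] != want["facility"] \
                or rec["severity"] != want["severity"]:
            mismatches.append(rec)
            continue
        if rec["tag"] == "pseudolog_httpd_access_log":
            statuses[parse_apache_combined(rec["msg"])["status"]] += 1
        elif "WARNING" in rec["msg"]:
            warnings.append(rec["msg"])
    return {"status_counts": dict(statuses), "cacti_warnings": warnings,
            "mismatches": mismatches}


if __name__ == "__main__":
    print(summarize(COLLECTOR_LINES))
```

The mismatch check is the defender's sanity test for this setup: the tag, facility and severity are set by the sending rsyslog, so a record under one of these tags with a different facility or severity means the sending configuration changed or something other than the configured input is producing messages with that tag.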

Sources

https://knowledge.sakura.ad.jp/8969/
https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/system_administrators_guide/s1-basic_configuration_of_rsyslog
https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/system_administrators_guide/s1-using_rsyslog_modules
