主页 / server / 问题 / 788592
Accepted
Sammitch
Asked: 2016-07-08 14:51:19 +0800 CST

Rsyslog 不记录事件

  • 772

我试图建立一个系统日志服务器来接收来自网络设备的事件,但我似乎无法让它真正将事件记录到磁盘。我可以确认连接已成功建立,并且 rsyslogd 正在获取事件,我只是无法弄清楚为什么它没有对它任何事情。唯一被记录的是 rsyslogd 本身的启动。

下面的配置和调试输出,这最初是从 rsyslog chef cookbook 生成的,但我添加了一些调整来修复它抱怨的超级弃用语法。

rsyslog.conf

$MaxMessageSize 2k
$PreserveFQDN off
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imtcp
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$WorkDirectory /var/spool/rsyslog
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$IncludeConfig /etc/rsyslog.d/*.conf

rsyslog.d/*

$DirGroup root
$DirCreateMode 0755
$FileGroup root
$template PerHostAuth,"/var/log/rsyslog/%HOSTNAME%/auth.log"
$template PerHostCron,"/var/log/rsyslog/%HOSTNAME%/cron.log"
$template PerHostSyslog,"/var/log/rsyslog/%HOSTNAME%/syslog"
$template PerHostDaemon,"/var/log/rsyslog/%HOSTNAME%/daemon.log"
$template PerHostKern,"/var/log/rsyslog/%HOSTNAME%/kern.log"
$template PerHostLpr,"/var/log/rsyslog/%HOSTNAME%/lpr.log"
$template PerHostUser,"/var/log/rsyslog/%HOSTNAME%/user.log"
$template PerHostMail,"/var/log/rsyslog/%HOSTNAME%/mail.log"
$template PerHostMailInfo,"/var/log/rsyslog/%HOSTNAME%/mail.info"
$template PerHostMailWarn,"/var/log/rsyslog/%HOSTNAME%/mail.warn"
$template PerHostMailErr,"/var/log/rsyslog/%HOSTNAME%/mail.err"
$template PerHostNewsCrit,"/var/log/rsyslog/%HOSTNAME%/news.crit"
$template PerHostNewsErr,"/var/log/rsyslog/%HOSTNAME%/news.err"
$template PerHostNewsNotice,"/var/log/rsyslog/%HOSTNAME%/news.notice"
$template PerHostDebug,"/var/log/rsyslog/%HOSTNAME%/debug"
$template PerHostMessages,"/var/log/rsyslog/%HOSTNAME%/messages"
auth,authpriv.*         ?PerHostAuth
*.*;auth,authpriv.none  -?PerHostSyslog
cron.*                  ?PerHostCron
daemon.*                -?PerHostDaemon
kern.*                  -?PerHostKern
lpr.*                   -?PerHostLpr
mail.*                  -?PerHostMail
user.*                  -?PerHostUser
mail.info               -?PerHostMailInfo
mail.warn               ?PerHostMailWarn
mail.err                ?PerHostMailErr
news.crit               ?PerHostNewsCrit
news.err                ?PerHostNewsErr
news.notice             -?PerHostNewsNotice
*.=debug;\
  auth,authpriv.none;\
  news.none;mail.none   -?PerHostDebug
*.=info;*.=notice;*.=warn;\
  auth,authpriv.none;\
  cron,daemon.none;\
  mail,news.none        -?PerHostMessages
:fromhost-ip,!isequal,"127.0.0.1" stop
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*    /var/log/secure
mail.*    -/var/log/maillog
cron.*    /var/log/cron
*.emerg    :omusrmsg:*
uucp,news.crit    /var/log/spooler
local7.*    /var/log/boot.log
$SystemLogSocketName /run/systemd/journal/syslog

测试事件:

logger --server 127.0.0.1 --tcp --port 514 -p user.info test

strace -frsyslogd 接收事件,但什么也不做:

[pid 32310] accept(5, {sa_family=AF_INET, sin_port=htons(59755), sin_addr=inet_addr("127.0.0.1")}, [16]) = 11
[pid 32310] rt_sigprocmask(SIG_BLOCK, [HUP], ~[KILL STOP TTIN RTMIN RT_1], 8) = 0
[pid 32310] open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 12
[pid 32310] fstat(12, {st_mode=S_IFREG|0644, st_size=451, ...}) = 0
[pid 32310] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb290d18000
[pid 32310] read(12, "#\n# This file is managed by Chef"..., 4096) = 451
[pid 32310] close(12)                   = 0
[pid 32310] munmap(0x7fb290d18000, 4096) = 0
[pid 32310] rt_sigprocmask(SIG_SETMASK, ~[KILL STOP TTIN RTMIN RT_1], NULL, 8) = 0
[pid 32310] fcntl(11, F_GETFL)          = 0x2 (flags O_RDWR)
[pid 32310] fcntl(11, F_SETFL, O_RDWR|O_NONBLOCK) = 0
[pid 32310] epoll_ctl(10, EPOLL_CTL_ADD, 11, {EPOLLIN, {u32=2147497424, u64=140404628403664}}) = 0
[pid 32310] epoll_wait(10, {{EPOLLIN, {u32=2147497424, u64=140404628403664}}}, 128, -1) = 1
[pid 32310] recvfrom(11, "<14>Jul  7 22:41:54 stack: test\0", 131072, MSG_DONTWAIT, NULL, NULL) = 32
[pid 32310] gettimeofday({1467931314, 137777}, NULL) = 0
[pid 32310] epoll_wait(10, {{EPOLLIN, {u32=2147497424, u64=140404628403664}}}, 128, -1) = 1
[pid 32310] recvfrom(11, "", 131072, MSG_DONTWAIT, NULL, NULL) = 0
[pid 32310] epoll_ctl(10, EPOLL_CTL_DEL, 11, {EPOLLIN, {u32=2147497424, u64=140404628403664}}) = 0
[pid 32310] close(11)                   = 0
[pid 32310] epoll_wait(10,
linux centos syslog centos7 rsyslog

1 个回答

  1. Best Answer

    你知道问题是什么吗?logger.

    但是logger,尝试格式化它通过网络发送的消息被破坏了。

    我无法理解这样一个简单的实用程序是如何被破坏的。

    我浪费了一整天的时间来调试一个完全有效的配置

    这是一个没有破坏并且不会浪费你生命的测试:

    echo "<165>1 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - %% It's time to make the do-nuts." | nc 127.0.0.1 514

    编辑:现在已经过了一天,我不再明显不高兴了,我回去比较了发送的消息logger和上面我从RFC中提取的消息。logger生成的消息是:

    <14>Jul  8 16:39:08 user: test

    这是非常可笑的错误。正确的等效消息是:

    <14>1 2016-07-08T16:39:08.000000-07:00 syslog-01 myproc - - - user: test
    • 1

相关问题