ログサーバに各ログを集約させるためにrsyslogで検証してみた。
設定が結構ややこしく大変だったので結局不採用。
fluentdで集約することにしたがせっかく検証したのでメモを残しておく。
送信側 ※10.0.0.108
/etc/httpd/conf/httpd.conf
# Set the syslog facility and tag for each emitted log (piped into logger -> local6).
# NOTE(review): access and error logs share the same priority (local6.info) and are
# told apart only by the -t tag, so the receiving rsyslog has to filter on $syslogtag.
CustomLog "|/usr/bin/logger -p local6.info -t http-access" combined
ErrorLog "|/usr/bin/logger -p local6.info -t http-error"
/etc/httpd/conf.d/site.conf
# NOTE(review): these tags (http-access-default / http-error-default) do not match the
# receiver's filters, which compare $syslogtag against 'http-access:' / 'http-error:',
# so this vhost's logs presumably fall through to the general *.info destination — confirm.
CustomLog "|/usr/bin/logger -p local6.info -t http-access-default" combined
ErrorLog "|/usr/bin/logger -p local6.info -t http-error-default"
/etc/rsyslog.conf
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
# NOTE(review): this host only forwards logs, yet the next four lines also open
# UDP and TCP 514 as listeners; if nothing sends logs to the sender, they are
# unneeded exposure and can be dropped — confirm.
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Forward info and above to the log server over plain TCP (@@ = TCP, @ = UDP).
# local6 is excluded here because it gets its own forwarding rule below.
# NOTE(review): no TLS driver is configured, so authpriv and everything else
# travels to 10.0.0.191 in cleartext.
*.info;mail.none;authpriv.none;cron.none;local6.none; @@10.0.0.191:514
authpriv.* @@10.0.0.191:514
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
# httpd logs (httpd.conf pipes them through logger -p local6.info) go only to the server.
local6.* @@10.0.0.191:514
# NOTE(review): legacy $ActionQueue* directives configure the *next* action defined
# after them. Placed here, after every forwarding rule, they appear to apply to none
# of them; move them above the first @@ action (repeating per action with a unique
# $ActionQueueFileName) — confirm against the rsyslog version in use.
$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
$ sudo /etc/rc.d/init.d/rsyslog restart
受信側 ※10.0.0.191
/etc/rsyslog.conf
$ sudo vi /etc/rsyslog.conf
#### MODULES ####
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
# Restrict TCP senders to localhost and the 10.0.0.0/24 subnet.
# NOTE(review): only TCP is allow-listed; UDP 514 is opened above with no matching
# $AllowedSender UDP line, so UDP input appears to be accepted from any source. A
# source-IP allow-list is not authentication either — no TLS is configured here.
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24
#### GLOBAL DIRECTIVES ####
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Message body from the 2nd character to the end (drops the leading space).
$template access_log, "%msg:2:$%\n"
# Error lines are prefixed with the IP of the peer that delivered the message.
$template error_log, "%fromhost-ip%%msg%\n"
# Per-host, per-day output files.
# NOTE(review): %hostname% is taken from the syslog message header, i.e. it is
# supplied by the client; %fromhost-ip% (used in error_log above) reflects the
# connection peer and is harder to forge. Consider it for the path — confirm.
$template access_log_file, "/var/log/rsyslog/httpd/%hostname%_%$year%%$month%%$day%_access_log"
$template error_log_file, "/var/log/rsyslog/httpd/%hostname%_%$year%%$month%%$day%_error_log"
# Route httpd logs by facility + tag (tag as set by logger -t, including the trailing ':').
# NOTE(review): there is no discard after these two rules, so matched messages are
# presumably also written to ?Messages_log by the *.info rule below — confirm.
if $syslogfacility-text == 'local6' and $syslogtag == 'http-access:' then ?access_log_file;access_log
if $syslogfacility-text == 'local6' and $syslogtag == 'http-error:' then ?error_log_file;error_log
# NOTE(review): the Messages_log and Secure_log templates are not defined in this
# snippet; presumably they come from /etc/rsyslog.d/*.conf via $IncludeConfig above.
*.info;mail.none;authpriv.none;cron.none ?Messages_log
authpriv.* ?Secure_log
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$ sudo /etc/rc.d/init.d/rsyslog restart
/etc/sysconfig/iptables
# Open syslog ports 514/udp and 514/tcp for incoming log traffic.
# NOTE(review): both rules accept from any source address. The sender forwards over
# TCP only (@@) and rsyslog allow-lists 10.0.0.0/24, so adding `-s 10.0.0.0/24` here
# and dropping the UDP rule would match the intended exposure — confirm nothing else
# delivers over UDP first.
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
$ sudo service iptables restart
こんな感じで出力される
$ sudo ls -l /var/log/rsyslog/httpd/
-rw-------. 1 root root 494 Jun 29 12:18 ip-10-0-0-108_20160629_access_log
-rw-------. 1 root root 1901 Jun 29 12:58 ip-10-0-0-108_20160629_error_log