最简单的客户端配置
cat /etc/rsyslog.d/linux-log.conf 
# Output template: send only the message text (%msg%) followed by a newline.
# The original timestamp, hostname and tag are not included in what is sent,
# so the receiver has to attribute each line by other means.
$template BiglogFormatLinux,"%msg%\n"
# Forward every facility and severity (*.*) to 192.168.1.52, port 514.
# A single "@" selects UDP: the traffic is unencrypted, the sender is not
# authenticated, and lost datagrams are not retransmitted.
# NOTE(review): *.* also forwards auth/authpriv messages in clear text; narrow
# the selector or use a TLS-protected transport if those must stay
# confidential. TLS needs extra configuration that this file does not show.
*.*  @192.168.1.52:514;BiglogFormatLinux
从文件读取数据
[root@log01 rsyslog.d]# cat tomcat.conf 
# Load the imfile input module, which turns lines of text files into syslog
# messages. The legacy "$" directives below are order-dependent.
$ModLoad imfile
# Check the monitored files for new data every 10 seconds.
$InputFilePollInterval 10
# Working directory for rsyslog; the imfile state files named further down
# are kept here, so it must be writable by the rsyslog process.
$WorkDirectory /var/spool/rsyslog
# Switch the process group to "adm" after startup. Only the group is changed
# in this file (no $PrivDropToUser is set here).
# NOTE(review): the monitored log files must be readable, and the work
# directory writable, for that group — confirm the permissions on the host.
$PrivDropToGroup adm

## Path of the Apache access log; change it to match your installation:
# NOTE(review): the trailing non-ASCII text on the next line is the author's
# annotation ("wildcards are supported"), not part of the directive — remove
# it before using this file. Whether wildcards work with the legacy
# directives depends on the rsyslog version and imfile mode — confirm.
$InputFileName /var/log/apache2/access.log* 支持通配符
# Tag attached to every line read from this file; the forwarding rules match
# on the program name taken from it.
$InputFileTag apache-access:
# Name of the state file that records how far this input has been read.
$InputFileStateFile stat-apache-access
# Severity assigned to every line from this file.
$InputFileSeverity info
# Write the read position to the state file every 25000 lines.
$InputFilePersistStateInterval 25000
# Activate the monitor using the $InputFile* settings above; this directive
# must come last in the group.
$InputRunFileMonitor

## Path of the Apache error log; change it to match your installation:
$InputFileName /var/log/apache2/error.log
# Tag attached to every line read from this file; the forwarding rules match
# on the program name taken from it.
$InputFileTag apache-error:
# Name of the state file that records how far this input has been read.
$InputFileStateFile stat-apache-error
# Severity assigned to every line from this file.
$InputFileSeverity error
# Write the read position to the state file every 25000 lines.
$InputFilePersistStateInterval 25000
# Activate the monitor using the $InputFile* settings above; this directive
# must come last in the group.
$InputRunFileMonitor

## Log format template:
# Only the message text (%msg%) plus a newline is forwarded; the timestamp,
# hostname and tag are not included in what is sent.
$template BiglogFormatApache,"%msg%\n"

## Address of the receiving syslog server; change it to match your environment:
# "@@" selects plain TCP: delivery is connection-based, but the stream is
# unencrypted and neither end is authenticated. The receiver must run a TCP
# listener on this port.
# NOTE(review): access and error logs can contain client addresses, URLs and
# query strings; use a TLS-protected transport if the path to the collector
# is not trusted.
if $programname == 'apache-access' then @@192.168.1.52:514;BiglogFormatApache
# "~" discards the message so that later rules do not process it as well.
# NOTE(review): newer rsyslog versions warn that "~" is deprecated in favour
# of "stop" — confirm for the version in use.
if $programname == 'apache-access' then ~
if $programname == 'apache-error' then @@192.168.1.52:514;BiglogFormatApache
if $programname == 'apache-error' then ~

服务端具体怎么存要看服务端配置。服务端过滤条件可以看 https://www.rsyslog.com/doc/v8-stable/configuration/filters.html

配置1:
cat /etc/rsyslog.d/rsyslog_nginx_kafka_cluster.conf
module(load="imudp")
input(type="imudp" port="514")
module(load="omkafka")
template(name="nginxLog" type="string" string="%msg%")
if $inputname == "imudp" then {
    if ($programname == "nginx_access_log") then
        action(type="omkafka"
            template="nginxLog"
            broker=["10.82.9.202:9092","10.82.9.203:9092","10.82.9.204:9092"]
            topic="rsyslog_nginx"
            partitions.auto="on"
            confParam=[ "socket.keepalive.enable=true" ]
        )
}
:rawmsg, contains, "nginx_access_log" ~
服务端配置
cat /etc/rsyslog.d/rsyslog_nginx_kafka_cluster.conf 
# Load the UDP syslog input module.
module(load="imudp")
# Receive syslog datagrams on UDP port 514. No address parameter is given.
# NOTE(review): without an address the listener is presumably bound to all
# local addresses — confirm. UDP syslog has no sender authentication, so any
# host that can reach this port can submit records; restrict access with a
# firewall or bind the input to a specific interface.
input(type="imudp" port="514")

# Load the Kafka output module.
module(load="omkafka")

# Template for the Kafka record: the message text only, with no timestamp,
# hostname or tag.
template(name="nginxLog" type="string" string="%msg%")

# Only messages that arrived through the imudp input are considered, and of
# those only records whose program name is "nginx_access_log" are published
# to the "rsyslog_nginx" topic on the three listed brokers.
# confParam passes settings through to the Kafka client; TCP keepalive is the
# only one set here.
# NOTE(review): no TLS or SASL setting appears in confParam, so the broker
# connection is presumably plaintext and unauthenticated — confirm against
# the broker listener configuration.
# NOTE(review): the program name is taken from sender-supplied data; do not
# treat a matching value as proof that a record came from nginx.
if $inputname == "imudp" then {
    if ($programname == "nginx_access_log") then
        action(type="omkafka"
            template="nginxLog"
            broker=["10.82.9.202:9092","10.82.9.203:9092","10.82.9.204:9092"]
            topic="rsyslog_nginx"
            partitions.auto="on"
            confParam=[
                "socket.keepalive.enable=true"
            ]
        )
}

programname 为 nginx_access_log(就是我们上边 nginx 配置里边的 tag)。原始消息中包含 nginx_access_log 的日志用下面的规则丢弃,后面的规则不再处理:
:rawmsg, contains, "nginx_access_log" ~
