
How to configure syslog to realize log forwarding in Linux

2022-12-20 19:44:46

<p>This article introduces how to configure syslog in Linux to realize log forwarding. Many people run into this in practice, so the editor walks through how to handle it. I hope you read it carefully and learn something!</p>
<h4 id="h0" data-id="h7f20189-OKJXJZBc">1. syslog protocol</h4>
<p data-id="p838747a-LADLnOBi">Most logs on a Linux system are generated and maintained through the syslog mechanism. syslog is a protocol with a client side and a server side: the client generates log messages, and the server receives them and saves them to a file or processes them in some other way.</p>
<p data-id="p838747a-7RMIXPdJ">In Linux, the common syslog server-side program is the syslogd daemon. It receives logs from three places:</p>
<p data-id="p838747a-ZN7fbXoL">[1]: the unix domain socket /dev/log</p>
<p data-id="p838747a-oH3b20nq">[2]: UDP port 514</p>
<p data-id="p838747a-FA2pJBeq">[3]: the special device /dev/klog</p>
<p data-id="p838747a-nFmdkOXb">Correspondingly, a program that generates log messages must write them in one of these three ways. Most programs send their log messages to the /dev/log socket.</p>
<p data-id="p838747a-QhCGDi0X">On unix operating systems, syslog is widely used for system logs. Syslog messages can be recorded in local files or sent over the network to a syslog server. The receiving server can store the syslog messages of many devices in one place, or parse their content and act on it. Common application scenarios are network management tools, security management systems and log management systems. A complete syslog log entry includes:</p>
<p data-id="p838747a-e7gXoJ77">[1]: the program module that generated the log</p>
<p data-id="p838747a-sCaoclds">[2]: severity</p>
<p data-id="p838747a-GTf8hCsO">[3]: time</p>
<p data-id="p838747a-leeQV1L2">[4]: host name or IP</p>
<p data-id="p838747a-T5QN8mCc">[5]: process name</p>
<p data-id="p838747a-FUmrexly">[6]: process ID</p>
<p data-id="p838747a-rl1vugfE">[7]: text</p>
<p data-id="p838747a-ZuEhuyPb">RFC3164, published in 2001, describes the BSD syslog protocol: http://www.ietf.org/rfc/rfc3164.txt. Much of this specification is not mandatory; it mostly consists of suggestions and conventions, and because it was published relatively late, many devices do not comply, or do not fully comply, with it. Next, we introduce this specification.</p>
<p data-id="p838747a-SAEvUtrg">By convention, the device that sends syslog is the Device, the device that forwards syslog is the Relay, and the device that receives syslog is the Collector. A Relay can also send its own syslog to a Collector, in which case it acts as a Device. A Relay can also forward only part of the syslog messages it receives, in which case it acts as a Relay and a Collector at the same time.</p>
<p data-id="p838747a-TECK4iFJ">A syslog message is sent to UDP port 514 of the Collector, and no response from the receiver is required. RFC3164 suggests that the Device also use 514 as the source port. The UDP packet carrying a syslog message must not exceed 1024 bytes, and it consists entirely of printable characters. A complete syslog message has 3 parts: PRI, HEADER and MSG. Most syslog messages contain PRI and MSG, while HEADER may be absent.</p>
<h4 id="h2" data-id="h7f20189-0B8ZMkTd">2. Configure the syslog server and client to realize log forwarding</h4>
<p data-id="p838747a-hSeDpl07"><strong>Environment: Ubuntu 16.04</strong></p>
<p data-id="p838747a-Zx8vtyk3"><strong>1. Server</strong></p>
<p data-id="p838747a-EsyYliip"><strong>&lt;1&gt; Modify /etc/default/rsyslog</strong></p>
<p data-id="p838747a-2r4XEuvt"><strong>&gt; Modify /etc/sysconf/syslog: set SYSLOGD_OPTIONS to &quot;-r -x -m 0&quot;</strong></p>
<p data-id="p838747a-lVKeaP8s">-r allows receiving messages from external hosts</p>
<p data-id="p838747a-lmBauOEk">-x means do not resolve DNS</p>
<p data-id="p838747a-w10guaMP">-m 0 sets the timestamp MARK interval to 0</p>
<p data-id="p838747a-Cc7o66aB">To accept logs only from one or more IPs, add for example &quot;-s 168.1.1.1:168.1.1.2&quot;</p>
<p data-id="p838747a-s4xWY1fD"><strong>&gt; Modify /etc/rsyslog.conf</strong></p>
<p data-id="p838747a-L14vAJ2H">Uncomment:</p>
<pre>$ModLoad imudp.so
$UDPServerRun 514</pre>
<p data-id="p838747a-VlPVK1m2">Add these two lines at the end of the file:</p>
<pre>syslog.info;syslog.!err;syslog.!crit;syslog.!alert    /var/log/mylog
syslog.err                                            /var/log/testerror</pre>
<p>The first rule records info messages in /var/log/mylog on the log server; the second records error messages in /var/log/testerror on the log server.</p>
<p data-id="p838747a-DVfsys0xK5A"><strong>2. Client</strong></p>
<p>Modify /etc/rsyslog.conf.</p>
<p data-id="p838747a-xbA900CH">Uncomment:</p>
<pre>$ModLoad imudp.so
$UDPServerRun 514</pre>
<p data-id="p838747a-QfLuFte8">Add the following at the end of the file (IP is the IP address of the server):</p>
<pre>syslog.info @IP</pre>
<p data-id="p838747a-azEELhkZ"><strong>3. Service restart</strong></p>
<p data-id="p838747a-vzvuMrfN"><strong>4. Test</strong></p>
<p><strong>Run the following program on the client; you will see that the log has been saved on the server in /var/log/mylog.</strong></p>
<pre class="hljs cpp">#include &lt;stdio.h&gt;
#include &lt;syslog.h&gt;

int main(int argc, char *argv[])
{
    /* Optional: set the ident to argv[0] and include the PID in every message. */
    //openlog(argv[0], LOG_CONS | LOG_PID, LOG_USER);
    int count = 0;
    while (count &lt; 5) {
        /* facility syslog, severity info: this matches the "syslog.info" selectors above */
        syslog(LOG_SYSLOG | LOG_INFO, "%d: syslog user test", count);
        count++;
    }
    //closelog();
    return 0;
}</pre>
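<p>The collector-side processing described above, as an added example that is not code from the article: it splits an RFC3164 datagram into PRI, HEADER and MSG, handles a missing HEADER or PRI and the 1024-byte limit, and then applies the two selector rules the article adds to /etc/rsyslog.conf using sysklogd selector semantics. The sample datagrams are constructed, and the function and field names are this example's own.</p>

```python
import re

# Facility and severity names as rsyslog spells them (RFC 3164 codes 0..23 and 0..7).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp security "
              "console solaris-cron local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(r"^<(\d{1,3})>")
HEADER_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
TAG_RE = re.compile(r"^(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

def parse_rfc3164(datagram: bytes) -> dict:
    """Split one UDP datagram into PRI, HEADER and MSG and return the seven fields."""
    # RFC 3164 caps a datagram at 1024 bytes; a relay truncates anything longer.
    text = datagram[:1024].decode("ascii", errors="replace").rstrip("\n")
    m = PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:
        pri, body = int(m.group(1)), text[m.end():]
    else:  # no valid PRI: RFC 3164 says assume <13> (user.notice) and keep the payload as MSG
        pri, body = 13, text
    rec = {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
           "timestamp": None, "hostname": None, "tag": None, "pid": None, "msg": body}
    h = HEADER_RE.match(body)
    if h:  # HEADER (timestamp + hostname) is optional and many devices omit it
        rec["timestamp"], rec["hostname"], rec["msg"] = h["ts"], h["host"], h["rest"]
    t = TAG_RE.match(rec["msg"])  # MSG starts with "TAG[pid]: " when the sender supplies one
    if t:
        rec["tag"], rec["pid"], rec["msg"] = t["tag"], int(t["pid"]) if t["pid"] else None, t["msg"]
    return rec

def match_selector(selector: str, facility: str, severity: str) -> bool:
    """Selector semantics: 'fac.pri' = pri and more severe, '!pri' removes them, '=' exact, 'none' clears."""
    level, selected = SEVERITIES.index(severity), False  # lower number = more severe
    for part in selector.split(";"):
        facs, pri = part.strip().rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue
        negate, pri = pri.startswith("!"), pri.lstrip("!")
        exact, pri = pri.startswith("="), pri.lstrip("=")
        if pri == "none":
            selected = False
        elif pri == "*" or (level == SEVERITIES.index(pri) if exact else level <= SEVERITIES.index(pri)):
            selected = not negate
    return selected

# The two rules the article appends to /etc/rsyslog.conf on the collector.
RULES = [("syslog.info;syslog.!err;syslog.!crit;syslog.!alert", "/var/log/mylog"),
         ("syslog.err", "/var/log/testerror")]

def route(datagram: bytes) -> list:  # files the collector's rules would append this datagram to
    rec = parse_rfc3164(datagram)
    return [path for sel, path in RULES if match_selector(sel, rec["facility"], rec["severity"])]
```

<p>With PRI 46 (facility 5 = syslog, severity 6 = info, which is what the test program's LOG_SYSLOG | LOG_INFO encodes) the message lands in /var/log/mylog only, while PRI 43 (syslog.err) lands in /var/log/testerror only.</p>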

