rsyslog templates that store log files by date:

$template 10.161.54.11,"/var/log/rsyslog/%fromhost-ip%/netflow_%$YEAR%-%$MONTH%-%$DAY%.log"
$template 10.161.50.5,"/var/log/rsyslog/%fromhost-ip%/xdns_webeng_%$YEAR%-%$MONTH%-%$DAY%.log"
$template 10.161.50.7,"/var/log/rsyslog/%fromhost-ip%/xdns_webeng_%$YEAR%-%$MONTH%-%$DAY%.log"

# send logs arriving from a specific IP to a specific rsyslog destination
#:fromhost-ip, !isequal, "127.0.0.1" ?Remote
:fromhost-ip, isequal, "10.161.54.11" ?10.161.54.11
:fromhost-ip, isequal, "10.161.50.5" ?10.161.50.5
:fromhost-ip, isequal, "10.161.50.7" ?10.161.50.7

Have rsyslog write out all debug information:

*.* /var/log/debugfmt;RSYSLOG_DebugFormat

Debug output:

FROMHOST: '172.18.18.9', fromhost-ip: '172.18.18.9', HOSTNAME: '172.18.18.9', PRI: 5,
syslogtag 'time:', programname: 'time', APP-NAME: 'time', PROCID: '-', MSGID: '-',
TIMESTAMP: 'Mar  4 09:04:45', STRUCTURED-DATA: '-',
msg: '2021-03-04 09:04:45;danger_degree:1;breaking_sighn:0;event:[50556]MySQL登录认证成功;src_addr:172.18.5.65;src_port:57953;dst_addr:172.18.20.52;dst_port:3306;user:;smt_user:;proto:MYSQL'
escaped msg: '2021-03-04 09:04:45;danger_degree:1;breaking_sighn:0;event:[50556]MySQL登录认证成功;src_addr:172.18.5.65;src_port:57953;dst_addr:172.18.20.52;dst_port:3306;user:;smt_user:;proto:MYSQL'
inputname: imudp rawmsg: '<5>time:2021-03-04 09:04:45;danger_degree:1;breaking_sighn:0;event:[50556]MySQL登录认证成功;src_addr:172.18.5.65;src_port:57953;dst_addr:172.18.20.52;dst_port:3306;user:;smt_user:;proto:MYSQL'
$!:
$.:
$/:
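As an added example (not part of these notes), a small Python parser for the rawmsg shown in the debug output above: it splits the <PRI> header into the facility and severity that rsyslog exposes as %syslogfacility% and %syslogpriority% (PRI 5 is facility 0, severity 5 = notice), and breaks the device's semicolon-separated body into named fields. The sample message is constructed from the debug output; the function and field names are my own.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the rawmsg from the RSYSLOG_DebugFormat output above. The device
# sends "<PRI>time:..." with no timestamp or hostname, so rsyslog took "time:" as the tag.
RAW_MSG = ("<5>time:2021-03-04 09:04:45;danger_degree:1;breaking_sighn:0;"
           "event:[50556]MySQL登录认证成功;src_addr:172.18.5.65;src_port:57953;"
           "dst_addr:172.18.20.52;dst_port:3306;user:;smt_user:;proto:MYSQL")

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def split_pri(raw: str) -> Tuple[int, int, str]:
    """Return (facility, severity, body) of a "<PRI>body" datagram.
    PRI = facility * 8 + severity, so facility = PRI >> 3 and severity = PRI & 7;
    these are what rsyslog reports as %syslogfacility% and %syslogpriority%."""
    m = _PRI_RE.match(raw)
    if m is None:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    return pri >> 3, pri & 7, m.group(2)


def parse_nips_body(body: str) -> Dict[str, object]:
    """Split the ';'-separated key:value body into a dict. Values may themselves
    contain ':' (the time field), so each item is split on the first ':' only."""
    fields: Dict[str, object] = {}
    for item in body.split(";"):
        if ":" not in item:
            continue  # tolerate a malformed fragment instead of dropping the event
        key, value = item.split(":", 1)
        fields[key.strip()] = value.strip()
    ev = re.match(r"^\[(\d+)\](.*)$", str(fields.get("event", "")))
    if ev:  # "event:[50556]text" -> numeric event id plus text
        fields["event_id"] = int(ev.group(1))
        fields["event"] = ev.group(2)
    for key in ("danger_degree", "src_port", "dst_port"):
        if str(fields.get(key, "")).isdigit():
            fields[key] = int(str(fields[key]))
    return fields


def parse_nips_event(raw: str) -> Dict[str, object]:
    """Full record for one datagram: parsed fields plus facility and severity name."""
    facility, severity, body = split_pri(raw)
    record = parse_nips_body(body)
    record["facility"] = facility
    record["severity"] = SEVERITIES[severity]
    return record
```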

rsyslog's isequal is not recommended; use == instead:

if $fromhost isequal '172.18.18.9' then /var/log/nips.log

if $fromhost-ip == '172.18.18.9' then {
  action(type="ommysql" server="localhost" db="Syslog" uid="nips" pwd="xxxxxxxx")
}

Using rsyslog's ommysql:

$ModLoad ommysql

*.info;mail.none;authpriv.none;cron.none               :ommysql:localhost,Syslog,nips,xxxxxxxx

*.info;mail.none;authpriv.none;cron.none               action(type="ommysql" server="localhost" db="Syslog" uid="nips" pwd="xxxxxxxx")

$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%fromhost-ip%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql
action(type="ommysql" server="localhost" serverport="3306" db="Syslog" uid="nips" pwd="xxxxxxxx" template="dbFormat")

# actual configuration used on 172.18.31.34:
if $fromhost-ip == '172.18.18.9' then {
    if $syslogpriority == 7 then {
        $template dbFormat1,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', 10, '%fromhost-ip%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, 'nips')",sql
        action(type="ommysql" server="localhost" serverport="3306" db="Syslog" uid="nips" pwd="xxxxxxxx" template="dbFormat1")
    }
    else {
        $template dbFormat2,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('time:%msg%', 10, '%fromhost-ip%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, 'nips')",sql
        action(type="ommysql" server="localhost" serverport="3306" db="Syslog" uid="nips" pwd="xxxxxxxx" template="dbFormat2")
    }
}
& ~

Using & ~ in rsyslog:

:fromhost-ip,startswith,"192.168.1." /var/log/remote-devs.log
& ~

The next line ("& ~") is important: it tells rsyslog to stop processing the message after it was written to the log. As such, these messages will not reach the local part. Without that "& ~", messages would also be written to the local files. In current rsyslog versions the "~" discard action is deprecated in favour of the "stop" statement, which has the same effect.

Facility levels:

Severity levels: