[root@localhost ~]# vi /etc/rsyslog.conf #查看配置文件的内容 # rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES #### #加载模块
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command) #加载imuxsock模块,为本地系统日志记录提供支持 $ModLoad imklog # provides kernel logging support (previously done by rklogd) #加载imklog模块,为内核日志记录提供支持 #$ModLoad immark # provides --MARK-- message capability #加载immark模块,提供标记信息的能力
# Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat #定义日志的时间使用默认的时间戳格式
# File syncing capability is disabled by default. This feature is usually not required, # not useful and an extreme performance hit #$ActionFileEnableSync on #文件同步功能。默认没有开启,是注释的。
# Include all config files in /etc/rsyslog.d/ $IncludeConfig /etc/rsyslog.d/*.conf #包含/etc/rsyslog.d/目录中所有的“.conf”子配置文件。也就是说这个目录中的所有 #子配置文件也同时生效。
#### RULES #### #日志文件保存规则
# Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console #kern服务.所有日志级别 保存在/dev/console #这个日志默认没有开启,如果需要,则取消注释
# Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages #所有服务.info以上级别的日志保存在/var/log/messages日志中。 #mail,authpriv,cron的日志不记录在/var/log/messages日志文件中,因为它们都有自己的日志文件。 #所以/var/log/messages日志是最重要的系统日志文件,需要经常查看!
# The authpriv file has restricted access. authpriv.* /var/log/secure #用户认证服务所有级别的日志保存在/var/log/secure日志中
# Log all the mail messages in one place. mail.* -/var/log/maillog #mail服务的所有级别的日志保存在/var/log/maillog日志中。 #“-”号的含义是日志先在内存之中保存,当日志够多之后,再向文件中保存。代价是系统崩溃时,尚未写入文件的日志可能丢失。
# Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler #uucp和news日志服务的crit以上的日志保存在/var/log/spooler日志文件中。
# Save boot messages also to boot.log local7.* /var/log/boot.log #local7日志服务的所有日志写入/var/log/boot.log日志中。 #会把开机时的检测信息在显示到屏幕的同时,写入/var/log/boot.log日志中
# ### begin forwarding rule ### #定义转发规则 # The statement between the begin ... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple # forwarding rules, duplicate the whole block! # Remote Logging (we use TCP for reliable delivery) # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. #$WorkDirectory /var/lib/rsyslog # where to place spool files #$ActionQueueFileName fwdRule1 # unique name prefix for spool files #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown #$ActionQueueType LinkedList # run asynchronously #$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 #“@@”表示通过TCP转发(单个“@”表示UDP)。这种转发默认是明文传输,日志内容在网络上不加密,跨不可信网络转发时应另行配置TLS加密。 # ### end of the forwarding rule ##
3)、定义自己的日志
[root@localhost ~]# vi /etc/rsyslog.conf #写入以下一句话 *.crit /var/log/alert.log #把所有服务的“临界点”以上的错误都保存在/var/log/alert.log日志中 #注意:“*”也包含authpriv服务,认证相关的crit以上级别日志同样会写入此文件,应确认该文件的访问权限与/var/log/secure一样受限。
# RPM packages drop log rotation information into this directory include /etc/logrotate.d #包含/etc/logrotate.d/目录中所有的子配置文件。也就是说会把这个目录中所有子配置文件读取进来,进行日志轮替。
# no packages own wtmp and btmp -- we'll rotate them here #以下两个轮替日志有自己的独立参数,如果和默认的参数冲突,则独立参数生效。 /var/log/wtmp { #以下参数仅对此日志文件有效 monthly #每月对日志文件进行一次轮替 create 0664 root utmp #建立的新日志文件,权限是0664,所有者是root,所属组是utmp组 minsize 1M #日志文件最小轮替大小是1MB。也就是日志一定要超过1MB才会轮替,否则就算时间达到一个月,也不进行日志转储 rotate 1 #仅保留一个日志备份。也就是只有wtmp和wtmp.1日志保留而已 }