# 日志收集端，存放客户端发送过来的日志

1、开启tcp接收
[root@localhost ~]# cat /etc/rsyslog.conf |grep -vE "^#|^$" | grep 514
$InputTCPServerRun 514

2、创建配置文件，定义存储路径。
[root@localhost ~]# cat /etc/rsyslog.d/119.conf 
$template NginxLog, "/var/log/nginx/%FROMHOST-IP%/%$YEAR%-%$MONTH%-%$DAY%/%PROGRAMNAME%.log"
if $programname == 'nginx-access' then -?NginxLog
if $programname == 'nginx-error' then -?NginxLog

%FROMHOST-IP% 以客户端ip命名目录
%$YEAR%-%$MONTH%-%$DAY% 年月日命名目录
%PROGRAMNAME%.log" 等于客户端中InputFileTag的值

最终效果如下：
[root@localhost ~]# ll /var/log/nginx/192.168.6.119/2024-04-07/*
-rw------- 1 root root 1997 Apr  7 02:10 /var/log/nginx/192.168.6.119/2024-04-07/nginx-access.log
-rw------- 1 root root 1694 Apr  7 02:10 /var/log/nginx/192.168.6.119/2024-04-07/nginx-error.log
目录会自动创建，不需要手动提前建好。

[root@localhost ~]# systemctl restart rsyslog

# 日志发送端

[root@localhost ~]# cat /etc/rsyslog.d/nginx.conf 
$ModLoad imfile
$InputFilePollInterval 5
$WorkDirectory /var/spool/rsyslog
$PrivDropToGroup root

$InputFileName /var/log/nginx/access.log
$InputFileTag nginx-access:
$InputFileStateFile stat-nginx-access
$InputFileSeverity info
$InputFilePersistStateInterval 25000
$InputRunFileMonitor

$InputFileName /var/log/nginx/error.log
$InputFileTag nginx-error:
$InputFileStateFile stat-nginx-error
$InputFileSeverity info
$InputFilePersistStateInterval 25000
$InputRunFileMonitor
*.* @@192.168.6.114:514

# @@是以tcp方式发送到目标ip的514端口。