rsyslog通过发送者来源ip区分日志路径

[root@localhost ~]# cat /etc/rsyslog.conf | grep -Ev "^#|^$"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
# Network inputs: UDP and TCP listeners on port 514. Transport is plain
# syslog (no encryption, no sender authentication — the peer IP is the only
# sender identity). Nothing in this file limits who may send; the
# $AllowedSender directive shown later on this page restricts the UDP
# listener only, so a TCP entry and/or host-firewall rules are still needed.
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
# Default selectors. Rules are evaluated top to bottom, so remote messages
# pass through these lines before reaching the per-sender rule below.
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

# Template defining the per-sender log path:
#   /var/log/usg/<peer IP>/<YYYY-MM-DD>.log
# %FROMHOST-IP% is the address of the socket peer, not a field parsed from
# the message text, so the directory name is not chosen by message content.
# Every non-loopback host that reaches port 514 gets its own directory —
# pair this with a sender whitelist and logrotate to bound disk usage.
# NOTE(review): presumably relies on rsyslog creating missing directories
# (default $CreateDirs on) — confirm on the target version.
$template IpTemplate,"/var/log/usg/%FROMHOST-IP%/%$YEAR%-%$MONTH%-%$DAY%.log"
# Matches every message whose peer address is not 127.0.0.1, i.e. all remote
# senders regardless of facility or severity. Because this rule comes after
# the selectors above, such messages have already been written to
# /var/log/messages (and secure/maillog/cron where they match) before the
# discard below takes effect; add e.g. local6.none to those selectors if the
# duplication is unwanted.
:fromhost-ip, !isequal, "127.0.0.1" ?IpTemplate
& ~  # '&' = the messages matched by the filter above; '~' = discard, no further processing (deprecated since rsyslog 7 in favour of "stop")

这样,客户端发送过来的日志,rsyslog 会按来源 IP 各建一个文件夹,并在其中按日期保存日志文件。

测试:
通过logger命令测试发送日志
机器1:
# From host 1: user.info sent over the network (logger -n uses UDP first,
# port 514). With the config above the message is written to /var/log/messages
# (matched first) and then to /var/log/usg/<host-1 IP>/<date>.log.
logger -n 192.168.6.205 -p user.info "from server 1"

机器2:
# From host 2: same as host 1; the message ends up in a separate directory
# named after host 2's peer IP.
logger -n 192.168.6.205 -p user.info "from server 2"

这种方式适合集中收集多个网络设备的日志。

华为usg6000防火墙发送日志到rsyslog

日志服务器:192.168.6.205

# rsyslog配置
[root@localhost log]# cat /etc/rsyslog.conf | grep -Ev "^#|^$"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
# Both listeners accept plain (unencrypted, unauthenticated) syslog on 514;
# the USG CLI itself warns about this when the loghost is configured (see its
# output on this page). No $AllowedSender restriction is set in this file, so
# any host that can reach the port can write into the files below — add the
# whitelist directive from this page (for UDP and TCP) or filter at the
# host firewall.
$ModLoad imudp # enable UDP reception
$UDPServerRun 514 # UDP port
$ModLoad imtcp # enable TCP reception
$InputTCPServerRun 514 # TCP port
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
# Facility-based routing for the firewall. local6 messages at info or above
# also match the '*.info' selector above, so they are written to
# /var/log/messages as well; add local6.none there if that is unwanted.
local6.*						                        /var/log/usg6000.log # the USG sends with facility local6; all severities (.*) go to this path
# 重启rsyslog
[root@localhost log]# systemctl restart rsyslog
# usg配置
[USG6300]info-center enable 

[USG6300]info-center source default channel 2 log level informational 

[USG6300]info-center loghost 192.168.6.205 facility local6 port 514 channel 2 language English source-ip 192.168.12.45
Warning: There is security risk as this operation enables a non secure syslog protocol.

facility 对应 rsyslog 中的设施代码(local0~local7),USG 支持 local0 到 local7:
[USG6300]info-center loghost 192.168.6.205 facility ?
  local0  Logging host facility 
  local1  Logging host facility 
  local2  Logging host facility 
  local3  Logging host facility 
  local4  Logging host facility 
  local5  Logging host facility 
  local6  Logging host facility 
  local7  Logging host facility 
# rsyslog sender whitelist: allowed source addresses. This line covers the
# UDP listener only — the TCP listener on 514 needs its own
# "$AllowedSender TCP, ..." entry. 192.168.222.10/24 has host bits set; the
# intended network is presumably 192.168.222.0/24 — confirm. The USG
# source-ip used on this page (192.168.12.45) falls in neither range, so with
# these values the firewall's logs would be rejected; substitute the real
# sender networks.
# NOTE(review): confirm for the rsyslog version in use whether this directive
# must precede $UDPServerRun in rsyslog.conf to take effect.
$AllowedSender UDP, 192.168.222.10/24, 10.0.0.0/8
# Send a test log message from the shell.
# -n sends to the collector over the network (UDP first, port 514).
# -p user.info uses facility "user", so this exercises the default selectors
# (and the per-IP template from the first config), not the local6 rule for
# the USG; use -p local6.info to test that path.
logger -n 192.168.6.205 -p user.info "aaaaaaaaaaaa"