Changing the output fields and format of rsyslog

Change the timestamp format to 'yyyy/MM/dd hh:mm:ss'
Write the output in a CSV-like form for log analysis
Output fromhost
Output the host names (fromhost and hostname) in uppercase
Output syslogfacility-text and syslogpriority-text

#  Default rules for rsyslog.
#
#                       For more information see rsyslog.conf(5) and /etc/rsyslog.conf

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog;tmp_syslog
#cron.*                         /var/log/cron.log
#daemon.*                       -/var/log/daemon.log
kern.*                          -/var/log/kern.log
#lpr.*                          -/var/log/lpr.log
mail.*                          -/var/log/mail.log
#user.*                         -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info                      -/var/log/mail.info
#mail.warn                      -/var/log/mail.warn
mail.err                        /var/log/mail.err

#
# Some "catch-all" log files.
#
#*.=debug;\
#       auth,authpriv.none;\
#       news.none;mail.none     -/var/log/debug
#*.=info;*.=notice;*.=warn;\
#       auth,authpriv.none;\
#       cron,daemon.none;\
#       mail,news.none          -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8

Edit /etc/rsyslog.d/50-default.conf: define the template (tmp_syslog) above the rules, since a template has to be defined before the rule that references it, and append ;tmp_syslog to the rule whose output should use it (here the /var/log/syslog line).

vi /etc/rsyslog.d/50-default.conf

#  Default rules for rsyslog.
#
#                       For more information see rsyslog.conf(5) and /etc/rsyslog.conf

# Template
$template tmp_syslog, "%timestamp:1:4:date-rfc3339%/%timestamp:6:7:date-rfc3339%/%timestamp:9:10:date-rfc3339% %timestamp:12:19:date-rfc3339%,%fromhost:::uppercase%,%hostname:::uppercase%,{%syslogfacility-text%.%syslogpriority-text%},%syslogtag%,\"%msg:::drop-last-lf%\"\n"

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog;tmp_syslog
#cron.*                         /var/log/cron.log
#daemon.*                       -/var/log/daemon.log
kern.*                          -/var/log/kern.log
#lpr.*                          -/var/log/lpr.log
mail.*                          -/var/log/mail.log
#user.*                         -/var/log/user.log

systemctl restart rsyslog
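The template above wraps %msg% in literal double quotes, which is fine for grep but not for a strict CSV reader: a message that itself contains a double quote or a comma (sshd, for instance, logs an attempted user name verbatim) produces a line that no longer splits into six fields, and that part of the line is attacker-controlled. rsyslog's property replacer has a `csv` option that quotes a field per RFC 4180; the exact quoting it emits, and combining it with drop-last-lf as `%msg:::drop-last-lf,csv%`, are assumptions here that should be checked against the running version. Embedded newlines are a separate concern: rsyslog escapes control characters in the message by default (an LF becomes #012), so they only matter if $EscapeControlCharactersOnReceive has been turned off. The following Python script is an added example and not code from the page or from rsyslog: it re-implements the handful of property-replacer operations the template uses (1-based inclusive substring, uppercase, drop-last-lf, plus the assumed csv quoting), renders two constructed sample records both as the page's template does and with csv quoting, and parses the result with a strict RFC 4180 reader, rejecting any line that does not yield exactly six fields.

```python
import csv
from datetime import datetime

# Constructed sample records standing in for the rsyslog properties that the
# tmp_syslog template reads. timestamp is in the date-rfc3339 form the template
# slices; msg keeps the leading space rsyslog gives %msg% and the trailing LF
# that drop-last-lf removes.
SAMPLE_RECORDS = [
    {"timestamp": "2019-11-04T21:15:03.123456+09:00",
     "fromhost": "web01", "hostname": "web01",
     "facility": "auth", "priority": "info", "tag": "sshd[1234]:",
     "msg": " Accepted publickey for ops from 10.0.0.5 port 51234 ssh2\n"},
    # A message carrying a double quote and a comma: the attacker-controlled
    # part of the line, and the case that breaks hand-quoted "CSV".
    {"timestamp": "2019-11-04T21:15:04.000000+09:00",
     "fromhost": "web01", "hostname": "web01",
     "facility": "auth", "priority": "warning", "tag": "sshd[1235]:",
     "msg": ' Invalid user "root",admin from 10.0.0.9\n'},
]


def prop(value, frm=None, to=None, options=()):
    """Mimic rsyslog's %property:fromChar:toChar:options% replacer.

    fromChar/toChar are 1-based and inclusive, so 1:4 of a date-rfc3339
    stamp is the year and 12:19 is HH:MM:SS. Options apply to the extracted
    field. Only the options this page uses, plus csv, are implemented.
    """
    if frm is not None:
        value = value[frm - 1:to]
    for opt in options:
        if opt == "uppercase":
            value = value.upper()
        elif opt == "drop-last-lf":
            value = value[:-1] if value.endswith("\n") else value
        elif opt == "csv":
            # RFC 4180 quoting: wrap in double quotes, double embedded quotes.
            # Assumed to match what rsyslog's csv option emits; verify locally.
            value = '"' + value.replace('"', '""') + '"'
        else:
            raise ValueError("unsupported property option: " + opt)
    return value


def render_tmp_syslog(rec, msg_options=("drop-last-lf",)):
    """Render one record the way the page's tmp_syslog template does:

        yyyy/MM/dd HH:MM:SS,FROMHOST,HOSTNAME,{facility.priority},tag,"msg"

    The template adds literal quotes around %msg%. With msg_options
    ("drop-last-lf", "csv") the csv option supplies the quoting instead.
    """
    ts = rec["timestamp"]
    date = "%s/%s/%s %s" % (prop(ts, 1, 4), prop(ts, 6, 7),
                            prop(ts, 9, 10), prop(ts, 12, 19))
    msg = prop(rec["msg"], options=msg_options)
    if "csv" not in msg_options:
        msg = '"' + msg + '"'  # the template's \" ... \"
    return "%s,%s,%s,{%s.%s},%s,%s" % (
        date,
        prop(rec["fromhost"], options=("uppercase",)),
        prop(rec["hostname"], options=("uppercase",)),
        rec["facility"], rec["priority"], rec["tag"], msg)


def parse_line(line):
    """Parse one emitted line with a strict RFC 4180 reader.

    Returns a dict of the six fields (time as a datetime), or None when the
    line does not parse into exactly six fields, which is how an analysis
    pipeline should treat a record it cannot trust.
    """
    try:
        fields = next(csv.reader([line], strict=True))
    except csv.Error:
        return None
    if len(fields) != 6:
        return None
    facility, _, priority = fields[3].strip("{}").partition(".")
    return {
        "time": datetime.strptime(fields[0], "%Y/%m/%d %H:%M:%S"),
        "fromhost": fields[1], "hostname": fields[2],
        "facility": facility, "priority": priority,
        "tag": fields[4], "msg": fields[5],
    }


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        for opts in (("drop-last-lf",), ("drop-last-lf", "csv")):
            line = render_tmp_syslog(rec, opts)
            print(line)
            print("  ->", parse_line(line))
```

The first record parses under both renderings; the second parses only with csv quoting, and the page's template version is rejected rather than silently split into the wrong fields. Before restarting rsyslog after changing the template, `rsyslogd -N1` checks the configuration syntax without starting the daemon.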

  • linux/operation/rsyslog
  • Last updated: 2019/11/04
  • by chibatono