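Changing rsyslog output fields and format
Goals of the change
Change the timestamp format to 'yyyy/MM/dd hh:mm:ss'
Write entries in a CSV-like layout for log analysis
Output fromhost
Output the host names (fromhost and hostname) in uppercase
Output syslogfacility-text and syslogpriority-text
Contents of /etc/rsyslog.d/50-default.conf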
#  Default rules for rsyslog.
#
#  For more information see rsyslog.conf(5) and /etc/rsyslog.conf

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog;tmp_syslog
#cron.*                         /var/log/cron.log
#daemon.*                       -/var/log/daemon.log
kern.*                          -/var/log/kern.log
#lpr.*                          -/var/log/lpr.log
mail.*                          -/var/log/mail.log
#user.*                         -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info                      -/var/log/mail.info
#mail.warn                      -/var/log/mail.warn
mail.err                        /var/log/mail.err

#
# Some "catch-all" log files.
#
#*.=debug;\
#       auth,authpriv.none;\
#       news.none;mail.none     -/var/log/debug
#*.=info;*.=notice;*.=warn;\
#       auth,authpriv.none;\
#       cron,daemon.none;\
#       mail,news.none          -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8
Edit /etc/rsyslog.d/50-default.conf (excerpt)
vi /etc/rsyslog.d/50-default.conf
#  Default rules for rsyslog.
#
#  For more information see rsyslog.conf(5) and /etc/rsyslog.conf

# Template
$template tmp_syslog, "%timestamp:1:4:date-rfc3339%/%timestamp:6:7:date-rfc3339%/%timestamp:9:10:date-rfc3339% %timestamp:12:19:date-rfc3339%,%fromhost:::uppercase%,%hostname:::uppercase%,{%syslogfacility-text%.%syslogpriority-text%},%syslogtag%,\"%msg:::drop-last-lf%\"\n"

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog;tmp_syslog
#cron.*                         /var/log/cron.log
#daemon.*                       -/var/log/daemon.log
kern.*                          -/var/log/kern.log
#lpr.*                          -/var/log/lpr.log
mail.*                          -/var/log/mail.log
#user.*                         -/var/log/user.log
Restart the service
systemctl restart rsyslog
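The tmp_syslog template wraps %msg% in double quotes but does not escape quotes or commas inside the message, so a generic CSV reader can split one entry into extra fields. The following parser is an added example, not part of the original page: it anchors on the five fixed leading fields and treats everything between the first quote after the tag and the final quote as the message. The sample lines are constructed, and it assumes the tag and host names contain no commas.

```python
import csv
import re

# Layout written by the tmp_syslog template:
# yyyy/MM/dd HH:mm:ss,FROMHOST,HOSTNAME,{facility.severity},tag,"msg"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),'
    r'(?P<fromhost>[^,]*),'
    r'(?P<hostname>[^,]*),'
    r'\{(?P<facility>[a-z0-9]+)\.(?P<severity>[a-z]+)\},'
    r'(?P<tag>[^,]*),'          # assumption: syslogtag holds no comma
    r'"(?P<msg>.*)"$'           # greedy: the last quote closes the field
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the layout."""
    from datetime import datetime
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    # %msg% normally starts with the space that followed the tag's colon.
    rec["msg"] = rec["msg"].lstrip(" ")
    return rec

def naive_field_count(line):
    """Number of fields a plain csv.reader sees in the same line."""
    return len(next(csv.reader([line])))

# Constructed sample lines (not taken from a real system).
SAMPLE = [
    '2024/05/01 09:15:02,WEB01,WEB01,{daemon.info},systemd[1]:,'
    '" Started Daily apt download activities."',
    # Message text that itself contains quotes and a comma.
    '2024/05/01 09:15:07,WEB01,WEB01,{user.notice},app:,'
    '" login failed user="root",role="admin""',
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_line(line)
        print(naive_field_count(line), "csv fields ->",
              rec["ts"].isoformat(), rec["facility"], rec["severity"],
              rec["tag"], repr(rec["msg"]))
```

If the files are meant for standard CSV tooling, rsyslog's `csv` property option (`%msg:::csv%`) quotes the field per RFC 4180 instead of relying on the literal `\"` in the template.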