Monday, June 20, 2011

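Configuring a log receive server on RHEL6

The default log server on RHEL6 has changed from syslog to rsyslog, so the configuration method used on RHEL3/4/5 may no longer apply (some people may still prefer syslog, in which case the method should be the same). Not to worry, though: the essentials never change, and that is the Linux creed. Once you have the theory, configuration is just putting it into practice. Below is a brief description of what to change.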

1. Enable UDP port 514:
By default rsyslog has port 514 turned off; turn it on manually.
- Configure /etc/rsyslog.conf:
Uncomment the UDP syslog lines:
$ModLoad imudp.so
$UDPServerRun 514

- Restart rsyslog:
# /etc/init.d/rsyslog restart

2. Check that UDP port 514 is open:
[root@rhel6 ~]# netstat -tupln | grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:* 2713/rsyslogd
udp 0 0 :::514 :::* 2713/rsyslogd

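3. Configure rsyslog to receive the remote machine's log events:
# vi /etc/rsyslog.conf
Add a rule that writes the log received from the remote machine to its own file (the same file that step 4 rotates):
:fromhost-ip,isequal,"X.X.X.X" /var/log/test1.log
X.X.X.X -> remote IP address
This filter only decides where messages from that address are written. It is not an access control: rsyslog still accepts UDP syslog from any host that can reach port 514.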

- Restart rsyslog:
# /etc/init.d/rsyslog restart

4. Set up logrotate:
# vi /etc/logrotate.d/test1
/var/log/test1.log {
    # Trigger logrotate when the file size is more than 4096k
    size +4096k
    # File permission and owner of the newly created log
    create 640 root root
    # Maximum number of rotated logs to keep
    rotate 10
    compress
    # Reload rsyslog after logrotate is triggered
    postrotate
        /etc/init.d/rsyslog reload
    endscript
}

- Restart rsyslog:
# /etc/init.d/rsyslog restart
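
A check for the receiver configured in steps 1 to 4, as an added example that is not part of the original post: it confirms that imudp and $UDPServerRun are active and that every file a fromhost-ip rule writes to is covered by a logrotate stanza. The function names and the sample files (including the address 192.0.2.10) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a receiver's rsyslog.conf (legacy syntax) and logrotate stanza.

directive_value() {   # $1 = rsyslog.conf, $2 = directive name; prints active values
    awk -v d="\$$2" '$1 == d { print $2 }' "$1"
}

fromhost_rules() {    # $1 = rsyslog.conf; prints "ip path" per active fromhost-ip rule
    sed -n 's|^[[:space:]]*:fromhost-ip,[[:space:]]*isequal,[[:space:]]*"\([^"]*\)"[[:space:]]*-\{0,1\}\(/[^[:space:]]*\).*|\1 \2|p' "$1"
}

rotated_paths() {     # $1 = logrotate file; prints one rotated path per line
    sed -n '/^[[:space:]]*#/d; s/[[:space:]]*{[[:space:]]*$//p' "$1" | tr -s ' \t' '\n\n'
}

audit_receiver() {    # $1 = rsyslog.conf, $2 = logrotate file; returns number of findings
    findings=0
    directive_value "$1" ModLoad | grep -Eq '^imudp(\.so)?$' ||
        { echo "imudp module is not loaded"; findings=$((findings + 1)); }
    [ -n "$(directive_value "$1" UDPServerRun)" ] ||
        { echo "no active \$UDPServerRun line"; findings=$((findings + 1)); }
    rules=$(fromhost_rules "$1")
    [ -n "$rules" ] ||
        { echo "no :fromhost-ip,isequal rule"; findings=$((findings + 1)); }
    for path in $(printf '%s\n' "$rules" | awk 'NF { print $2 }'); do
        rotated_paths "$2" | grep -Fxq "$path" ||
            { echo "$path is written by rsyslog but not rotated"; findings=$((findings + 1)); }
    done
    return "$findings"
}

write_samples() {     # $1 = directory; constructed sample files, not from a real host
    cat > "$1/rsyslog.conf" <<'EOF'
#$ModLoad imtcp.so
$ModLoad imudp.so
$UDPServerRun 514
:fromhost-ip,isequal,"192.0.2.10" /var/log/test1_log
EOF
    printf '/var/log/test1.log {\n    rotate 10\n}\n' > "$1/test1"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_receiver "$demo_dir/rsyslog.conf" "$demo_dir/test1" || echo "findings: $?"
rm -rf "$demo_dir"
```

On a real receiver, call `audit_receiver /etc/rsyslog.conf /etc/logrotate.d/test1`; a non-zero exit status is the number of findings printed.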
