tencent cloud

14天试用边缘安全加速平台 EO 限时免费
Konten saat ini hanya tersedia dalam bahasa inggris, edisi bahasa inggris kami akan segera menambahkan, terima kasih atas pengertian anda.
关闭

masukan

Cloud Log Service

Collecting Syslog

Terakhir diperbarui:2024-01-20 17:14:28

Overview

Syslog refers to system logs or records and is a standard for sending log messages in internet protocols. It is supported by network routers, switches, firewalls, and UNIX/Linux servers. Syslog monitoring and management are important for business operations, helping reduce system downtime, improve network performance, and enhance security policies.

Prerequisites

You have deployed RSyslog.
You have activated CLS.
You have installed LogListener 3.0.1.0 or later on the target server with the RSyslog IP.
The configuration in the console is made available through an allowlist. Submit a ticket for application.
Use rsyslog/etc/rsyslog.conf to enable UDP/TCP forwarding:


Note:
For detailed directions on how to install LogListener, see LogListener Installation Guide.

Directions

Configuring RSyslog forwarding

On the syslog server, modify RSyslog's configuration file /etc/rsyslog.conf by adding the forwarding rule in the last line. Then, RSyslog will forward syslog to the specified IP and port. If the current server is used to collect local syslog, the forwarding address should be 127.0.0.1, and the port can be a random idle port.
If another server is used to collect local syslog, the forwarding address should be the public network IP of the server, and the port can be a random idle port.
The following configuration indicates to forward all logs to 127.0.0.1:1000 over TCP. For more information on the configuration file, see RSyslog Documentation.
*.* @@127.0.0.1:1000
Run the following command to restart RSyslog for the log forwarding rule to take effect.
sudo service rsyslog restart

Configuring the syslog collection rule in the CLS console

Step 1. Select a log topic

To select a new log topic, perform the following steps: Log in to the CLS console.
On the left sidebar, click Overview to enter the overview page.
In the Other Logs section, find syslog collection and click Access Now.
On the Create Log Topic page, configure the log topic information such as the name and log retention period as needed and click Next.
To select an existing log topic, perform the following steps: Log in to the CLS console.
On the left sidebar, click Log Topic and select the target log topic to enter the log topic management page.
On the Collection Configuration tab, click Add in the LogListener Collection Configuration section.

Step 2. Configure a machine group

On the Machine Group Management page, select the machine group to which to bind the current log topic and click Next to proceed to collection configuration. For more information, see Machine Group.

Step 3. Configure syslog collection

On the syslog collection configuration page, configure the following information:
Configuration Item
Type
Description
Collection Rule Name
Input box
Indicates the name of this collection rule.
Network Type
Radio button
Specifies the syslog transfer protocol: UDP or TCP.
Parsing Protocol
Radio button
Specifies the protocol for log parsing. It is empty by default, indicating no parsing. Valid values: rfc3164 (RFC 3164), rfc 5424 (RFC5424), auto (automatic selection).
Output Source
Input box
Specifies the protocol, address, and port for LogListener. It is in the format of [tcp/udp]://[ip]:[port]. If it is not specified, tcp://127.0.0.1:10000 will be used by default.
Upload upon Parsing Failure
Toggle
Specifies the operation upon parsing failure. If it is enabled, the full text of the log will be returned based on the input key; otherwise, the log will be discarded.
Key Name of Parsing-Failed Logs
Input box
Specifies the key name of logs that failed to be parsed.

Step 4. Configure an index

1. On the index configuration page, configure the following information:
Index Status: Select whether to enable it.
Full-Text Index: Select whether to set it to case-sensitive. Full-Text Delimiter: It is "@&()='",;:<>[]{}/ \\n\\t\\r" by default and can be modified as needed.
Allow Chinese Characters: Select whether to enable this feature.
Key-Value Index: Disabled by default. You can configure the field type, delimiters, and whether to enable statistical analysis according to the key name as needed. To enable key-value index, toggle the switch on.
Note:
Index configuration must be enabled first before you can perform searches.
The modified index rules take effect only for newly written logs. The existing data is not updated.
2. Click Submit.

Viewing syslog

After configuring syslog collection in the current log topic, click Search to enter the Search and Analysis page to view the syslog.
Field
Description
HOSTNAME
Hostname. The current hostname will be obtained if it is not provided in the log.
program
tag field in the protocol.
priority
priority field in the protocol.
facility
facility field in the protocol.
severity
severity field in the protocol.
timestamp
Timestamp of the log.
content
Log content, which will contain all the content of unparsed logs if parsing fails.
SOURCE
IP of the current host.
client_ip
Client IP for log transfer.
Hubungi Kami

Hubungi tim penjualan atau penasihat bisnis kami untuk membantu bisnis Anda.

Dukungan Teknis

Buka tiket jika Anda mencari bantuan lebih lanjut. Tiket kami tersedia 7x24.

Dukungan Telepon 7x24
中国香港
+852 800 906 020 (免费)
美国
+1 844 606 0804 (免费)
英国
+44 808 196 4551 (免费)
加拿大
+1 888 605 7930 (免费)
澳大利亚
+61 1300 986 386 (免费)
EdgeOne 热线
+852 300 80699
更多本地服务热线陆续新增中