tencent cloud

피드백

Collecting Syslog

마지막 업데이트 시간:2024-01-20 17:14:28

    Overview

    Syslog refers to system logs or records and is a standard for sending log messages in internet protocols. It is supported by network routers, switches, firewalls, and UNIX/Linux servers. Syslog monitoring and management are important for business operations, helping reduce system downtime, improve network performance, and enhance security policies.

    Prerequisites

    You have deployed RSyslog.
    You have activated CLS.
    You have installed LogListener 3.0.1.0 or later on the target server with the RSyslog IP.
    The configuration in the console is made available through an allowlist. Submit a ticket for application.
    Use rsyslog/etc/rsyslog.conf to enable UDP/TCP forwarding:
    
    
    Note:
    For detailed directions on how to install LogListener, see LogListener Installation Guide.

    Directions

    Configuring RSyslog forwarding

    On the syslog server, modify RSyslog's configuration file /etc/rsyslog.conf by adding the forwarding rule in the last line. Then, RSyslog will forward syslog to the specified IP and port. If the current server is used to collect local syslog, the forwarding address should be 127.0.0.1, and the port can be a random idle port.
    If another server is used to collect local syslog, the forwarding address should be the public network IP of the server, and the port can be a random idle port.
    The following configuration indicates to forward all logs to 127.0.0.1:1000 over TCP. For more information on the configuration file, see RSyslog Documentation.
    *.* @@127.0.0.1:1000
    Run the following command to restart RSyslog for the log forwarding rule to take effect.
    sudo service rsyslog restart

    Configuring the syslog collection rule in the CLS console

    Step 1. Select a log topic

    To select a new log topic, perform the following steps: Log in to the CLS console.
    On the left sidebar, click Overview to enter the overview page.
    In the Other Logs section, find syslog collection and click Access Now.
    On the Create Log Topic page, configure the log topic information such as the name and log retention period as needed and click Next.
    To select an existing log topic, perform the following steps: Log in to the CLS console.
    On the left sidebar, click Log Topic and select the target log topic to enter the log topic management page.
    On the Collection Configuration tab, click Add in the LogListener Collection Configuration section.

    Step 2. Configure a machine group

    On the Machine Group Management page, select the machine group to which to bind the current log topic and click Next to proceed to collection configuration. For more information, see Machine Group.

    Step 3. Configure syslog collection

    On the syslog collection configuration page, configure the following information:
    Configuration Item
    Type
    Description
    Collection Rule Name
    Input box
    Indicates the name of this collection rule.
    Network Type
    Radio button
    Specifies the syslog transfer protocol: UDP or TCP.
    Parsing Protocol
    Radio button
    Specifies the protocol for log parsing. It is empty by default, indicating no parsing. Valid values: rfc3164 (RFC 3164), rfc 5424 (RFC5424), auto (automatic selection).
    Output Source
    Input box
    Specifies the protocol, address, and port for LogListener. It is in the format of [tcp/udp]://[ip]:[port]. If it is not specified, tcp://127.0.0.1:10000 will be used by default.
    Upload upon Parsing Failure
    Toggle
    Specifies the operation upon parsing failure. If it is enabled, the full text of the log will be returned based on the input key; otherwise, the log will be discarded.
    Key Name of Parsing-Failed Logs
    Input box
    Specifies the key name of logs that failed to be parsed.

    Step 4. Configure an index

    1. On the index configuration page, configure the following information:
    Index Status: Select whether to enable it.
    Full-Text Index: Select whether to set it to case-sensitive. Full-Text Delimiter: It is "@&()='",;:<>[]{}/ \\n\\t\\r" by default and can be modified as needed.
    Allow Chinese Characters: Select whether to enable this feature.
    Key-Value Index: Disabled by default. You can configure the field type, delimiters, and whether to enable statistical analysis according to the key name as needed. To enable key-value index, toggle the switch on.
    Note:
    Index configuration must be enabled first before you can perform searches.
    The modified index rules take effect only for newly written logs. The existing data is not updated.
    2. Click Submit.

    Viewing syslog

    After configuring syslog collection in the current log topic, click Search to enter the Search and Analysis page to view the syslog.
    Field
    Description
    HOSTNAME
    Hostname. The current hostname will be obtained if it is not provided in the log.
    program
    tag field in the protocol.
    priority
    priority field in the protocol.
    facility
    facility field in the protocol.
    severity
    severity field in the protocol.
    timestamp
    Timestamp of the log.
    content
    Log content, which will contain all the content of unparsed logs if parsing fails.
    SOURCE
    IP of the current host.
    client_ip
    Client IP for log transfer.
    문의하기

    고객의 업무에 전용 서비스를 제공해드립니다.

    기술 지원

    더 많은 도움이 필요하시면, 티켓을 통해 연락 바랍니다. 티켓 서비스는 연중무휴 24시간 제공됩니다.

    연중무휴 24시간 전화 지원