一条日志的处理流程大概是这样的,如下
首先是
"日志的来源
source s_name { ... };"
然后是
"过滤规则
filter f_name { ... };"
再然后是 "消息链
log { source(s_name); filter(f_name); destination(d_name) };"
最后是
"目标动作
destination d_name { ... };"
这样一来,一条日志就会按照你的意图被处理了。需要注意的是:一条日志消息进入后,会依次与所有已定义的 log 语句进行匹配,并不是匹配到一条就停止;如果希望某条 log 语句匹配之后不再继续往下匹配,需要在该 log 语句中显式加上 flags(final)。
@version:3.2

# Global defaults; individual source/destination drivers may override these.
options {
    flush_lines(0);         # 0 = do not batch output lines
    time_reopen(10);        # seconds to wait before retrying a failed destination / program
    log_fifo_size(2048);    # per-destination output queue length, in messages
    long_hostnames(off);    # deprecated alias of chain_hostnames(); do not prepend the relay chain
    use_dns(no);            # never resolve sender addresses (no blocking on DNS, no DNS-poisoned names)
    use_fqdn(no);
    create_dirs(yes);       # let file() destinations create missing directories
    keep_hostname(yes);     # NOTE(review): trusts the hostname field of received messages;
                            # together with ${HOST} in file paths this lets a remote sender
                            # choose the file/directory name -- confirm this syslog-ng version
                            # rejects '/' and '..' in the hostname field
};
# Local inputs: syslog-ng's own messages, the local syslog socket and the kernel ring buffer.
source s_sys {
    internal();
    unix-stream("/dev/log");
    # Kernel messages carry no program name, so tag them explicitly.
    # /proc/kmsg can have only one reader: make sure no klogd/other reader is running.
    file("/proc/kmsg" program_override("kernel: "));
};
# Remote inputs: plain UDP syslog on every interface.
# NOTE(review): UDP syslog is unauthenticated and trivially spoofable (source address and
# hostname are both sender-controlled). If this collector is reachable from untrusted
# networks, bind ip() to the management interface, firewall 514/udp to known senders,
# or move senders to tcp() / TLS where they support it.
source net {
udp(ip(0.0.0.0),port(514));
};
# One file per sender per day; create_dirs(yes) in options lets the date directory be created.
# NOTE(review): ${HOST} comes from the received message (keep_hostname(yes)), so a remote
# sender chooses the file name. If this syslog-ng version does not reject '/' or '..' in the
# hostname field, a crafted message could write outside net_log/ -- confirm, or key the file
# on a value the sender cannot forge as easily (e.g. the source address).
destination net_log {
file ("/mnt/logdata/net_log/net_log/${YEAR}.${MONTH}.${DAY}/${HOST}.log" );
};
# Flat "messages" file; no log {} statement in this excerpt routes to it.
destination d_mesg {
    file("/mnt/logdata/net_log/log/messages");
};
# Failures and master/backup role changes that are worth storing in the database.
# match() without type() is a regular-expression match in 3.2; these patterns contain no
# metacharacters, so they behave as plain substring tests.
filter f_net_hill {
    match("item failed"      value(MESSAGE)) or
    match("Backup to Master" value(MESSAGE)) or
    match("Master to Backup" value(MESSAGE));
};
# Messages whose text contains "OWA~false" ('~' is not a regex metacharacter).
filter f_iis_msg {
    match("OWA~false" value(MESSAGE));
};
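# Cluster-membership change ("... is leaving the cluster"), presumably from the mail
# service judging by the filter name. Written as match(... value(MESSAGE)) like the other
# filters in this file; message() is the deprecated spelling of the same test.
# Not referenced by any log {} statement shown in this excerpt.
filter f_sys_mail {
    match("正在离开群集" value(MESSAGE));
};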
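# Write selected messages to MySQL through a FIFO.
# program() starts one long-lived mysql client that executes whatever arrives on the FIFO;
# pipe() renders each message as an INSERT statement into that same FIFO.
# The FIFO must exist before syslog-ng starts (mkfifo -m 600 /opt/pipe/myhill.pipe).
#
# Credentials live in /etc/syslog-ng/myhill.cnf (owner root, mode 600):
#   [client]
#   user=syslog
#   password=...
# instead of -u/-p arguments, which every local user can read from ps / /proc/<pid>/cmdline.
# --defaults-extra-file must be the first argument to mysql. Grant that DB user INSERT on
# w_net_hill_logs only.
#
# NOTE(review): the template is string-built SQL; template-escape(yes) backslash-escapes
# ' " and \ in every macro, which is what keeps a crafted $HOST or $MSG from a remote
# sender from breaking out of the quoted literal. That relies on the MySQL session not
# running with NO_BACKSLASH_ESCAPES -- confirm the server's sql_mode.
# NOTE(review): the shell redirect replaces the child's stdin with the FIFO, so the copy of
# each message that program() itself writes to the child's stdin is not what mysql reads;
# rows reach mysql only via pipe(). If the client exits, messages queue until program()
# restarts it after time_reopen -- confirm behaviour under sustained load.
destination mysql_net_hill {
    program("mysql --defaults-extra-file=/etc/syslog-ng/myhill.cnf -h10.2.178.20 itcc_zabbix < /opt/pipe/myhill.pipe");
    pipe("/opt/pipe/myhill.pipe"
        template("INSERT INTO w_net_hill_logs (host, datetime, msg) VALUES ( '$HOST', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$MSG' );\n")
        template-escape(yes)
    );
};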
# Route messages from the mail system that match f_iis_msg to the IIS MySQL destination.
# NOTE(review): source mail_system and destination mysql_iis are not defined in this
# excerpt; they must exist elsewhere in the config, or syslog-ng fails to start on the
# undefined reference. Nothing shown here routes s_sys / net to net_log, d_mesg or
# mysql_net_hill -- each needs its own log {} statement.
log { source(mail_system);filter(f_iis_msg); destination(mysql_iis); };
创建pipe目录
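# Directory holding the FIFOs used by the pipe() destinations; -p keeps this step re-runnable.
mkdir -p /opt/pipe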
创建pipe文件
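# Create the FIFO a pipe() destination writes to. The path must match the pipe() argument
# exactly (mysql_net_hill above uses /opt/pipe/myhill.pipe -- one FIFO per destination).
# -m 600: the mysql client executes the FIFO's content verbatim, so anyone who can write it
# can inject arbitrary SQL; syslog-ng and the client it spawns run as the same user, so
# owner-only access is enough.
mkfifo -m 600 /opt/pipe/myiis.pipe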
pipe 文件的路径必须与 destination 里 pipe() 写的路径完全一致(上面的 mysql_net_hill 用的是 /opt/pipe/myhill.pipe,每个走 pipe 的 destination 都要单独 mkfifo 一个)。另外要注意:mysql 客户端会原样执行 FIFO 里的内容,任何能写入这个 FIFO 的本地用户都可以直接注入任意 SQL,因此 FIFO 权限要收紧(例如 mkfifo -m 600),不要用默认权限。
改用 syslog-ng 自带的 sql() 驱动直接写库的方式,参考如下(要求 syslog-ng 编译时带 libdbi 支持;数据库密码同样会明文出现在配置文件里,注意把配置文件权限收紧为仅 root 可读):
# Direct database destination using the sql() driver (requires a syslog-ng build with
# libdbi support). One row per message; syslog-ng creates the table and indexes if they
# do not already exist.
# NOTE(review): the password is in clear text here -- keep syslog-ng.conf readable by root
# only (or pull this block in from an include file with mode 600), give the DB user
# INSERT-only rights on "logs", and note the connection to 172.16.1.20 is plain TCP unless
# the server enforces TLS.
# NOTE(review): values are quoted by the sql() driver itself (no template-escape() here),
# so $MSG from untrusted senders should not be able to inject SQL -- confirm for 3.2.
destination d_mysql {
    sql(
        type(mysql)
        host("172.16.1.20")
        username("syslog")
        password("Pass123!")
        database("syslog")
        table("logs")
        columns("host", "facility", "priority", "level", "tag", "datetime", "program", "msg")
        values("$HOST", "$FACILITY", "$PRIORITY", "$LEVEL", "$TAG",
               "$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC", "$PROGRAM", "$MSG")
        indexes("datetime", "host")
    );
};