Rsyslog 收集Docker日志-配置玩转

rsyslog安装没什么好说的，略过

配置文件修改前，需注意3点：

1. 先关闭selinux、firewalld等防火墙，后面再放行

2. 主机名修改，推荐

  hostnamectl set-hostname server       （主rsyslog服务器）

  hostnamectl set-hostname client       （客户端rsyslog服务器）

3. 域名解析修改/etc/hosts，主服务、客户端都添加

  192.168.0.229           server

  192.168.0.230           client

下面直接开始配置rsyslog的配置文件

rsyslog服务端配置/etc/rsyslog.conf

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html

# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html

# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)

       SysSock.Use="off") # Turn off message reception via local log socket;

                          # local messages are retrieved through imjournal now.

module(load="imjournal"             # provides access to the systemd journal

       StateFile="imjournal.state") # File to store the position in the journal

#module(load="imklog") # reads kernel messages (the same are read from journald)

#module(load"immark") # provides --MARK-- message capability

# Provides UDP syslog reception

# for parameters see http://www.rsyslog.com/doc/imudp.html

module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception

# for parameters see http://www.rsyslog.com/doc/imtcp.html

module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files

global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format

module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/

include(file="/etc/rsyslog.d/*.conf" mode="optional")

#### RULES ####

# Log all kernel messages to the console.

# Logging much else clutters up the screen.

#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.

authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.

mail.*                                                  -/var/log/maillog

# Log cron stuff

cron.*                                                  /var/log/cron

# Everybody gets emergency messages

*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.

uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log

local7.*                                                /var/log/boot.log

# ### sample forwarding rule ###

#action(type="omfwd"  

# An on-disk queue is created for this action. If the remote host is

# down, messages are spooled to disk and sent when it is up again.

#queue.filename="fwdRule1"       # unique name prefix for spool files

#queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)

#queue.saveonshutdown="on"       # save messages to disk on shutdown

#queue.type="LinkedList"         # run asynchronously

#action.resumeRetryCount="-1"    # infinite retries if host is down

# Remote Logging (we use TCP for reliable delivery)

# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514

#Target="remote_host" Port="XXX" Protocol="tcp")

# /var/log/my/%programname%_%$year%-%$month%-%$day%.log

$template RemoteLogs,"/var/log/my/%HOSTNAME%/%PROGRAMNAME%/%PROGRAMNAME%_%$YEAR%-%$MONTH%-%$DAY%.log" *
*.* ?RemoteLogs
& ~

释义：

  上面4行绿色文字为打开514端口转发

  下面3行绿色文字为日志收集模板

********************************************************************************************************************************************************

rsyslog客户端配置/etc/rsyslog.conf

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html

# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html

# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)

       SysSock.Use="off") # Turn off message reception via local log socket;

                          # local messages are retrieved through imjournal now.

module(load="imjournal"             # provides access to the systemd journal

       StateFile="imjournal.state") # File to store the position in the journal

#module(load="imklog") # reads kernel messages (the same are read from journald)

#module(load"immark") # provides --MARK-- message capability

# Provides UDP syslog reception

# for parameters see http://www.rsyslog.com/doc/imudp.html

module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception

# for parameters see http://www.rsyslog.com/doc/imtcp.html

module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files

global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format

module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/

include(file="/etc/rsyslog.d/*.conf" mode="optional")

#### RULES ####

# Log all kernel messages to the console.

# Logging much else clutters up the screen.

#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.

authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.

mail.*                                                  -/var/log/maillog

# Log cron stuff

cron.*                                                  /var/log/cron

# Everybody gets emergency messages

*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.

uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log

local7.*                                                /var/log/boot.log

# ### sample forwarding rule ###

#action(type="omfwd"  

# An on-disk queue is created for this action. If the remote host is

# down, messages are spooled to disk and sent when it is up again.

#queue.filename="fwdRule1"       # unique name prefix for spool files

#queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)

#queue.saveonshutdown="on"       # save messages to disk on shutdown

#queue.type="LinkedList"         # run asynchronously

#action.resumeRetryCount="-1"    # infinite retries if host is down

# Remote Logging (we use TCP for reliable delivery)

# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514

#Target="remote_host" Port="XXX" Protocol="tcp")

*.* @@192.168.0.229:514           # @@表示TCP协议

*.* @192.168.0.229:514               # @ 表示 UDP 协议

释义：

  上面4行绿色文字为打开514端口转发

  下面 2 行绿色文字为通过TCP和UDP协议转发本机所有日志到192.168.0.229的rsyslog主服务器上

**************************************************************************************************************************************************

Docker容器日志收集到rsyslog主服务器

docker run -d -p 8080:80 --name nginx-test --log-driver syslog --log-opt syslog-address=tcp://client:514 --log-opt tag="{{.ID}}" nginx

日志会收集到/var/log/my/%HOSTNAME%/%PROGRAMNAME%/%PROGRAMNAME%_%$YEAR%-%$MONTH%-%$DAY%.log

注意：tag还可以更精确一点，因为docker提供了丰富的模板标签：

  {{.ID}}：容器ID的前12个字符

  {{.FullID}}：容器ID的完整名称

  {{.Name}}：容器名称

  {{.ImageID}}：容器镜像ID的前12个字符

  {{.ImageFullID}}：容器镜像ID的完整名称

  {{.ImageName}}：容器镜像名称

  {{.DaemonName}}：Docker守护进程名称（名为docker）