rsyslog can be understood as a multi-threaded, enhanced version of syslog. It extends classic syslog with many additional features, such as database output (MySQL, PostgreSQL, Oracle, etc.), log content filtering, and user-defined log format templates. Most current Linux distributions use rsyslog for logging by default. rsyslog offers three remote transport protocols:

UDP transport
Remote log transfer over traditional UDP, which is also the transport used by classic syslog. Reliability is low but the performance cost is the smallest; when the network is poor or the receiving server is under heavy load, log messages may be lost. Suitable when log completeness is not critical and the LAN is reliable.

TCP transport
Plaintext transmission over traditional TCP; delivery is acknowledged, so reliability is high. Logs can still be lost when the receiving server goes down or the network between the two ends fails. Compared with UDP this protocol is much more reliable, it is supported natively by rsyslog and simple to configure, and additional configuration (such as an on-disk action queue) can further reduce the risk of loss, so it is widely used.

RELP transport
RELP (Reliable Event Logging Protocol) is a reliable log-transfer protocol encapsulated on top of TCP. It is implemented at the application layer to address the weaknesses of both the TCP and UDP transports, and it is the most reliable of the three. The extra package rsyslog-relp must be installed to support this protocol.

For production servers, for the sake of log security, the RELP protocol is recommended for transmission.
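As an added example (not part of the original post), the following Python script shows what rsyslog's @host (UDP) and @@host (TCP) actions and the logger -p local5.notice -t bash command used later on this page actually put on the wire: the PRI field that selectors such as local5.* are matched against, the RFC 3164 header, and a loopback UDP round trip that stands in for the remote log server. Host names, PIDs and message text are constructed.

```python
"""Added example: build, send and decode BSD-syslog (RFC 3164) messages the way
logger -p local5.notice -t bash and rsyslog's @host (UDP) / @@host (TCP)
actions do.  Not from the original post; hostnames, PIDs and text are constructed."""
import socket
import time

# Facility codes 0-23 (names for 12-15 vary between implementations).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity.  A receiver-side selector such as
    local5.* or *.info is evaluated against these two numbers."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def build_message(facility, severity, tag, msg, hostname="gitlab", pid=None, ts=None):
    """<PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG, the layout logger(1) produces."""
    ts = ts or time.strftime("%b %d %H:%M:%S")
    tagpid = "%s[%d]" % (tag, pid) if pid is not None else tag
    return "<%d>%s %s %s: %s" % (encode_pri(facility, severity), ts, hostname, tagpid, msg)


def parse_message(raw):
    """Split a message back into the properties rsyslog templates expose
    (%msg%, the tag, the header timestamp); %fromhost-ip% comes from the socket."""
    if not raw.startswith("<") or ">" not in raw:
        raise ValueError("missing PRI")
    close = raw.index(">")
    facility, severity = decode_pri(int(raw[1:close]))
    rest = raw[close + 1:]
    timestamp = rest[:15]                      # "Aug 16 18:39:56" is fixed width
    hostname, tail = rest[16:].split(" ", 1)
    tag, msg = tail.split(": ", 1)
    return {"facility": facility, "severity": severity, "timestamp": timestamp,
            "hostname": hostname, "tag": tag, "msg": msg}


def send_udp(message, host, port=514):
    """rsyslog @host: one datagram per message, no acknowledgement, so a
    dropped packet is a silently lost log line."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), (host, port))


def send_tcp(messages, host, port=514):
    """rsyslog @@host: plaintext TCP, one message per line.  TCP acknowledges
    the bytes, but a receiver that dies with data in its buffers still loses them."""
    with socket.create_connection((host, port)) as s:
        s.sendall("".join(m + "\n" for m in messages).encode("utf-8"))


def udp_roundtrip(message):
    """Offline demo: a loopback UDP listener stands in for the remote rsyslog
    server; returns the decoded message plus the sender address the server
    would put into %fromhost-ip%."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server:
        server.bind(("127.0.0.1", 0))          # ephemeral port, no root needed
        server.settimeout(2)
        send_udp(message, "127.0.0.1", server.getsockname()[1])
        data, (src_ip, _) = server.recvfrom(65535)
    parsed = parse_message(data.decode("utf-8"))
    parsed["fromhost-ip"] = src_ip
    return parsed


if __name__ == "__main__":
    audit = build_message("local5", "notice", "bash",
                          "user=root,ppid=124297,pwd=/root,command:ls", pid=138413)
    print(audit)
    print(udp_roundtrip(audit))
```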

A simple rsyslog configuration record follows (here the company firewall sends its logs over UDP to the rsyslog log server in the IDC):

1. rsyslog server deployment
Install the rsyslog package (rsyslog is installed by default on all distributions; if it is missing on the system, install it with yum as follows):
[root@zabbix ~]# yum install rsyslog -y

Configuration:
[root@zabbix ~]# cat /etc/rsyslog.conf
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp                                          # open UDP port 514 ; TCP port 514 could be opened as well , but here only UDP is accepted
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

$WorkDirectory /var/lib/rsyslog
$AllowedSender udp, 192.168.17.0/8                    # only accept UDP logs from the 192.168.17.0 segment ( the company firewall IP addresses ) ; note that /8 actually matches all of 192.0.0.0/8 , /24 would restrict it to this segment
#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/data/fw_logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"           # define the template : path of the file the received logs are written to , so logs from different hosts are kept apart
:fromhost-ip, !isequal, "127.0.0.1" ?Remote                                                        # filter out the server's own local logs
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
local4.*                                                /data/fw.log

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###


[root@zabbix ~]# mkdir /data/fw_logs/

[root@zabbix ~]# /etc/init.d/rsyslog restart


2. On the company firewalls (192.168.17.41/42), configure the UDP log output policy (add the rsyslog server's IP and port 514 to the firewall's log settings).

3. After a while, the firewall's log output can be seen in the log directory configured on the rsyslog log server:
[root@zabbix ~]# ll /data/fw_logs/
total 4.0K
drwxrwxrwx   4 root root   46 Jul 28 10:40 .
drwxr-xr-x. 18 root root 4.0K Jul 28 10:38 ..
drwx------   2 root root   41 Jul 28 10:37 192.168.17.41
drwx------   2 root root   41 Jul 28 10:40 192.168.17.42
[root@zabbix ~]# ll /data/fw_logs/192.168.17.41
total 16K
drwx------ 2 root root  41 Jul 28 10:37 .
drwxrwxrwx 4 root root  46 Jul 28 10:40 ..
-rw------- 1 root root 13K Jul 28 14:02 192.168.17.41_2017-07-28.log


------------------------------------------------------------------------------------
The IP whitelist in rsyslog.conf on the rsyslog server can also be set to the clients' IP range, for example:
$AllowedSender tcp, 172.18.0.0/16                  # receive TCP logs from clients in the 172.18.0.0/16 segment ; this requires TCP port 514 to be opened ( $ModLoad imtcp and $InputTCPServerRun 514 )

Client configuration:
Only one line needs to be added to rsyslog.conf:
*.*                               @172.18.10.20                     # the IP after @ is the rsyslog server address ; a single @ sends over UDP , @@ sends over TCP ( needed to match a tcp whitelist )

Start rsyslog and the logging works.

==================== Another example =======================
The configuration above ships the company firewall's logs to rsyslog. Now there is a new requirement:
two other servers in the company IDC, 172.19.10.24 and 172.19.10.25, host gitlab, nexus, jenkins, jira and wiki. Their permission setup is complicated and many people need to log in. All operations of the users who log in to these two servers must now be recorded on the rsyslog log server, which amounts to an audit trail of user operations.

The configuration is as follows (building on the installation and configuration above; the server IP is 172.19.16.21):
1) rsyslog server configuration (compared with the configuration above, the AllowedSender source-IP whitelist has been removed, so logs from all machines are accepted; the firewall logs above are still collected)
[root@zabbix ~]# cat /etc/rsyslog.conf|grep -v "#"|grep -v "^$"
$ModLoad imudp
$UDPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Remote,"/data/fw_logs/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local5.*                                              /var/log/history.log

[root@zabbix ~]# /etc/init.d/rsyslog restart

2) Configuration on 172.19.10.24
[root@gitlab ~]# cat /etc/rsyslog.conf|grep -v "#"|grep -v "^$"
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local5.*    @172.19.16.21

[root@gitlab ~]# /etc/init.d/rsyslog restart

[root@gitlab ~]# cat /etc/profile                  # append the following at the end of the file
.......
export HISTTIMEFORMAT
export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'

3) Do the same configuration on the other server, 172.19.10.25
[root@nexus ~]# cat /etc/rsyslog.conf |grep -v "#"|grep -v "^$"
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local5.*   @172.19.16.21 

[root@nexus ~]# /etc/init.d/rsyslog restart

[root@nexus ~]# cat /etc/profile
.......
export HISTTIMEFORMAT
export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }'

4) After a while, collected logs appear under the rsyslog server's log directory /data/fw_logs
[root@zabbix fw_logs]# pwd
/data/fw_logs
[root@zabbix fw_logs]# cd
[root@zabbix ~]# cd /data/fw_logs/
[root@zabbix fw_logs]# ll
total 12K
drwxrwxrwx   6 root root   84 Aug 16 18:28 .
drwxr-xr-x. 18 root root 4.0K Aug 16 17:58 ..
drwx------   2 root root   74 Aug 17 09:50 172.19.10.24
drwx------   2 root root   74 Aug 17 10:00 172.19.10.25
drwx------   2 root root 4.0K Aug 17 00:01 192.168.17.41
drwx------   2 root root 4.0K Aug 17 00:01 192.168.17.42
[root@zabbix fw_logs]# cd 172.19.10.24/
[root@zabbix 172.19.10.24]# ll
total 20K
drwx------ 2 root root  74 Aug 17 09:50 .
drwxrwxrwx 6 root root  84 Aug 16 18:28 ..
-rw------- 1 root root 14K Aug 16 20:45 172.19.10.24_2017-08-16.log
-rw------- 1 root root 771 Aug 17 10:03 172.19.10.24_2017-08-17.log
[root@zabbix 172.19.10.24]# cat 172.19.10.24_2017-08-16.log
Aug 16 18:39:56 gitlab bash[138413]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:39:56 gitlab bash[138418]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:39:56 gitlab bash[138422]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:39:57 gitlab bash[138426]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:40:30 gitlab bash[138610]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/root,command:[2017-08-16 18:40:03]root pts/0 2017-08-16 18:40 (172.16.255.202)exit
Aug 16 18:40:43 gitlab bash[138652]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:43]root pts/0 2017-08-16 18:40 (172.16.255.202)cd /data/
Aug 16 18:40:43 gitlab bash[138657]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:43]root pts/0 2017-08-16 18:40 (172.16.255.202)ls
Aug 16 18:40:47 gitlab bash[138666]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:47]root pts/0 2017-08-16 18:40 (172.16.255.202)mkdir hahahahah
Aug 16 18:40:48 gitlab bash[138671]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:48]root pts/0 2017-08-16 18:40 (172.16.255.202)cd hahahahah/
Aug 16 18:40:48 gitlab bash[138677]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:48]root pts/0 2017-08-16 18:40 (172.16.255.202)ls
Aug 16 18:40:54 gitlab bash[138696]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:54]root pts/0 2017-08-16 18:40 (172.16.255.202)echo "Asdfasdf" >heihei
Aug 16 18:40:54 gitlab bash[138702]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:54]root pts/0 2017-08-16 18:40 (172.16.255.202)ls
.......

The log above shows that the operations on 172.19.10.24 are recorded in detail, so it is clear what each user who logged in to this machine did.
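To make these records useful for an audit, the receiving side needs to parse and de-duplicate them. The following Python script is an added example, not part of the original post: it parses the user=...,ppid=...,from=...,pwd=...,command:... records produced by the PROMPT_COMMAND trick above, collapses the repeated entries that PROMPT_COMMAND produces on every prompt, and flags root sessions from unexpected source addresses and commands that touch the audit trail itself. The trusted-source list and the last sample line are constructed; the other sample lines are taken from the output above.

```python
"""Added example (not part of the original post): parse the
user=...,ppid=...,from=...,pwd=...,command:... records that the PROMPT_COMMAND
logger trick ships to the rsyslog server, de-duplicate them and flag the
events an auditor would look at first.  The allow-list is constructed."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<rcv>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) bash\[(?P<pid>\d+)\]: "
    r"user=(?P<user>[^,]*),ppid=(?P<ppid>\d+),from=(?P<from>[^,]*),"
    r"pwd=(?P<pwd>.*?),command:(?P<cmd>.*)$")
# The clients' HISTTIMEFORMAT prepends "[date time]" and a who-am-i style
# session stamp ending in "(source-ip)"; strip both to get the bare command.
CMD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\](?:\S+ \S+ \S+ \S+ \((?P<ip>[^)]*)\))?(?P<cmd>.*)$")

# Constructed allow-list: jump hosts from which root logins are expected.
TRUSTED_SOURCES = {"172.19.16.28"}
# Commands that touch the audit trail or its transport deserve a second look.
TAMPER_RE = re.compile(
    r"history -c|unset HISTFILE|HISTSIZE=0|rsyslog|/etc/profile|PROMPT_COMMAND")

# First four lines copied from the output above, the last one constructed.
SAMPLE = """\
Aug 16 18:39:56 gitlab bash[138413]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:39:56 gitlab bash[138418]: user=root,ppid=124297,from=172.19.16.28 29338 22,pwd=/root,command:[2017-08-16 18:39:56]root pts/5 2017-08-16 17:23 (172.19.16.28)/etc/init.d/rsyslog restart
Aug 16 18:40:43 gitlab bash[138652]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data,command:[2017-08-16 18:40:43]root pts/0 2017-08-16 18:40 (172.16.255.202)cd /data/
Aug 16 18:40:54 gitlab bash[138696]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:40:54]root pts/0 2017-08-16 18:40 (172.16.255.202)echo "Asdfasdf" >heihei
Aug 16 18:41:10 gitlab bash[138710]: user=root,ppid=138586,from=172.16.255.202 52496 22,pwd=/data/hahahahah,command:[2017-08-16 18:41:10]root pts/0 2017-08-16 18:40 (172.16.255.202)history -c
""".splitlines()


def parse_line(line):
    """Return a dict of fields, or None for lines that are not audit records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    c = CMD_RE.match(rec["cmd"])
    rec["hist_ts"] = c.group("ts") if c else ""
    rec["cmd"] = (c.group("cmd") if c else rec["cmd"]).strip()
    # $SSH_CLIENT is "ip port 22"; it is empty for console logins.
    rec["src_ip"] = rec["from"].split()[0] if rec["from"].strip() else ""
    return rec


def dedupe(records):
    """PROMPT_COMMAND fires on every prompt, so the last history entry is
    logged again each time Enter is pressed on an empty line (see the four
    identical 'rsyslog restart' lines above).  Key on shell, time and command."""
    seen, out = set(), []
    for r in records:
        key = (r["ppid"], r["hist_ts"], r["cmd"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def review(lines):
    """Summarise sessions and return findings as (kind, source_ip, command)."""
    records = dedupe(r for r in map(parse_line, lines) if r)
    findings = []
    for r in records:
        if r["src_ip"] and r["src_ip"] not in TRUSTED_SOURCES:
            findings.append(("untrusted-source", r["src_ip"], r["cmd"]))
        if TAMPER_RE.search(r["cmd"]):
            findings.append(("audit-tamper", r["src_ip"], r["cmd"]))
    sessions = Counter((r["user"], r["ppid"], r["src_ip"]) for r in records)
    return {"events": len(records), "sessions": dict(sessions), "findings": findings}


if __name__ == "__main__":
    result = review(SAMPLE)
    print("%d distinct commands in %d sessions" % (result["events"], len(result["sessions"])))
    for kind, ip, cmd in result["findings"]:
        print("%-16s %-16s %s" % (kind, ip or "(console)", cmd))
```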

===================== Collecting nginx logs to a remote server with rsyslog ====================
Requirement: use the rsyslog service to synchronise the log /data/nginx/logs/www.kevin.com-access.log on server 192.168.10.21 in real time to server 192.168.10.52 (under the path /data/rsyslog/nginx).

1) 192.168.10.21 is the rsyslog client, i.e. the side that pushes the logs. With rsyslog the client actively pushes its own logs to the remote server.
The steps are as follows:
[root@nginx-server ~]# yum install rsyslog -y
[root@nginx-server ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
[root@nginx-server ~]# cat /etc/rsyslog.conf
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability
$ModLoad imfile                               ## load the imfile module ; this line is added manually

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local5.none                /var/log/messages             ## do not write local5 logs to messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
user.info /var/log/history

# Add the following lines at the bottom of the file
$InputFileName /data/nginx/logs/www.kevin.com-access.log        ## log file to read ( the file to monitor )
$InputFileTag web_access             ## tag string written into each log message
$InputFileSeverity info           ## severity level
$InputFileStateFile /etc/rsyslog.d/stat-access         ## records the read offset and related state ( similar to master.info in mysql ) ; if the log file name changes , this state file name must change too , otherwise nothing is transmitted
$InputFileFacility local5         ## facility
$InputFilePollInterval 1          ## interval between checks of the log file ( seconds )
$InputFilePersistStateInterval 1       ## interval between writes of the offset to the state file ( seconds )
$InputRunFileMonitor                          ## activate reading ; several groups of file-reading directives can be defined , and each group must end with this directive to take effect
local5.*  @192.168.10.52            ## all severities of facility local5 are sent over UDP to 192.168.10.52

Restart the rsyslog service:
[root@nginx-server ~]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]

As the log push side, rsyslog does not need to open port 514 (in the rsyslog.conf above neither the UDP nor the TCP 514 listener is enabled):
[root@nginx-server ~]# lsof -i:514
[root@nginx-server ~]#

2) 192.168.10.52 is the rsyslog server, i.e. the receiving side of the logs.
The configuration is as follows:
[root@log-server ~]# yum install rsyslog -y
[root@log-server ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
[root@log-server ~]# cat /etc/rsyslog.conf
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp                   ## load the imudp module
$UDPServerRun 514            ## enable UDP reception and set the port number

# Provides TCP syslog reception
$ModLoad imtcp                 ## load the imtcp module
$InputTCPServerRun 514             ## enable TCP reception and set the port number ; the TCP and UDP listeners can be used at the same time

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Define a template for the format of the received log message ( by default several header fields are prepended to the stored log line )
$template  SpiceTmpl,"%msg%\n"                   ## %msg:2:$% would additionally drop the leading space of the message

# Define a template for the storage path of the received log file ; the %...% parts name the file by year-month-day
$template  DynaFile,"/data/rsyslog/nginx/%$YEAR%-%$MONTH%-%$DAY%.log"

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local5.none                /var/log/messages            ## do not write local5 facility logs to messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# Logs sent by the clients' local5 facility are stored at the location defined by the template ( ? means a dynamic file name template )
local5.*                       ?DynaFile;SpiceTmpl

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

Edit "SYSLOGD_OPTIONS=" in /etc/sysconfig/rsyslog to enable remote log reception:
[root@log-server ~]# cat /etc/sysconfig/rsyslog
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS="-c 5"

Create the storage directory defined for the received logs:
[root@log-server ~]# mkdir -p /data/rsyslog/nginx

Restart the rsyslog service:
[root@log-server ~]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
[root@log-server ~]# lsof -i:514
COMMAND    PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
rsyslogd 24594 root    2u  IPv4 38927639      0t0  TCP *:shell (LISTEN)
rsyslogd 24594 root    3u  IPv4 38927635      0t0  UDP *:syslog
rsyslogd 24594 root    4u  IPv6 38927636      0t0  UDP *:syslog
rsyslogd 24594 root    5u  IPv6 38927640      0t0  TCP *:shell (LISTEN)

Check whether logs are being received:
[root@log-server ~]# ll /data/rsyslog/nginx/
total 550876
-rw------- 1 root root 483539594 Jun 13 12:58 2018-06-13.log
[root@log-server ~]# tail -2 /data/rsyslog/nginx/2018-06-13.log
1.203.163.198 - [27/Apr/2018:00:17:53 +0800] "POST /scf/%7B%7BloginConfig.loginSubmitUrl%7D%7D HTTP/1.1" 302 0 "https://www.kevin.com/scf/login" Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.62 Safari/537.36 - 0.010 0.003 10.0.54.21:9020 302
1.203.163.198 - [27/Apr/2018:00:17:53 +0800] "POST /scf/%7B%7BloginConfig.loginSubmitUrl%7D%7D HTTP/1.1" 302 0 "https://www.kevin.com/scf/login" Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.62 Safari/537.36 - 0.012 0.003 10.0.54.21:9020 302

========================= Reminder ========================
rsyslog can also collect several log files at once; note the following:
$InputFileTag        the APPNAME it defines must be unique; different applications on the same host must use different APPNAMEs, otherwise the newly defined TOKEN and TAG do not take effect;
$template          the template name it defines must be unique, otherwise the newly defined TOKEN and TAG do not take effect;
$InputFileStateFile        the StateFile it defines must be unique, since rsyslog uses it to record how far the file has been uploaded; otherwise the uploads get mixed up;
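These three rules are easy to break when a stanza is copy-pasted, so it pays to check a config before restarting. The following Python linter is an added example, not part of the original post: it walks a legacy-format rsyslog.conf, reports duplicate $InputFileTag, $template and $InputFileStateFile values, and reports any $InputFileName stanza that is not closed by $InputRunFileMonitor. The sample config is constructed to mirror the two-file sender config on this page and deliberately re-uses a state file.

```python
"""Added example (not part of the original post): lint a legacy-format
rsyslog.conf that reads several files with imfile, enforcing the uniqueness
rules listed above (tag, template name, state file) and checking that every
$InputFileName stanza is closed by $InputRunFileMonitor.  The sample config
is constructed to mirror the one on this page, with one deliberate mistake."""
import re

DIRECTIVE_RE = re.compile(r"^\$(\w+)(?:\s+(.*?))?\s*$")


def parse_directives(text):
    """Yield (name, value) for '$Name value' lines; comments, blank lines and
    selector rules such as 'local5.* @host' are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing ## comments
        m = DIRECTIVE_RE.match(line)
        if m:
            yield m.group(1), (m.group(2) or "").strip()


def lint_imfile_config(text):
    """Return a list of human-readable problems; empty means the config is clean."""
    problems, tags, states, templates = [], {}, {}, {}
    open_stanza = None   # file named by an $InputFileName still waiting for its monitor
    for name, value in parse_directives(text):
        if name == "template":
            tname = value.split(",", 1)[0].strip()
            if tname in templates:
                problems.append("template '%s' defined twice" % tname)
            templates[tname] = value
        elif name == "InputFileName":
            if open_stanza:
                problems.append("stanza for %s has no $InputRunFileMonitor" % open_stanza)
            open_stanza = value
        elif name == "InputFileTag":
            if value in tags:
                problems.append("tag '%s' re-used by %s (first: %s)" % (value, open_stanza, tags[value]))
            tags.setdefault(value, open_stanza)
        elif name == "InputFileStateFile":
            if value in states:
                problems.append("state file '%s' re-used by %s (first: %s)" % (value, open_stanza, states[value]))
            states.setdefault(value, open_stanza)
        elif name == "InputRunFileMonitor":
            if not open_stanza:
                problems.append("$InputRunFileMonitor without a preceding $InputFileName")
            open_stanza = None
    if open_stanza:
        problems.append("stanza for %s has no $InputRunFileMonitor" % open_stanza)
    return problems


# Constructed sender config: the second stanza re-uses the first one's state file.
SAMPLE_CONF = """\
$ModLoad imfile
*.info;mail.none;authpriv.none;cron.none;local5.none;local4.none   /var/log/messages

$InputFileName /data/nginx/logs/portal.kevin.com-access.log
$InputFileTag portal_access
$InputFileSeverity info
$InputFileStateFile /etc/rsyslog.d/stat1-access
$InputFileFacility local4
$InputRunFileMonitor
local4.*  @192.168.10.52

$InputFileName /data/nginx/logs/www.kevin.com-access.log
$InputFileTag web_access
$InputFileSeverity info
$InputFileStateFile /etc/rsyslog.d/stat1-access    ## mistake: same state file as above
$InputFileFacility local5
$InputRunFileMonitor
local5.*  @192.168.10.52
"""


if __name__ == "__main__":
    for problem in lint_imfile_config(SAMPLE_CONF) or ["no problems found"]:
        print(problem)
```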

Below is an rsyslog configuration that collects several logs; two log files are used as the example:

Configuration on the log push side

[root@external-lb01 ~]# cat /etc/rsyslog.conf
..........
$ModLoad imfile

.........
*.info;mail.none;authpriv.none;cron.none;local5.none;local4.none                /var/log/messages

.........

$InputFileName /data/nginx/logs/portal.kevin.com-access.log
$InputFileTag portal_access
$InputFileSeverity info
$InputFileStateFile /etc/rsyslog.d/stat1-access
$InputFileFacility local4
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor 
local4.*  @192.168.10.52

$InputFileName /data/nginx/logs/www.kevin.com-access.log
$InputFileTag web_access
$InputFileSeverity info
$InputFileStateFile /etc/rsyslog.d/stat-access
$InputFileFacility local5
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
local5.*  @192.168.10.52

Restart the rsyslog service on the log sender:
[root@external-lb01 ~]# /etc/init.d/rsyslog restart

Configuration on the log receiving side

[root@open-falcon01 ~]# cat /etc/rsyslog.conf
........
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

.........
$template SpiceTmpl,"%msg%\n" 
$template DynaFile,"/data/external-lb/nginx/nginx-access.log"

$template SpiceTmpl2,"%msg%\n" 
$template DynaFile2,"/data/external-lb/portal/portal-access.log"

.........
*.info;mail.none;authpriv.none;cron.none;local5.none;local4.none                /var/log/messages

.........
local5.*                                                ?DynaFile;SpiceTmpl
local4.*                                                ?DynaFile2;SpiceTmpl2

Restart the rsyslog service on the log receiver:
[root@open-falcon01 ~]# /etc/init.d/rsyslog restart

Check: when the corresponding URLs are accessed, the forwarded files appear and their content is forwarded in real time:
[root@open-falcon01 ~]# ll /data/external-lb/nginx/nginx-access.log
-rw------- 1 root root 1067372 Oct  9 10:51 /data/external-lb/nginx/nginx-access.log
[root@open-falcon01 ~]# ll /data/external-lb/portal/portal-access.log 
-rw------- 1 root root 88141 Oct  9 22:26 /data/external-lb/portal/portal-access.log

==========================================================================
Notes:
a) If no logs have been received, i.e. nothing is generated in the /data/rsyslog/nginx directory, restart the rsyslog service on both the push side and the receiving side at the same time, and make sure that iptables and selinux are disabled on both sides!
b) The storage path of the received log file can also be changed, for example to the following configuration:
$template  DynaFile,"/data/rsyslog/nginx/nginx-access.log"
After collection the stored log files look as follows:
[root@log-server ~]# ll /data/rsyslog/nginx/
total 571716
-rw------- 1 root root 483539594 Jun 13 12:58 2018-06-13.log
-rw------- 1 root root 101893593 Jun 13 13:13 nginx-access.log