rsyslog Metric Collection

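Introduction

This collector builds on syslog metric collection: once rsyslog is configured, rsyslog data is reported to DataFlux.

Prerequisites

Configuration

Go to the conf.d/syslog directory under the DataKit installation directory, copy syslog.conf.sample and name the copy syslog.conf. An example follows:

rsyslog and syslog are configured in basically the same way; rsyslog additionally requires a change to the system's rsyslog configuration file so that metric data is sent to DataKit. See the official rsyslog documentation.

The basic configuration for rsyslog is as follows: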

[[inputs.syslog]]
  ## Protocol, address and port to host the syslog receiver.
  ## If no host is specified, then localhost is used.
  ## If no port is specified, 6514 is used (RFC5425#section-4.1).
  ##   ex: server = "tcp://localhost:6514"
  ##       server = "udp://:6514"
  ##       server = "unix:///var/run/telegraf-syslog.sock"
  server = "tcp://:6514"

  ## TLS Config
  # tls_allowed_cacerts = ["/etc/telegraf/ca.pem"]
  # tls_cert = "/etc/telegraf/cert.pem"
  # tls_key = "/etc/telegraf/key.pem"

  # Period between keep alive probes.
  # 0 disables keep alive probes.
  # Defaults to the OS configuration.
  # Only applies to stream sockets (e.g. TCP).
  keep_alive_period = "5m"

  # Maximum number of concurrent connections (default = 0).
  # 0 means unlimited.
  # Only applies to stream sockets (e.g. TCP).
  max_connections = 1024

  # Read timeout is the maximum time allowed for reading a single message (default = 5s).
  # 0 means unlimited.
  read_timeout = "5s"

  ## The framing technique with which it is expected that messages are transported (default = "octet-counting").
  ## Whether the messages come using the octet-counting (RFC5425#section-4.3.1, RFC6587#section-3.4.1),
  ## or the non-transparent framing technique (RFC6587#section-3.4.2).
  ## Must be one of "octet-counting", "non-transparent".
  # framing = "octet-counting"

  ## The trailer to be expected in case of non-transparent framing (default = "LF").
  ## Must be one of "LF", or "NUL".
  # trailer = "LF"

  # Whether to parse in best effort mode or not (default = false).
  # By default best effort parsing is off.
  best_effort = false

  ## Character to prepend to SD-PARAMs (default = "_").
  ## A syslog message can contain multiple parameters and multiple identifiers within structured data section.
  ## Eg., [id1 name1="val1" name2="val2"][id2 name1="val1" nameA="valA"]
  ## For each combination a field is created.
  ## Its name is created concatenating identifier, sdparam_separator, and parameter name.
  # sdparam_separator = "_"

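rsyslog integration:

On most systems the rsyslog configuration lives in /etc/rsyslog.conf and the /etc/rsyslog.d/ directory. Add new configuration to the config directory (/etc/rsyslog.d/) rather than the main file, which simplifies updates to the main configuration file.

Add the following configuration to /etc/rsyslog.d/50-default.conf, adjusting the target address to match the syslog configuration above: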

$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName srvrfwd # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down

# forward over tcp with octet framing according to RFC 5425
*.* @@(o)127.0.0.1:6514;RSYSLOG_SyslogProtocol23Format

# uncomment to use udp according to RFC 5424
#*.* @127.0.0.1:6514;RSYSLOG_SyslogProtocol23Format

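# RainerScript form of the legacy forwarding rule above:
# forward over tcp with octet framing according to RFC 5425.
# Keep only one of the two forms active, otherwise every message is forwarded twice.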
action(type="omfwd" Protocol="tcp" TCP_Framing="octet-counted" Target="127.0.0.1" Port="6514" Template="RSYSLOG_SyslogProtocol23Format")

# uncomment to use udp according to RFC 5424
#action(type="omfwd" Protocol="udp" Target="127.0.0.1" Port="6514" Template="RSYSLOG_SyslogProtocol23Format")

To complete the TLS setup, refer to the documentation.

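Collected metrics

  • syslog

| Metric | Description | Type | Unit |
| --- | --- | --- | --- |
| version | Version number | integer | - |
| severity_code | Severity code | integer | - |
| facility_code | Facility (program module) code | integer | - |
| timestamp | Timestamp | integer | - |
| procid | | string | - |
| msgid | | string | - |
| sdid | | bool | - |
| Structured Data | Structured data | string | - |

| Tag name | Description |
| --- | --- |
| severity | Severity |
| facility | Facility (program module) |
| hostname | Host name |
| appname | Application name |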
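
To make the octet-counting framing and the metric and tag names above concrete, the following added example (not DataKit's or rsyslog's own code) splits an octet-counted TCP stream into frames and derives the fields from each RFC 5424 message, including the SD-PARAM names built with sdparam_separator. The names split_frames, parse, MAX_FRAME and the "message" field are assumptions of this example, the sample messages are constructed, and the timestamp is kept as a string rather than converted to an integer.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, space separated
HEADER = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
SD_PARAM = re.compile(r' ([^ =\]"]+)="((?:[^"\\\]]|\\.)*)"')
SD_ELEMENT = re.compile(r'\[([^ =\]"]+)((?:' + SD_PARAM.pattern + r')*)\]')
MAX_FRAME = 8192  # assumed cap: never trust the sender's declared length unbounded


def split_frames(stream: bytes):
    """Split an octet-counted stream (RFC 6587 3.4.1): MSG-LEN SP SYSLOG-MSG."""
    frames, pos = [], 0
    while pos < len(stream):
        sp = stream.find(b" ", pos)
        if sp == -1 or not stream[pos:sp].isdigit():
            raise ValueError("missing or non-numeric MSG-LEN")
        length = int(stream[pos:sp])
        end = sp + 1 + length
        if not 0 < length <= MAX_FRAME or end > len(stream):
            raise ValueError("MSG-LEN out of bounds or frame truncated")
        frames.append(stream[sp + 1:end])
        pos = end
    return frames


def parse(msg: bytes, sdparam_separator: str = "_"):
    """Return (tags, fields) named as in the tables above."""
    text = msg.decode("utf-8")
    m = HEADER.match(text)
    if not m or int(m.group(1)) > 191:  # highest PRI is facility 23, severity 7
        raise ValueError("not a valid RFC 5424 header")
    pri, version, ts, host, app, procid, msgid = m.groups()
    tags = {"hostname": host, "appname": app}
    fields = {"version": int(version), "facility_code": int(pri) >> 3,
              "severity_code": int(pri) & 7, "timestamp": ts,
              "procid": procid, "msgid": msgid}
    rest = text[m.end():]
    if rest.startswith("-"):  # NILVALUE: no structured data
        rest = rest[1:]
    while (e := SD_ELEMENT.match(rest)):  # one field per SD-ID / SD-PARAM pair
        for name, value in SD_PARAM.findall(e.group(2)):
            fields[e.group(1) + sdparam_separator + name] = value
        rest = rest[e.end():]
    fields["message"] = rest.lstrip(" ")  # field name assumed by this example
    return tags, fields


# Constructed sample messages, framed the way the tcp forwarding rule above sends them
SAMPLES = (b'<34>1 2024-05-01T12:00:00Z web01 sshd 1234 ID47 '
           b'[exampleSDID@32473 iut="3" eventSource="App"] login failed',
           b'<165>1 2024-05-01T12:00:01Z web01 cron - - - job done')
STREAM = b"".join(str(len(m)).encode() + b" " + m for m in SAMPLES)
```

A frame whose declared length exceeds the bytes received, or exceeds MAX_FRAME, is rejected instead of being read past its boundary.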