{"id":361,"date":"2018-08-22T12:35:34","date_gmt":"2018-08-22T03:35:34","guid":{"rendered":"http:\/\/dong1lkim.oboki.net\/?p=361"},"modified":"2019-09-01T22:21:05","modified_gmt":"2019-09-01T13:21:05","slug":"fluentd-usecase-rsyslog","status":"publish","type":"post","link":"https:\/\/oboki.net\/workspace\/data-engineering\/fluentd\/fluentd-usecase-rsyslog\/","title":{"rendered":"[Fluentd] Usecase – rsyslog"},"content":{"rendered":"

Fluentd Use Case<\/h1>\n

rsyslog \ud50c\ub7ec\uadf8\uc778 \ud65c\uc6a9\ud558\uae30<\/h2>\n

\n fluentd \ub294 \uae30\ubcf8\uc801\uc73c\ub85c rsyslog \ub97c \uc218\uc2e0\ud558\uace0 \ud30c\uc2f1\ud560 \uc218 \uc788\ub294 \ud50c\ub7ec\uadf8\uc778\uc774 \uc124\uce58\ub41c\ub2e4.\n<\/p><\/blockquote>\n

rsyslogd \uc790\uccb4\uc801\uc73c\ub85c \ub85c\uadf8\ub97c \ubaa8\uc744\uc218 \uc788\ub294 \uae30\ub2a5\uc774 \uc788\uc73c\ubbc0\ub85c aggregator \uc11c\ubc84\ub97c \ud1b5\ud574 rsyslog \ub97c 1\ucc28\uc801\uc73c\ub85c \ubaa8\uc740 \ub2e4\uc74c, \uba87 \ub300\uc758 aggregator \uc11c\ubc84\uc5d0\uc11c fluentd \uc5d0\uac8c \ub85c\uadf8\ub97c \uc804\ub2ec\ud574\uc904 \uc218 \uc788\ub3c4\ub85d \ud55c\ub2e4.<\/p>\n

rsyslog data \ud750\ub984\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n

\n \uc5ec\ub7ec \ub300\uc758 syslog \ubc1c\uc0dd \uc11c\ubc84 -> \uba87 \ub300\uc758 \uc911\uac1c \uc11c\ubc84 -> fluentd -> elasticsearch\n<\/p><\/blockquote>\n

rsyslog config<\/h3>\n

remote rsyslog server<\/h4>\n

rsyslog \uc11c\ube44\uc2a4\ub97c \uc774\uc6a9\ud55c \ub85c\uadf8\uac00 \ubc1c\uc0dd\ud558\ub294 \uc11c\ubc84\uc5d0 \ub2e4\uc74c\uacfc \uac19\uc774 \uc124\uc815\ud55c\ub2e4.<\/p>\n

vi \/etc\/rsyslog.conf<\/code><\/p>\n

*.* @@192.168.179.141:10514\n$ActionExecOnlyWhenPreviousIsSuspended on\n&       @@192.168.179.142:10514\n&       \/var\/log\/localbuffer\n$ActionExecOnlyWhenPreviousIsSuspended off\n<\/code><\/pre>\n
\ubcc0\uacbd\uc0ac\ud56d \uc801\uc6a9\uc744 \uc704\ud574 rsyslog \uc11c\ube44\uc2a4\ub97c \uc7ac\uc2e4\ud589 \ud55c\ub2e4.<\/p>\n
systemctl restart rsyslogd<\/code><\/p>\n
aggregator rsyslog server<\/h4>\n
remote \uc11c\ubc84\uc5d0\uc11c \uc804\uc1a1\ud558\ub294 rsyslog\ub97c \uc218\uc2e0\ud574\uc904 \uc911\uac1c \uc11c\ubc84\uc5d0 \ub2e4\uc74c\uacfc \uac19\uc774 \uc124\uc815\ud55c\ub2e4.<\/p>\n
vi \/etc\/rsyslog.conf<\/code><\/p>\n
$ModLoad imtcp\n$InputTCPServerRun 10514\n\n*.* @@0.0.0.0:42185\n<\/code><\/pre>\n
\ubcc0\uacbd\uc0ac\ud56d \uc801\uc6a9\uc744 \uc704\ud574 rsyslog \uc11c\ube44\uc2a4\ub97c \uc7ac\uc2e4\ud589 \ud55c\ub2e4.<\/p>\n
systemctl restart rsyslogd<\/code><\/p>\n
fluentd config<\/h3>\n
rsyslog \uc911\uac1c \uc11c\ubc84\ub85c\ubd80\ud130 \ubc1c\uc0dd\ud558\ub294 \ub85c\uadf8\ub97c \uc218\uc9d1\ud558\uc5ec elasticsearch \ub85c \uc800\uc7a5\ud558\ub294 fluentd \uc124\uc815\uc774\ub2e4.<\/p>\n
# rsyslog\n## Input\n<source>\n  @type syslog\n  port 42185\n  protocol_type tcp\n  tag rsyslog\n<\/source>\n\n## Filter\n<filter rsyslog.**>\n  @type record_transformer\n  <record>\n    hostname \"#{Socket.gethostname}\"\n    tag ${tag}\n    timestamp ${time}\n  <\/record>\n<\/filter>\n\n## Output\n<match rsyslog.**>\n  @type copy\n\n  <store>\n    @type elasticsearch\n    hosts 192.168.179.81:9200,192.168.179.82:9200,\n    logstash_format true\n    logstash_prefix rsyslog\n    logstash_dateformat %Y%m\n    include_tag_key true\n    tag_key @log_name\n    flush_interval 10s \n  <\/store>\n<\/match>\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Fluentd Use Case rsyslog \ud50c\ub7ec\uadf8\uc778 \ud65c\uc6a9\ud558\uae30 fluentd \ub294 \uae30\ubcf8\uc801\uc73c\ub85c rsyslog \ub97c \uc218\uc2e0\ud558\uace0 \ud30c\uc2f1\ud560 \uc218 \uc788\ub294 \ud50c\ub7ec\uadf8\uc778\uc774 \uc124\uce58\ub41c\ub2e4. rsyslogd \uc790\uccb4\uc801\uc73c\ub85c \ub85c\uadf8\ub97c \ubaa8\uc744\uc218 \uc788\ub294 \uae30\ub2a5\uc774 \uc788\uc73c\ubbc0\ub85c aggregator \uc11c\ubc84\ub97c \ud1b5\ud574 rsyslog \ub97c 1\ucc28\uc801\uc73c\ub85c \ubaa8\uc740 \ub2e4\uc74c, \uba87 \ub300\uc758 aggregator \uc11c\ubc84\uc5d0\uc11c fluentd \uc5d0\uac8c \ub85c\uadf8\ub97c \uc804\ub2ec\ud574\uc904 \uc218 \uc788\ub3c4\ub85d \ud55c\ub2e4. rsyslog data \ud750\ub984\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4. \uc5ec\ub7ec \ub300\uc758 syslog \ubc1c\uc0dd \uc11c\ubc84 -> \uba87 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[142,143],"class_list":["post-361","post","type-post","status-publish","format-standard","hentry","category-fluentd","tag-fluented","tag-syslog"],"_links":{"self":[{"href":"https:\/\/oboki.net\/workspace\/wp-json\/wp\/v2\/posts\/361","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oboki.net\/workspace\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oboki.net\/workspace\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oboki.net\/workspace\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/oboki.net\/workspace\/wp-json\/wp\/v2\/comments?post=361"}],"version-history":[{"count":5,"href":"https:\/\/oboki.net\/workspace\/wp-json\/wp\/v2\/posts\/361\/revisions"}],"predecessor-version":[{"id":1246,"href":"https:\/\/oboki.net\/workspace\/wp-json\/wp\/v2\/posts\/361\/revisions\/1246"}],"wp:attachment":[{"href":"https:\/\/oboki.net\/workspace\/wp-json\/wp\/v2\/media?parent=361"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oboki.net\/workspace\/wp-json\/wp\/v2\/categories?post=361"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oboki.net\/workspace\/wp-json\/wp\/v2\/tags?post=361"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}