rsyslog - 将日志发送到多个 rsyslog 服务器

Question

当我尝试将数据发送到多个 rsyslog 服务器时，它只选择第一个转发规则并忽略其余部分。

我的 rsyslog 客户端 conf 文件。

$WorkDirectory /var/tmp/rsyslog/work

$DefaultNetstreamDriverCAFile /usr/local/abc/certs/syslog_ca.crt
$DefaultNetstreamDriver gtls # use gtls netstream driver

### Forwarding rules #1
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
$ActionQueueType LinkedList   # use asynchronous processing
$ActionQueueFileName srvrfwd  # set file name, also enables disk mode
$ActionResumeRetryCount -1    # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
if $syslogtag contains 'error' then @@rsyslog.abc.com:10514
& ~
###

### Forwarding rules #2
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
$ActionQueueType LinkedList   # use asynchronous processing
$ActionQueueFileName srvrfwd1  # set file name, also enables disk mode
$ActionResumeRetryCount -1    # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
if $syslogtag contains 'error' then @@rsyslog1.abc.com:10514
& ~
###

如果我评论转发规则#1，它需要规则#2。

Answer 1

来自 rsyslog 文档：（http://www.rsyslog.com/storing-messages-from-a-remote-system-into-a-specific-file/）

下一行（“& ~”）很重要：它告诉 rsyslog 在将消息写入日志后停止处理该消息

这样（通常）有效：

$WorkDirectory /var/tmp/rsyslog/work

$DefaultNetstreamDriverCAFile /usr/local/abc/certs/syslog_ca.crt
$DefaultNetstreamDriver gtls # use gtls netstream driver

### Forwarding rules #1
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
$ActionQueueType LinkedList   # use asynchronous processing
$ActionQueueFileName srvrfwd  # set file name, also enables disk mode
$ActionResumeRetryCount -1    # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
if $syslogtag contains 'error' then @@rsyslog.abc.com:10514
###

### Forwarding rules #2
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
$ActionQueueType LinkedList   # use asynchronous processing
$ActionQueueFileName srvrfwd1  # set file name, also enables disk mode
$ActionResumeRetryCount -1    # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
if $syslogtag contains 'error' then @@rsyslog1.abc.com:10514
& ~
###

或者简单地说：

$WorkDirectory /var/tmp/rsyslog/work

$DefaultNetstreamDriverCAFile /usr/local/abc/certs/syslog_ca.crt
$DefaultNetstreamDriver gtls # use gtls netstream driver

$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
$ActionQueueType LinkedList   # use asynchronous processing
$ActionQueueFileName srvrfwd  # set file name, also enables disk mode
$ActionResumeRetryCount -1    # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
if $syslogtag contains 'error' then @@rsyslog.abc.com:10514
& @@rsyslog1.abc.com:10514
###