29.3 Forwarding to Syslog

Problem

You need to forward your logs to a Syslog listener to aggregate logs to a centralized service.

Problem

You need to send error logs through the syslog service to a centralized log server.


Solution

Use the access_log and error_log directives to send your logs to a Syslog listener:

error_log syslog:server=10.0.1.42 debug;
access_log syslog:server=10.0.1.42,tag=nginx,severity=info geoproxy;

The syslog parameter for the error_log and access_log directives is followed by a colon and a number of options. These options include the required server flag that denotes the IP, DNS name, or Unix socket to connect to, as well as optional flags such as facility, severity, tag, and nohostname. The server option takes a port number, along with IP addresses or DNS names. However, it defaults to UDP 514. The facility option refers to the facility of the log message defined as one of the 23 defined in the RFC standard for Syslog; the default value is local7. The tag option tags the message with a value. This value defaults to nginx. severity defaults to info and denotes the severity of the message being sent. The nohostname flag disables adding the hostname field into the Syslog message header and does not take a value.

Solution

When using the error_log and access_log directives, send the logs to a syslog listener:

error_log syslog:server=10.0.1.42 debug;
access_log syslog:server=10.0.1.42,tag=nginx,severity=info geoproxy;

The syslog parameter of the error_log and access_log directives is followed by a colon (:) and a number of options. These include the required server flag, which denotes the IP, DNS name, or UNIX socket to connect to; the optional parameters are facility, severity, tag, and nohostname. The server parameter accepts an IP address or DNS name with a port; the default is UDP port 514. The facility parameter sets the syslog facility; its value is one of the 23 values defined in the syslog RFC standard (@todo). The tag parameter is the title shown with the message in the log file; its default value is nginx. severity sets the severity of the message; the default is the info level. The nohostname option disables adding the hostname field to the syslog message header.
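As an added example (not code from the cookbook or from NGINX), the following Python module implements the receiving side of what the options above configure: it parses the RFC 3164 lines that nginx emits, decodes the PRI value back into the facility and severity names used by the facility and severity options, and accepts both header shapes, with a hostname field and without one (the nohostname case). The sample datagrams, hostnames, addresses and timestamps are constructed, and port 5514 in the listener is an assumed unprivileged stand-in for the default UDP 514.

```python
import re
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional

# RFC 3164 facility (PRI // 8) and severity (PRI % 8) names, in numeric order.
# nginx's default facility is local7 (23) and its default access_log severity is
# info (6), so the lines it emits by default begin with <190>.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss [HOSTNAME ]TAG: MSG
# The hostname field is optional because nginx omits it when nohostname is set.
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:(?P<host>[^\s:]+) )?"
    r"(?P<tag>[^\s:]+): "
    r"(?P<msg>.*)$",
    re.S,
)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    hostname: Optional[str]  # None when the sender used nohostname
    tag: str
    message: str


def encode_pri(facility: str, severity: str) -> int:
    """PRI value a sender puts in front of a message, e.g. local7/info -> 190."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def parse_syslog(line: str) -> SyslogMessage:
    """Parse one RFC 3164 line; raises ValueError for anything else."""
    m = _SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # largest valid PRI is local7/debug = 23 * 8 + 7
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogMessage(FACILITIES[pri // 8], SEVERITIES[pri % 8],
                         m["ts"], m["host"], m["tag"], m["msg"])


def parse_many(lines: Iterable[str]) -> List[SyslogMessage]:
    return [parse_syslog(line) for line in lines]


def select(messages: Iterable[SyslogMessage], tag: Optional[str] = None,
           at_least: Optional[str] = None) -> List[SyslogMessage]:
    """Keep messages with the given tag and/or at severity at_least or worse
    (a lower index in SEVERITIES is more severe)."""
    out = []
    for msg in messages:
        if tag is not None and msg.tag != tag:
            continue
        if at_least is not None and SEVERITIES.index(msg.severity) > SEVERITIES.index(at_least):
            continue
        out.append(msg)
    return out


# Constructed sample datagrams in the shape nginx produces for the directives in this
# recipe: an access_log line (local7/info), an error_log line carrying severity err,
# and an access_log line from a sender configured with nohostname (no hostname field).
SAMPLE_LINES = [
    '<190>Jul 23 10:00:00 web01 nginx: 203.0.113.7 - - [23/Jul/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 612',
    '<187>Jul 23 10:00:01 web01 nginx: 2017/07/23 10:00:01 [error] 1234#0: *5 open() "/usr/share/nginx/html/x" failed (2: No such file or directory)',
    '<190>Jul  3 10:00:02 nginx: 203.0.113.9 - - [03/Jul/2017:10:00:02 +0000] "GET /health HTTP/1.1" 200 2',
]


def serve(bind_addr: str = "0.0.0.0", port: int = 5514) -> None:
    """Minimal UDP listener that prints each decoded datagram (5514 is an assumed
    unprivileged port; nginx defaults to 514)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            try:
                print(src, parse_syslog(data.decode("utf-8", "replace")))
            except ValueError as exc:
                print(src, "dropped:", exc)


if __name__ == "__main__":
    for m in select(parse_many(SAMPLE_LINES), tag="nginx", at_least="warning"):
        print(m.severity, m.hostname, m.message)
```

Run the module directly to see the severity filter applied to the constructed lines, or call serve() and point server=<listener-ip>:5514 at it from the access_log directive. Decoding PRI on the collector is what lets you route by facility and severity (for example, only err and worse to an alerting pipeline) rather than by tag alone, and keeping hostname optional means a sender switched to nohostname does not silently become unparseable.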


Discussion

Syslog is a standard protocol for sending log messages and collecting those logs on a single server or collection of servers. Sending logs to a centralized location helps in debugging when you’ve got multiple instances of the same service running on multiple hosts. This is called aggregating logs. Aggregating logs allows you to view logs together in one place without having to jump from server to server and mentally stitch together logfiles by timestamp. A common log aggregation stack is ElasticSearch, Logstash, and Kibana, also known as the ELK Stack. NGINX makes streaming these logs to your Syslog listener easy with the access_log and error_log directives.

Conclusion

syslog is a standard protocol for recording and collecting logs on a single server or a cluster of servers. When multiple instances of the same service run on multiple hosts, sending the logs to a centralized location helps with debugging; this is called log aggregation. Aggregating logs lets you view the logs in one place without switching between servers and piecing log files together by timestamp. A common log aggregation solution is ElasticSearch, Logstash, and Kibana, also known as the ELK Stack. By sending logs to a syslog listener, NGINX can easily deliver the logs captured by the access_log and error_log directives to the log aggregation server.

