
RFC 5424 and Syslog

When I print the content of my log files in the /var/log directory, for instance head /var/log/messages, it seems like the messages are not completely compliant with RFC 5424 as described here. The first obvious difference is that there is no version at the beginning of my log messages. It is not by the rules of RFC 5424 on my Ubuntu nor on Fedora.

I would like to know what that means for the syslog format itself. Is it completely unique and doesn't actually follow any specific syntax, or does it mean that it has its own syntax for local PCs that I'm not familiar with?

The format of messages in your system log is typically determined by your logging daemon. This can change based on your distribution and configuration; my Debian installation, for example, uses rsyslogd. syslog-ng is another popular choice. You could research and change the format of messages by looking up and altering the configuration of whatever logging daemon you are using; again, for example, mine is in /etc/rsyslog.conf. If you want to understand your own system, you'll need to figure out what daemon you're using (a good starting point might be running ps -e | grep log), and research that.

Logging formats themselves can vary pretty widely, despite the existence of standards like RFC 5424 and its predecessor RFC 3164. Windows has its own system based around the Windows Event Log. Journald has a wide set of output formats, including JSON. Cisco device logs typically follow their own special format, which might require special consideration for some systems. And of course there are competing standards like the Common Event Format.

All of that to say it isn't uncommon for an individual system's format to be relatively unique. Usually centralized log aggregation services like Splunk or the ELK stack provide a level of normalization that helps with this issue at scale. But for a personal system, it's probably enough to just understand your own specific service, and work with that.
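The difference the question noticed (a version digit right after the priority field) is exactly what separates an RFC 5424 header from the older RFC 3164 layout that rsyslog writes to /var/log/messages by default. The following parser is an added example, not code from the thread or from any syslog daemon; it recognises both shapes, decodes the shared PRI encoding, and runs on constructed sample lines.

```python
import re

# Simplified regexes for the two header layouts; they cover the common shapes,
# not every corner case of the RFCs (e.g. NILVALUE handling in every field).

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)

# RFC 3164 / traditional rsyslog file layout: an optional <PRI>, then
# "Mmm dd hh:mm:ss host app[pid]: msg". There is no version field at all,
# which is what the question observed in /var/log/messages.
RFC3164_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\s:\[]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$"
)

def parse_syslog(line):
    """Return a dict of header fields plus 'format', or None if unrecognised."""
    for fmt, regex in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        m = regex.match(line.rstrip("\n"))
        if m:
            fields = m.groupdict()
            fields["format"] = fmt
            pri = fields.pop("pri")
            # PRI = facility * 8 + severity; the encoding is the same in both RFCs.
            fields["facility"] = int(pri) >> 3 if pri is not None else None
            fields["severity"] = int(pri) & 7 if pri is not None else None
            return fields
    return None

# Constructed sample lines (not captured from a real host).
SAMPLE_LINES = [
    "<34>1 2024-01-15T10:22:33.123Z host1 sshd 4123 ID47 - Accepted publickey for alice",
    "Jan 15 10:22:33 ubuntu-box sshd[4123]: Accepted publickey for alice from 192.0.2.10",
    "<13>Jan  5 10:22:33 host1 root: test message",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_syslog(line)
        print(rec["format"], rec.get("version"), rec["facility"], rec["severity"], rec["msg"])
```

A line written to a file by rsyslog's default template carries no PRI, so facility and severity come back as None; only the on-the-wire forms keep them.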
