Collecting network device logs with rsyslog

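Install the log collection tool
yum install -y rsyslog
The company's network devices currently fall into three categories: H3C, Huawei and Cisco.
Edit the configuration file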

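vim /etc/rsyslog.conf
# Enable log reception (legacy directive syntax)
$ModLoad imudp
$UDPServerRun 514

$ModLoad imtcp
$InputTCPServerRun 514

# Equivalent RainerScript syntax. Use one form or the other, not both:
# enabling both defines each listener on port 514 twice.
#module(load="imudp") # enable the UDP input module
#input(type="imudp" port="514")
#module(load="imtcp") # enable the TCP input module
#input(type="imtcp" port="514")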

$ModLoad imklog
$WorkDirectory /var/lib/rsyslog
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none;local1.none;local2.none;local3.none;local4.none;local5.none;local6.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
# Collect network device logs
$template h3c,"/log_data/h3c/%FROMHOST-IP%-%$YEAR%%$MONTH%%$DAY%.log"
local6.* ?h3c
$template huawei,"/log_data/huawei/%FROMHOST-IP%-%$YEAR%%$MONTH%%$DAY%.log"
local5.* ?huawei
$template cisco,"/log_data/cisco/%FROMHOST-IP%-%$YEAR%%$MONTH%%$DAY%.log"
local4.* ?cisco
$template ruijie,"/log_data/ruijie/%FROMHOST-IP%-%$YEAR%%$MONTH%%$DAY%.log"
local3.* ?ruijie
# Collect Sangfor AC logs
$template sangfor,"/log_data/sangfor/%FROMHOST-IP%-%$YEAR%%$MONTH%%$DAY%.log"
if $FROMHOST-IP == '10.250.18.250' or $FROMHOST-IP == '10.250.111.2' or $FROMHOST-IP == '10.250.111.3' or $FROMHOST-IP == '10.250.30.251' then -?sangfor

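Create the directories that store the logs

mkdir -p /log_data/huawei/
mkdir -p /log_data/h3c/
mkdir -p /log_data/cisco/
mkdir -p /log_data/ruijie/
mkdir -p /log_data/sangfor/
Start the service
systemctl start rsyslog
systemctl enable rsyslog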

Configure logging on the network devices

Network device configuration

Huawei:
info-center loghost source Vlanif99
info-center loghost 10.10.0.184 facility local5

H3C:
info-center loghost source Vlan-interface99
info-center loghost 10.10.0.184 facility local6

CISCO:
(config)#logging on
(config)#logging trap informational
(config)#logging 10.10.0.184
(config)#logging facility local4
(config)#logging source-interface e0

Ruijie:
logging buffered warnings
logging source interface VLAN 99
logging facility local3
logging server 10.10.0.184

Note: 10.10.0.184 is the IP address of the rsyslog server.

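Note: port 514 on the log collection server must be open for access.
Once the devices start sending logs, log files are generated in the directories defined above and can later be fed into ELK.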
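
To check where a device's messages will end up before the directories are wired into ELK, the routing rules from the rsyslog.conf above can be modelled offline. The Python sketch below is an added example, not part of the original post; the function names, the sample frames and the date are constructed for illustration.

```python
import re
from datetime import date

# Facility numbers per RFC 5424 (local0 = 16 ... local7 = 23), mapped to the
# directories used by the selector lines in the rsyslog.conf above.
VENDOR_DIR = {19: "ruijie", 20: "cisco", 21: "huawei", 22: "h3c"}
# Source addresses matched by the Sangfor AC rule.
SANGFOR_IPS = {"10.250.18.250", "10.250.111.2", "10.250.111.3", "10.250.30.251"}
# Facilities set to ".none" on the /var/log/messages line:
# mail (2), cron (9), authpriv (10), local1..local6 (17..22).
MESSAGES_EXCLUDED = {2, 9, 10, *range(17, 23)}
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(frame):
    """Return (facility, severity) from the <PRI> prefix of a syslog frame."""
    m = PRI_RE.match(frame)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI> header")
    pri = int(m.group(1))
    return pri >> 3, pri & 7


def destinations(frame, src_ip, server_day):
    """Files that the /var/log/messages rule and the device rules write to.

    rsyslog evaluates every rule in order, so one message can match several.
    The other local rules (secure, maillog, cron, ...) are not modelled.
    """
    facility, severity = decode_pri(frame)
    # %$YEAR%%$MONTH%%$DAY% is the server's date, not the message timestamp.
    name = f"{src_ip}-{server_day:%Y%m%d}.log"
    out = []
    if severity <= 6 and facility not in MESSAGES_EXCLUDED:  # *.info and above
        out.append("/var/log/messages")
    if facility in VENDOR_DIR:
        out.append(f"/log_data/{VENDOR_DIR[facility]}/{name}")
    if src_ip in SANGFOR_IPS:
        out.append(f"/log_data/sangfor/{name}")
    return out


if __name__ == "__main__":
    day = date(2024, 1, 15)  # constructed date
    # Constructed frames: <174> = local5.info, <134> = local0.info
    print(destinations("<174>Jan 15 10:00:00 sw1 link up", "10.10.0.10", day))
    print(destinations("<134>Jan 15 10:00:00 ac1 login ok", "10.250.18.250", day))
```

The second call shows that a message matched only by the source-IP rule is also written to /var/log/messages unless the device sends it with one of the excluded local facilities.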
