#  systemctl status rsyslog.service
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: failed (Result: signal) since 三 2021-04-21 10:45:22 CST; 15s ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
  Process: 22264 ExecStartPost=/bin/bash /usr/bin/timezone_update.sh (code=exited, status=0/SUCCESS)
  Process: 22260 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS (code=killed, signal=SEGV)
 Main PID: 22260 (code=killed, signal=SEGV)

4月 21 10:45:22 mycseuler systemd[1]: rsyslog.service: main process exited, code=killed, status=11/SEGV
4月 21 10:45:22 mycseuler systemd[1]: Unit rsyslog.service entered failed state.
4月 21 10:45:22 mycseuler systemd[1]: rsyslog.service failed.
4月 21 10:45:22 mycseuler systemd[1]: rsyslog.service holdoff time over, scheduling restart.
4月 21 10:45:22 mycseuler systemd[1]: Stopped System Logging Service.
4月 21 10:45:22 mycseuler systemd[1]: start request repeated too quickly for rsyslog.service
4月 21 10:45:22 mycseuler systemd[1]: Failed to start System Logging Service.
4月 21 10:45:22 mycseuler systemd[1]: Unit rsyslog.service entered failed state.
4月 21 10:45:22 mycseuler systemd[1]: rsyslog.service failed.
 

原因分析:

查看 /etc/rsyslog.conf

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
# imuxsock is still loaded, but "$OmitLocalLogging on" (set further down)
# turns off reception via the local log socket.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
# (left disabled in this config; plain UDP syslog reception is unauthenticated
# and unencrypted, so enable it only where it is needed)
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
# (left disabled in this config; without a TLS stream driver this listener
# accepts cleartext from any sender that can reach the port)
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####
# Log files created by rsyslog are owned by root:root with mode 0640,
# i.e. no access for other users.
$FileGroup root
$FileOwner root
$FileCreateMode 0640

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_FileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
# Every *.conf file in that directory becomes part of this configuration, so
# review those files together with this one.
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile /run/log/journal/imjournal.state

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# (cron is excluded here as well; it has its own file below)
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron
 


# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
 

# Write all local5 messages to their own file.
# NOTE(review): the imfile input later in this file reads this same path and
# submits what it reads with facility local5, so those lines match this rule
# again and are written back to the file they were read from.
local5.*                                                /var/log/local5.log

# make gtls driver the default and set certificate files
# CAFile is the CA used to verify the peer; CertFile/KeyFile are this host's
# own certificate and private key. key.pem should be readable only by the
# account rsyslogd runs as.
# NOTE(review): with SELinux enforcing, rsyslogd may not be allowed to read
# files under /root -- confirm, or keep the files in a directory rsyslogd is
# permitted to read.
global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/root/cert/ca.pem"
DefaultNetstreamDriverCertFile="/root/cert/cert.pem"
DefaultNetstreamDriverKeyFile="/root/cert/key.pem"
)

# imfile turns lines of a text file into syslog messages
module(load="imfile")

# File 1
# Reads /var/log/local5.log and submits each line as a message with
# tag "local5:", severity info and facility local5.
# NOTE(review): the "local5.*" rule earlier in this file writes local5 messages
# to this same path, so every line read here is appended to the file being
# read. This is the input the article identifies as the faulty one.

input(type="imfile"

File="/var/log/local5.log"

Tag="local5:"

Severity="info"

Facility="local5")

# set up the action for local5 messages
# NOTE(review): this action() is not wrapped in a selector or if-condition, so
# it applies to every message that reaches this point, not only local5.
# Forwards over TCP with TLS required (StreamDriverMode="1") to 192.168.5.88:514.
# Port 514 only works if the receiver expects TLS on that port; syslog over
# TLS is conventionally served on 6514.
# x509/certvalid only checks that the server presents a certificate that is
# valid under the configured CA; it does not check which host the certificate
# was issued to. StreamDriverAuthMode="x509/name" together with
# StreamDriverPermittedPeers also ties the connection to the expected server name.
action(
type="omfwd"
protocol="tcp"
port="514"
target="192.168.5.88"
StreamDriver="gtls"
StreamDriverMode="1"
StreamDriverAuthMode="x509/certvalid"
)

 

input 模块(imfile)中的 File 配置 File="/var/log/local5.log" 与系统日志规则 local5.*       /var/log/local5.log 存在冲突!!

imfile 从该文件读到的每一行都会以 local5 设施重新提交给 rsyslog,而 local5.* 规则又把它写回同一个文件,形成读写循环。

系统日志可以直接转发到第三方 syslog 日志服务器,无需单独配置 imfile 输入,删除掉错误的 input 模块即可。修改后可先用 rsyslogd -N1 检查配置,再重启 rsyslog 服务并确认其状态恢复正常。
