Rsyslog is an open-source logging program and the most popular logging mechanism in a large number of Linux distributions. It is also the default logging service in CentOS 7 and RHEL 7. The Rsyslog daemon on CentOS can be configured to run as a server that collects log messages from multiple network devices. In this post I use two CentOS 7 Linux machines to test Rsyslog as a server and as a client.
Topology
The client machine 34.67.242.159 will send its local logs to the remote central syslog server 35.224.49.121.
Both machines run CentOS 7.
Related YouTube video:
Rsyslog Server Installation and Configuration
1. Install Rsyslog
[jon_netsec@rsyslog-server1 ~]$
[jon_netsec@rsyslog-server1 ~]$ sudo -i
[root@rsyslog-server1 ~]# sudo yum update && yum install rsyslog
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos4.zswap.net
* epel: mirror.colorado.edu
* extras: centos4.zswap.net
* updates: centos4.zswap.net
No packages marked for update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos4.zswap.net
* epel: mirror.uic.edu
* extras: centos4.zswap.net
* updates: centos4.zswap.net
Package rsyslog-8.24.0-41.el7_7.2.x86_64 already installed and latest version
Nothing to do
[root@rsyslog-server1 ~]# systemctl start rsyslog
[root@rsyslog-server1 ~]# systemctl enable rsyslog
[root@rsyslog-server1 ~]# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2019-11-15 02:32:14 UTC; 11h ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 17303 (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─17303 /usr/sbin/rsyslogd -n
Nov 15 02:32:14 rsyslog-server1 systemd[1]: Starting System Logging Service...
Nov 15 02:32:14 rsyslog-server1 rsyslogd[17303]: [origin software="rsyslogd" swVersion="8.24....rt
Nov 15 02:32:14 rsyslog-server1 systemd[1]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.
[root@rsyslog-server1 ~]# vim /etc/rsyslog.conf
[root@rsyslog-server1 ~]# vim /etc/rsyslog.conf
[root@rsyslog-server1 ~]# sysmtemctl restart rsyslog
-bash: sysmtemctl: command not found
[root@rsyslog-server1 ~]# systemctl restart rsyslog
[root@rsyslog-server1 ~]# ss -tulnp | grep "rsyslog"
udp UNCONN 0 0 *:514 *:* users:(("rsyslogd",pid=2507,fd=3))
udp UNCONN 0 0 [::]:514 [::]:* users:(("rsyslogd",pid=2507,fd=4))
tcp LISTEN 0 25 *:514 *:* users:(("rsyslogd",pid=2507,fd=5))
tcp LISTEN 0 25 [::]:514 [::]:* users:(("rsyslogd",pid=2507,fd=6))
[root@rsyslog-server1 ~]# setenforce Permissive
[root@rsyslog-server1 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
[root@rsyslog-server1 ~]# getenforce
Permissive
[root@rsyslog-server1 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@rsyslog-server1 ~]# systemctl stop firewalld
Note: you can disable the firewall and SELinux as I did here. The better approach is to configure SELinux and the firewall to allow udp/tcp 514 traffic. In my lab I simply disabled them quickly to show you how Rsyslog works.
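The following script is an added example, not part of the original post, showing the "better approach" the note describes: it opens only udp/tcp 514 in firewalld and labels the ports for rsyslog in SELinux, then verifies that rsyslogd is actually bound. The two parser functions work on the text of `semanage port -l` and `ss -tulnp` output, so they can be checked offline; the `--apply` path assumes root on CentOS 7 with firewalld and the policycoreutils-python package (which provides semanage) installed.

```shell
#!/bin/bash
# Added example: permit syslog on udp/tcp 514 without disabling firewalld or SELinux.
# Assumes CentOS 7 with firewalld and policycoreutils-python (semanage) installed.
set -eu

# Does `semanage port -l` output (stdin) list PORT under syslogd_port_t for PROTO?
# Typical line: "syslogd_port_t   udp   514, 601"
syslogd_port_labelled() {
    awk -v proto="$1" -v port="$2" '
        $1 == "syslogd_port_t" && $2 == proto {
            for (i = 3; i <= NF; i++) { p = $i; gsub(",", "", p); if (p == port) found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Does `ss -tulnp` output (stdin) show rsyslogd bound to PORT for PROTO?
# Typical line: 'tcp LISTEN 0 25 *:514 *:* users:(("rsyslogd",pid=2507,fd=5))'
rsyslog_listening() {
    awk -v proto="$1" -v port="$2" '
        $1 == proto && $5 ~ (":" port "$") && index($0, "\"rsyslogd\"") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Open just the two syslog ports; everything else stays filtered.
open_firewall() {
    firewall-cmd --permanent --add-port=514/udp
    firewall-cmd --permanent --add-port=514/tcp
    firewall-cmd --reload
}

# Make sure both ports carry syslogd_port_t so rsyslogd may bind them under enforcing mode.
label_selinux_ports() {
    for proto in udp tcp; do
        if semanage port -l | syslogd_port_labelled "$proto" 514; then
            continue
        fi
        # In the targeted policy tcp/514 is already defined (as rsh_port_t), so the
        # existing label has to be modified; -a is the fallback for an undefined port.
        semanage port -m -t syslogd_port_t -p "$proto" 514 ||
            semanage port -a -t syslogd_port_t -p "$proto" 514
    done
}

if [ "${1:-}" = "--apply" ]; then
    open_firewall
    label_selinux_ports
    systemctl restart rsyslog
    for proto in udp tcp; do
        ss -tulnp | rsyslog_listening "$proto" 514 ||
            { echo "rsyslog is not listening on $proto/514" >&2; exit 1; }
    done
    echo "rsyslog reachable on udp/tcp 514 with firewalld and SELinux left enabled"
fi
```

Run it as `./allow-syslog.sh --apply` on the server after the rsyslog.conf changes in the next step; without `--apply` it only defines the functions. If a client still cannot deliver after this, `ausearch -m avc -ts recent` on the server is the place to look before reaching for `setenforce`.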
2. Configure Rsyslog as a server to collect all logs / remote logs
By default, rsyslog uses the imjournal and imuxsock modules to import structured log messages from the systemd journal and to accept syslog messages over a Unix socket from applications running on the local system, respectively.
To configure rsyslog as a network/central logging server, you need to set the protocol (UDP, TCP, or both) that will be used for remote syslog reception and the port to listen on.
If you want to use the faster but unreliable UDP transport, search for the udp lines below and uncomment them.
To use TCP (slower but more reliable), search for the following lines and uncomment the tcp ones.
[root@rsyslog-server1 ~]# vim /etc/rsyslog.conf
...
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~

#### GLOBAL DIRECTIVES ####
...
[root@rsyslog-server1 ~]# systemctl restart rsyslog
Next, you need to define the rule set that handles remote logs, in the format shown above. Looking at that rule-set template, the first rule is `$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"`.
The $template directive tells the rsyslog daemon to collect all received remote messages and write them to separate logs under /var/log, named after the hostname (client machine name) and the client-side program/application that generated the message, using the settings in the RemoteLogs template.
The second line, `*.* ?RemoteLogs`, means: log messages from all facilities at all severity levels using the RemoteLogs template.
The last line, `& ~`, tells rsyslog to stop processing a message once it has been written to that file. If you leave out `& ~`, the message continues through the remaining rules and is also written to the local log files. (On rsyslog 7 and later, `~` is deprecated and `& stop` is the equivalent spelling.)
Another template example:
$template DailyPerHost,"/logs/syslog_devices/%FROMHOST-IP%/%FROMHOST-IP%-%$YEAR%-%$MONTH%-%$DAY%.log"
*.* -?DailyPerHost
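As an added example (not from the original post), the same server setup written as a drop-in file in rsyslog's RainerScript syntax, which rsyslog 7+ (CentOS 7 ships 8.24) accepts alongside the legacy directives. It carries both templates from the post and replaces the `*.* ?RemoteLogs` / `& ~` pair with a ruleset bound directly to the network inputs, so remote messages are filed per host and never fall through to /var/log/messages, and local messages never match the remote rules. The file name `10-remote.conf` and the `--apply` step are assumptions of this example.

```shell
#!/bin/bash
# Added example: central-collector config as a RainerScript drop-in for /etc/rsyslog.d.
# Assumes rsyslog 7+; the stock CentOS 7 /etc/rsyslog.conf includes /etc/rsyslog.d/*.conf.
set -eu

# Write the remote-collection config into DIR (default /etc/rsyslog.d) and print its path.
write_server_conf() {
    dir="${1:-/etc/rsyslog.d}"
    cat > "$dir/10-remote.conf" <<'EOF'
module(load="imudp")
module(load="imtcp")

# One file per client host and program, like the $template RemoteLogs in the post.
# %HOSTNAME% is whatever the sender put in the message header.
template(name="RemoteLogs" type="string"
         string="/var/log/%HOSTNAME%/%PROGRAMNAME%.log")

# Daily file per sender, keyed on the peer address, which the sender cannot choose.
template(name="DailyPerHost" type="string"
         string="/logs/syslog_devices/%FROMHOST-IP%/%FROMHOST-IP%-%$YEAR%-%$MONTH%-%$DAY%.log")

# Everything that arrives on the network inputs is handled here and only here.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs"
           dirCreateMode="0750" fileCreateMode="0640")
    # RainerScript form of "& ~": do not fall through to the local rules.
    stop
}

# Binding the inputs to the ruleset keeps local (imuxsock/imjournal) and remote
# traffic on separate paths without relying on rule ordering in rsyslog.conf.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
EOF
    echo "$dir/10-remote.conf"
}

if [ "${1:-}" = "--apply" ]; then
    conf=$(write_server_conf /etc/rsyslog.d)
    # Syntax-check the full configuration before touching the running service.
    rsyslogd -N1 -f /etc/rsyslog.conf
    systemctl restart rsyslog
    echo "installed $conf; client logs will appear under /var/log/<client-hostname>/<program>.log"
fi
```

Use either this drop-in or the uncommented `$ModLoad imudp`/`$ModLoad imtcp` lines in /etc/rsyslog.conf, not both: loading a module twice is a startup error. To switch from the per-program layout to the daily per-sender layout, change `dynaFile="RemoteLogs"` to `dynaFile="DailyPerHost"`. Prefer the `%FROMHOST-IP%` template when you cannot trust the clients, since `%HOSTNAME%` is taken from the message body and any host that can reach udp/514 can set it to whatever it likes.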
Rsyslog Client Installation and Configuration
1. Install Rsyslog
[jon_netsec@rsyslog-client1 ~]$ curl ifconfig.me
34.67.242.159[jon_netsec@rsyslog-client1 ~]$
[jon_netsec@rsyslog-client1 ~]$
[jon_netsec@rsyslog-client1 ~]$ sudo yum update && yum install rsyslog
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos4.zswap.net
* epel: mirror.grid.uchicago.edu
* extras: centos4.zswap.net
* updates: centos4.zswap.net
No packages marked for update
Loaded plugins: fastestmirror
You need to be root to perform this command.
[jon_netsec@rsyslog-client1 ~]$ sudo -i
[root@rsyslog-client1 ~]# sudo yum update && yum install rsyslog
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos4.zswap.net
* epel: mirror.grid.uchicago.edu
* extras: centos4.zswap.net
* updates: centos4.zswap.net
No packages marked for update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos4.zswap.net
* epel: mirror.grid.uchicago.edu
* extras: centos4.zswap.net
* updates: centos4.zswap.net
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-complete-transaction, or "yum-complete-transaction --cleanup-only" and "yum history redo last", first to finish them. If those don't work you'll have to try removing/installing packages by hand (maybe package-cleanup can help).
The program yum-complete-transaction is found in the yum-utils package.
--> Running transaction check
---> Package rsyslog.x86_64 0:8.24.0-41.el7_7 will be updated
---> Package rsyslog.x86_64 0:8.24.0-41.el7_7.2 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================================
Package Arch Version Repository Size
================================================================================================
Updating:
rsyslog x86_64 8.24.0-41.el7_7.2 updates 616 k
Transaction Summary
================================================================================================
Upgrade 1 Package
Total size: 616 k
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction check error:
package rsyslog-8.24.0-41.el7_7.2.x86_64 is already installed
Error Summary
-------------
[root@rsyslog-client1 ~]# systemctl start rsyslog
[root@rsyslog-client1 ~]# systemctl enable rsyslog
[root@rsyslog-client1 ~]# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2019-11-15 02:24:26 UTC; 12h ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 905 (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─905 /usr/sbin/rsyslogd -n
Nov 15 02:24:26 rsyslog-client1 systemd[1]: Starting System Logging Service...
Nov 15 02:24:26 rsyslog-client1 rsyslogd[905]: [origin software="rsyslogd" swVersion="8.24...rt
Nov 15 02:24:26 rsyslog-client1 systemd[1]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.
2. Configure Rsyslog as a client that collects local logs and sends them to the remote Rsyslog server
To make the rsyslog daemon act as a log client and forward all locally generated log messages to the remote rsyslog server, add this forwarding rule at the end of the file, as shown below.
[root@rsyslog-client1 ~]# vim /etc/rsyslog.conf
...
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
*.* @@35.224.49.121:514
[root@rsyslog-client1 ~]# systemctl restart rsyslog
[root@rsyslog-client1 ~]# logger -s -p user.info Testing Rsyslog Client log
jon_netsec: Testing Rsyslog Client log
[root@rsyslog-client1 ~]#
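The forwarding rule above ships logs but, with the queue directives left commented out, drops them whenever the collector is unreachable. As an added example (not from the original post), here is the same `*.* @@35.224.49.121:514` forwarding written in RainerScript with the disk-assisted queue the commented block describes, plus a small check that reports where the box will send its logs. The file name `90-forward.conf`, the `--apply` step and the `fwdtest` tag are assumptions of this example; the default collector address is the lab server from the post.

```shell
#!/bin/bash
# Added example: client-side forwarding with a disk-assisted queue, as a drop-in file.
# Assumes rsyslog 7+ and $WorkDirectory /var/lib/rsyslog (set in the stock CentOS 7 rsyslog.conf),
# which is where queue.filename spool files are written.
set -eu

SERVER="${SERVER:-35.224.49.121}"   # lab collector from the post; override via environment

# Write the forwarding action into DIR (default /etc/rsyslog.d) targeting HOST; print the path.
write_client_conf() {
    dir="${1:-/etc/rsyslog.d}"
    host="${2:-$SERVER}"
    cat > "$dir/90-forward.conf" <<EOF
# Forward everything over TCP (equivalent of *.* @@${host}:514).
# While the collector is down, up to 1 GiB is spooled to disk and delivery is
# retried indefinitely, so an outage on the server side does not lose client logs.
action(type="omfwd" target="${host}" port="514" protocol="tcp"
       queue.type="LinkedList"
       queue.filename="fwdRule1"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
EOF
    echo "$dir/90-forward.conf"
}

# Print host:port from a written forwarding config, so a reviewer can confirm the
# destination without reading the whole file.
forward_target() {
    sed -n 's/.*target="\([^"]*\)" port="\([^"]*\)".*/\1:\2/p' "$1"
}

if [ "${1:-}" = "--apply" ]; then
    conf=$(write_client_conf /etc/rsyslog.d)
    rsyslogd -N1 -f /etc/rsyslog.conf     # syntax check before restarting
    systemctl restart rsyslog
    # Emit a tagged test message; it should show up on the collector as
    # /var/log/$(hostname)/fwdtest.log, which the next section checks by hand.
    logger -t fwdtest -p user.info "Testing Rsyslog Client log from $(hostname)"
    echo "forwarding to $(forward_target "$conf")"
fi
```

Use this drop-in instead of the `*.* @@35.224.49.121:514` line in /etc/rsyslog.conf, not in addition to it, or every message arrives at the collector twice. Because the queue is asynchronous, a message logged while the server is down lands on the collector only after the connection resumes, so a test during an outage is expected to appear late rather than not at all.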
Testing and Verification
[root@rsyslog-server1 log]# ls
audit     cron       grubby_prune_debug  ntpstats         secure    wtmp
boot.log  dmesg      lastlog             qemu-ga          spooler   yum.log
btmp      firewalld  maillog             rsyslog-client1  tallylog
chrony    grubby     messages            rsyslog-server1  tuned
[root@rsyslog-server1 log]# cd rsyslog-server1/
[root@rsyslog-server1 rsyslog-server1]# ls
jon_netsec.log  kernel.log  polkitd.log  rsyslogd.log  sshd.log  systemd.log
[root@rsyslog-server1 rsyslog-server1]# cat jon_netsec.log
2019-11-15T14:50:52.794133+00:00 rsyslog-server1 jon_netsec: Testing Server Rsyslog
[root@rsyslog-server1 rsyslog-server1]# cd ..
[root@rsyslog-server1 log]# cd rsyslog-client1/
[root@rsyslog-server1 rsyslog-client1]# ls
dbus.log      jon_netsec.log      nm-dispatcher.log  rsyslogd.log
dhclient.log  NetworkManager.log  polkitd.log        systemd.log
[root@rsyslog-server1 rsyslog-client1]# cat jon_netsec.log
2019-11-15T14:51:40+00:00 rsyslog-client1 jon_netsec: Testing Rsyslog Client log
[root@rsyslog-server1 rsyslog-client1]# vim /etc/rsyslog.conf
[root@rsyslog-server1 rsyslog-client1]#