Rsyslog is an open-source logging program and the most widely used logging mechanism across a large number of Linux distributions. It is also the default logging service on CentOS 7 and RHEL 7. The Rsyslog daemon on CentOS can be configured to run as a server that collects log messages from multiple network devices. In this post I use two CentOS 7 Linux machines to test Rsyslog as a server and as a client.

Topology

The client machine 34.67.242.159 will send its local logs to the remote central syslog server 35.224.49.121.
Both machines run CentOS 7.

Rsyslog server installation and configuration

1. Install Rsyslog

[jon_netsec@rsyslog-server1 ~]$
[jon_netsec@rsyslog-server1 ~]$ sudo -i
[root@rsyslog-server1 ~]# sudo yum update && yum install rsyslog
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos4.zswap.net
 * epel: mirror.colorado.edu
 * extras: centos4.zswap.net
 * updates: centos4.zswap.net
No packages marked for update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos4.zswap.net
 * epel: mirror.uic.edu
 * extras: centos4.zswap.net
 * updates: centos4.zswap.net
Package rsyslog-8.24.0-41.el7_7.2.x86_64 already installed and latest version
Nothing to do
[root@rsyslog-server1 ~]# systemctl start rsyslog
[root@rsyslog-server1 ~]# systemctl enable rsyslog
[root@rsyslog-server1 ~]# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-11-15 02:32:14 UTC; 11h ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 17303 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─17303 /usr/sbin/rsyslogd -n

Nov 15 02:32:14 rsyslog-server1 systemd[1]: Starting System Logging Service...
Nov 15 02:32:14 rsyslog-server1 rsyslogd[17303]: [origin software="rsyslogd" swVersion="8.24....rt
Nov 15 02:32:14 rsyslog-server1 systemd[1]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.
[root@rsyslog-server1 ~]# vim /etc/rsyslog.conf
[root@rsyslog-server1 ~]# vim /etc/rsyslog.conf
[root@rsyslog-server1 ~]# sysmtemctl restart rsyslog
-bash: sysmtemctl: command not found
[root@rsyslog-server1 ~]# systemctl restart rsyslog
[root@rsyslog-server1 ~]# ss -tulnp | grep "rsyslog"
udp    UNCONN     0      0         *:514                   *:*                   users:(("rsyslogd",pid=2507,fd=3))
udp    UNCONN     0      0      [::]:514                [::]:*                   users:(("rsyslogd",pid=2507,fd=4))
tcp    LISTEN     0      25        *:514                   *:*                   users:(("rsyslogd",pid=2507,fd=5))
tcp    LISTEN     0      25     [::]:514                [::]:*                   users:(("rsyslogd",pid=2507,fd=6))

[root@rsyslog-server1 ~]# setenforce Permissive
[root@rsyslog-server1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
[root@rsyslog-server1 ~]# getenforce
Permissive
[root@rsyslog-server1 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

[root@rsyslog-server1 ~]# systemctl stop firewalld

Note: you can disable the firewall and SELinux as I did here. The better approach is to configure SELinux and the firewall to allow UDP/TCP 514 traffic. In my lab I simply disabled them quickly to show how Rsyslog works.
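The following script is an added example (not from the original post) of the "better approach" just mentioned: keep firewalld running and SELinux enforcing, and open syslog reception only for the known client. It assumes firewalld and the semanage tool (from policycoreutils-python on CentOS 7) are installed on the server; the client address 34.67.242.159 is the one from the topology above, and syslogd_port_t is the SELinux port type the targeted policy uses for syslog listeners.

```bash
#!/bin/sh
# Added example: allow syslog on 514/tcp and 514/udp from one client only,
# and check the SELinux port label, instead of disabling firewalld/SELinux.
# Run as root on the server with "--apply"; without it only the functions
# are defined (handy for sourcing or testing).
set -u

SYSLOG_PORT=514
CLIENT_SRC="34.67.242.159/32"   # client from the post's topology (assumption: /32)

# Print a firewalld rich rule that accepts $SYSLOG_PORT/$proto from one source.
# Restricting the source keeps random hosts from filling the server's disk.
syslog_rich_rule() {
    src="$1"; proto="$2"
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept' \
        "$src" "$SYSLOG_PORT" "$proto"
}

# Add the tcp and udp rules permanently and reload. When firewall-cmd is
# not on PATH the commands are only printed, so the script is safe elsewhere.
open_syslog_ports() {
    src="$1"
    for proto in tcp udp; do
        rule=$(syslog_rich_rule "$src" "$proto")
        if command -v firewall-cmd >/dev/null 2>&1; then
            firewall-cmd --permanent --add-rich-rule="$rule"
        else
            echo "DRY-RUN: firewall-cmd --permanent --add-rich-rule='$rule'"
        fi
    done
    if command -v firewall-cmd >/dev/null 2>&1; then firewall-cmd --reload; fi
    return 0
}

# Read "semanage port -l" output on stdin; succeed when $port/$proto is
# covered by syslogd_port_t (single ports or ranges like 10514-10516).
selinux_syslog_label_ok() {
    proto="$1"; port="$2"
    while read -r label lproto ports; do
        [ "$label" = "syslogd_port_t" ] && [ "$lproto" = "$proto" ] || continue
        for p in $(printf '%s' "$ports" | tr ',' ' '); do
            case "$p" in
                *-*) lo=${p%-*}; hi=${p#*-}
                     if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi ;;
                *)   if [ "$p" = "$port" ]; then return 0; fi ;;
            esac
        done
    done
    return 1
}

if [ "${1:-}" = "--apply" ]; then
    open_syslog_ports "$CLIENT_SRC"
    if command -v semanage >/dev/null 2>&1; then
        for proto in tcp udp; do
            if semanage port -l | selinux_syslog_label_ok "$proto" "$SYSLOG_PORT"; then
                echo "SELinux: $proto/$SYSLOG_PORT is labelled syslogd_port_t"
            else
                echo "SELinux: $proto/$SYSLOG_PORT is NOT syslogd_port_t; relabel with"
                echo "  semanage port -a -t syslogd_port_t -p $proto $SYSLOG_PORT   (use -m if the port is already defined)"
            fi
        done
    fi
    # Back to enforcing; the post left the box permissive. Make it stick by
    # keeping SELINUX=enforcing in /etc/selinux/config.
    if command -v setenforce >/dev/null 2>&1; then setenforce 1; fi
fi
```

After `./open-syslog.sh --apply`, re-run the `ss -tulnp | grep rsyslog` check from the post with SELinux back in enforcing mode; if rsyslogd no longer binds 514/tcp, the semanage hint printed by the script is the fix.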

2. Configure Rsyslog as a server to collect all local and remote logs

By default, rsyslog loads the imjournal and imuxsock modules, which respectively import structured log messages from the systemd journal and accept syslog messages over a Unix socket from applications running on the local system.

To configure rsyslog as a network/central logging server, you need to set the protocol used for remote syslog reception (UDP, TCP, or both) and the port to listen on.

If you want to use the faster but unreliable UDP transport, search for and uncomment the udp lines shown below.

To use the TCP transport (slower but more reliable), search for and uncomment the tcp lines shown below.

[root@rsyslog-server1 ~]# vim /etc/rsyslog.conf

...

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514


$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~

#### GLOBAL DIRECTIVES ####
...

[root@rsyslog-server1 ~]# systemctl restart rsyslog

Next, you need to define the rule set that handles the remote logs, in the format shown above. Looking at that rule set, the first rule is the line $template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log".

The $template directive tells the rsyslog daemon to collect all received remote messages and write them to separate logs under /var/log, named according to the hostname of the machine that generated the message (the client machine name) and the remote client facility (program/application), as set in the RemoteLogs template.

The second line, *.* ?RemoteLogs, means: log messages of all severities from all facilities using the RemoteLogs template.

The last line, & ~, tells rsyslog to stop processing a message once it has been written to the template file. If you leave out & ~, the message is additionally written to the local log files.

Another template example, this one keyed on the sending IP address and the date:

 $template DailyPerHost,"/logs/syslog_devices/%FROMHOST-IP%/%FROMHOST-IP%-%$YEAR%-%$MONTH%-%$DAY%.log"
 *.* -?DailyPerHost
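A hardened variant of the RemoteLogs template, added here as an example that is not from the original post. The point it makes: %HOSTNAME% is a field the client writes into the message, so a client can claim any hostname and have its messages filed under another host's directory, whereas %FROMHOST-IP% comes from the connection that delivered the message. The secpath-replace option of the rsyslog property replacer turns any slash in the program name into an underscore, so a crafted tag cannot steer the file path out of the log directory. The /var/log/remote prefix and the RemoteLogsSafe name are assumptions for the example; the 127.0.0.1 test relies on locally generated messages (imuxsock/imjournal) carrying that source address.

```conf
# Added example: per-client files keyed on the connection's source address,
# with the program name sanitised before it becomes part of a path.
$template RemoteLogsSafe,"/var/log/remote/%FROMHOST-IP%/%PROGRAMNAME:::secpath-replace%.log"

# Only messages that arrived over the network go to the per-client files;
# locally generated messages keep flowing to the stock rules that follow.
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogsSafe
& stop
```

Use these lines in place of the `*.* ?RemoteLogs` / `& ~` pair from the post (`stop` is the current spelling of `~`). One caveat remains: over UDP the source address itself can be forged, so if the per-client directory is something you rely on for attribution, accept remote logs over TCP only.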

Rsyslog client installation and configuration

1. Install Rsyslog

[jon_netsec@rsyslog-client1 ~]$ curl ifconfig.me
34.67.242.159[jon_netsec@rsyslog-client1 ~]$
[jon_netsec@rsyslog-client1 ~]$
[jon_netsec@rsyslog-client1 ~]$ sudo yum update && yum install rsyslog
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos4.zswap.net
 * epel: mirror.grid.uchicago.edu
 * extras: centos4.zswap.net
 * updates: centos4.zswap.net
No packages marked for update
Loaded plugins: fastestmirror
You need to be root to perform this command.
[jon_netsec@rsyslog-client1 ~]$ sudo -i
[root@rsyslog-client1 ~]# sudo yum update && yum install rsyslog
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos4.zswap.net
 * epel: mirror.grid.uchicago.edu
 * extras: centos4.zswap.net
 * updates: centos4.zswap.net
No packages marked for update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos4.zswap.net
 * epel: mirror.grid.uchicago.edu
 * extras: centos4.zswap.net
 * updates: centos4.zswap.net
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-complete-transaction, or "yum-complete-transaction --cleanup-only" and "yum history redo last", first to finish them. If those don't work you'll have to try removing/installing packages by hand (maybe package-cleanup can help).
The program yum-complete-transaction is found in the yum-utils package.
--> Running transaction check
---> Package rsyslog.x86_64 0:8.24.0-41.el7_7 will be updated
---> Package rsyslog.x86_64 0:8.24.0-41.el7_7.2 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================
 Package             Arch               Version                       Repository           Size
================================================================================================
Updating:
 rsyslog             x86_64             8.24.0-41.el7_7.2             updates             616 k

Transaction Summary
================================================================================================
Upgrade  1 Package

Total size: 616 k
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test


Transaction check error:
  package rsyslog-8.24.0-41.el7_7.2.x86_64 is already installed

Error Summary
-------------

[root@rsyslog-client1 ~]# systemctl start rsyslog
[root@rsyslog-client1 ~]# systemctl enable rsyslog
[root@rsyslog-client1 ~]# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-11-15 02:24:26 UTC; 12h ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/

 Main PID: 905 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─905 /usr/sbin/rsyslogd -n

Nov 15 02:24:26 rsyslog-client1 systemd[1]: Starting System Logging Service...
Nov 15 02:24:26 rsyslog-client1 rsyslogd[905]:  [origin software="rsyslogd" swVersion="8.24...rt
Nov 15 02:24:26 rsyslog-client1 systemd[1]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.

2. Configure Rsyslog as a client that collects local logs and sends them to the remote Rsyslog server

To make the rsyslog daemon act as a log client and forward all locally generated log messages to the remote rsyslog server, add this forwarding rule at the end of the file, as shown below:

*.* @@35.224.49.121:514

[root@rsyslog-client1 ~]# vim /etc/rsyslog.conf

...
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
*.* @@35.224.49.121:514



[root@rsyslog-client1 ~]# systemctl restart rsyslog
[root@rsyslog-client1 ~]# logger -s -p user.info Testing Rsyslog Client log
jon_netsec: Testing Rsyslog Client log
[root@rsyslog-client1 ~]#

Testing and verification

[root@rsyslog-server1 log]# ls
audit     cron       grubby_prune_debug  ntpstats         secure    wtmp
boot.log  dmesg      lastlog             qemu-ga          spooler   yum.log
btmp      firewalld  maillog             rsyslog-client1  tallylog
chrony    grubby     messages            rsyslog-server1  tuned
[root@rsyslog-server1 log]# cd rsyslog-server1/
[root@rsyslog-server1 rsyslog-server1]# ls
jon_netsec.log  kernel.log  polkitd.log  rsyslogd.log  sshd.log  systemd.log
[root@rsyslog-server1 rsyslog-server1]# cat jon_netsec.log
2019-11-15T14:50:52.794133+00:00 rsyslog-server1 jon_netsec: Testing Server Rsyslog
[root@rsyslog-server1 rsyslog-server1]# cd ..
[root@rsyslog-server1 log]# cd rsyslog-client1/
[root@rsyslog-server1 rsyslog-client1]# ls
dbus.log      jon_netsec.log      nm-dispatcher.log  rsyslogd.log
dhclient.log  NetworkManager.log  polkitd.log        systemd.log
[root@rsyslog-server1 rsyslog-client1]# cat jon_netsec.log
2019-11-15T14:51:40+00:00 rsyslog-client1 jon_netsec: Testing Rsyslog Client log
[root@rsyslog-server1 rsyslog-client1]# vim /etc/rsyslog.conf
[root@rsyslog-server1 rsyslog-client1]#
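The manual check above (look for the client's directory, cat the file) can be turned into a repeatable end-to-end test. The script below is an added example, not part of the original post: run on the server, it first confirms from `ss -tulnp` that rsyslogd owns both the tcp and udp 514 sockets, then waits for a marker message to show up in the per-host file produced by the post's RemoteLogs template. The operator sends the marker from the client with `logger -t rsyslog-check <marker>`; the tag name rsyslog-check, the 30-second wait and the /var/log/<host>/<program>.log layout are assumptions taken from the post's template.

```bash
#!/bin/sh
# Added example: server-side verification of remote log reception.
# Usage (on the server):  ./check-rsyslog.sh --run rsyslog-client1 marker-1234
# Meanwhile on the client: logger -t rsyslog-check marker-1234
set -u

# Read "ss -tulnp" output on stdin; succeed only when rsyslogd has a tcp
# LISTEN socket and a udp UNCONN socket on port 514 (any local address).
rsyslog_listeners_ok() {
    tcp=0; udp=0
    while read -r proto state _ _ laddr rest; do
        case "$laddr" in *:514) ;; *) continue ;; esac
        case "$rest" in *'"rsyslogd"'*) ;; *) continue ;; esac
        if [ "$proto" = tcp ] && [ "$state" = LISTEN ]; then tcp=1; fi
        if [ "$proto" = udp ] && [ "$state" = UNCONN ]; then udp=1; fi
    done
    [ "$tcp" = 1 ] && [ "$udp" = 1 ]
}

# Poll $file for a line containing $marker, up to $timeout seconds.
# Returns 0 as soon as the marker is seen, 1 on timeout.
wait_for_log_line() {
    file="$1"; marker="$2"; timeout="$3"
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -r "$file" ] && grep -qF -- "$marker" "$file"; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Print the host field of the first line in $file that carries $marker.
# Lines are in rsyslog's default file format: "<timestamp> <host> <tag>: <msg>",
# so the host is the second whitespace-separated field.
marker_line_host() {
    file="$1"; marker="$2"
    line=$(grep -F -- "$marker" "$file" | head -n 1)
    [ -n "$line" ] || return 1
    set -- $line
    printf '%s\n' "$2"
}

if [ "${1:-}" = "--run" ]; then
    client="${2:?client hostname}"; marker="${3:?marker string}"
    if ss -tulnp | rsyslog_listeners_ok; then
        echo "ok: rsyslogd is listening on tcp/udp 514"
    else
        echo "FAIL: rsyslogd is not bound on both tcp and udp 514"; exit 1
    fi
    file="/var/log/$client/rsyslog-check.log"
    if wait_for_log_line "$file" "$marker" 30; then
        echo "ok: marker from host $(marker_line_host "$file" "$marker") arrived in $file"
    else
        echo "FAIL: $marker not seen in $file within 30s"; exit 1
    fi
fi
```

If the listener check passes but the marker never arrives, the usual suspects are the firewall or SELinux on the server (see the note in the server section) and a typo in the client's `@@35.224.49.121:514` line; the client keeps the message spooled only if the on-disk queue directives above the forwarding rule are uncommented.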
