侧边栏壁纸
  • 累计撰写 85 篇文章
  • 累计创建 39 个标签
  • 累计收到 9 条评论

目 录CONTENT

文章目录

使用非root用户启动Rsyslog服务的两种方法

散漫的老何
2023-09-01 / 0 评论 / 0 点赞 / 1,040 阅读 / 2,542 字 / 正在检测是否收录...
温馨提示:
本文最后更新于 2023-09-01,若内容或图片失效,请留言反馈。部分素材来自网络,若不小心影响到您的利益,请联系我们删除。

使用非root用户启动Rsyslog服务的的两种方法

1 使用systemctl模式启动ryslog服务[非root用户]

1.1 允许非root用户使用1024以下端口

linux允许非root用户默认只能使用1024以上端口,sysctl 可以修改该起始端口。

例:允许非root用户使用所有端口

#临时生效
sysctl net.ipv4.ip_unprivileged_port_start=0

#永久生效,需要重启系统
echo "net.ipv4.ip_unprivileged_port_start=0" >> /etc/sysctl.conf

1.2 编辑rsyslog服务端rsyslog.conf配置文件,添加启动用户配置参数

可以利用$PrivDropToUser$PrivDropToUserID$PrivDropToGroup$PrivDropToGroupID配置指令以非root用户身份运行rsyslog

使用这些变量时,rsyslog将以root身份启动,但在初始化完成后将下降到指定的用户或组。

然后,守护程序将根据指定用户或组的权限运行。

[rsyslog@syslog-server ]$ id
uid=1000(rsyslog) gid=1000(rsyslog) groups=1000(rsyslog),190(systemd-journal)

编辑/etc/rsyslog.conf配置文件添加以下配置

# 设置rsyslog 守护进程运行用户
# 1000为用户uid和gid
$PrivDropToUserID 1000
$PrivDropToGroupID 1000

1.3 修改systemctl rsyslog服务启动用户

在 CentOS/RHEL 7 中,rsyslog 默认以 root 身份运行,以非 root 用户身份运行时会出现权限问题。

要确保您可以从/run/logs/journal中的systemd日志中获取日志记录,请将指定的用户修改为"systemd-journald"组的成员:

# usermod -G systemd-journal [specified_user]
] usermod -G systemd-journal rsyslog

1.4 使用rsyslog用户重启rsyslog服务

[rsyslog@syslog-server ]$ systemctl restart rsyslog

1.5 修改/var目录下的log文件权限

让rsyslog用户有写的权限。

[root@rsyslog-server rsyslog]# chmod 722 /var/lib/rsyslog
[root@rsyslog-server rsyslog]# chmod 722 /var/log/messages
[root@rsyslog-server rsyslog]# chmod 722 /var/log/secure
[root@rsyslog-server rsyslog]# chmod 722 /var/log/maillog
[root@rsyslog-server rsyslog]# chmod 722 /var/log/cron
[root@rsyslog-server rsyslog]# chmod 722 /var/log/spooler
[root@rsyslog-server rsyslog]# chmod 722 /var/log/boot.lo

1.6 修改/var/lib/rsyslog目录权限

这一步很重要

含义:让rsyslog用户能读取imjournal.state文件。

[root@rsyslog-server rsyslog]# chmod -R 722 /var/lib/rsyslog
原权限为:
[root@rsyslog-server rsyslog]# ll /var/lib
drwx------. 2 root    root     29 Mar  8 04:11 rsyslog

1.7 验证日志接收

image-20230308155108425

日志文件存在:

image-20230308173428084

1.8 注意点

将rsyslog tls 密钥文件保存到/home/rsyslog目录中,或者让rsyslog用户有读取密钥文件的权限。

rsyslog数据保存路径,rsyslog用户需要有写的权限。

1.9 参考配置文件

# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

$PrivDropToUserID 1000
$PrivDropToGroupID 1000
# $ModLoad imuxsock  # local messages
# imuxsock配置不能存在多次。。。
$ModLoad imtcp  # TCP listener
$DefaultNetstreamDriver gtls  # 默认为GTLS驱动程序,make gtls driver the default
$DefaultNetstreamDriverCAFile /home/rsyslog/pem/ca.pem  # certificate files CA 密钥
$DefaultNetstreamDriverCertFile /home/rsyslog/pem/machine-cert.pem  # 客户端证书
$DefaultNetstreamDriverKeyFile /home/rsyslog/pem/machine-key.pem  # 客户端私钥
$InputTCPServerStreamDriverAuthMode anon  # 驱动程序认证模式
$InputTCPServerStreamDriverMode 1  # 在tls模式下运行驱动程序
$InputTCPServerRun 514  # 在1514端口启动监听器,接收发送到tcp/1514端口上的数据
$template Remote,"/home/syslog/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log"  ## 数据保存策略
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
& ~

2 使用command模式启动rsyslog服务[非root用户]

2.1 创建rsyslog用户

创建rsyslog用户,并设置密码,必须步骤

~ ] useradd rsyslog
~ ] password rsyslog
~ ] id rsyslog
uid=1002(rsyslog) gid=1002(rsyslog) groups=1002(rsyslog)

2.2 将rsyslog.conf和rsyslog TLS证书保存到rsyslog家目录中

将rsyslog.conf、rsyslog TLS证书全部保存到/home/rsyslog目录中

  1. rsyslogd.conf 配置文件内容如下

    # rsyslog configuration file
    # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
    # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
    #### MODULES ####
    # The imjournal module bellow is now used as a message source instead of imuxsock.
    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imjournal # provides access to the systemd journal
    #$ModLoad imklog # reads kernel messages (the same are read from journald)
    #$ModLoad immark  # provides --MARK-- message capability
          
    # Provides UDP syslog reception
    # $ModLoad imudp
    # $UDPServerRun 514
          
    # Provides TCP syslog reception
    #$ModLoad imtcp
    #$InputTCPServerRun 514
    
    
    #### GLOBAL DIRECTIVES ####
    
    # Where to place auxiliary files
    $WorkDirectory /var/lib/rsyslog
    
    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    
    # File syncing capability is disabled by default. This feature is usually not required,
    # not useful and an extreme performance hit
    #$ActionFileEnableSync on
    
    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf
    
    # Turn off message reception via local log socket;
    # local messages are retrieved through imjournal now.
    $OmitLocalLogging on
    
    # File to store the position in the journal
    $IMJournalStateFile imjournal.state
    
    
    #### RULES ####
    
    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                                                 /dev/console
    
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    # *.info;mail.none;authpriv.none;cron.none                /var/log/messages
    
    # The authpriv file has restricted access.
    authpriv.*                                              /var/log/secure
    
    # Log all the mail messages in one place.
    mail.*                                                  -/var/log/maillog
    
    # Log cron stuff
    cron.*                                                  /var/log/cron
    
    # Everybody gets emergency messages
    *.emerg                                                 :omusrmsg:*
    
    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                                          /var/log/spooler
    
    # Save boot messages also to boot.log
    local7.*                                                /var/log/boot.log
    
    
    # ### begin forwarding rule ###
    # The statement between the begin ... end define a SINGLE forwarding
    # rule. They belong together, do NOT split them. If you create multiple
    # forwarding rules, duplicate the whole block!
    # Remote Logging (we use TCP for reliable delivery)
    #
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
    #$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
    #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    #$ActionQueueType LinkedList   # run asynchronously
    #$ActionResumeRetryCount -1    # infinite retries if host is down
    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    #*.* @@remote-host:514
    
    # TCP/SSL Test
    # $ModLoad imuxsock # local messages
    $ModLoad imtcp # TCP listener
    
    # $PrivDropToGroup rsyslog
    # $PrivDropToUser rsyslog
    # make gtls driver the default
    $DefaultNetstreamDriver gtls
    
    # certificate files
    # $DefaultNetstreamDriverCAFile /opt/pem/ca.pem
    # $DefaultNetstreamDriverCertFile /opt/pem/machine-cert.pem
    # $DefaultNetstreamDriverKeyFile /opt/pem/machine-key.pem
    
    $DefaultNetstreamDriverCAFile /home/rsyslog/tls/myCert.pem
    $DefaultNetstreamDriverCertFile /home/rsyslog/tls/myCert.pem
    $DefaultNetstreamDriverKeyFile /home/rsyslog/tls/myKey.key
    
    $InputTCPServerStreamDriverAuthMode anon
    $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
    $InputTCPServerRun 514 # start up listener at port 1514
    
    # 保存syslog file path
    # $template Remote,"/var/log/syslog/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log"
    # $template ipRemote,"/var/log/syslog/%FROMHOST-IP%/%$YEAR%-%$MONTH%-%$DAY%.log"
    # if $fromhost-ip == '10.10.0.100'  then ?ipRemote
    # & ~
    
    $template Remote,"/home/rsyslog/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log"
    :fromhost-ip, !isequal, "127.0.0.1" ?Remote
    & ~
    # ### end of the forwarding rule ###
    
  2. 证书保存情况:

    [rsyslog@linux-syslogserver ~]$ pwd
    /home/rsyslog
    [rsyslog@linux-syslogserver ~]$ ll
    total 16
    drwx------. 2 rsyslog rsyslog   28 May  4 06:27 10.10.0.100
    -rw-rw-r--. 1 rsyslog rsyslog    4 May  4 06:58 log.pid
    -rw-------. 1 rsyslog rsyslog  262 May  4 06:55 nohup.out
    -rw-r--r--. 1 rsyslog rsyslog 4498 May  4 06:57 rsyslog.conf
    drwx------. 2 rsyslog rsyslog   41 May  4 05:54 tls
    

2.3 指定/usr/sbin/rsyslogd能使用1024以下端口

指定/usr/sbin/rsyslogd程序能使用1024以下端口

~ ] setcap cap_net_bind_service=+eip /usr/sbin/rsyslogd

补充:取消程序使用1024以下端口(不要执行)

~ ] setcap -r /path/to/application

2.4 修改/var目录下的log文件权限

让rsyslog用户有写的权限。

[root@rsyslog-server rsyslog]# chmod 722 /var/lib/rsyslog
[root@rsyslog-server rsyslog]# chmod 722 /var/log/messages
[root@rsyslog-server rsyslog]# chmod 722 /var/log/secure
[root@rsyslog-server rsyslog]# chmod 722 /var/log/maillog
[root@rsyslog-server rsyslog]# chmod 722 /var/log/cron
[root@rsyslog-server rsyslog]# chmod 722 /var/log/spooler
[root@rsyslog-server rsyslog]# chmod 722 /var/log/boot.lo

2.5 修改/var/lib/rsyslog目录权限

这一步很重要

含义:让rsyslog用户能读取imjournal.state文件。

[root@rsyslog-server rsyslog]# chmod -R 722 /var/lib/rsyslog
# 原权限为:
[root@rsyslog-server rsyslog]# ll /var/lib
drwx------. 2 root    root     29 Mar  8 04:11 rsyslog
# 更改后权限为:
[root@rsyslog-server rsyslog]# ll /var/lib
drwx-w--w-. 2 root    root     29 Mar  8 04:11 rsyslog

2.6 使用命令行启动rsyslogd程序

~ ] $ nohup /usr/sbin/rsyslogd -n -f /home/rsyslog/rsyslog.conf -i /home/rsyslog/log.pid >/dev/null 2>&1 &
[1] 2764
~ ] $

2.7 配置检查

# 检查端口 514端口是否启动
[root@linux-syslogserver 10.10.0.100]# netstat -tlunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      2764/rsyslogd       
tcp        0      0 127.0.0.1:38091         0.0.0.0:*               LISTEN      1288/node           
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      942/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1103/master         
tcp6       0      0 :::514                  :::*                    LISTEN      2764/rsyslogd       
tcp6       0      0 :::8080                 :::*                    LISTEN      943/httpd           
tcp6       0      0 :::22                   :::*                    LISTEN      942/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1103/master         
udp        0      0 127.0.0.1:323           0.0.0.0:*                           717/chronyd         
udp6       0      0 ::1:323                 :::*                                717/chronyd

# 检查日志文件是否更新
[rsyslog@linux-syslogserver ~]$ tail -f /home/rsyslog/10.10.0.100/2023-05-04.log 
May  4 18:59:03 other-server root: rsyslog test aaaaaaaaaaaabbbbbbbbbbbbbCCCCCCCCCCCCCCCCCCCCCCCb
May  4 19:01:01 other-server crond[7595]: pam_limits(crond:session): invalid line 'End of file' - skipped
May  4 19:01:01 other-server systemd: Started Session 4 of user root.
May  4 19:01:01 other-server CROND[7597]: (root) CMD (run-parts /etc/cron.hourly)
May  4 19:01:01 other-server run-parts(/etc/cron.hourly)[7597 starting 0anacron
May  4 19:01:01 other-server run-parts(/etc/cron.hourly)[7606 finished 0anacron
May  4 19:08:54 other-server chronyd[774]: Selected source 119.28.206.193
May  4 19:09:01 other-server anacron[3878]: Job `cron.weekly' started
May  4 19:09:01 other-server anacron[3878]: Job `cron.weekly' terminated
May  4 19:09:01 other-server anacron[3878]: Normal exit (2 jobs run)
0
广告 广告

评论区