Configuring an rsyslog server on Linux CentOS
1 Notes
The /etc/rsyslog.conf configuration file must be placed in the /etc directory; a configuration file at /etc/rsyslog.d/rsyslog.conf may not take effect.
2 rsyslog configuration file contents: /etc/rsyslog.conf
# imptcp is loaded here but no ptcp listener is configured below, so rsyslog reports
# "imptcp: no ptcp server defined, module can not run" at startup (see section 4.2);
# TCP 514 is served by imtcp.
$ModLoad imptcp.so
$ModLoad imudp.so
$ModLoad imtcp.so
#########################
##### Global config #####
#########################
# Specific file/directory permissions can be set
# this is particularly needed, if Splunk UF is running as non-root
$DirOwner root
$DirGroup root
$FileOwner root
$FileGroup root
$umask 0000
$DirCreateMode 0755
$FileCreateMode 0755
# ensure syslog is not truncated & room for burst
$MaxMessageSize 32k
$MainMsgQueueSize 100000
$RulesetCreateMainQueue on
############################################
##### Log remote sources classification ####
############################################
$RuleSet remoteLogging
$RulesetCreateMainQueue on
# catch all, all data that did not meet above criteria will end up here
$template unclassified, "/data/logs/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log"
*.* ?unclassified
# discard the message after writing it; rsyslog 8 warns that "~" is deprecated
# and suggests the "stop" statement instead (see the startup log in section 4.2)
& ~
##############################
###### Enable listeners ######
### listen on TCP/UDP 514 ###
##############################
$InputTCPServerBindRuleset remoteLogging
$InputTCPServerRun 514
$InputUDPServerBindRuleset remoteLogging
$UDPServerRun 514
3 Disabling SELinux
3.1 Check the SELinux status
If the SELinux status field shows enabled, SELinux is turned on.
/usr/sbin/sestatus -v
SELinux status: enabled
3.2 Disable SELinux
3.2.1 Temporarily (no reboot required)
setenforce 0 puts SELinux in permissive mode; setenforce 1 puts it back in enforcing mode. To disable it temporarily, run:
setenforce 0
3.2.2 Permanently (editing the configuration file requires a server reboot)
Edit the /etc/selinux/config configuration file and change SELINUX=enforcing to SELINUX=disabled.
[root@syslogserver etc]# vim /etc/selinux/config
[root@syslogserver etc]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@syslogserver etc]#
4 Checks
4.1 Check the ports
Use netstat -tlunp to check whether UDP/TCP port 514 is listening.
[root@syslogserver etc]# netstat -tlunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 942/rsyslogd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 939/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1110/master
tcp6 0 0 :::514 :::* LISTEN 942/rsyslogd
tcp6 0 0 :::22 :::* LISTEN 939/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1110/master
udp 0 0 127.0.0.1:323 0.0.0.0:* 715/chronyd
udp 0 0 0.0.0.0:514 0.0.0.0:* 942/rsyslogd
udp6 0 0 ::1:323 :::* 715/chronyd
udp6 0 0 :::514 :::* 942/rsyslogd
4.2 Check the service
Use systemctl status rsyslog to view the status of the rsyslog service.
[root@syslogserver etc]# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2022-04-20 10:22:36 EDT; 37min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 942 (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─942 /usr/sbin/rsyslogd -n
Apr 20 10:22:31 syslogserver systemd[1]: Starting System Logging Service...
Apr 20 10:22:36 syslogserver rsyslogd[942]: [origin software="rsyslogd" swVersion="8.24.0-57.el7_9.2" x-pid="942" x-info="http://www.rsyslog.com"] start
Apr 20 10:22:36 syslogserver rsyslogd[942]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.24.0-57.el7_9.2 try http://www.rsyslog.com/e/2307 ]
Apr 20 10:22:36 syslogserver rsyslogd[942]: imptcp: no ptcp server defined, module can not run. [v8.24.0-57.el7_9.2 try http://www.rsyslog.com/e/2172 ]
Apr 20 10:22:36 syslogserver rsyslogd[942]: activation of module imptcp.so failed [v8.24.0-57.el7_9.2 try http://www.rsyslog.com/e/-3 ]
Apr 20 10:22:36 syslogserver systemd[1]: Started System Logging Service.
4.3 Check whether files are being created in the log directory
Use the ll command to check whether files or directories have been created in the log directory.
[root@syslogserver etc]# ll /data/logs
total 0
drwxr-xr-x 2 root root 28 Apr 20 10:39 10.10.0.106
drwxr-xr-x. 2 root root 28 Apr 20 10:21 10.10.0.200
4.4 Check whether data is being sent
Use tcpdump to capture packets and check whether syslog data is arriving.
tcpdump -i ens33 port 514
-i specifies the network interface
port specifies the port
[root@syslogserver etc]# tcpdump -i ens33 port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
11:06:53.827449 IP 10.10.0.200.60584 > syslogserver.shell: Flags [P.], seq 1261825365:1261825638, ack 2691278109, win 229, options [nop,nop,TS val 5789496 ecr 2338143], length 273
11:06:53.827472 IP syslogserver.shell > 10.10.0.200.60584: Flags [.], ack 273, win 2863, options [nop,nop,TS val 2365811 ecr 5789496], length 0
11:07:06.084711 IP 10.10.0.106.55635 > syslogserver.syslog: SYSLOG daemon.error, length: 200
11:07:07.304469 IP 10.10.0.106.55635 > syslogserver.syslog: SYSLOG daemon.notice, length: 753
11:07:07.305152 IP 10.10.0.106.55635 > syslogserver.syslog: SYSLOG daemon.notice, length: 1472
11:07:07.305638 IP 10.10.0.106.55635 > syslogserver.syslog: SYSLOG daemon.notice, length: 418
11:07:07.306043 IP 10.10.0.106.55635 > syslogserver.syslog: SYSLOG daemon.notice, length: 431
4.5 Debugging rsyslog
[root@otherserver rsyslog.d]# /usr/sbin/rsyslogd -dn
3517.010528795:main thread : config parser: resume parsing of file /etc/rsyslog.d/rsyslog.conf at line 1
3517.010531611:main thread : cnf:global:cfsysline: $ModLoad imptcp.so
3517.010535862:main thread : Requested to load module 'imptcp.so'
3517.010538853:main thread : loading module '/usr/lib64/rsyslog/imptcp.so'
3517.010614828:main thread : source file imptcp.c requested reference for module 'lmnet', reference count now 4
3517.010635519:main thread : module imptcp.so of type 0 being loaded (keepType=0).
3517.010638643:main thread : module config name is 'imptcp'
3517.016586530:main thread : builtin:omfile
3517.016588192:main thread : builtin:ompipe
3517.016589755:main thread : builtin-shell
3517.016591347:main thread : builtin:omdiscard
3517.016592941:main thread : builtin:omfwd
3517.016594477:main thread : builtin:omusrmsg
3517.016595974:main thread : builtin:pmrfc5424
3517.016597510:main thread : builtin:pmrfc3164
3517.016599009:main thread : builtin:smfile
3517.016600519:main thread : builtin:smtradfile
3517.016602018:main thread : builtin:smfwd
3517.016603541:main thread : builtin:smtradfwd
3517.016605132:main thread : imuxsock
3517.016606755:main thread : imjournal
3517.016608255:main thread : imptcp.so
3517.016609866:main thread : imudp.so
3517.016611417:main thread : imtcp.so
3517.016613470:main thread : GenerateLocalHostName uses 'OtherServer'
3517.016616583:main thread : ratelimit:rsyslogd[dflt]:new ratelimiter:bReduceRepeatMsgs 0
3517.016619044:main thread : ratelimit:rsyslogd[internal_messages]:new ratelimiter:bReduceRepeatMsgs 0
3517.016625158:main thread : rsyslogd: checking if startup is ok, pidfile '/var/run/syslogd.pid'.
rsyslogd: pidfile '/var/run/syslogd.pid' and pid 4135 already exist.
If you want to run multiple instances of rsyslog, you need to specify
different pid files for them (-i option).
rsyslogd: run failed with error -3000 (see rsyslog.h or try http://www.rsyslog.com/e/3000 to learn what that number means)
4.6 Sending a test syslog message to rsyslog
logger -d -n xxx.xxx.xxx.xxx -P 514 "test message"
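As an added example (not part of the original page), a small Python test client tying together the template in section 2, the daemon.error priority tcpdump shows in 4.4, and the logger command above: it builds the RFC 3164 message that logger -d -n <server> -P 514 sends over UDP, decodes a PRI value, and computes the file the unclassified template writes to. The hostname client1, the tag test and the timestamp are constructed sample values, and syslogserver is a placeholder for your server's address.

```python
"""Test client for the rsyslog server configured above (added example, not from the page):
builds RFC 3164 messages, sends them over UDP like `logger -d` or over TCP, and predicts
the file the server's 'unclassified' template writes them to."""
import socket
from datetime import datetime
# Facility and severity codes from RFC 3164; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "error": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}    # "error" spelled as tcpdump prints it
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
MAX_MESSAGE_SIZE = 32 * 1024    # matches $MaxMessageSize 32k in the server config

def build_rfc3164(facility, severity, hostname, tag, msg, ts):
    """Return '<PRI>Mmm dd HH:MM:SS hostname tag: msg' (day space-padded per RFC 3164)."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    stamp = f"{MONTHS[ts.month - 1]} {ts.day:2d} {ts:%H:%M:%S}"
    line = f"<{pri}>{stamp} {hostname} {tag}: {msg}"
    if len(line.encode()) > MAX_MESSAGE_SIZE:
        raise ValueError("message exceeds $MaxMessageSize and would be truncated by the server")
    return line

def decode_pri(pri):
    """Invert PRI, e.g. 27 -> ('daemon', 'error'), the priority tcpdump shows in section 4.4."""
    facility = {v: k for k, v in FACILITIES.items()}[pri // 8]
    severity = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return facility, severity

def expected_log_path(source_ip, when, base="/data/logs"):
    """Resolve the template /data/logs/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log for one sender."""
    return f"{base}/{source_ip}/{when:%Y-%m-%d}.log"

def send_syslog(server, line, port=514, tcp=False):
    """UDP is what `logger -d -n <server> -P 514` uses; TCP uses LF framing, which imtcp accepts."""
    if tcp:
        with socket.create_connection((server, port), timeout=5) as s:
            s.sendall(line.encode() + b"\n")
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(line.encode(), (server, port))

if __name__ == "__main__":
    # Constructed sample: a daemon.error from client 10.10.0.106 at the time seen in section 4.4.
    when = datetime(2022, 4, 20, 11, 7, 6)
    line = build_rfc3164("daemon", "error", "client1", "test", "test message", when)
    print(line)                                     # <27>Apr 20 11:07:06 client1 test: test message
    print(decode_pri(27))                           # ('daemon', 'error')
    print(expected_log_path("10.10.0.106", when))   # /data/logs/10.10.0.106/2022-04-20.log
    # send_syslog("syslogserver", line)             # run on a host that can reach the server
```

After sending, the message should appear in the file returned by expected_log_path, and tcpdump on the server should show it as SYSLOG daemon.error.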