侧边栏壁纸
  • 累计撰写 85 篇文章
  • 累计创建 39 个标签
  • 累计收到 9 条评论

目 录CONTENT

文章目录

Linux CentOS 配置rsyslog服务器

散漫的老何
2022-05-26 / 0 评论 / 0 点赞 / 1,196 阅读 / 1,404 字 / 正在检测是否收录...
温馨提示:
本文最后更新于 2022-10-22,若内容或图片失效,请留言反馈。部分素材来自网络,若不小心影响到您的利益,请联系我们删除。

Linux CentOS 配置rsyslog服务器

1 注意点

/etc/rsyslog.conf配置文件需要放到/etc目录下,/etc/rsyslog.d/rsyslog.conf配置文件可能不生效。

2 rsyslog配置文件内容 /etc/rsyslog.conf

$ModLoad imptcp.so
$ModLoad imudp.so
$ModLoad imtcp.so

#########################
##### Global config #####
#########################
# Specific file/directory permissions can be set
# this is particularly needed, if Splunk UF is running as non-root

$DirOwner root
$DirGroup root
$FileOwner root
$FileGroup root
$umask 0000
$DirCreateMode 0755
$FileCreateMode 0755

# ensure syslog is not truncated & room for burst
$MaxMessageSize 32k
$MainMsgQueueSize 100000
$RulesetCreateMainQueue on

############################################
##### Log remote sources classification ####
############################################
$RuleSet remoteLogging
$RulesetCreateMainQueue on

# catch all, all data that did not meet above criteria will end up here
$template unclassified, "/data/logs/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log"
*.* ?unclassified
& ~

##############################
###### Enable listeners ######
###  listen on TCP/UDP 514 ###
##############################

$InputTCPServerBindRuleset remoteLogging
$InputTCPServerRun 514
$InputUDPServerBindRuleset remoteLogging
$UDPServerRun 514

3 关闭SELinux

3.1 查看SELinux状态

如果SELinux status参数为enabled即为开启状态

/usr/sbin/sestatus -v
SELinux status:                 enabled

3.2 关闭SELinux

3.2.1 临时关闭(不用重启机器)

setenforce 0 设置SELinux 成为permissive模式
setenforce 1 设置SELinux 成为enforcing模式

setenforce 0

3.2.2 长期关闭(修改配置文件需要重启服务器)

修改/etc/selinux/config配置文件,

SELINUX=enforcing修改成SELINUX=disabled

[root@syslogserver etc]# vim /etc/selinux/config 
[root@syslogserver etc]# cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 


[root@syslogserver etc]# 

4 检查

4.1 检查端口

使用netstat -tlunp检查udp/tcp 514 端口是否启动

[root@syslogserver etc]# netstat -tlunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      942/rsyslogd        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      939/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1110/master         
tcp6       0      0 :::514                  :::*                    LISTEN      942/rsyslogd        
tcp6       0      0 :::22                   :::*                    LISTEN      939/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1110/master         
udp        0      0 127.0.0.1:323           0.0.0.0:*                           715/chronyd         
udp        0      0 0.0.0.0:514             0.0.0.0:*                           942/rsyslogd        
udp6       0      0 ::1:323                 :::*                                715/chronyd         
udp6       0      0 :::514                  :::*                                942/rsyslogd  

4.2 检查服务

使用systemctl status rsyslog命令查看rsyslog服务状态

[root@syslogserver etc]# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2022-04-20 10:22:36 EDT; 37min ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 942 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─942 /usr/sbin/rsyslogd -n

Apr 20 10:22:31 syslogserver systemd[1]: Starting System Logging Service...
Apr 20 10:22:36 syslogserver rsyslogd[942]:  [origin software="rsyslogd" swVersion="8.24.0-57.el7_9.2" x-pid="942" x-info="http://www.rsyslog.com"] start
Apr 20 10:22:36 syslogserver rsyslogd[942]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.24.0-57.el7_9.2 try http://www.rsyslog.com/e/2307 ]
Apr 20 10:22:36 syslogserver rsyslogd[942]: imptcp: no ptcp server defined, module can not run. [v8.24.0-57.el7_9.2 try http://www.rsyslog.com/e/2172 ]
Apr 20 10:22:36 syslogserver rsyslogd[942]: activation of module imptcp.so failed [v8.24.0-57.el7_9.2 try http://www.rsyslog.com/e/-3 ]
Apr 20 10:22:36 syslogserver systemd[1]: Started System Logging Service.

4.3 检查数据保存目录是否有文件创建

使用ll命令查看数据保存目录是否有文件或者目录创建

[root@syslogserver etc]# ll /data/logs
total 0
drwxr-xr-x  2 root root 28 Apr 20 10:39 10.10.0.106
drwxr-xr-x. 2 root root 28 Apr 20 10:21 10.10.0.200

4.4 查看是否有数据发送

使用tcpdump命令抓数据包,查看是否有syslog数据发送过来。

tcpdump -i ens33 port 514

-i 指定网卡

port 指定端口

[root@syslogserver etc]# tcpdump -i ens33 port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes

11:06:53.827449 IP 10.10.0.200.60584 > syslogserver.shell: Flags [P.], seq 1261825365:1261825638, ack 2691278109, win 229, options [nop,nop,TS val 5789496 ecr 2338143], length 273
11:06:53.827472 IP syslogserver.shell > 10.10.0.200.60584: Flags [.], ack 273, win 2863, options [nop,nop,TS val 2365811 ecr 5789496], length 0
11:07:06.084711 IP 10.10.0.106.55635 > syslogserver.syslog: SYSLOG daemon.error, length: 200
11:07:07.304469 IP 10.10.0.106.55635 > syslogserver.syslog: SYSLOG daemon.notice, length: 753
11:07:07.305152 IP 10.10.0.106.55635 > syslogserver.syslog: SYSLOG daemon.notice, length: 1472
11:07:07.305638 IP 10.10.0.106.55635 > syslogserver.syslog: SYSLOG daemon.notice, length: 418
11:07:07.306043 IP 10.10.0.106.55635 > syslogserver.syslog: SYSLOG daemon.notice, length: 431

4.5 Rsyslog 调试

/usr/sbin/rsyslogd -dn

[root@otherserver rsyslog.d]#
3517.010528795:main thread    : config parser: resume parsing of file /etc/rsyslog.d/rsyslog.conf at line 1
3517.010531611:main thread    : cnf:global:cfsysline: $ModLoad imptcp.so
3517.010535862:main thread    : Requested to load module 'imptcp.so'
3517.010538853:main thread    : loading module '/usr/lib64/rsyslog/imptcp.so'
3517.010614828:main thread    : source file imptcp.c requested reference for module 'lmnet', reference count now 4
3517.010635519:main thread    : module imptcp.so of type 0 being loaded (keepType=0).
3517.010638643:main thread    : module config name is 'imptcp'
3517.016586530:main thread    : builtin:omfile
3517.016588192:main thread    : builtin:ompipe
3517.016589755:main thread    : builtin-shell
3517.016591347:main thread    : builtin:omdiscard
3517.016592941:main thread    : builtin:omfwd
3517.016594477:main thread    : builtin:omusrmsg
3517.016595974:main thread    : builtin:pmrfc5424
3517.016597510:main thread    : builtin:pmrfc3164
3517.016599009:main thread    : builtin:smfile
3517.016600519:main thread    : builtin:smtradfile
3517.016602018:main thread    : builtin:smfwd
3517.016603541:main thread    : builtin:smtradfwd
3517.016605132:main thread    : imuxsock
3517.016606755:main thread    : imjournal
3517.016608255:main thread    : imptcp.so
3517.016609866:main thread    : imudp.so
3517.016611417:main thread    : imtcp.so
3517.016613470:main thread    : GenerateLocalHostName uses 'OtherServer'
3517.016616583:main thread    : ratelimit:rsyslogd[dflt]:new ratelimiter:bReduceRepeatMsgs 0
3517.016619044:main thread    : ratelimit:rsyslogd[internal_messages]:new ratelimiter:bReduceRepeatMsgs 0
3517.016625158:main thread    : rsyslogd: checking if startup is ok, pidfile '/var/run/syslogd.pid'.
rsyslogd: pidfile '/var/run/syslogd.pid' and pid 4135 already exist.
If you want to run multiple instances of rsyslog, you need to specify
different pid files for them (-i option).
rsyslogd: run failed with error -3000 (see rsyslog.h or try http://www.rsyslog.com/e/3000 to learn what that number means)

4.6 Rsyslog 测试发送syslog 日志

logger -d -n xxx.xxx.xxx.xxx -P 514 "test message"
0
广告 广告

评论区