Building a centralized log server on Linux with rsyslog

(I) Introduction to rsyslog
rsyslog is a fast program for collecting and processing system logs; it offers high performance, security features and a modular design. rsyslog is an enhanced successor to syslog: it accepts input from many sources, transforms it, and delivers the result to a destination.
rsyslog is an open-source tool that is widely used on Linux systems to forward or receive log messages over TCP or UDP. The rsyslog daemon can be configured in two roles. As a log collection server, the rsyslog process gathers log data from other hosts on the network, which are in turn configured to send their logs to that remote server. In the other role, rsyslog acts as a client that filters local log messages and sends them either to local files (for example under /var/log) or to a reachable remote rsyslog server.
logrotate is a log file management tool. It rotates, compresses and deletes old files and creates fresh log files. Rotation can be triggered by file size, age and so on, which keeps log files manageable; it is normally driven by a cron job.

No.  IP address      Role     Note
1    192.168.99.99   server
2    192.168.99.98   client

(II) rsyslog server-side configuration
1. rsyslog is installed by default; if it is missing, install it with:
[root@localhost samba]# yum install rsyslog -y

2. Edit the /etc/rsyslog.conf configuration file and enable the UDP and TCP input modules: $ModLoad imudp, $UDPServerRun 514, $ModLoad imtcp,
$InputTCPServerRun 514

[root@localhost samba]# vim /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal

##### enable receiving logs over UDP
$ModLoad imudp
$UDPServerRun 514
$template RemoteHost,"/data/syslog/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log"   
*.*  ?RemoteHost
& ~
#### enable receiving logs over TCP
$ModLoad imtcp
$InputTCPServerRun 514

$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

####### include every configuration file ending in .conf under /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf     

$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                                /etc/keepalived/keepalived.log

3. Restart the rsyslog service

[root@zabbix 2018-05-23]# systemctl restart rsyslog
[root@zabbix 2018-05-23]# systemctl status rsyslog
[root@localhost samba]# netstat -anp|grep 514
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1445/rsyslogd       
tcp6       0      0 :::514                  :::*                    LISTEN      1445/rsyslogd       
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1445/rsyslogd       
udp6       0      0 :::514                  :::*                                1445/rsyslogd

(III) rsyslog client configuration
1. Edit the client's rsyslog configuration file:

[root@server98 log]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %msg%\n"   ####### definition of a custom template
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.*          @192.168.99.99:514                      ######## this line tells the rsyslog daemon to route every message from all facilities on this system to UDP port 514 of the remote rsyslog server (192.168.99.99). @@ forwards over TCP, a single @ forwards over UDP.
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                             /etc/keepalived/keepalived.log

2. Restart the client's rsyslog service

[root@server98 log]# systemctl restart rsyslog
[root@server98 log]# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since 四 2018-05-24 16:57:04 CST; 4s ago
 Main PID: 44765 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─44765 /usr/sbin/rsyslogd -n

5月 24 16:57:04 server98 systemd[1]: Starting System Logging Service...
5月 24 16:57:04 server98 systemd[1]: Started System Logging Service.

(IV) Check that logs are written correctly on the client and on the server.
(1) Check that the server writes /data/<date>/<ip>.log correctly.

[root@zabbix 2018-05-24]# tail -f /data/2018-05-24/192.168.99.98.log 
2018-05-24T17:02:52+08:00 server98 postfix/pickup[41198]: AAC764ACB03: uid=0 from=<smokealert@company.xy>
2018-05-24T17:02:52+08:00 server98 postfix/cleanup[45967]: AAC764ACB03: message-id=<20180524090252.AAC764ACB03@server98.localdomain>
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AAC764ACB03: from=<smokealert@company.xy>, size=851, nrcpt=1 (queue active)
2018-05-24T17:02:52+08:00 server98 postfix/smtp[39596]: AAC764ACB03: to=<alertee@address.somewhere>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=address.somewhere type=AAAA: Host not found)
2018-05-24T17:02:52+08:00 server98 postfix/cleanup[45967]: AB6804ACB0B: message-id=<20180524090252.AB6804ACB0B@server98.localdomain>
2018-05-24T17:02:52+08:00 server98 postfix/bounce[45968]: AAC764ACB03: sender non-delivery notification: AB6804ACB0B
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AB6804ACB0B: from=<>, size=2811, nrcpt=1 (queue active)
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AAC764ACB03: removed
2018-05-24T17:02:52+08:00 server98 postfix/smtp[39597]: AB6804ACB0B: to=<smokealert@company.xy>, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=company.xy type=AAAA: Host not found)
2018-05-24T17:02:52+08:00 server98 postfix/qmgr[2356]: AB6804ACB0B: removed
2018-05-24T17:14:33+08:00 server98 root: hello world

(2) Generate a log entry on the client and check whether it is synchronized; both sides now have it:
[root@server98 ~]# tail -f /var/log/messages
May 24 17:11:40 server98 Keepalived_vrrp[49377]: VRRP_Script(chk_http_port) succeeded
May 24 17:11:52 server98 smokeping[38532]: Alert someloss is active for Other.hefei.hefei-office2
May 24 17:11:52 server98 smokeping[38532]: Alert someloss is active for Other.wuxi.wuxi-office2
May 24 17:12:52 server98 smokeping[38532]: Alert someloss is active for Other.hefei.hefei-office2
May 24 17:12:52 server98 smokeping[38532]: Alert someloss is active for Other.wuxi.wuxi-office2
May 24 17:13:52 server98 smokeping[38532]: Alert someloss is active for Other.hefei.hefei-office2
May 24 17:13:52 server98 smokeping[38532]: Alert someloss is active for Other.wuxi.wuxi-office2
May 24 17:14:33 server98 root: hello world

At this point, log synchronization between the log server and the client is complete.

Notes:
1. Facility is the syslog module: rsyslog uses the facility concept to identify the source of a log message so that logs can be classified. Facility: 24 values (0-23) are available; some of them are missing from Python's syslog library.
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16-23     local0 - local7
Commonly used facilities: [figure not reproduced]

2. Severity: log levels
0 Emergency
1 Alert
2 Critical
3 Error
4 Warning
5 Notice
6 Informational
7 Debug
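The selector syntax used in both configurations above, together with the facility and severity numbering in these two tables, decides where each message ends up (for example why authpriv messages reach /var/log/secure but not /var/log/messages). The following added example (my code, not from the original post) models that evaluation in Python: decode_pri() splits a syslog <PRI> value into facility and severity, selector_matches() evaluates a legacy selector, and route() walks the server-side rule set from section (II), which is reproduced in SERVER_RULES. Only the selector forms present on this page are handled.

```python
# Added example, not from the post: model rsyslog legacy selector routing with
# the facility/severity numbering above. Handles only the forms on this page
# (facility lists, '*', 'none'), not the '=' / '!' modifiers.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", 12: "ntp", 13: "audit", 14: "alert",
              15: "clock", **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """Split a syslog <PRI> value (facility * 8 + severity) into names."""
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def selector_matches(selector, facility, severity):
    """'fac[,fac].level;fac.none;...' as syslog.conf reads it: later ';' parts
    override earlier ones for their facilities; 'level' = that severity or worse."""
    sev = SEVERITIES.index(severity)
    matched = False
    for part in selector.split(";"):
        facs, _, level = part.rpartition(".")
        facs = facs.split(",")
        if "*" not in facs and facility not in facs:
            continue
        if level == "none":
            matched = False
        elif level == "*":
            matched = True
        else:
            matched = sev <= SEVERITIES.index(level)
    return matched


# Server-side rules from section (II) in file order; '& ~' is the discard action.
SERVER_RULES = [
    ("*.*", "?RemoteHost"), ("*.*", "~"),
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"), ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"), ("*.emerg", ":omusrmsg:*"),
    ("uucp,news.crit", "/var/log/spooler"), ("local7.*", "/var/log/boot.log"),
    ("local0.*", "/etc/keepalived/keepalived.log"),
]

def route(pri, rules=SERVER_RULES):
    """Targets a message with this PRI reaches, in order, stopping at '~'."""
    facility, severity = decode_pri(pri)
    targets = []
    for selector, target in rules:
        if selector_matches(selector, facility, severity):
            if target == "~":
                break
            targets.append(target)
    return targets
```

Because `*.* ?RemoteHost` followed by `& ~` carries no condition on the sender, route() stops at the discard rule for every message, the server's own local ones included; the per-facility rules below it are only reached if that pair is restricted to remote senders (rsyslog's property-based filters on fromhost-ip can do this).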


Important configuration files:
1. rsyslog server-side configuration:

[root@zabbix 2018-05-23]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
$template RemoteHost,"/data/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log"
*.*  ?RemoteHost
& ~
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                                /etc/keepalived/keepalived.log


2. rsyslog client configuration

[root@server98 log]# grep -v "^$" /etc/rsyslog.conf | grep -v "^#"
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %msg%\n"
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none          @192.168.99.99:514
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                             /etc/keepalived/keepalived.log