热门标签
热门文章
- 1SQL 遍历表的方法_sql遍历表中所有数据
- 2Hadoop大数据平台_dhp hadoop
- 3Linux下定时执行任务 crontab 命令
- 4天空盒1-天空盒的实现原理
- 5java Flink(四十二)Flink的序列化以及TypeInformation介绍(源码分析)_flink integertypeinfo
- 6区块链的应用:安全威胁与解决策略_区块链中的主要安全问题及解决方案
- 7【随笔】Git 基础篇 -- 远程仓库 git clone(二十五)
- 8C/C++ Runtime 多线程函数_::initialruntime()c++
- 9什么是AIOT?
- 10字节小游戏前端开发实习生一面、二面+HR面_一面二面hr面的区别
当前位置: article > 正文
【RSYSLOG系列】rsyslog远程服务器搭建
作者:笔触狂放9 | 2024-04-10 22:35:43
赞
踩
rsyslog
前言
在Linux系统中,rsyslog经常作为一个日志记录工具。Rsyslog的全称是rocket-fast system for log,它提供了高性能、高安全功能和模块化涉及,它能够接受各种各样来源的日志,输出到不同的目的地。同时,rsyslog可以通过多种协议,如UDP、TCP;也可以进行加密传输,如TLS。
本文章将介绍在centos上进行rsyslog远程服务器搭建。
一、TCP和UDP协议环境搭建
1. 确保服务器段与客户段网络连接正常
在服务端与客户端进行ping操作,可互相ping通即可。
2. 配置/etc/rsyslog.conf
2.1 打开rsyslog中TCP/UDP监听
ModLoad imudp与ModLoad imtcp两项配置为是否开启UDP/TCP监听
UDPServerRun与InputTCPServerRun两项配置为配置UDP/TCP监听端口
2.2 设置日志消息存储位置与文件命名
$template Remote配置项用于定义日志文件存放的位置,以及文件名的模板,详细细节如下:
$template Remote,"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
- 1
Remote为模板名称,可自定义名称;
"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%
Y
E
A
R
YEAR%-%
YEARMONTH%-%
D
A
Y
DAY%.log"是规定远程日志存放的地址,其中"%fromhost-ip%"是客户端的IP地址,"%
DAYYEAR%-%
M
O
N
T
H
MONTH%-%
MONTHDAY%"是远程日志发送过来的时间(年月日),所以本模板的含义是将远程日志存放在/var/log/remote_syslog目录下,根据远程日志的IP与日志时间来创建不同的文件夹与日志文件。
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
- 1
标识运行用模板Remote接受所有远程日志。
2.3 自定义日志接收格式
可选,一般情况下使用默认模板即可。
针对远程日志,rsyslog可以对接收到的日志消息的格式进行处理,若未设置,默认使用rsyslog自带的默认模板。
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
- 1
- 将rsyslog默认的版本注释掉
- 通过template指令自定义远程日志模板
$template myFormat,"%timegenerated% %FROMHOST-IP% %syslogtag% %msg%\n"
- 1
%timegenerated%: 日志生成时间
%FROMHOST-IP%: 日志来源主机IP
%syslogtag%: 日志生成服务
%msg%: 日志内容
注:
如果仅想要存储远程日志的原始数据,可使用以下模板:
$template myFormat,"%syslogtag% %msg%\n"
- 1
- 套用自定义的模板
$ActionFileDefaultTemplate myFormat
- 1
3. 关闭防火墙服务
在日志服务器端输入以下命令:
systemctl stop firewalld
setenforce 0
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
- 1
- 2
- 3
4. 重启与查看rsyslog服务
systemctl restart rsyslog 重启rsyslog服务
systemctl status rsyslog 查看rsyslog服务当前状态
5. 配置日志客户端
在日志客户端(即发送日志的服务器)中配置搭建的远程服务器IP端口等信息
6. 查看当前rsyslog监听状态
在日志服务端输入以下命令:
netstat -pan | grep syslog
- 1
查看syslog监听情况
7. 查看接收日志记录文件及内容
二、TLS协议环境搭建
TLS协议是一种基于TCP协议的加密传输协议,分为单向认证、双向认证。
1. 按照上一章节搭建服务器
2. 证书使用情况
客户端(发送日志端)证书使用情况:
| 单向认证 | 双向认证 | |
|---|---|---|
| 根证书 | Y | Y |
| 本地证书 | N | Y |
| 密钥 | N | Y |
服务端(接收日志端)证书使用情况:
| 单向认证 | 双向认证 | |
|---|---|---|
| 根证书 | Y | Y |
| 本地证书 | Y | Y |
| 密钥 | Y | Y |
3. 在/etc/rsyslog.conf文件中引用证书,并确保TCP监听处于开启
此处TCP开启使用新版rsyslog推荐格式。
3.1 单向认证
# make gtls driver the default $DefaultNetstreamDriver gtls # certificate files $DefaultNetstreamDriverCAFile /var/log/certtool/cacert.pem $DefaultNetstreamDriverCertFile /var/log/certtool/cert.pem $DefaultNetstreamDriverKeyFile /var/log/certtool/key.pem # load TCP listener module( load="imtcp" #StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.Authmode="anon" ) $InputTCPServerRun 514
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
3.2 双向认证
# make gtls driver the default $DefaultNetstreamDriver gtls # certificate files $DefaultNetstreamDriverCAFile /var/log/certtool/cacert.pem $DefaultNetstreamDriverCertFile /var/log/certtool/cert.pem $DefaultNetstreamDriverKeyFile /var/log/certtool/key.pem # load TCP listener module( load="imtcp" #StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.Authmode="x509/certvalid" ) $InputTCPServerRun 514
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
单向认证和双向认证在配置上的区别主要是"StreamDriver.Authmode"配置项。
三、 不同协议conf文件
1. TCP/UDP
# rsyslog configuration file # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### # The imjournal module bellow is now used as a message source instead of imuxsock. $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imjournal # provides access to the systemd journal #$ModLoad imklog # reads kernel messages (the same are read from journald) $ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 # Provides TCP syslog reception $ModLoad imtcp $InputTCPServerRun 514 #### GLOBAL DIRECTIVES #### # Where to place auxiliary files $WorkDirectory /var/lib/rsyslog # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # File syncing capability is disabled by default. This feature is usually not required, # not useful and an extreme performance hit #$ActionFileEnableSync on # Include all config files in /etc/rsyslog.d/ $IncludeConfig /etc/rsyslog.d/*.conf # Turn off message reception via local log socket; # local messages are retrieved through imjournal now. $OmitLocalLogging on # File to store the position in the journal $IMJournalStateFile imjournal.state $EscapeControlCharactersOnReceive off #### RULES #### # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* -/var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg :omusrmsg:* # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log # ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple # forwarding rules, duplicate the whole block! # Remote Logging (we use TCP for reliable delivery) # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. #$ActionQueueFileName fwdRule1 # unique name prefix for spool files #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown #$ActionQueueType LinkedList # run asynchronously #$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 $template Remote,"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" :fromhost-ip, !isequal, "127.0.0.1" ?Remote # ### end of the forwarding rule ###
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
2. TLS
2.1 单向认证
# rsyslog configuration file # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### # The imjournal module bellow is now used as a message source instead of imuxsock. $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imjournal # provides access to the systemd journal #$ModLoad imklog # reads kernel messages (the same are read from journald) $ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 # Provides TCP syslog reception #$ModLoad imtcp #$InputTCPServerRun 514 # make gtls driver the default $DefaultNetstreamDriver gtls # certificate files #$DefaultNetstreamDriverCAFile /var/syslog/tls/cacert.pem #$DefaultNetstreamDriverCertFile /var/syslog/tls/server/cert.pem #$DefaultNetstreamDriverKeyFile /var/syslog/tls/server/key.pem $DefaultNetstreamDriverCAFile /var/log/certtool/cacert.pem $DefaultNetstreamDriverCertFile /var/log/certtool/cert.pem $DefaultNetstreamDriverKeyFile /var/log/certtool/key.pem # load TCP listener module( load="imtcp" #StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.Authmode="anon" ) $InputTCPServerRun 514 #### GLOBAL DIRECTIVES #### # Where to place auxiliary files $WorkDirectory /var/lib/rsyslog # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # File syncing capability is disabled by default. This feature is usually not required, # not useful and an extreme performance hit #$ActionFileEnableSync on # Include all config files in /etc/rsyslog.d/ $IncludeConfig /etc/rsyslog.d/*.conf # Turn off message reception via local log socket; # local messages are retrieved through imjournal now. $OmitLocalLogging on # File to store the position in the journal $IMJournalStateFile imjournal.state $EscapeControlCharactersOnReceive off #### RULES #### # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* -/var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg :omusrmsg:* # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log # ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple # forwarding rules, duplicate the whole block! # Remote Logging (we use TCP for reliable delivery) # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. #$ActionQueueFileName fwdRule1 # unique name prefix for spool files #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown #$ActionQueueType LinkedList # run asynchronously #$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 $template Remote,"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" :fromhost-ip, !isequal, "127.0.0.1" ?Remote # ### end of the forwarding rule ###
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
2.2 双向认证
# rsyslog configuration file # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### # The imjournal module bellow is now used as a message source instead of imuxsock. $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imjournal # provides access to the systemd journal #$ModLoad imklog # reads kernel messages (the same are read from journald) $ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 # Provides TCP syslog reception #$ModLoad imtcp #$InputTCPServerRun 514 # make gtls driver the default $DefaultNetstreamDriver gtls # certificate files #$DefaultNetstreamDriverCAFile /var/syslog/tls/cacert.pem #$DefaultNetstreamDriverCertFile /var/syslog/tls/server/cert.pem #$DefaultNetstreamDriverKeyFile /var/syslog/tls/server/key.pem $DefaultNetstreamDriverCAFile /var/log/certtool/cacert.pem $DefaultNetstreamDriverCertFile /var/log/certtool/cert.pem $DefaultNetstreamDriverKeyFile /var/log/certtool/key.pem # load TCP listener module( load="imtcp" #StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.Authmode="x509/certvalid" ) $InputTCPServerRun 514 #### GLOBAL DIRECTIVES #### # Where to place auxiliary files $WorkDirectory /var/lib/rsyslog # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # File syncing capability is disabled by default. This feature is usually not required, # not useful and an extreme performance hit #$ActionFileEnableSync on # Include all config files in /etc/rsyslog.d/ $IncludeConfig /etc/rsyslog.d/*.conf # Turn off message reception via local log socket; # local messages are retrieved through imjournal now. $OmitLocalLogging on # File to store the position in the journal $IMJournalStateFile imjournal.state $EscapeControlCharactersOnReceive off #### RULES #### # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* -/var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg :omusrmsg:* # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log # ### begin forwarding rule ### # The statement between the begin ... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple # forwarding rules, duplicate the whole block! # Remote Logging (we use TCP for reliable delivery) # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. #$ActionQueueFileName fwdRule1 # unique name prefix for spool files #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown #$ActionQueueType LinkedList # run asynchronously #$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional #*.* @@remote-host:514 $template Remote,"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" :fromhost-ip, !isequal, "127.0.0.1" ?Remote # ### end of the forwarding rule ###
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/笔触狂放9/article/detail/401400
推荐阅读
相关标签
