rsyslog
RSYSLOG is the rocket-fast system for log processing.
- rsyslog is the system logging service on CentOS 6 and later. It offers high performance, strong security features and a modular design.
- Although rsyslog started out as a regular syslogd, it has grown into a Swiss-army-knife logging tool that accepts input from many sources, transforms it, and writes it to many different destinations.
- With limited processing applied, rsyslog can deliver over a million messages per second to local destinations. Even with remote destinations and more elaborate processing, its performance is usually still described as "stunning".
rsyslog features
- Multithreaded
- UDP, TCP, SSL/TLS and RELP transports
- Log storage in MySQL, PostgreSQL and Oracle
- Powerful filters that can match on any part of a log message
- Customisable output formats
- Suitable for enterprise-class relay chains
rsyslog ships with the system
- rsyslog is part of the base installation, so it is already present after the OS install:
[root@C8-192 ~]# rpm -qi rsyslog
Name : rsyslog
Version : 8.1911.0
Release : 6.el8
Architecture: x86_64
Install Date: Mon 31 May 2021 06:55:55 PM CST
Group : System Environment/Daemons
Size : 2428362
License : (GPLv3+ and ASL 2.0)
Signature : RSA/SHA256, Tue 21 Jul 2020 09:42:03 AM CST, Key ID 05b555b38483c65d
Source RPM : rsyslog-8.1911.0-6.el8.src.rpm
Build Date : Tue 21 Jul 2020 09:33:16 AM CST
Build Host : x86-02.mbox.centos.org
Relocations : (not relocatable)
Packager : CentOS Buildsys <bugs@centos.org>
Vendor : CentOS
URL : http://www.rsyslog.com/
Summary : Enhanced system logging and kernel message trapping daemon
Description :
Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part,
and fine grain output format control. It is compatible with stock sysklogd
and can be used as a drop-in replacement. Rsyslog is simple to set up, with
advanced features suitable for enterprise-class, encryption-protected syslog
relay chains.
rsyslog related files
- Package: rsyslog
- Main program: /usr/sbin/rsyslogd
- CentOS 6: /etc/rc.d/init.d/rsyslog {start|stop|restart|status}
- CentOS 7, 8: /usr/lib/systemd/system/rsyslog.service (systemctl {start|stop|restart|status} rsyslog)
- Configuration files: /etc/rsyslog.conf, /etc/rsyslog.d/*.conf
- Module libraries: /usr/lib64/rsyslog/*.so (/lib64 is a symlink to /usr/lib64 on CentOS 7 and 8)
rsyslog configuration file
- /etc/rsyslog.conf, showing only the active (non-comment) lines:
sed -n '/^[^#]/p' /etc/rsyslog.conf
module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
SysSock.Use="off") # Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
module(load="imjournal" # provides access to the systemd journal
StateFile="imjournal.state") # File to store the position in the journal
input(type="imudp" port="514")
input(type="imtcp" port="514")
global(workDirectory="/var/lib/rsyslog")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
include(file="/etc/rsyslog.d/*.conf" mode="optional")
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
Layout of the configuration file
It consists of three sections:
- MODULES: which input/output modules to load, and their settings
- GLOBAL DIRECTIVES: global settings
- RULES: which messages are written to which target
Modules
#### MODULES ####
module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
SysSock.Use="off") # Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
module(load="imjournal" # provides access to the systemd journal
StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
- Decide which modules to load: load the ones you need and leave the rest out. An input() statement only works once its module has been loaded, so the imudp/imtcp inputs above need the matching module(load="imudp") / module(load="imtcp") lines uncommented as well; check with rsyslogd -N1 that the configuration parses and with ss -lnup / ss -lntp that port 514 is really listening. Those listeners accept syslog from any host that can reach them, unauthenticated and in clear text, so enable them only on a host meant to collect logs, restrict the senders with the firewall, and prefer TCP with TLS over plain UDP for anything that crosses an untrusted network.
rpm -ql rsyslog | grep imux
/usr/lib64/rsyslog/imuxsock.so
Global directives
Working directory, the default output template for files, and where to pull in additional configuration files
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")
# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")
Rules
- The rules are the core of the configuration
- They define which messages are written to which target
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
- The busiest log file is /var/log/messages:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
- Every facility at level info or above, except mail, authpriv and cron, is written to /var/log/messages; those three facilities get their own files in the rules that follow.
- A leading "-" on a file path (as in -/var/log/maillog) requests asynchronous writes: messages are buffered and flushed later instead of being synced to disk on every write. That improves performance but buffered lines are lost if the system crashes before they are flushed. Note that rsyslog only honours the "-" when $ActionFileEnableSync is on; it is off by default, so with the stock configuration every file is written without per-message sync regardless of the prefix.
Notes on the rule syntax
Priority field
*: all levels
none: no level, i.e. do not log this facility through this rule
PRIORITY: the given level and every more severe level
=PRIORITY: only the given level
Target field
File path: usually under /var/log/; a leading - means asynchronous writes (see above)
User: deliver the event to the named users' terminals with :omusrmsg:user1,user2; * means every logged-in user
Log server: @host sends the messages to a remote syslog server over UDP, @@host over TCP (a port can be appended, e.g. @@host:514). Both carry the logs unencrypted and unauthenticated; use TLS for anything that crosses an untrusted network.
Named pipe: |/path/to/fifo writes the messages into a FIFO that another program reads. The target is a pipe file, not a shell command line; to hand messages directly to a program, use the omprog module.
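The selector semantics above are easy to get wrong, so here is a small evaluator for them. This is an added example in Python, not code from this page or from rsyslog: it reimplements the legacy selector matching for the four priority forms listed above (the "!" negation forms are left out), applying the ";"-separated selectors of one rule left to right so that a later selector overrides an earlier one for the facilities it names, which is what makes "*.info;mail.none" mean "info and above, except mail". Each rule is evaluated independently, as rsyslog does unless a rule is followed by "& stop". DEFAULT_RULES is copied from the RULES section above plus the local2 rule that the sshd example further down adds; the lookups in main are constructed.

```python
"""Evaluate classic rsyslog selector rules ("facility.priority  target")."""
from __future__ import annotations

# syslog(3) priority codes; a lower number is more severe.
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
# Spellings the legacy selector syntax also accepts.
PRIORITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

# The RULES section quoted above plus the local2 rule added in the sshd example.
DEFAULT_RULES = [
    "*.info;mail.none;authpriv.none;cron.none /var/log/messages",
    "authpriv.* /var/log/secure",
    "mail.* -/var/log/maillog",
    "cron.* /var/log/cron",
    "*.emerg :omusrmsg:*",
    "uucp,news.crit /var/log/spooler",
    "local7.* /var/log/boot.log",
    "local2.* /var/log/sshd.log",
]


def priority_code(name: str) -> int:
    name = name.lower()
    return PRIORITIES[PRIORITY_ALIASES.get(name, name)]


def parse_rule(line: str) -> tuple[dict[str, set[int]], str]:
    """Return ({facility: accepted priority codes}, target) for one rule line.

    Selectors separated by ';' are applied left to right, and a later selector
    overwrites the earlier setting for the facilities it names: that is how
    '*.info;mail.none' comes to mean 'info and above, except mail'.
    """
    selectors, target = line.split(None, 1)
    accepted: dict[str, set[int]] = {}
    for selector in selectors.split(";"):
        facs, _, prio = selector.rpartition(".")
        fac_list = FACILITIES if facs == "*" else [f.lower() for f in facs.split(",")]
        if prio == "*":                       # every level
            codes = set(PRIORITIES.values())
        elif prio == "none":                  # drop this facility from the rule
            codes = set()
        elif prio.startswith("="):            # exactly this level
            codes = {priority_code(prio[1:])}
        else:                                 # this level and everything more severe
            codes = {c for c in PRIORITIES.values() if c <= priority_code(prio)}
        for fac in fac_list:
            accepted[fac] = codes
    return accepted, target.strip()


def route(rules: list[str], facility: str, priority: str) -> list[str]:
    """List the targets (as written, '-' prefix included) that facility.priority hits."""
    code = priority_code(priority)
    hits = []
    for line in rules:
        accepted, target = parse_rule(line)
        if code in accepted.get(facility.lower(), set()):
            hits.append(target)
    return hits


if __name__ == "__main__":
    for fac, prio in [("authpriv", "info"), ("cron", "debug"), ("news", "err"),
                      ("news", "crit"), ("kern", "emerg"), ("local2", "info"),
                      ("user", "debug")]:
        print(f"{fac}.{prio:<7} -> {route(DEFAULT_RULES, fac, prio) or 'dropped'}")
```

Running it shows authpriv.info landing only in /var/log/secure, cron.debug only in /var/log/cron, news.err in /var/log/messages but not /var/log/spooler, and local2.info in both /var/log/messages and /var/log/sshd.log. That last pair is the duplication to remember when a service is moved to a local facility: nothing in the default rules stops a message after the first match.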
Log file layout
- There are many log files (/var/log/messages, cron, secure, ...),
- and they share the same basic layout, produced by the RSYSLOG_TraditionalFileFormat template set in the global directives:
date and time of the event  host  program[pid]: message text
The traditional timestamp carries neither year nor time zone, and the host and program fields are whatever the sending process (or, for forwarded logs, the remote host) put into the message.
- View the security log (authpriv messages, such as the sshd, PAM and polkitd entries below)
[root@C8-192 ~]# tail /var/log/secure
May 31 18:32:13 C8-192 sshd[30815]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.88
Jun 1 17:12:42 C8-192 sshd[821]: Server listening on 0.0.0.0 port 22.
Jun 1 17:12:42 C8-192 sshd[821]: Server listening on :: port 22.
Jun 1 17:12:42 C8-192 polkitd[799]: Loading rules from directory /etc/polkit-1/rules.d
Jun 1 17:12:42 C8-192 polkitd[799]: Loading rules from directory /usr/share/polkit-1/rules.d
Jun 1 17:12:42 C8-192 polkitd[799]: Finished loading, compiling and executing 2 rules
Jun 1 17:12:42 C8-192 polkitd[799]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jun 1 17:26:36 C8-192 sshd[1704]: Accepted publickey for root from 10.0.0.88 port 49324 ssh2: RSA SHA256:SkkJUczJ2TjwOv/dIQbqe5s9mQlhDLk+YXeNiOK2Fs0
Jun 1 17:26:36 C8-192 systemd[1707]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jun 1 17:26:36 C8-192 sshd[1704]: pam_unix(sshd:session): session opened for user root by (uid=0)
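Reading /var/log/secure by hand does not scale, so here is a parser for the layout above that pulls out the authentication events. This is an added example in Python, not code from this page: it splits each traditional-format line into timestamp, host, program[pid] and message, then scans sshd messages for "Accepted ..." logins, "Failed password ..." attempts and the "PAM N more authentication failures" summary line seen above, and flags source addresses with repeated failures. SAMPLE_SECURE is constructed: it mixes lines shown above with invented "Failed password" lines from 10.0.0.99, and the failure threshold is an arbitrary choice.

```python
"""Parse traditional-format syslog lines and summarise sshd authentication events."""
import re
from collections import Counter

# Layout of RSYSLOG_TraditionalFileFormat: "Mon DD HH:MM:SS host program[pid]: message".
# The day is space-padded ("Jun  1"), hence " {1,2}"; the [pid] part is optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# sshd message shapes we care about (OpenSSH wording).
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAILED_RE = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
# PAM collapses repeated failures into one summary line; the count is in the message.
PAM_MORE_RE = re.compile(r"^PAM (?P<n>\d+) more authentication failures;.*\brhost=(?P<ip>\S*)")

# Constructed sample: lines quoted on this page plus invented failures from 10.0.0.99.
SAMPLE_SECURE = """\
May 31 18:32:13 C8-192 sshd[30815]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.88
Jun  1 17:12:42 C8-192 sshd[821]: Server listening on 0.0.0.0 port 22.
Jun  1 17:12:42 C8-192 polkitd[799]: Loading rules from directory /etc/polkit-1/rules.d
Jun  1 17:20:01 C8-192 sshd[1650]: Failed password for invalid user admin from 10.0.0.99 port 51000 ssh2
Jun  1 17:20:04 C8-192 sshd[1650]: Failed password for invalid user admin from 10.0.0.99 port 51000 ssh2
Jun  1 17:20:07 C8-192 sshd[1652]: Failed password for root from 10.0.0.99 port 51002 ssh2
Jun  1 17:26:36 C8-192 sshd[1704]: Accepted publickey for root from 10.0.0.88 port 49324 ssh2: RSA SHA256:SkkJUczJ2TjwOv/dIQbqe5s9mQlhDLk+YXeNiOK2Fs0
Jun  1 17:26:36 C8-192 sshd[1704]: pam_unix(sshd:session): session opened for user root by (uid=0)
""".splitlines()


def parse_line(line):
    """Split one traditional-format line into its fields; None if it does not fit."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def summarize_sshd_auth(lines, fail_threshold=3):
    """Count sshd logins and failed attempts per source address.

    Returns {"accepted": [(user, ip, method), ...],
             "failures": {ip: count},
             "suspicious": [ip, ...]}   # addresses with >= fail_threshold failures
    """
    accepted = []
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prog"] != "sshd":
            continue
        msg = rec["msg"]
        m = ACCEPTED_RE.match(msg)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
            continue
        m = FAILED_RE.match(msg)
        if m:
            failures[m["ip"]] += 1
            continue
        m = PAM_MORE_RE.match(msg)
        if m:
            failures[m["ip"]] += int(m["n"])
    suspicious = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return {"accepted": accepted, "failures": dict(failures), "suspicious": suspicious}


if __name__ == "__main__":
    report = summarize_sshd_auth(SAMPLE_SECURE)
    for user, ip, method in report["accepted"]:
        print(f"login  {user}@{ip} via {method}")
    for ip, n in sorted(report["failures"].items()):
        flag = "  <-- suspicious" if ip in report["suspicious"] else ""
        print(f"failed {n:3d} from {ip}{flag}")
```

On the sample this reports one public-key login for root from 10.0.0.88, two failures from that address (taken from the PAM summary line) and three from 10.0.0.99, which is the only address over the threshold. Because the traditional timestamp has no year, anything that orders or ages events across a year boundary needs the year supplied from elsewhere, e.g. the file's mtime or the journal.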
Configuration example
A dedicated log file for the sshd service
- By default sshd logs to the authpriv facility (CentOS ships sshd_config with "SyslogFacility AUTHPRIV"), so its messages go to /var/log/secure through the authpriv.* rule above, not to /var/log/messages.
- By pointing sshd at a spare local facility and adding a matching rsyslog rule, its messages can be written to a file of our choosing.
Edit the sshd configuration
- Replace the SyslogFacility value in sshd_config. sshd_config(5) states that the first value found for a keyword wins, so the existing line must be changed in place; appending a second SyslogFacility line after it would leave AUTHPRIV in effect. sshd -T prints the effective configuration, which is the quickest way to confirm the change:
sed -ri.bak 's/^SyslogFacility\s.*/SyslogFacility LOCAL2/' /etc/ssh/sshd_config
sshd -T | grep -i syslogfacility    # expected: syslogfacility LOCAL2
Edit the rsyslog configuration
- Add a rule for the local2 facility. Facility names in selectors are matched case-insensitively, so "Local2.*" also works, but lowercase is the convention. Putting the rule in /etc/rsyslog.d/ (already pulled in by the include() line) keeps the main file untouched; appending it to /etc/rsyslog.conf as before works just as well:
printf '#sshd.log\nlocal2.*\t/var/log/sshd.log\n' > /etc/rsyslog.d/sshd.conf
rsyslogd -N1    # syntax-check the whole configuration before restarting
- Two caveats with this setup. First, local2.info still matches the *.info rule, so every sshd message is now written to /var/log/messages as well as to /var/log/sshd.log, and no longer to /var/log/secure; add a "& stop" line after the rule if only the dedicated file is wanted. Second, the new file is created with omfile's default mode rather than the restrictive permissions of /var/log/secure, even though it records the user names and source addresses of every login attempt; write the rule as local2.* action(type="omfile" file="/var/log/sshd.log" fileCreateMode="0600") to create it root-only, check it with ls -l, and add it to logrotate since it is not in /etc/logrotate.d/rsyslog.
Reload sshd and restart rsyslog for the changes to take effect
systemctl reload sshd && systemctl restart rsyslog
Write a test message and check the log
- The first line below is what logger -p local2.info "i am sshd.log" produces (the tag defaults to the login name; the pid is supplied by the journal, through which local messages reach rsyslog on CentOS 8). The remaining lines are sshd's own messages after the reload, including a later restart (signal 15) and two public-key logins.
[root@C8-192 ~]# cat /var/log/sshd.log
Jun 1 23:59:40 C8-192 root[2734]: i am sshd.log
Jun 2 00:03:56 C8-192 sshd[2994]: Server listening on 0.0.0.0 port 22.
Jun 2 00:03:56 C8-192 sshd[2994]: Server listening on :: port 22.
Jun 2 00:04:05 C8-192 sshd[2994]: Received signal 15; terminating.
Jun 2 00:09:43 C8-192 sshd[3132]: Accepted publickey for root from 10.0.0.88 port 49360 ssh2: RSA SHA256:SkkJUczJ2TjwOv/dIQbqe5s9mQlhDLk+YXeNiOK2Fs0
Jun 2 00:09:45 C8-192 sshd[3135]: Received disconnect from 10.0.0.88 port 49360:11: disconnected by user
Jun 2 00:09:45 C8-192 sshd[3135]: Disconnected from user root 10.0.0.88 port 49360
Jun 2 00:09:46 C8-192 sshd[3159]: Accepted publickey for root from 10.0.0.88 port 49362 ssh2: RSA SHA256:SkkJUczJ2TjwOv/dIQbqe5s9mQlhDLk+YXeNiOK2Fs0
Jun 2 00:09:48 C8-192 sshd[3162]: Received disconnect from 10.0.0.88 port 49362:11: disconnected by user
Jun 2 00:09:48 C8-192 sshd[3162]: Disconnected from user root 10.0.0.88 port 49362