rsyslog 系统日志服务简介

rsyslog

RSYSLOG is the rocket-fast system for log processing.

  • rsyslog是CentOS 6 以后版本的系统管理服务.它提供了高性能,出色的安全性和模块化设计。
  • 尽管rsyslog最初是常规的syslogd,但已发展成为一种瑞士军刀式的记录工具,能够接受来自各种来源的输入,并将其转换,然后输出到不同的目的地。
  • 当应用有限的处理时,RSYSLOG每秒可以将超过一百万的消息传递到本地目的地。 即使在远程的目的地和更精细的处理中,性能通常也被认为是“惊人的”。

rsyslog 特性

  • 多线程
  • UDP, TCP, SSL, TLS, RELP
  • MySQL, PGSQL, Oracle实现日志存储
  • 强大的过滤器,可实现过滤记录日志信息中任意部分
  • 自定义输出格式
  • 适用于企业级中继链
    rsyslog 系统日志服务简介

rsyslog是系统自带服务

  • 系统安装时已经继承了rsyslog
[root@C8-192 ~]# rpm -qi rsyslog
Name        : rsyslog
Version     : 8.1911.0
Release     : 6.el8
Architecture: x86_64
Install Date: Mon 31 May 2021 06:55:55 PM CST
Group       : System Environment/Daemons
Size        : 2428362
License     : (GPLv3+ and ASL 2.0)
Signature   : RSA/SHA256, Tue 21 Jul 2020 09:42:03 AM CST, Key ID 05b555b38483c65d
Source RPM  : rsyslog-8.1911.0-6.el8.src.rpm
Build Date  : Tue 21 Jul 2020 09:33:16 AM CST
Build Host  : x86-02.mbox.centos.org
Relocations : (not relocatable)
Packager    : CentOS Buildsys <bugs@centos.org>
Vendor      : CentOS
URL         : http://www.rsyslog.com/
Summary     : Enhanced system logging and kernel message trapping daemon
Description :
Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part,
and fine grain output format control. It is compatible with stock sysklogd
and can be used as a drop-in replacement. Rsyslog is simple to set up, with
advanced features suitable for enterprise-class, encryption-protected syslog
relay chains.

rsyslog 相关文件

  • 程序包:rsyslog
  • 主程序:/usr/sbin/rsyslogd
  • CentOS 6:/etc/rc.d/init.d/rsyslog {start|stop|restart|status}
  • CentOS 7,8:/usr/lib/systemd/system/rsyslog.service
  • 配置文件:/etc/rsyslog.conf,/etc/rsyslog.d/*.conf
  • 库文件: /lib64/rsyslog/*.so

rsyslog 配置文件

  • /etc/rsyslog.conf
cat /etc/rsyslog.conf | sed -n '/^[^#]/p'
module(load="imuxsock" 	  # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket; 
			  # local messages are retrieved through imjournal now.
module(load="imjournal" 	    # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
input(type="imudp" port="514")
input(type="imtcp" port="514")
global(workDirectory="/var/lib/rsyslog")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
include(file="/etc/rsyslog.d/*.conf" mode="optional")
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

配置文件内容:

由三部分组成

  • MODULES:相关模块配置
  • GLOBAL DIRECTIVES:全局配置
  • RULES:日志记录相关的规则配置

模块

#### MODULES ####

module(load="imuxsock" 	  # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket; 
			  # local messages are retrieved through imjournal now.
module(load="imjournal" 	    # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load"immark") # provides --MARK-- message capability

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
  • 决定加载哪些模块,需要的加载,不需要的不加载
rpm -ql rsyslog | grep imux 
/usr/lib64/rsyslog/imuxsock.so

全局设置

工作路径,配置文件路径,模块格式

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")

规则

  • 规则是日志的核心
  • 规定了什么样的日志往哪放
#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
  • 内容最多的日志文件:var/log/messages
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
  • 包括info及以上的任意类型,除了mail、authpriv、cron这三,都放在/var/log/messages里面写

  • 文件夹前面的横线-表示异步机制,不立即写磁盘,放到缓冲区里过一会再写,提升性能,单安全性有隐患

配置格式相关说明

配置Priority 优先级别的格式

*: 表示所有级别
none:没有级别,即不记录
PRIORITY:指定级别(含)以上的所有级别
=PRIORITY:仅记录指定级别的日志信息

配置target 目标日志格式

文件路径:通常在/var/log/,文件路径前的-表示异步写入
用户:将日志事件通知给指定的用户,* 表示登录的所有用户
日志服务器:@host,把日志送往至指定的远程UDP日志服务器 @@host 将日志发送到远程TCP日志服务器
管道: | COMMAND,转发给其它命令处理

日志文件的显示格式

  • 日志文件有很多,如: /var/log/messages,cron,secure等,
  • 基本格式都是类似的。格式如下:
事件产生的日期时间 主机 进程(pid):事件内容
  • 查看系统安全日志
[root@C8-192 ~]# tail /var/log/secure 
May 31 18:32:13 C8-192 sshd[30815]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.88
Jun  1 17:12:42 C8-192 sshd[821]: Server listening on 0.0.0.0 port 22.
Jun  1 17:12:42 C8-192 sshd[821]: Server listening on :: port 22.
Jun  1 17:12:42 C8-192 polkitd[799]: Loading rules from directory /etc/polkit-1/rules.d
Jun  1 17:12:42 C8-192 polkitd[799]: Loading rules from directory /usr/share/polkit-1/rules.d
Jun  1 17:12:42 C8-192 polkitd[799]: Finished loading, compiling and executing 2 rules
Jun  1 17:12:42 C8-192 polkitd[799]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jun  1 17:26:36 C8-192 sshd[1704]: Accepted publickey for root from 10.0.0.88 port 49324 ssh2: RSA SHA256:SkkJUczJ2TjwOv/dIQbqe5s9mQlhDLk+YXeNiOK2Fs0
Jun  1 17:26:36 C8-192 systemd[1707]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jun  1 17:26:36 C8-192 sshd[1704]: pam_unix(sshd:session): session opened for user root by (uid=0)

日志配置实例

建立ssh服务自定义日志记录

  • 默认sshd服务日志是写进/var/log/messages及对应级别的系统日志中
  • 我们可以通过修改配置文件,将sshd服务记录至自定义目录

修改sshd服务的配置文件

  • 找到sshd配置文件并将其中日志相关内容进行修改
sed -ri.bak '/^SyslogFacility/a SyslogFacility Local2' /etc/ssh/sshd_config

修改rsyslog的配置文件

  • 添加自定义local2日志记录位置
echo -e "#sshd.log\nLocal2.* /var/log/sshd.log" >> /etc/rsyslog.conf

重启服务使生效

service sshd reload && systemctl restart rsyslog

写入日志以测试

[root@C8-192 ~]# cat /var/log/sshd.log
Jun  1 23:59:40 C8-192 root[2734]: i am sshd.log
Jun  2 00:03:56 C8-192 sshd[2994]: Server listening on 0.0.0.0 port 22.
Jun  2 00:03:56 C8-192 sshd[2994]: Server listening on :: port 22.
Jun  2 00:04:05 C8-192 sshd[2994]: Received signal 15; terminating.
Jun  2 00:09:43 C8-192 sshd[3132]: Accepted publickey for root from 10.0.0.88 port 49360 ssh2: RSA SHA256:SkkJUczJ2TjwOv/dIQbqe5s9mQlhDLk+YXeNiOK2Fs0
Jun  2 00:09:45 C8-192 sshd[3135]: Received disconnect from 10.0.0.88 port 49360:11: disconnected by user
Jun  2 00:09:45 C8-192 sshd[3135]: Disconnected from user root 10.0.0.88 port 49360
Jun  2 00:09:46 C8-192 sshd[3159]: Accepted publickey for root from 10.0.0.88 port 49362 ssh2: RSA SHA256:SkkJUczJ2TjwOv/dIQbqe5s9mQlhDLk+YXeNiOK2Fs0
Jun  2 00:09:48 C8-192 sshd[3162]: Received disconnect from 10.0.0.88 port 49362:11: disconnected by user
Jun  2 00:09:48 C8-192 sshd[3162]: Disconnected from user root 10.0.0.88 port 49362
上一篇:win10 objectarx向导在 vs2015中不起作用的解决办法


下一篇:Linux文本处理sed命令高级用法