用途:
搭建集中日志管理系统,以用于后续朔源。默认情况下 rsyslog 服务是开启的,不过日志文件一般是保存在 var/log 本地目录下,对于有经验收的入侵者,入侵以后一般会清空 var/log 或者本机上所有的log文件,造成无法朔源的后果,集中日志服务器可解决该问题
一、服务端搭建(内网IP:192.168.225.83)
默认情况下 rsyslog 是安装好的,所以就如何安装 rsyslog 不再描述,百度上应该有很多
1、防火墙配置,增加如下命令
iptables -A INPUT -m state --state NEW -m udp -p udp -i eth0 --dport 514 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp -i eth0 --dport 514 -j ACCEPT
注意,一定要保存,重启iptables
service iptables save
service iptables restart
2、配置 rsyslog配置文件
配置文件路径:\etc\rsyslog.conf
配置如下,直接贴文件了,以下是我扩配置文件, 注意,为防止log把系统盘撑爆,以及超级大文件的产品,本服务器在配置的时候将保存目录移动 /mnt/log 下,文件保存方式为一天一个文件,格式为 security_20180321 ...., 方便查询
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#/mnt/log/%FROMHOST-IP%_%$year%%$month%%$day%messages.log
#*.info;mail.none;authpriv.none;cron.none /mnt/log/messages
#为信息加上日志时间
$template logformat-message,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
#定义的日志文件的名称,按照年月日
$template DynFile-message,"/mnt/log/message-%$year%%$month%%$day%.log"
#写入日志文件
*.info;mail.none;authpriv.none;cron.none ?DynFile-message;logformat-message
# The authpriv file has restricted access.
#authpriv.* /mnt/log/secure
#为信息加上日志时间
$template logformat-secure,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
#定义的日志文件的名称,按照年月日
$template DynFile-secure,"/mnt/log/secure-%$year%%$month%%$day%.log"
#写入日志文件
authpriv.* ?DynFile-secure;logformat-secure
# Log all the mail messages in one place.
#mail.* -/mnt/log/maillog
#为信息加上日志时间
$template logformat-maillog,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
#定义的日志文件的名称,按照年月日
$template DynFile-maillog,"/mnt/log/maillog-%$year%%$month%%$day%.log"
#写入日志文件
mail.* ?DynFile-maillog;logformat-maillog
# Log cron stuff
#cron.* /mnt/log/cron
#为信息加上日志时间
$template logformat-cron,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
#定义的日志文件的名称,按照年月日
$template DynFile-cron,"/mnt/log/cron-%$year%%$month%%$day%.log"
#写入日志文件
cron.* ?DynFile-cron;logformat-cron
# Everybody gets emergency messages
#*.emerg *
#为信息加上日志时间
$template logformat-emerg,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
#定义的日志文件的名称,按照年月日
$template DynFile-emerg,"/mnt/log/emerg-%$year%%$month%%$day%.log"
#写入日志文件
*.emerg ?DynFile-emerg;logformat-emerg
# Save news errors of level crit and higher in a special file.
#uucp,news.crit /mnt/log/spooler
#为信息加上日志时间
$template logformat-spooler,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
#定义的日志文件的名称,按照年月日
$template DynFile-spooler,"/mnt/log/spooler-%$year%%$month%%$day%.log"
#写入日志文件
uucp,news.crit ?DynFile-spooler;logformat-spooler
# Save boot messages also to boot.log
#local7.* /mnt/log/boot.log
#为信息加上日志时间
$template logformat-boot,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
#定义的日志文件的名称,按照年月日
$template DynFile-boot,"/mnt/log/boot-%$year%%$month%%$day%.log"
#写入日志文件
local7.* ?DynFile-boot;logformat-boot
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
3、重启 rsyslogd 服务,以确保修改的配置文件生效
service rsyslog restart
二、客户端搭建
1、防火墙配置
同服务端
iptables -A INPUT -m state --state NEW -m udp -p udp -i eth0 --dport 514 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp -i eth0 --dport 514 -j ACCEPT
注意,一定要保存,重启iptables
service iptables save
service iptables restart
2、配置文件配置
注意此处与服务端配置有区别, 注意红色加粗部妥,填写Log服务器的IP地址即可,以下为Tcp主式
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514 tcp
#
*.* @remote-host:514 udp
*.* @@192.168.225.83:514
# ### end of the forwarding rule ###
3、重启 rsyslog 服务
service rsyslog restart
三、测试
在客户机上测试如下命令:
logger 'hello word'
在服务器上的目录 /mnt/log 下将会有一个 messages_xxxxxxxx 其内容最后一行为 'hello word'
至此说明配置成功
四、注意事项
当测试不通过时注意安全组或者外围防为墙的配置