
Introduction to the rsyslog system logging service

Author: Internet

rsyslog

RSYSLOG is the rocket-fast system for log processing.

rsyslog features

rsyslog is a service that ships with the system

[root@C8-192 ~]# rpm -qi rsyslog
Name        : rsyslog
Version     : 8.1911.0
Release     : 6.el8
Architecture: x86_64
Install Date: Mon 31 May 2021 06:55:55 PM CST
Group       : System Environment/Daemons
Size        : 2428362
License     : (GPLv3+ and ASL 2.0)
Signature   : RSA/SHA256, Tue 21 Jul 2020 09:42:03 AM CST, Key ID 05b555b38483c65d
Source RPM  : rsyslog-8.1911.0-6.el8.src.rpm
Build Date  : Tue 21 Jul 2020 09:33:16 AM CST
Build Host  : x86-02.mbox.centos.org
Relocations : (not relocatable)
Packager    : CentOS Buildsys <bugs@centos.org>
Vendor      : CentOS
URL         : http://www.rsyslog.com/
Summary     : Enhanced system logging and kernel message trapping daemon
Description :
Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part,
and fine grain output format control. It is compatible with stock sysklogd
and can be used as a drop-in replacement. Rsyslog is simple to set up, with
advanced features suitable for enterprise-class, encryption-protected syslog
relay chains.

Files related to rsyslog

rsyslog configuration file

cat /etc/rsyslog.conf | sed -n '/^[^#]/p'
module(load="imuxsock" 	  # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket; 
			  # local messages are retrieved through imjournal now.
module(load="imjournal" 	    # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
input(type="imudp" port="514")
input(type="imtcp" port="514")
global(workDirectory="/var/lib/rsyslog")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
include(file="/etc/rsyslog.d/*.conf" mode="optional")
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

Contents of the configuration file:

It consists of three parts:

Modules

#### MODULES ####

module(load="imuxsock" 	  # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket; 
			  # local messages are retrieved through imjournal now.
module(load="imjournal" 	    # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

rpm -ql rsyslog | grep imux
/usr/lib64/rsyslog/imuxsock.so

Global settings

Working directory, path of the included configuration files, and the output module's format template

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")

Rules

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

Notes on the configuration format

Format of the priority field

*: all priorities
none: no priority, i.e. nothing from this facility is logged
PRIORITY: the given priority and every higher (more severe) priority
=PRIORITY: only messages of exactly the given priority

Format of the target field

File path: usually under /var/log/; a - in front of the path means asynchronous (unsynced) writes
User: deliver the log event to the given users; * means every logged-in user
Log server: @host sends the log to the given remote UDP log server; @@host sends it to a remote TCP log server
Pipe: | COMMAND forwards the event to another command for processing
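To make the two tables above concrete, here is an added example (not code from the original post) that evaluates legacy selector lines the way the priority and target rules describe: it builds the set of priorities each facility is allowed by a selector such as *.info;mail.none;authpriv.none;cron.none, classifies the target column (file, -file, user, @host, @@host, | command, :omusrmsg:*), and then reports where a message with a given facility and priority would end up under the RULES section shown earlier. It assumes the traditional sysklogd/rsyslog semantics for repeated facilities in one selector: a later part can clear (.none) or extend what an earlier part enabled.

```python
"""Matcher for rsyslog legacy selector rules ("FACILITY.PRIORITY;...   TARGET").

Added example, not from the original post. Assumes the traditional
sysklogd/rsyslog selector semantics: within one selector, a later part can
clear (".none") or extend what an earlier part enabled for a facility.
"""

# Syslog priorities from least to most severe (index 0 = debug ... 7 = emerg).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIO_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]


def _prio_index(name):
    name = name.lower()
    return PRIORITIES.index(PRIO_ALIASES.get(name, name))


def parse_selector(selector):
    """Return {facility: set of allowed priority indexes} for one selector field.

    "*"         -> every priority
    "none"      -> clears the facility (nothing logged by this rule)
    "PRIORITY"  -> that priority and everything more severe
    "=PRIORITY" -> exactly that priority
    """
    allowed = {}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        facs, sep, prio = part.rpartition(".")
        if not sep:
            raise ValueError("selector part without a priority: %r" % part)
        prio = prio.strip().lower()
        names = FACILITIES if facs.strip() == "*" else [f.strip().lower() for f in facs.split(",")]
        for fac in names:
            current = allowed.setdefault(fac, set())
            if prio == "none":
                current.clear()
            elif prio == "*":
                current.update(range(len(PRIORITIES)))
            elif prio.startswith("="):
                current.add(_prio_index(prio[1:]))
            else:
                current.update(range(_prio_index(prio), len(PRIORITIES)))
    return allowed


def classify_target(target):
    """Map the target column to (kind, destination) using the forms listed above."""
    t = target.strip()
    if t.startswith("@@"):
        return ("tcp", t[2:])                    # @@host: forward over TCP
    if t.startswith("@"):
        return ("udp", t[1:])                    # @host: forward over UDP
    if t.startswith("|"):
        return ("pipe", t[1:].strip())           # | COMMAND
    if t.startswith("-/"):
        return ("file-nosync", t[1:])            # leading '-': no sync after each write
    if t.startswith("/"):
        return ("file", t)
    if t.startswith(":omusrmsg:"):
        return ("user", t[len(":omusrmsg:"):])   # :omusrmsg:* = every logged-in user
    return ("user", t)                           # bare user name (legacy form)


def parse_rule(line):
    """Split one rule line into its selector map and classified target."""
    selector, target = line.split(None, 1)
    return parse_selector(selector), classify_target(target)


def route(rule_lines, facility, priority):
    """List the targets a message with (facility, priority) reaches under rule_lines."""
    p = _prio_index(priority)
    return [target for allowed, target in map(parse_rule, rule_lines)
            if p in allowed.get(facility.lower(), set())]


# The RULES section of the stock rsyslog.conf shown above, embedded inline.
STOCK_RULES = [
    "*.info;mail.none;authpriv.none;cron.none    /var/log/messages",
    "authpriv.*                                  /var/log/secure",
    "mail.*                                      -/var/log/maillog",
    "cron.*                                      /var/log/cron",
    "*.emerg                                     :omusrmsg:*",
    "uucp,news.crit                              /var/log/spooler",
    "local7.*                                    /var/log/boot.log",
]

if __name__ == "__main__":
    for fac, prio in [("authpriv", "info"), ("mail", "debug"), ("kern", "emerg"),
                      ("news", "warning"), ("local7", "debug")]:
        print("%s.%s -> %s" % (fac, prio, route(STOCK_RULES, fac, prio)))
```

Running it shows, for instance, that a kern.emerg message lands in /var/log/messages and is also broadcast to every logged-in user, while a local7.debug message reaches only /var/log/boot.log because *.info starts at info. The same routine is a quick way to check a custom rule set before restarting the daemon.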

Display format of log files

date and time of the event  host  process[pid]: event content
[root@C8-192 ~]# tail /var/log/secure 
May 31 18:32:13 C8-192 sshd[30815]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.88
Jun  1 17:12:42 C8-192 sshd[821]: Server listening on 0.0.0.0 port 22.
Jun  1 17:12:42 C8-192 sshd[821]: Server listening on :: port 22.
Jun  1 17:12:42 C8-192 polkitd[799]: Loading rules from directory /etc/polkit-1/rules.d
Jun  1 17:12:42 C8-192 polkitd[799]: Loading rules from directory /usr/share/polkit-1/rules.d
Jun  1 17:12:42 C8-192 polkitd[799]: Finished loading, compiling and executing 2 rules
Jun  1 17:12:42 C8-192 polkitd[799]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jun  1 17:26:36 C8-192 sshd[1704]: Accepted publickey for root from 10.0.0.88 port 49324 ssh2: RSA SHA256:SkkJUczJ2TjwOv/dIQbqe5s9mQlhDLk+YXeNiOK2Fs0
Jun  1 17:26:36 C8-192 systemd[1707]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jun  1 17:26:36 C8-192 sshd[1704]: pam_unix(sshd:session): session opened for user root by (uid=0)
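The fixed "date host process[pid]: message" layout is what makes these files easy to process. As an added example (not part of the original post), the following script parses that traditional format with a regular expression and runs a small summary over the /var/log/secure lines shown above, embedded inline: accepted ssh logins per user, source and method, and the authentication failures PAM reported per remote host. It also counts lines the parser could not match, since a parser that silently drops lines hides events.

```python
"""Parse traditional-format log lines ("date host prog[pid]: message") and summarise sshd events.

Added example, not from the original post. The sample lines are the
/var/log/secure entries shown above, embedded so the script runs offline.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "   # "Jun  1 17:12:42"
    r"(?P<host>\S+) "                                          # "C8-192"
    r"(?P<prog>[^\s\[\]:]+)(?:\[(?P<pid>\d+)\])?: "             # "sshd[821]: " (pid optional)
    r"(?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
# Matches both "authentication failure; ... rhost=X" and "PAM N more authentication failures; ... rhost=X".
FAIL_RE = re.compile(r"(?:PAM (?P<n>\d+) more )?authentication failures?.*\brhost=(?P<rhost>\S*)")

SAMPLE = """\
May 31 18:32:13 C8-192 sshd[30815]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.88
Jun  1 17:12:42 C8-192 sshd[821]: Server listening on 0.0.0.0 port 22.
Jun  1 17:12:42 C8-192 polkitd[799]: Loading rules from directory /etc/polkit-1/rules.d
Jun  1 17:26:36 C8-192 sshd[1704]: Accepted publickey for root from 10.0.0.88 port 49324 ssh2: RSA SHA256:SkkJUczJ2TjwOv/dIQbqe5s9mQlhDLk+YXeNiOK2Fs0
Jun  1 17:26:36 C8-192 systemd[1707]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jun  1 17:26:36 C8-192 sshd[1704]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""


def parse_line(line):
    """Return the fields of one traditional-format line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize_sshd(lines):
    """Count accepted logins per (user, source, method) and reported failures per rhost."""
    accepted, failures, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1        # do not drop unmatched lines silently
            continue
        if rec["prog"] != "sshd":
            continue
        m = ACCEPT_RE.match(rec["msg"])
        if m:
            accepted[(m["user"], m["src"], m["method"])] += 1
            continue
        m = FAIL_RE.search(rec["msg"])
        if m:
            failures[m["rhost"]] += int(m["n"] or 1)   # "PAM N more ..." reports N further failures
    return {"accepted": dict(accepted), "failures": dict(failures), "unparsed": unparsed}


if __name__ == "__main__":
    print(summarize_sshd(SAMPLE.splitlines()))
```

The regular expression deliberately keeps the host and program name as separate fields: on a central log server that receives from many hosts via @host or @@host, the host field is what lets the same summary be split per machine.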

Log configuration example

Set up a custom log for the ssh service

Modify the sshd service configuration file

sed -ri.bak '/^SyslogFacility/a SyslogFacility Local2' /etc/ssh/sshd_config

Modify the rsyslog configuration file

echo -e "#sshd.log\nLocal2.* /var/log/sshd.log" >> /etc/rsyslog.conf

Reload and restart the services so the change takes effect

service sshd reload && systemctl restart rsyslog

Write a log entry to test

[root@C8-192 ~]# cat /var/log/sshd.log
Jun  1 23:59:40 C8-192 root[2734]: i am sshd.log
Jun  2 00:03:56 C8-192 sshd[2994]: Server listening on 0.0.0.0 port 22.
Jun  2 00:03:56 C8-192 sshd[2994]: Server listening on :: port 22.
Jun  2 00:04:05 C8-192 sshd[2994]: Received signal 15; terminating.
Jun  2 00:09:43 C8-192 sshd[3132]: Accepted publickey for root from 10.0.0.88 port 49360 ssh2: RSA SHA256:SkkJUczJ2TjwOv/dIQbqe5s9mQlhDLk+YXeNiOK2Fs0
Jun  2 00:09:45 C8-192 sshd[3135]: Received disconnect from 10.0.0.88 port 49360:11: disconnected by user
Jun  2 00:09:45 C8-192 sshd[3135]: Disconnected from user root 10.0.0.88 port 49360
Jun  2 00:09:46 C8-192 sshd[3159]: Accepted publickey for root from 10.0.0.88 port 49362 ssh2: RSA SHA256:SkkJUczJ2TjwOv/dIQbqe5s9mQlhDLk+YXeNiOK2Fs0
Jun  2 00:09:48 C8-192 sshd[3162]: Received disconnect from 10.0.0.88 port 49362:11: disconnected by user
Jun  2 00:09:48 C8-192 sshd[3162]: Disconnected from user root 10.0.0.88 port 49362
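The sed and echo steps above work once, but they are not safe to re-run: sed's /^SyslogFacility/a only matches an already active line (the stock sshd_config carries the keyword commented out as #SyslogFacility AUTH, which the sed address will not match), and each re-run appends another copy, of which sshd honours only the first occurrence. The following added example (not code from the original post) performs the same two edits on the configuration text in an idempotent way and lets you verify the effective facility before restarting anything. The file contents used at the bottom are constructed sample input; the facility and log path are the ones used in the post.

```python
"""Idempotent helpers for the custom sshd logging setup above.

Added example, not part of the original post. The edits are made on the
configuration text so they can be inspected before being written back.
"""
import re

_ACTIVE = re.compile(r"^\s*SyslogFacility\b", re.IGNORECASE)        # an active keyword line
_ANY = re.compile(r"^\s*#?\s*SyslogFacility\b", re.IGNORECASE)      # active or commented out


def set_sshd_syslog_facility(config_text, facility="LOCAL2"):
    """Return sshd_config text with exactly one active 'SyslogFacility <facility>' line.

    The first occurrence of the keyword, commented or not, is replaced in place;
    later active duplicates are dropped because sshd uses only the first value.
    Running this twice yields the same text.
    """
    out, placed = [], False
    for line in config_text.splitlines():
        if _ANY.match(line) and not placed:
            out.append("SyslogFacility %s" % facility)
            placed = True
        elif _ACTIVE.match(line):
            continue                      # later active duplicate: drop it
        else:
            out.append(line)
    if not placed:
        out.append("SyslogFacility %s" % facility)
    return "\n".join(out) + "\n"


def active_syslog_facility(config_text, default="AUTH"):
    """Effective SyslogFacility: the first active occurrence wins, as sshd reads it."""
    for line in config_text.splitlines():
        if _ACTIVE.match(line):
            parts = line.split()
            return parts[1].upper() if len(parts) > 1 else default
    return default


def rsyslog_rule(facility="local2", path="/var/log/sshd.log"):
    """Rule text routing every priority of the facility to its own file.

    Suitable for appending to /etc/rsyslog.conf as in the post, or for a
    drop-in under /etc/rsyslog.d/ (which the stock include() line picks up).
    """
    return "# sshd.log\n%s.*\t%s\n" % (facility.lower(), path)


if __name__ == "__main__":
    # Constructed stand-in for the stock file: the keyword is present but commented out.
    stock = "#Port 22\n#SyslogFacility AUTH\n#LogLevel INFO\n"
    updated = set_sshd_syslog_facility(stock)
    print(updated)
    print("effective facility:", active_syslog_facility(updated))
    print(rsyslog_rule())
```

After writing the results back, the reload and restart step from the post applies unchanged; a message sent with logger -p local2.info (or any sshd event) should then appear in /var/log/sshd.log.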

Source: https://blog.csdn.net/timonium/article/details/117443139