====== Enabling the Log Server function on CentOS ======
Because some embedded systems offer a function to send their logs to a log server, I looked around online for how to set one up..
* Log Server : 192.168.11.252
* /etc/sysconfig/rsyslog
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS="-c 5"
* /etc/rsyslog.conf: replace everything under #### RULES #### with the following. **Replace 'mylogserver' below with the hostname of the CentOS box**
:
:
#### RULES ####
$template DYNmessages,"/var/log/hosts/%HOSTNAME%/messages.%$YEAR%-%$MONTH%-%$DAY%.log"
$template DYNsecure,"/var/log/hosts/%HOSTNAME%/secure.%$YEAR%-%$MONTH%-%$DAY%.log"
$template DYNmaillog,"/var/log/hosts/%HOSTNAME%/maillog.%$YEAR%-%$MONTH%-%$DAY%.log"
$template DYNcron,"/var/log/hosts/%HOSTNAME%/cron.%$YEAR%-%$MONTH%-%$DAY%.log"
$template DYNspooler,"/var/log/hosts/%HOSTNAME%/spooler.%$YEAR%-%$MONTH%-%$DAY%.log"
$template DYNboot,"/var/log/hosts/%HOSTNAME%/boot.%$YEAR%-%$MONTH%-%$DAY%.log"
$template DYNdaemon,"/var/log/hosts/%HOSTNAME%/daemon.%$YEAR%-%$MONTH%-%$DAY%.log"
$template DYNother,"/var/log/hosts/%HOSTNAME%/other.%$YEAR%-%$MONTH%-%$DAY%.log"
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
if \
$source == 'mylogserver' \
and \
$syslogseverity <= '6' \
and ( \
$syslogfacility-text != 'mail' \
and \
$syslogfacility-text != 'authpriv' \
and \
$syslogfacility-text != 'cron' \
) \
then /var/log/messages
# The authpriv file has restricted access.
#authpriv.* /var/log/secure
if \
$source == 'mylogserver' \
and \
$syslogfacility-text == 'authpriv' \
then /var/log/secure
# Log all the mail messages in one place.
#mail.* -/var/log/maillog
if \
$source == 'mylogserver' \
and \
$syslogfacility-text == 'mail' \
then -/var/log/maillog
# Log cron stuff
#cron.* /var/log/cron
if \
$source == 'mylogserver' \
and \
$syslogfacility-text == 'cron' \
then /var/log/cron
# Everybody gets emergency messages
#*.emerg *
if \
$source == 'mylogserver' \
and \
$syslogseverity-text == 'emerg' \
then *
# Save news errors of level crit and higher in a special file.
#uucp,news.crit /var/log/spooler
if \
$source == 'mylogserver' \
and \
(\
$syslogfacility-text == 'uucp' \
or \
$syslogfacility-text == 'news' \
)\
and \
$syslogseverity-text == 'crit' \
then /var/log/spooler
# Save boot messages also to boot.log
#local7.* /var/log/boot.log
if \
$source == 'mylogserver' \
and \
$syslogfacility-text == 'local7' \
then /var/log/boot.log
# not log server 's log
if \
$source != 'mylogserver' \
and \
$syslogseverity <= '6' \
and ( \
$syslogfacility-text != 'mail' \
and \
$syslogfacility-text != 'authpriv' \
and \
$syslogfacility-text != 'cron' \
) \
then ?DYNmessages
if \
$source != 'mylogserver' \
and \
$syslogfacility-text == 'authpriv' \
then ?DYNsecure
if \
$source != 'mylogserver' \
and \
$syslogfacility-text == 'mail' \
then -?DYNmaillog
if \
$source != 'mylogserver' \
and \
$syslogfacility-text == 'cron' \
then ?DYNcron
if \
$source != 'mylogserver' \
and \
(\
$syslogfacility-text == 'uucp' \
or \
$syslogfacility-text == 'news' \
)\
and \
$syslogseverity-text == 'crit' \
then ?DYNspooler
if \
$source != 'mylogserver' \
and \
$syslogfacility-text == 'local7' \
then ?DYNboot
if \
$source != 'mylogserver' \
and \
$syslogfacility-text == 'daemon' \
then ?DYNdaemon
if \
$source != 'mylogserver' \
and ( \
$syslogfacility-text != 'mail' \
and \
$syslogfacility-text != 'authpriv' \
and \
$syslogfacility-text != 'cron' \
and \
$syslogfacility-text != 'uucp' \
and \
$syslogfacility-text != 'news' \
and \
$syslogfacility-text != 'local7' \
and \
$syslogfacility-text != 'daemon' \
) \
then ?DYNother
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
:
:
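To check the rule logic above without touching a live rsyslog, here is an added example (not part of the original page) that parses one RFC 3164 line as received on UDP/514 and returns the targets the RULES block would write it to; `mylogserver` is assumed to be the log server's hostname. Note that `$source` (an alias of `hostname`) is the hostname field the sender wrote into the message, not the sending address (`$fromhost`), so the directory name under /var/log/hosts/ is whatever the client put there.

```python
import re
from datetime import date
LOGSERVER = "mylogserver"  # the CentOS hostname substituted into the rules (assumed)
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
            6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY.update({16 + i: "local%d" % i for i in range(8)})
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# RFC 3164 framing as received on UDP/514: <PRI>TIMESTAMP HOSTNAME TAG: MSG
LINE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
# constructed sample line in the page's format: kern.warning (PRI 4) from router rt-n56u
SAMPLE = "<4>May 29 23:25:26 rt-n56u kernel: DROP IN=ppp0 OUT= PROTO=TCP DPT=10051"
def parse(line):
    """Return ($source, $syslogfacility-text, $syslogseverity) for one raw line."""
    m = LINE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line: %r" % line)
    pri = int(m.group(1))
    return m.group(3), FACILITY.get(pri // 8, "facility%d" % (pri // 8)), pri % 8
def dyn(name, host, today):
    """Expand a DYN* template: /var/log/hosts/%HOSTNAME%/<name>.%$YEAR%-%$MONTH%-%$DAY%.log"""
    return "/var/log/hosts/%s/%s.%s.log" % (host, name, today.strftime("%Y-%m-%d"))
def route(line, today=None):
    """rsyslog evaluates every rule, so one line can land in several targets."""
    today = today or date.today()
    host, fac, sev = parse(line)
    local, sevtxt, out = host == LOGSERVER, SEVERITY[sev], []
    # *.info;mail.none;authpriv.none;cron.none  ->  messages
    if sev <= 6 and fac not in ("mail", "authpriv", "cron"):
        out.append("/var/log/messages" if local else dyn("messages", host, today))
    if fac == "authpriv":
        out.append("/var/log/secure" if local else dyn("secure", host, today))
    if fac == "mail":
        out.append("/var/log/maillog" if local else dyn("maillog", host, today))
    if fac == "cron":
        out.append("/var/log/cron" if local else dyn("cron", host, today))
    if local and sevtxt == "emerg":
        out.append("*")  # the page walls emergencies to all users for local messages only
    if fac in ("uucp", "news") and sevtxt == "crit":
        out.append("/var/log/spooler" if local else dyn("spooler", host, today))
    if fac == "local7":
        out.append("/var/log/boot.log" if local else dyn("boot", host, today))
    if not local and fac == "daemon":
        out.append(dyn("daemon", host, today))
    # DYNother has no severity filter, so it also catches debug-level lines
    if not local and fac not in ("mail", "authpriv", "cron", "uucp", "news", "local7", "daemon"):
        out.append(dyn("other", host, today))
    return out
```

Running `route(SAMPLE)` shows that, with the rules as written, a remote kern.warning line is written to both messages.*.log and other.*.log, because the DYNother rule excludes only the facilities that have their own file and not the ones already covered by DYNmessages.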
* /etc/rsyslog.d/log-server.conf
$ModLoad imudp.so
# load the network stuff
$UDPServerAddress 0.0.0.0
$UDPServerRun 514
# reduce any duplicates
#$RepeatedMsgReduction on
* CentOS 6.x
service rsyslog restart
* If a firewall is running, open UDP port 514
After that, the logs from external hosts appear under /var/log/hosts/. For example, rt-n56u shows up in /var/log/hosts/rt-n56u/*, and in /var/log/hosts/rt-n56u/messages.2016-05-29.log the incoming messages look like this:
:
May 29 23:25:26 rt-n56u kernel: DROP <4>DROP IN=ppp0 OUT= MAC= <1>SRC=219.87.151.2 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=12106 DF PROTO=TCP <1>SPT=39452 DPT=10051 SEQ=3368554679 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A11C14BB70000000001030307)
May 29 23:25:26 rt-n56u kernel: DROP <4>DROP IN=ppp0 OUT= MAC= <1>SRC=175.98.115.161 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1887 DF PROTO=TCP <1>SPT=34673 DPT=10051 SEQ=1821995807 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A6C9378290000000001030307)
May 29 23:25:26 rt-n56u kernel: DROP <4>DROP IN=ppp0 OUT= MAC= <1>SRC=121.201.8.212 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=35179 DF PROTO=TCP <1>SPT=38778 DPT=10051 SEQ=1970503924 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0ACC0D860000000001030307)
May 29 23:25:28 rt-n56u kernel: DROP <4>DROP IN=ppp0 OUT= MAC= <1>SRC=175.98.115.161 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1888 DF PROTO=TCP <1>SPT=34673 DPT=10051 SEQ=1821995807 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A6C937FF90000000001030307)
May 29 23:25:28 rt-n56u kernel: DROP <4>DROP IN=ppp0 OUT= MAC= <1>SRC=121.201.8.212 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=35180 DF PROTO=TCP <1>SPT=38778 DPT=10051 SEQ=1970503924 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0ACC15560000000001030307)
May 29 23:25:29 rt-n56u kernel: DROP <4>DROP IN=ppp0 OUT= MAC= <1>SRC=219.87.151.2 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=34454 DF PROTO=TCP <1>SPT=39398 DPT=10051 SEQ=2364037294 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A11C157570000000001030307)
May 29 23:25:29 rt-n56u kernel: DROP <4>DROP IN=ppp0 OUT= MAC= <1>SRC=220.130.139.9 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=56982 DF PROTO=TCP <1>SPT=34513 DPT=10051 SEQ=1186483004 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A49E4B1070000000001030307)
May 29 23:25:30 rt-n56u kernel: DROP <4>DROP IN=ppp0 OUT= MAC= <1>SRC=219.87.151.2 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=12107 DF PROTO=TCP <1>SPT=39452 DPT=10051 SEQ=3368554679 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A11C15B570000000001030307)
May 29 23:25:32 rt-n56u kernel: DROP <4>DROP IN=ppp0 OUT= MAC= <1>SRC=175.98.115.161 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1889 DF PROTO=TCP <1>SPT=34673 DPT=10051 SEQ=1821995807 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A6C938F990000000001030307)
May 29 23:25:32 rt-n56u kernel: DROP <4>DROP IN=ppp0 OUT= MAC= <1>SRC=121.201.8.212 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=35181 DF PROTO=TCP <1>SPT=38778 DPT=10051 SEQ=1970503924 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0ACC24F60000000001030307)
:
Other Linux hosts can also send their logs here by adding the following to /etc/syslog.conf (CentOS 5.x) or /etc/rsyslog.conf (CentOS 6.x):
*.* @192.168.11.252
This sends their logs to the log server at 192.168.11.252..
===== References =====
* http://d.hatena.ne.jp/RogerLi2006/20080710/1215676546
* http://linux.vbird.org/linux_basic/0570syslog.php
* http://ssorc.tw/1194
{{tag>logServer syslog}}