使用者工具

網站工具


tech:logsrv

CentOS 啟動 Log Server 功能

因為一些 Embeded System 提供送出 log 到 Log Server 的功能, 所以就上網找了一下..

  • Log Server : 192.168.11.252
  • /etc/sysconfig/rsyslog
    # Options for rsyslogd
    # Syslogd options are deprecated since rsyslog v3.
    # If you want to use them, switch to compatibility mode 2 by "-c 2"
    # See rsyslogd(8) for more details
    SYSLOGD_OPTIONS="-c 5"
  • /etc/rsyslog.conf 將 #### RULES #### 底下全部更換如下: 要將以下的 'mylogserver' 換成 CentOS 的 hostname
    :
    :
    #### RULES ####
    $template DYNmessages,"/var/log/hosts/%HOSTNAME%/messages.%$YEAR%-%$MONTH%-%$DAY%.log"
    $template DYNsecure,"/var/log/hosts/%HOSTNAME%/secure.%$YEAR%-%$MONTH%-%$DAY%.log"
    $template DYNmaillog,"/var/log/hosts/%HOSTNAME%/maillog.%$YEAR%-%$MONTH%-%$DAY%.log"
    $template DYNcron,"/var/log/hosts/%HOSTNAME%/cron.%$YEAR%-%$MONTH%-%$DAY%.log"
    $template DYNspooler,"/var/log/hosts/%HOSTNAME%/spooler.%$YEAR%-%$MONTH%-%$DAY%.log"
    $template DYNboot,"/var/log/hosts/%HOSTNAME%/boot.%$YEAR%-%$MONTH%-%$DAY%.log"
    $template DYNdaemon,"/var/log/hosts/%HOSTNAME%/daemon.%$YEAR%-%$MONTH%-%$DAY%.log"
    $template DYNother,"/var/log/hosts/%HOSTNAME%/other.%$YEAR%-%$MONTH%-%$DAY%.log"
    
    
    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                                                 /dev/console
    
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    #*.info;mail.none;authpriv.none;cron.none                /var/log/messages
    if \
            $source == 'mylogserver' \
            and \
                   $syslogseverity <= '6' \
            and ( \
                            $syslogfacility-text != 'mail' \
                    and \
                            $syslogfacility-text != 'authpriv' \
                    and \
                            $syslogfacility-text != 'cron' \
            ) \
    then    /var/log/messages
    
    # The authpriv file has restricted access.
    #authpriv.*                                              /var/log/secure
    if \
            $source == 'mylogserver' \
                    and \
            $syslogfacility-text == 'authpriv' \
    then    /var/log/secure
    
    # Log all the mail messages in one place.
    #mail.*                                                  -/var/log/maillog
    if \
            $source == 'mylogserver' \
                    and \
            $syslogfacility-text == 'mail' \
    then    -/var/log/maillog
    
    
    # Log cron stuff
    #cron.*                                                  /var/log/cron
    if \
            $source == 'mylogserver' \
                    and \
            $syslogfacility-text == 'cron' \
    then    /var/log/cron
    
    # Everybody gets emergency messages
    #*.emerg                                                 *
    if \
            $source == 'mylogserver' \
                    and \
            $syslogseverity-text == 'emerg' \
    then    *
    
    # Save news errors of level crit and higher in a special file.
    #uucp,news.crit                                          /var/log/spooler
    if \
            $source == 'mylogserver' \
                    and \
            (\
                    $syslogfacility-text == 'uucp' \
                            or \
                    $syslogfacility-text == 'news' \
            )\
                    and \
            $syslogseverity-text == 'crit' \
    then    /var/log/spooler
    
    # Save boot messages also to boot.log
    #local7.*                                                /var/log/boot.log
    if \
            $source == 'mylogserver' \
                    and \
            $syslogfacility-text == 'local7' \
    then    /var/log/boot.log
    
    
    # not log server 's log
    if \
            $source != 'mylogserver' \
            and \
                 $syslogseverity <= '6' \
            and ( \
                            $syslogfacility-text != 'mail' \
                    and \
                            $syslogfacility-text != 'authpriv' \
                    and \
                            $syslogfacility-text != 'cron' \
            ) \
    then    ?DYNmessages
    
    if \
            $source != 'mylogserver' \
                    and \
            $syslogfacility-text == 'authpriv' \
    then    ?DYNsecure
    
    if \
            $source != 'mylogserver' \
                    and \
            $syslogfacility-text == 'mail' \
    then    -?DYNmaillog
    
    if \
            $source != 'mylogserver' \
                    and \
            $syslogfacility-text == 'cron' \
    then    ?DYNcron
    
    if \
            $source != 'mylogserver' \
                    and \
            (\
                    $syslogfacility-text == 'uucp' \
                            or \
                    $syslogfacility-text == 'news' \
            )\
                    and \
            $syslogseverity-text == 'crit' \
    then    ?DYNspooler
    
    if \
            $source != 'mylogserver' \
                    and \
            $syslogfacility-text == 'local7' \
    then    ?DYNboot
    
    if \
            $source != 'mylogserver' \
                    and \
            $syslogfacility-text == 'daemon' \
    then    ?DYNdaemon
    if \
            $source != 'mylogserver' \
            and ( \
                            $syslogfacility-text != 'mail' \
                    and \
                            $syslogfacility-text != 'authpriv' \
                    and \
                            $syslogfacility-text != 'cron' \
                    and \
                            $syslogfacility-text != 'uucp' \
                    and \
                            $syslogfacility-text != 'news' \
                    and \
                            $syslogfacility-text != 'local7' \
                    and \
                            $syslogfacility-text != 'daemon' \
            ) \
    then    ?DYNother
    
    
    # ### begin forwarding rule ###
    # The statement between the begin ... end define a SINGLE forwarding
    :
    :
  • /etc/rsyslog.d/log-server.conf
    $ModLoad imudp.so
    # load the network stuff
    $UDPServerAddress 0.0.0.0
    $UDPServerRun 514
    # reduce any duplicates
    #$RepeatedMsgReduction on
  • CentOS 6.x
    service rsyslog restart
  • 如果有 firewall 要開啟 udp port 514

然後就可以看到外部主機紀錄出現在 /var/log/hosts/ 內, Exp rt-n56u 出現在 /var/log/hosts/rt-n56u/* , 在 /var/logs/hosts/rt56u/messages.2016-05-29.log 內看到過來的訊息如下:

:
May 29 23:25:26 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=219.87.151.2 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=12106 DF PROTO=TCP <1>SPT=39452 DPT=10051 SEQ=3368554679 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A11C14BB70000000001030307)
May 29 23:25:26 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=175.98.115.161 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1887 DF PROTO=TCP <1>SPT=34673 DPT=10051 SEQ=1821995807 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A6C9378290000000001030307)
May 29 23:25:26 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=121.201.8.212 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=35179 DF PROTO=TCP <1>SPT=38778 DPT=10051 SEQ=1970503924 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0ACC0D860000000001030307)
May 29 23:25:28 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=175.98.115.161 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1888 DF PROTO=TCP <1>SPT=34673 DPT=10051 SEQ=1821995807 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A6C937FF90000000001030307)
May 29 23:25:28 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=121.201.8.212 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=35180 DF PROTO=TCP <1>SPT=38778 DPT=10051 SEQ=1970503924 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0ACC15560000000001030307)
May 29 23:25:29 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=219.87.151.2 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=34454 DF PROTO=TCP <1>SPT=39398 DPT=10051 SEQ=2364037294 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A11C157570000000001030307)
May 29 23:25:29 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=220.130.139.9 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=56982 DF PROTO=TCP <1>SPT=34513 DPT=10051 SEQ=1186483004 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A49E4B1070000000001030307)
May 29 23:25:30 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=219.87.151.2 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=12107 DF PROTO=TCP <1>SPT=39452 DPT=10051 SEQ=3368554679 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A11C15B570000000001030307)
May 29 23:25:32 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=175.98.115.161 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1889 DF PROTO=TCP <1>SPT=34673 DPT=10051 SEQ=1821995807 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A6C938F990000000001030307)
May 29 23:25:32 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=121.201.8.212 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=35181 DF PROTO=TCP <1>SPT=38778 DPT=10051 SEQ=1970503924 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0ACC24F60000000001030307)
:
其他 Linux 主機的 Log 也可以透過設定 /etc/syslog.conf (CentOS 5.x) /etc/rsyslog.conf (CentOS 6.x)
*.*            @192.168.11.252

這樣就會將 log 送到 192.168.11.252 Log Server 內了..

參考網址

tech/logsrv.txt · 上一次變更: 2016/05/29 23:27 由 jonathan