用途:
搭建集中日誌管理系統,以用於後續朔源。默認情況下 rsyslog 服務是開啓的,不過日誌文件一般是保存在 var/log 本地目錄下,對於有經驗收的入侵者,入侵以後一般會清空 var/log 或者本機上所有的log文件,造成無法朔源的後果,集中日誌服務器可解決該問題
一、服務端搭建(內網IP:192.168.225.83)
默認情況下 rsyslog 是安裝好的,所以就如何安裝 rsyslog 不再描述,百度上應該有很多
1、防火牆配置,增加如下命令
iptables -A INPUT -m state --state NEW -m udp -p udp -i eth0 --dport 514 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp -i eth0 --dport 514 -j ACCEPT
注意,一定要保存,重啓iptables
service iptables save
service iptables restart
2、配置 rsyslog配置文件
配置文件路徑:\etc\rsyslog.conf
配置如下,直接貼文件了,以下是我擴配置文件, 注意,爲防止log把系統盤撐爆,以及超級大文件的產品,本服務器在配置的時候將保存目錄移動 /mnt/log 下,文件保存方式爲一天一個文件,格式爲 security_20180321 ...., 方便查詢
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#/mnt/log/%FROMHOST-IP%_%$year%%$month%%$day%messages.log
#*.info;mail.none;authpriv.none;cron.none /mnt/log/messages
#爲信息加上日誌時間
$template logformat-message,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
#定義的日誌文件的名稱,按照年月日
$template DynFile-message,"/mnt/log/message-%$year%%$month%%$day%.log"
#寫入日誌文件
*.info;mail.none;authpriv.none;cron.none ?DynFile-message;logformat-message
# The authpriv file has restricted access.
#authpriv.* /mnt/log/secure
#爲信息加上日誌時間
$template logformat-secure,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
#定義的日誌文件的名稱,按照年月日
$template DynFile-secure,"/mnt/log/secure-%$year%%$month%%$day%.log"
#寫入日誌文件
authpriv.* ?DynFile-secure;logformat-secure
# Log all the mail messages in one place.
#mail.* -/mnt/log/maillog
#爲信息加上日誌時間
$template logformat-maillog,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
#定義的日誌文件的名稱,按照年月日
$template DynFile-maillog,"/mnt/log/maillog-%$year%%$month%%$day%.log"
#寫入日誌文件
mail.* ?DynFile-maillog;logformat-maillog
# Log cron stuff
#cron.* /mnt/log/cron
#爲信息加上日誌時間
$template logformat-cron,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
#定義的日誌文件的名稱,按照年月日
$template DynFile-cron,"/mnt/log/cron-%$year%%$month%%$day%.log"
#寫入日誌文件
cron.* ?DynFile-cron;logformat-cron
# Everybody gets emergency messages
#*.emerg *
#爲信息加上日誌時間
$template logformat-emerg,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
#定義的日誌文件的名稱,按照年月日
$template DynFile-emerg,"/mnt/log/emerg-%$year%%$month%%$day%.log"
#寫入日誌文件
*.emerg ?DynFile-emerg;logformat-emerg
# Save news errors of level crit and higher in a special file.
#uucp,news.crit /mnt/log/spooler
#爲信息加上日誌時間
$template logformat-spooler,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
#定義的日誌文件的名稱,按照年月日
$template DynFile-spooler,"/mnt/log/spooler-%$year%%$month%%$day%.log"
#寫入日誌文件
uucp,news.crit ?DynFile-spooler;logformat-spooler
# Save boot messages also to boot.log
#local7.* /mnt/log/boot.log
#爲信息加上日誌時間
$template logformat-boot,"%TIMESTAMP:::date-mysql% %FROMHOST-IP%%msg%\n"
#定義的日誌文件的名稱,按照年月日
$template DynFile-boot,"/mnt/log/boot-%$year%%$month%%$day%.log"
#寫入日誌文件
local7.* ?DynFile-boot;logformat-boot
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
3、重啓 rsyslogd 服務,以確保修改的配置文件生效
service rsyslog restart
二、客戶端搭建
1、防火牆配置
同服務端
iptables -A INPUT -m state --state NEW -m udp -p udp -i eth0 --dport 514 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp -i eth0 --dport 514 -j ACCEPT
注意,一定要保存,重啓iptables
service iptables save
service iptables restart
2、配置文件配置
注意此處與服務端配置有區別, 注意紅色加粗部妥,填寫Log服務器的IP地址即可,以下爲Tcp主式
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514 tcp
#*.* @remote-host:514 udp
*.* @@192.168.225.83:514
# ### end of the forwarding rule ###
3、重啓 rsyslog 服務
service rsyslog restart
三、測試
在客戶機上測試如下命令:
logger 'hello word'
在服務器上的目錄 /mnt/log 下將會有一個 messages_xxxxxxxx 其內容最後一行爲 'hello word'
至此說明配置成功
四、注意事項
當測試不通過時注意安全組或者外圍防爲牆的配置