03-Log 日誌常見配置

03-Log 日誌常見配置

自定義日誌輸出位置

如何重新配置sshd的配置文件？

1、 在A(192.168.200.137)中修改/etc/ssh/sshd_config文件

[root@husa ssh]# pwd
/etc/ssh
[root@husa ssh]# vim sshd_config 
    #SyslogFacility AUTHPRIV
    SyslogFacility local5

這裏的local*是rsyslog沒有定義的facility，因此可以作爲自由配置的一個方法

2、 A(192.168.200.137)的/etc/rsyslog.conf文件中添加一個RULES

[root@husa etc]# pwd
/etc
[root@husa etc]# vim rsyslog.conf 
    # Save sshd logs in /root/sshdlog
    local5.*                                                /root/sshdlog

3、 重載sshd和rsyslog服務

[root@husa ssh]# systemctl reload sshd
[root@husa ssh]# systemctl restart rsyslog.service

4、 B(192.168.200.143)ssh遠程連接A主機

[root@husa ~]# ssh [email protected]
root@192.168.200.137's password: 
Last login: Mon Jan 18 19:06:32 2016 from 192.168.200.1
[root@husa ~]# ifconfig
eno33554984: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.200.137  netmask 255.255.255.0  broadcast 192.168.200.255
        inet6 fe80::20c:29ff:fe4d:a05a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:4d:a0:5a  txqueuelen 1000  (Ethernet)
        RX packets 186607  bytes 71005052 (67.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 159813  bytes 140751238 (134.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

5、 查看A的/root/sshdlog內容

[root@husa ~]# ls
99.sh            grub.bak              php-5.4.40.tar.bz2                  service.sh  wordpress-4.4.1.tar.gz
anaconda-ks.cfg  latest.tar.gz         phpMyAdmin-4.0.5-all-languages      show.sh
a.sh             linux-3.10.67.tar.xz  phpMyAdmin-4.0.5-all-languages.zip  sshdlog
[root@husa ~]# less sshdlog 
Jan 19 09:07:51 husa sshd[125986]: Accepted password for root from 192.168.200.143 port 45141 ssh2

配置rsyslog網絡服務器

1、 在A(192.168.200.137)修改配置文件/etc/rsyslog.conf

表示把原有的messages轉發到B(192.168.200.143)

*.info;mail.none;authpriv.none;cron.none                @192.168.200.143

2、 在B(192.168.200.143)修改配置文件/etc/rsyslog.conf

表示打開UDP接收服務

[root@husa etc]# vim rsyslog.conf 
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

3、 A、B都重啓rsyslog服務

B

[root@husa etc]# systemctl restart rsyslog.service

A

[root@husa etc]# systemctl restart rsyslog.service

4、 A主機使用yum命令安裝一個程序zsh

[root@husa etc]# yum remove zsh
--> 正在檢查事務
---> 軟件包 zsh.x86_64.0.5.0.2-7.el7 將被 刪除
--> 解決依賴關係完成
依賴關係解決
========================================================================================================================
 Package                架構                      版本                              源                             大小
========================================================================================================================
正在刪除:
 zsh                    x86_64                    5.0.2-7.el7                       @classRoom                    5.6 M

事務概要
========================================================================================================================

刪除:
  zsh.x86_64 0:5.0.2-7.el7                                                                                              

5、 B主機查看/var/log/messages文件

[root@husa etc]# tail /var/log/messages
Jan 19 09:20:01 husa systemd: Started Session 254 of user root.
Jan 19 09:20:49 husa systemd: Stopping System Logging Service...
Jan 19 09:20:49 husa systemd: Starting System Logging Service...
Jan 19 09:20:50 husa systemd: Started System Logging Service.
Jan 19 09:21:00 husa rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="126178" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jan 19 09:21:00 husa rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="126186" x-info="http://www.rsyslog.com"] start
Jan 19 09:21:00 husa systemd: Stopping System Logging Service...
Jan 19 09:21:00 husa systemd: Starting System Logging Service...
Jan 19 09:21:00 husa systemd: Started System Logging Service.
Jan 19 09:22:16 husa yum[126192]: Erased: zsh-5.0.2-7.el7.x86_64

可以發現B主機出現了一條刪除zsh包的記錄