03-Log: Common Logging Configuration
Custom log output location
How do you reconfigure sshd's configuration file?
1. On A (192.168.200.137), edit /etc/ssh/sshd_config
[root@husa ssh]# pwd
/etc/ssh
[root@husa ssh]# vim sshd_config
#SyslogFacility AUTHPRIV
SyslogFacility local5
The local0-local7 facilities used here have no predefined use in rsyslog (they are reserved for local purposes), so they are a convenient way to route one service's logs wherever you like.
2. Add a rule to /etc/rsyslog.conf on A (192.168.200.137)
[root@husa etc]# pwd
/etc
[root@husa etc]# vim rsyslog.conf
# Save sshd logs in /root/sshdlog
local5.* /root/sshdlog
3. Reload sshd and restart rsyslog
[root@husa ssh]# systemctl reload sshd
[root@husa ssh]# systemctl restart rsyslog.service
4. From B (192.168.200.143), connect to host A over ssh
[root@husa ~]# ssh root@192.168.200.137
root@192.168.200.137's password:
Last login: Mon Jan 18 19:06:32 2016 from 192.168.200.1
[root@husa ~]# ifconfig
eno33554984: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.200.137 netmask 255.255.255.0 broadcast 192.168.200.255
inet6 fe80::20c:29ff:fe4d:a05a prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:4d:a0:5a txqueuelen 1000 (Ethernet)
RX packets 186607 bytes 71005052 (67.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 159813 bytes 140751238 (134.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
5. Check the contents of /root/sshdlog on A
[root@husa ~]# ls
99.sh grub.bak php-5.4.40.tar.bz2 service.sh wordpress-4.4.1.tar.gz
anaconda-ks.cfg latest.tar.gz phpMyAdmin-4.0.5-all-languages show.sh
a.sh linux-3.10.67.tar.xz phpMyAdmin-4.0.5-all-languages.zip sshdlog
[root@husa ~]# less sshdlog
Jan 19 09:07:51 husa sshd[125986]: Accepted password for root from 192.168.200.143 port 45141 ssh2
Configuring an rsyslog network server
1. On A (192.168.200.137), edit the configuration file /etc/rsyslog.conf
This forwards the same messages that go to /var/log/messages to B (192.168.200.143)
*.info;mail.none;authpriv.none;cron.none @192.168.200.143
2. On B (192.168.200.143), edit the configuration file /etc/rsyslog.conf
This enables UDP reception
[root@husa etc]# vim rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
3. Restart the rsyslog service on both A and B
B
[root@husa etc]# systemctl restart rsyslog.service
A
[root@husa etc]# systemctl restart rsyslog.service
4. On A, use yum to remove (or install) a package, here zsh, so that yum writes a log entry
[root@husa etc]# yum remove zsh
--> 正在檢查事務
---> 軟件包 zsh.x86_64.0.5.0.2-7.el7 將被 刪除
--> 解決依賴關係完成
依賴關係解決
========================================================================================================================
Package 架構 版本 源 大小
========================================================================================================================
正在刪除:
zsh x86_64 5.0.2-7.el7 @classRoom 5.6 M
事務概要
========================================================================================================================
刪除:
zsh.x86_64 0:5.0.2-7.el7
5. On B, check the /var/log/messages file
[root@husa etc]# tail /var/log/messages
Jan 19 09:20:01 husa systemd: Started Session 254 of user root.
Jan 19 09:20:49 husa systemd: Stopping System Logging Service...
Jan 19 09:20:49 husa systemd: Starting System Logging Service...
Jan 19 09:20:50 husa systemd: Started System Logging Service.
Jan 19 09:21:00 husa rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="126178" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jan 19 09:21:00 husa rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="126186" x-info="http://www.rsyslog.com"] start
Jan 19 09:21:00 husa systemd: Stopping System Logging Service...
Jan 19 09:21:00 husa systemd: Starting System Logging Service...
Jan 19 09:21:00 husa systemd: Started System Logging Service.
Jan 19 09:22:16 husa yum[126192]: Erased: zsh-5.0.2-7.el7.x86_64
Host B now shows a record of the zsh package being removed.
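Added example, not part of the original notes: a small Python model of the syslog PRI field and of rsyslog's classic selector syntax, so you can check offline which of the two rules above (the local5 file on A and the *.info forward to B) a given message would hit. The facility and severity tables follow the standard syslog numbering, and the sample datagram is constructed from the sshd line shown in step 5 of the first section.

```python
import re
# Syslog facility codes 0..23 (12-15 are rarely used); local0-local7 are 16-23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
# Severity codes 0..7, most severe first.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# The two rules from these notes: the sshd file on A and the UDP forward to B.
RULES = [
    ("local5.*", "/root/sshdlog"),
    ("*.info;mail.none;authpriv.none;cron.none", "@192.168.200.143"),
]

def encode_pri(facility, severity):
    """PRI = facility * 8 + severity; sent as '<PRI>' at the start of a datagram."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def decode_pri(datagram):
    """Split a raw '<PRI>...' datagram into (facility, severity, remainder)."""
    m = re.match(r"<(\d{1,3})>(.*)", datagram, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)

def selector_matches(selector, facility, severity):
    """Evaluate a classic 'fac.level;fac.level' selector left to right.
    Later parts override earlier ones, so 'authpriv.none' after '*.info' drops
    authpriv; 'level' means that severity or worse, '=level' exactly that one."""
    result = False
    for part in selector.split(";"):
        fac_list, level = part.strip().rsplit(".", 1)
        facs = [f.strip() for f in fac_list.split(",")]
        if "*" not in facs and facility not in facs:
            continue
        if level == "none":
            result = False
        elif level == "*":
            result = True
        elif level.startswith("="):
            result = severity == level[1:]
        else:
            result = SEVERITIES.index(severity) <= SEVERITIES.index(level)
    return result

def targets_for(datagram, rules=RULES):
    """Every action whose selector matches the datagram's facility and severity."""
    facility, severity, _ = decode_pri(datagram)
    return [t for sel, t in rules if selector_matches(sel, facility, severity)]
```

Running the sshd login line through both rules shows that once sshd logs to local5, the *.info forward on A sends those login records to B as well, because only authpriv is excluded. Everything forwarded this way travels over plain UDP 514 with no authentication or delivery check, so B should accept it only from hosts you trust.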