日志服务

日志服务的简介

rsyslog 特性:CentOS6 和7
多线程
UDP, TCP, SSL, TLS, RELP
MySQL, PGSQL, Oracle 实现日志存储
强大的过滤器,可实现过滤记录日志信息中任意部分
自定义输出格式
ELK :elasticsearch, logstash, kibana
非关系型分布式数据库
基于apache 软件基金会jakarta 项目组的项目lucene
Elasticsearch 是个开源分布式搜索引擎
Logstash 对日志进行收集、分析,并将其存储供以后使用
kibana 的 可以提供的日志分析友好的 Web
术语,参见man logger
facility :设施,从功能或程序上对日志进行 归 类
auth, authpriv, cron, daemon,ftp,kern, lpr, mail,news, security(auth), user, uucp, local0-local7, syslog
Priority 优先级别,从低到高排序
debug, info, notice, warn(warning), err(error),crit(critical), alert, emerg(panic)
参看 帮助: : man 3 syslog
程序包:rsyslog
主程序:/usr/sbin/rsyslogd
CentOS 6 :service rsyslog {start|stop|restart|status}
CentOS 7 :/usr/lib/systemd/system/rsyslog.service
配置文件:/etc/rsyslog.conf ,/etc/rsyslog.d/.conf
库: 文件: /lib64/rsyslog/
.so
配置文件格式:由三部分组成
MODULES :相关模块配置
GLOBAL DIRECTIVES :全局配置
RULES
RULES 配置格式: facility.priority; facility.priority… target
facility: :
*: 所有的facility
facility1,facility2,facility3,... :指定的facility
priority: :
*: 所有级别
none :没有级别,即不记录
PRIORITY :指定级别(含)以上的所有级别
=PRIORITY :仅记录指定级别的日志信息
target: :
文件路径:通常在/var/log/ ,文件路径前的- 表示异步写入
用户:将日志事件通知给指定的用户,* 表示登录的所有用户
日志服务器:@host ,把日志送往至指定的远程服务器记录
: 管道: | COMMAND
通常的日志格式:
事件产生的日期间 时间 机 主机 进程(pid) :事件内容
: 如: /var/log/messages,cron,secure等
配置rsyslog 成为日志 服务器
#### MODULES ####
# Provides UDP syslog reception 启用udp协议
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception 启用tcp协议
$ModLoad imtcp
$InputTCPServerRun 514
其它的日志文件
/var/log/secure :系统安装日志,文本格式,应周期性分析
/var/log/btmp :当前系统上,用户的失败尝试登录相关的日志信息,二进制格式,lastb 命令进行查看
/var/log/wtmp :当前系统上,用户正常登录系统的相关日志信息, 二进制格式, ,last 命令可以查看
/var/log/lastlog: 每一个用户最近一次的登录 信息, 二进制格式,lastlog 命令 可以查看
/var/log/dmesg :系统引导过程中的日志信息,文本格式文本查看工具查看
专用命令dmesg 查看
/var/log/messages :系统中大部分的信息
/var/log/anaconda : anaconda 的日志

[root@root ~]# cat /etc/rsyslog.conf 
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception ruguo
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
#表示除了mail、authpriv、cron 这三种设备的日志文件其他程序的info级别及以上的级别都记录到/var/log/messages文件里
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
#authpriv设备 的日志记录到/var/log/secure文件里
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
#mail 所有级别的日志记录到以异步的方式/var/log/maillog以异步的方式

# Log cron stuff
cron.*                                                  /var/log/cron
#cron 计划日志所有的日志都记录在/var/log/cron
# Everybody gets emergency messages
*.emerg                                                 *
#所有设备的emerg 级别的错误会通知登录该主机的所有用户
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
#表示uucp,news程序发生的crit级别的事件就往/var/log/spooler文件里写
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
#计算机启动日志往/var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
[root@root network-scripts]# cat /etc/ssh/sshd_config 
#   $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV  日志文件记录到authpriv设备里
#LogLevel INFO 
#表示比info级别高或者等于info级别的在记录AUTHPRIV 设备对应的文件

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem   sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server
  • 未改先测试一下
    [root@root ~]# logger "chenxininhao"
  • 查看内容
    [root@root ~]# tail -1 /var/log/messages
    Aug 9 14:06:41 root root: chenxininhao
  • 使用另一台主机测试一下ssh记录的日志信息
[root@localhost ser]# ssh  172.16.253.183 连接
The authenticity of host '172.16.253.183 (172.16.253.183)' can't be established.
RSA key fingerprint is a9:ad:42:ec:d4:20:cd:a2:ee:67:98:0c:f9:79:74:f8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.253.183' (RSA) to the list of known hosts.
root@172.16.253.183's password: 
Last login: Wed Aug  9 10:46:10 2017 from 192.168.75.1
[root@root ~]# 
  • 在172.16.253.183查看ssh记录的日志信息ssh的日志文件交给authpriv设备记录;
    ssh的配置文件因为是如下写
#SyslogFacility AUTH
SyslogFacility AUTHPRIV 表示sshd的日志文件交个authpriv设备记录
#LogLevel INFO 

  • 查看日志服务器相关设置;authpriv设备的所有日志记在/var/log/secure中
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
设备.日志级别*表示所有级别                记录到的文件
  • 查看ssh的日志信息
[root@root ~]# tail -3   /var/log/secure
Aug  9 10:46:10 root sshd[3923]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug  9 14:10:30 root sshd[4258]: Accepted password for root from 172.16.253.147 port 57124 ssh2
  • 更改ssh的日志文件
1.修改日志服务的配置文件
[root@root ~]# vim /etc/rsyslog.conf

# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
#表示除了mail、authpriv、cron 这三种设备的日志文件其他程序的info级别及以上的级别都记录到/var/log/messages文件里
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
#authpriv 身份验证的日志记录到/var/log/secure文件里
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
#mail 所有级别的日志记录到以异步的方式/var/log/maillog以异步的方式
local0.*                                                /var/log/sshdlog
#表示设置local0.* 所有级别的日志记录在/var/log/sshdlog
2.修改sshd服务的配置文件
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#SyslogFacility AUTHPRIV 
SyslogFacility local0
#表示把sshd的所有日志交给local0设备处理
3.重启两个服务
[root@root network-scripts]# service sshd restart
停止 sshd:                                                [确定]
正在启动 sshd:                                            [确定]
[root@root ~]# service rsyslog restart
关闭系统日志记录器:                                       [确定]
启动系统日志记录器:                                       [确定]
4.测试
(1)[root@localhost ser]# ssh  172.16.253.183
root@172.16.253.183's password: 
Last login: Wed Aug  9 14:10:30 2017 from 172.16.253.147
[root@root ~]# 
(2)[root@root ~]# cat /var/log/sshdlog 
Aug  9 14:39:04 root sshd[4402]: Accepted password for root from 172.16.253.147 port 57126 ssh2
--
5.sshd的不希望记录在文本中而是通知用户
local0.*                                                root,chenxi
#表示设置local0.* 所有级别的日志通知给root或者chenxi;如果是*表示通知所有登录到机器上的用户
[root@root ~]# service rsyslog restart
关闭系统日志记录器:                                       [确定]
启动系统日志记录器:                                       [确定]
(客户端测试)
[root@localhost ser]# ssh  172.16.253.183
root@172.16.253.183's password: 密码输错
Permission denied, please try again.
root@172.16.253.183's password: 密码正确
Last login: Wed Aug  9 14:39:04 2017 from 172.16.253.147
服务端查看

实现日志远程记录6的发生到7上

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
使用udp的514端口实现让远程主机辞主机上写日志
# Provides TCP syslog reception
保存退出后重启服务
[root@localhost ser]# service rsyslog restart
Redirecting to /bin/systemctl restart  rsyslog.service
查看端口是否打开udp的514是否打开
[root@localhost ser]# ss -nlu
State       Recv-Q Send-Q               Local Address:Port                              Peer Address:Port              
UNCONN      0      0                        127.0.0.1:323                                          *:*                  
UNCONN      0      0                                *:514                                          *:*         
6上测试自己记录日志是否正常
[root@root ~]# logger "chenxi 99"
[root@root ~]# tail -1 /var/log/messages 
Aug  9 15:39:03 root root: chenxi 99
修改日志的配置文件规则
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                @172.16.253.147
#表示除了mail、authpriv、cron 这三种设备的日志文件其他程序的info级别及以上的级别都以UDP的方式发送到172.16.253.147上记录;
一个@表示UDP协议两个表示TCP协议;
重启
测试
[root@root ~]# service rsyslog restart
关闭系统日志记录器:                                       [确定]
启动系统日志记录器:                                       [确定]
[root@root ~]# logger "chenxi 99"
[root@root ~]# logger "chenxi 699"
7上查看日志信息
[root@localhost ser]# tail -1 /var/log/messages 
Aug  9 15:51:42 root root: chenxi 699
让6上的sshd服务的日志走tcp服务
root@root ~]# vim /etc/ssh/sshd_config 
#SyslogFacility AUTHPRIV 
SyslogFacility local0 表示让关于sshd服务的日志交给local0设备处理
#LogLevel INFO 
保存退出;重启
[root@root ~]# service sshd restart
停止 sshd:                                                [确定]
正在启动 sshd:                                            [确定]
[root@root ~]# vim /etc/rsyslog.conf
local0.*                                                @@172.16.253.147
#local0设备的日志通过TCP协议写到172.16.253.147
重启日志服务
[root@root ~]# service rsyslog restart
关闭系统日志记录器:                                       [确定]
启动系统日志记录器:                                       [确定]
7服务器上的操作
[root@root ~]# vim /etc/rsyslog.conf
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#启用tcp协议实现让远程主机往此主机上写日志
重启日志服务
[root@localhost ser]# systemctl restart rsyslog
查看端口
[root@localhost ser]# ss -nltu
Netid State      Recv-Q Send-Q             Local Address:Port                            Peer Address:Port              
udp   UNCONN     0      0                      127.0.0.1:323                                        *:*                  
udp   UNCONN     0      0                              *:514                                        *:*                  
udp   UNCONN     0      0                              *:68                                         *:*                  
udp   UNCONN     0      0                              *:42623                                      *:*                  
udp   UNCONN     0      0                            ::1:323                                       :::*                  
udp   UNCONN     0      0                             :::514                                       :::*                  
udp   UNCONN     0      0                             :::4661                                      :::*                  
tcp   LISTEN     0      128                            *:22                                         *:*                  
tcp   LISTEN     0      25                             *:514                                        *:*                  
tcp   LISTEN     0      80                            :::3306                                      :::*                  
tcp   LISTEN     0      128                           :::80                                        :::*                  
tcp   LISTEN     0      128                           :::22                                        :::*                  
tcp   LISTEN     0      25                            :::514                                       :::*        
测试
[root@gh ~]# ssh 192.168.75.128
root@192.168.75.128's password: 
Last login: Wed Aug  9 16:19:11 2017 from 192.168.75.129
[root@root ~]# 
[root@localhost ser]# tail -1 /var/log/messages 
Aug  9 16:17:27 root sshd[4915]: Failed password for root from 192.168.75.129 port 53380 ssh2
最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 204,732评论 6 478
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 87,496评论 2 381
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 151,264评论 0 338
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 54,807评论 1 277
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 63,806评论 5 368
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 48,675评论 1 281
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 38,029评论 3 399
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 36,683评论 0 258
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 41,704评论 1 299
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 35,666评论 2 321
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 37,773评论 1 332
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 33,413评论 4 321
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 39,016评论 3 307
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 29,978评论 0 19
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 31,204评论 1 260
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 45,083评论 2 350
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 42,503评论 2 343

推荐阅读更多精彩内容