Introduction to the logging service
rsyslog features (CentOS 6 and 7):
Multi-threaded
UDP, TCP, SSL, TLS and RELP transports
Log storage in MySQL, PostgreSQL and Oracle
Powerful filters that can match on any part of a log message
Custom output formats
ELK: elasticsearch, logstash, kibana
Elasticsearch: a non-relational distributed data store and open-source distributed search engine, built on Lucene (an Apache Software Foundation project that began under the Jakarta project group)
Logstash: collects and parses logs and stores them for later use
Kibana: a friendly web front end for analysing the logs
Terminology, see man logger
facility: classifies log messages by the function or program that produced them
auth, authpriv, cron, daemon, ftp, kern, lpr, mail, news, security (same as auth), user, uucp, local0-local7, syslog
Priority: severity level, ordered from low to high
debug, info, notice, warn(warning), err(error), crit(critical), alert, emerg(panic)
See also: man 3 syslog
Package: rsyslog
Main program: /usr/sbin/rsyslogd
CentOS 6: service rsyslog {start|stop|restart|status}
CentOS 7: /usr/lib/systemd/system/rsyslog.service (systemctl {start|stop|restart|status} rsyslog)
Configuration files: /etc/rsyslog.conf, /etc/rsyslog.d/*.conf
Library files: /lib64/rsyslog/*.so
Configuration file format: three parts
MODULES: module configuration
GLOBAL DIRECTIVES: global settings
RULES: filter rules and the action taken for each
RULES format: facility.priority; facility.priority... target
facility:
*: all facilities
facility1,facility2,facility3,...: only the listed facilities
priority:
*: all levels
none: no level at all, i.e. messages from this facility are not logged
PRIORITY: the given level and every level above it
=PRIORITY: only the given level
Several selectors separated by ; share one target, and a later selector overrides an earlier one for the same facility; that is how *.info;mail.none keeps mail out of a file that otherwise takes everything at info or above.
target:
File path: usually under /var/log/; a - in front of the path means the file is not synced after every write (this only matters when $ActionFileEnableSync is on, which it is not by default)
User: deliver the message to the named users' terminals; * means every logged-in user
Log server: @host sends the message to the named remote server over UDP, @@host over TCP
Pipe: | COMMAND
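The selector semantics are easy to get wrong once several selectors share one line, so here is an added example that is not part of the original notes: a POSIX shell evaluator that answers whether a message tagged facility.priority reaches a rule's target. It implements the traditional syslog.conf rules described above and nothing more (the ! exclusion form is not handled); the rule strings in the demo are the ones from the stock CentOS rsyslog.conf.

```sh
#!/bin/sh
# Added example (not from the original notes): a small evaluator for rsyslog
# selector lists, so the facility/priority rules can be checked without
# restarting the daemon. Traditional syslog.conf semantics: PRIORITY means that
# level and above, =PRIORITY exactly that level, none drops the facility, and
# within one selector list the last selector naming a facility wins.

# Map a priority name (legacy aliases included) to a rank, 0 = debug ... 7 = emerg.
# Prints -1 for an unknown name.
prio_rank() {
    case "$1" in
        debug)         echo 0 ;;
        info)          echo 1 ;;
        notice)        echo 2 ;;
        warn|warning)  echo 3 ;;
        err|error)     echo 4 ;;
        crit|critical) echo 5 ;;
        alert)         echo 6 ;;
        emerg|panic)   echo 7 ;;
        *)             echo -1 ;;
    esac
}

# Usage: selector_matches 'SELECTOR;SELECTOR;...' FACILITY PRIORITY
# Prints yes if a message tagged FACILITY.PRIORITY reaches the target of a rule
# with that selector list, otherwise no.
selector_matches() {
    rest=$1
    facility=$2
    msg_rank=$(prio_rank "$3")
    result=no
    if [ "$msg_rank" -lt 0 ]; then
        echo no
        return
    fi
    # Walk the ';'-separated selectors in order (no word splitting, no globbing).
    while [ -n "$rest" ]; do
        case "$rest" in
            *";"*) sel=${rest%%;*}; rest=${rest#*;} ;;
            *)     sel=$rest; rest= ;;
        esac
        fac_part=${sel%%.*}   # text before the first '.'
        pri_part=${sel#*.}    # text after the first '.'
        applies=no
        if [ "$fac_part" = '*' ]; then
            applies=yes
        else
            facs=$fac_part      # comma list: facility1,facility2,...
            while [ -n "$facs" ]; do
                case "$facs" in
                    *,*) f=${facs%%,*}; facs=${facs#*,} ;;
                    *)   f=$facs; facs= ;;
                esac
                [ "$f" = "$facility" ] && applies=yes
            done
        fi
        [ "$applies" = yes ] || continue
        case "$pri_part" in
            '*')  result=yes ;;
            none) result=no ;;
            =*)   if [ "$msg_rank" -eq "$(prio_rank "${pri_part#=}")" ]; then result=yes; else result=no; fi ;;
            *)    if [ "$msg_rank" -ge "$(prio_rank "$pri_part")" ]; then result=yes; else result=no; fi ;;
        esac
    done
    echo "$result"
}

# Stand-alone demo: which stock CentOS rules catch an sshd message logged as authpriv.info?
for rule in '*.info;mail.none;authpriv.none;cron.none' 'authpriv.*' '*.emerg'; do
    printf '%-45s %s\n' "$rule" "$(selector_matches "$rule" authpriv info)"
done
```

The demo shows the effect of the override rule: the first line says no for authpriv.info even though *.info alone would have matched, because authpriv.none comes later on the same line.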
Typical log line format:
date and time of the event   hostname   process[pid]: message text
e.g. /var/log/messages, cron, secure
Configuring rsyslog as a log server
#### MODULES ####
# Provides UDP syslog reception    (enable the UDP listener)
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception    (enable the TCP listener)
$ModLoad imtcp
$InputTCPServerRun 514
Both listeners accept unencrypted, unauthenticated messages from any host that can reach port 514, so limit the senders with $AllowedSender and the firewall, and use the TLS transport listed above when logs cross an untrusted network.
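The two listeners above are the minimum; a server that will hold other hosts' authentication logs also needs to restrict who may send and to keep remote input apart from its own files. The following shell script is an added example, not part of the original notes and not rsyslog's own documentation. It generates a drop-in for /etc/rsyslog.d/ in the same legacy $-directive syntax the notes use. The port, the allowed network 172.16.253.0/24, the /var/log/remote tree and the file name 10-remote.conf are assumptions, and it expects the imudp/imtcp lines in /etc/rsyslog.conf itself to stay commented out so the modules are not loaded twice.

```sh
#!/bin/sh
# Added example (not part of the original notes): a drop-in for a central
# rsyslog server that accepts only from the networks you name and files each
# client's messages under its own directory. Legacy $-directive syntax is used
# to match the CentOS 6/7 stock rsyslog.conf. Port, allowed network, the
# /var/log/remote tree and the drop-in name are assumptions for the example.

# Usage: gen_remote_conf PORT ALLOWED_NET   (prints the drop-in to stdout)
gen_remote_conf() {
    port=$1
    net=$2
    cat <<EOF
# Remote syslog reception (drop-in, picked up by \$IncludeConfig /etc/rsyslog.d/*.conf)
\$ModLoad imudp
\$ModLoad imtcp

# Only these senders are accepted; everything else is dropped before parsing.
# Keep a matching firewall rule as well, this is not a substitute for one.
# The directives must come before the listeners are started.
\$AllowedSender UDP, 127.0.0.1, $net
\$AllowedSender TCP, 127.0.0.1, $net

\$UDPServerRun $port
\$InputTCPServerRun $port

# One file per sending host and program; files are root-only, directories are
# created on demand. The peer address is used instead of the hostname from the
# message header because the sender controls the header, and secpath-replace
# turns any '/' in the program name into '_' so a crafted tag cannot steer the path.
\$CreateDirs on
\$DirCreateMode 0750
\$FileCreateMode 0640
\$template RemoteHost,"/var/log/remote/%FROMHOST-IP%/%PROGRAMNAME:::secpath-replace%.log"

# Property filter: anything that did not originate locally goes to the template
# path and is then discarded ('& ~' on rsyslog v5, '& stop' on v7 and later), so
# the *.info rule in rsyslog.conf never sees it. The drop-in is included before
# the RULES section, which is what makes this ordering work.
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteHost
& ~
EOF
}

# Usage: install_remote_conf [PORT] [ALLOWED_NET]
# Writes the drop-in, then lets rsyslogd parse the merged configuration
# (-N1 only checks, it does not start logging) before the service is restarted.
install_remote_conf() {
    gen_remote_conf "${1:-514}" "${2:-172.16.253.0/24}" > /etc/rsyslog.d/10-remote.conf \
        && rsyslogd -N1 \
        && service rsyslog restart
}

# Stand-alone: show the configuration that would be installed (nothing is written).
gen_remote_conf 514 172.16.253.0/24
```

Run the script to review the generated text; install_remote_conf is the step that writes the file and restarts the service, and it stops before the restart if rsyslogd -N1 rejects the merged configuration.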
Other log files
/var/log/secure: authentication and authorization messages (the authpriv facility: sshd, su, sudo and the like), text format, should be reviewed periodically
/var/log/btmp: failed login attempts on this system, binary format, view with lastb
/var/log/wtmp: successful logins to this system, binary format, view with last
/var/log/lastlog: each user's most recent login, binary format, view with lastlog
/var/log/dmesg: kernel messages from the boot process, text format, readable with any text viewer
The dmesg command reads the kernel ring buffer directly
/var/log/messages: most of the system's general messages
/var/log/anaconda: the anaconda (installer) logs
[root@root ~]# cat /etc/rsyslog.conf
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
#Everything of level info or above from every facility except mail, authpriv and cron is recorded in /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
#Messages from the authpriv facility are recorded in /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
#All levels of mail are recorded in /var/log/maillog; the leading - means the file is not synced after every write
# Log cron stuff
cron.* /var/log/cron
#All cron messages are recorded in /var/log/cron
# Everybody gets emergency messages
*.emerg *
#emerg-level messages from every facility are delivered to the terminals of all users logged in to this host
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
#crit and above from the uucp and news facilities are written to /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#Boot messages (local7) go to /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
[root@root network-scripts]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#sshd sends its messages to the authpriv facility
#LogLevel INFO
#LogLevel sets how verbose sshd is (INFO is the default); which file the messages end up in is decided by rsyslog's authpriv rule, not by this setting
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
- Test before changing anything
[root@root ~]# logger "chenxininhao"
- Check the content
[root@root ~]# tail -1 /var/log/messages
Aug 9 14:06:41 root root: chenxininhao
- Use another host to see what ssh logs
[root@localhost ser]# ssh 172.16.253.183     (connect)
The authenticity of host '172.16.253.183 (172.16.253.183)' can't be established.
RSA key fingerprint is a9:ad:42:ec:d4:20:cd:a2:ee:67:98:0c:f9:79:74:f8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.253.183' (RSA) to the list of known hosts.
root@172.16.253.183's password:
Last login: Wed Aug 9 10:46:10 2017 from 192.168.75.1
[root@root ~]#
- On 172.16.253.183, look at the log entries sshd produced. sshd's messages are handled by the authpriv facility,
because sshd's configuration file contains the following:
#SyslogFacility AUTH
SyslogFacility AUTHPRIV     (sshd's messages go to the authpriv facility)
#LogLevel INFO
- Check the matching setting on the logging service side: every authpriv message is recorded in /var/log/secure
# The authpriv file has restricted access.
authpriv.* /var/log/secure
facility.priority (* means all levels)   target file
- View the ssh log entries
[root@root ~]# tail -3 /var/log/secure
Aug 9 10:46:10 root sshd[3923]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 9 14:10:30 root sshd[4258]: Accepted password for root from 172.16.253.147 port 57124 ssh2
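Tailing /var/log/secure is enough to confirm one login, but the notes also say the file should be analysed periodically. The following shell script is an added example, not part of the original notes: it counts sshd failed-password events per source address and flags addresses that cross a threshold. The log lines it runs on are constructed for the example in the same format as the entries above; the threshold of 3 is an arbitrary choice.

```sh
#!/bin/sh
# Added example (not from the original notes): counts sshd "Failed password"
# events per source address in /var/log/secure format and flags addresses over
# a threshold. The sample below is constructed for the example; it copies the
# format of the real entries in the notes but the events are invented.

SAMPLE_SECURE='Aug  9 14:10:30 root sshd[4258]: Accepted password for root from 172.16.253.147 port 57124 ssh2
Aug  9 16:17:20 root sshd[4910]: Failed password for root from 192.168.75.129 port 53370 ssh2
Aug  9 16:17:23 root sshd[4910]: Failed password for root from 192.168.75.129 port 53370 ssh2
Aug  9 16:17:25 root sshd[4912]: Failed password for invalid user admin from 192.168.75.129 port 53376 ssh2
Aug  9 16:17:27 root sshd[4915]: Failed password for root from 192.168.75.129 port 53380 ssh2
Aug  9 16:18:01 root sshd[4920]: Failed password for root from 172.16.253.147 port 57200 ssh2
Aug  9 16:18:05 root sshd[4920]: Accepted password for root from 172.16.253.147 port 57200 ssh2
Aug  9 16:18:05 root sshd[4920]: pam_unix(sshd:session): session opened for user root by (uid=0)'

# Usage: failed_by_ip < logfile
# Prints "count ip" lines, highest count first. Only sshd's own "Failed
# password" lines are counted (the pam_unix lines do not match). "invalid user"
# lines carry two extra words, so the address is located relative to the
# "from" keyword instead of by fixed column.
failed_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# Usage: suspicious_ips THRESHOLD < logfile
# Prints only the addresses whose failure count reaches THRESHOLD.
suspicious_ips() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone demo on the constructed sample; on a real host replace the
# printf with: failed_by_ip < /var/log/secure
printf '%s\n' "$SAMPLE_SECURE" | failed_by_ip
printf '%s\n' "$SAMPLE_SECURE" | suspicious_ips 3
```

Because /var/log/secure is readable by root only, run the real check as root or from a cron job; the same two functions work unchanged on the files a central server writes for each remote host.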
- Changing where sshd's log goes
1. Edit the logging service's configuration file
[root@root ~]# vim /etc/rsyslog.conf
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
#Everything of level info or above from every facility except mail, authpriv and cron is recorded in /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
#authpriv (authentication) messages are recorded in /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
#All levels of mail are recorded in /var/log/maillog; the leading - means the file is not synced after every write
local0.* /var/log/sshdlog
#Every level of local0 is recorded in /var/log/sshdlog; this rule is added below the existing ones, and the authpriv rule stays because su, sudo and the PAM modules still use that facility
2. Edit the sshd service's configuration file
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#SyslogFacility AUTHPRIV
SyslogFacility local0
#Hand all of sshd's own messages to the local0 facility. The pam_unix(sshd:session) lines are written by the PAM modules themselves, always with the authpriv facility, so they stay in /var/log/secure; only sshd's own messages (Accepted/Failed password and so on) move.
3. Restart both services
[root@root network-scripts]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@root ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
4. Test
(1)[root@localhost ser]# ssh 172.16.253.183
root@172.16.253.183's password:
Last login: Wed Aug 9 14:10:30 2017 from 172.16.253.147
[root@root ~]#
(2)[root@root ~]# cat /var/log/sshdlog
Aug 9 14:39:04 root sshd[4402]: Accepted password for root from 172.16.253.147 port 57126 ssh2
--
5. Notify users instead of writing sshd's messages to a text file
local0.* root,chenxi
#Every level of local0 is delivered to the terminals of root and chenxi (the user has to be logged in at the time and nothing is stored, so keep a file rule as well); * would notify every logged-in user
[root@root ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
(Test from the client)
[root@localhost ser]# ssh 172.16.253.183
root@172.16.253.183's password:     (wrong password entered)
Permission denied, please try again.
root@172.16.253.183's password:     (correct password)
Last login: Wed Aug 9 14:39:04 2017 from 172.16.253.147
Check on the server side
Remote logging: send the CentOS 6 host's logs to the CentOS 7 host
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
(listen on UDP port 514 so remote hosts can write logs to this host)
# Provides TCP syslog reception
Save, exit and restart the service
[root@localhost ser]# service rsyslog restart
Redirecting to /bin/systemctl restart rsyslog.service
Check whether UDP port 514 is open
[root@localhost ser]# ss -nlu
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 127.0.0.1:323 *:*
UNCONN 0 0 *:514 *:*
On the 6 host, check that local logging works
[root@root ~]# logger "chenxi 99"
[root@root ~]# tail -1 /var/log/messages
Aug 9 15:39:03 root root: chenxi 99
Edit the rule in the log configuration file
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none @172.16.253.147
#Everything of level info or above from every facility except mail, authpriv and cron is now sent over UDP to 172.16.253.147 instead of being written to /var/log/messages on this host; to keep a local copy as well, leave the original file rule in place and add this line next to it. One @ means UDP, two @@ mean TCP. UDP delivery is not acknowledged, so dropped datagrams are lost silently, and neither variant encrypts or authenticates the traffic.
Restart and test
[root@root ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@root ~]# logger "chenxi 99"
[root@root ~]# logger "chenxi 699"
Check the log on the 7 host
[root@localhost ser]# tail -1 /var/log/messages
Aug 9 15:51:42 root root: chenxi 699
Send the sshd log from the 6 host over TCP
root@root ~]# vim /etc/ssh/sshd_config
#SyslogFacility AUTHPRIV
SyslogFacility local0     (sshd's messages go to the local0 facility)
#LogLevel INFO
Save, exit and restart
[root@root ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@root ~]# vim /etc/rsyslog.conf
local0.* @@172.16.253.147
#Messages from the local0 facility are sent over TCP to 172.16.253.147
Restart the logging service
[root@root ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
On the 7 server
[root@root ~]# vim /etc/rsyslog.conf
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#Enable the TCP listener so remote hosts can write logs to this host
Restart the logging service
[root@localhost ser]# systemctl restart rsyslog
Check the ports
[root@localhost ser]# ss -nltu
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.1:323 *:*
udp UNCONN 0 0 *:514 *:*
udp UNCONN 0 0 *:68 *:*
udp UNCONN 0 0 *:42623 *:*
udp UNCONN 0 0 ::1:323 :::*
udp UNCONN 0 0 :::514 :::*
udp UNCONN 0 0 :::4661 :::*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 25 *:514 *:*
tcp LISTEN 0 80 :::3306 :::*
tcp LISTEN 0 128 :::80 :::*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 25 :::514 :::*
Test
[root@gh ~]# ssh 192.168.75.128
root@192.168.75.128's password:
Last login: Wed Aug 9 16:19:11 2017 from 192.168.75.129
[root@root ~]#
[root@localhost ser]# tail -1 /var/log/messages
Aug 9 16:17:27 root sshd[4915]: Failed password for root from 192.168.75.129 port 53380 ssh2
The failed login from the 6 host lands in /var/log/messages on the 7 server because the server's own *.info;mail.none;authpriv.none;cron.none rule accepts local0 messages at info and above. To keep remote sshd messages apart from the server's own logs, add a local0.* rule (or a per-host template) on the server. These are authentication events travelling over plain TCP; on anything but a trusted network use rsyslog's TLS support.