Environment configuration

Client (CentOS 7): 192.168.91.17

Server / master (CentOS 7): 192.168.91.18

Rsyslog client configuration

1. Rsyslog installation

yum install rsyslog

2. Enable UDP forwarding

vim /etc/rsyslog.conf

# Provides UDP syslog reception. A client that only forwards does not need these
# two lines; leaving them in also makes the client listen on UDP/514.
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception (left commented out)
#$ModLoad imtcp
#$InputTCPServerRun 514
# Forward every facility and priority to the log server over UDP
# (a single @ selects UDP, @@ would select TCP; 192.168.91.18 is the server from the environment above)
*.* @192.168.91.18:514

3. Restart the Rsyslog service

systemctl restart rsyslog

Rsyslog server configuration

1. Enable UDP/TCP transmission

vim /etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception: the following two lines are shipped commented out, uncomment them
$ModLoad imtcp
$InputTCPServerRun 514
# Both listeners are now open to the network; allow UDP/TCP 514 through the firewall only from the client hosts

2. Restart the Rsyslog service

systemctl restart rsyslog

Test whether the client's system logs reach the server

1. On the server, follow the system log file continuously

tailf /var/log/messages    # tailf ships with util-linux on CentOS 7; tail -f works the same way

2. On the client, use logger to generate a test log message, then check the output on the server to confirm that the message was collected over the network

logger "rsyslog test"

Rsyslog central log server setup

By default, a received log message is written to the same log file on the server that it would go to locally: a message from the client's authpriv facility, for example, lands in /var/log/secure on the server, mixed with the server's own entries. In other words, each message is written to a log file on the client and then again to the corresponding file on the server.

We tuned the server's logging configuration to address the following three problems.

Optimization problem 1: logs sent from a client show the client's host name in the host field. That is fine when viewing locally, but once the logs of many hosts converge on one server, how do you tell which host sent a given message? Recording the source IP address is clearer, so we configure that below.

The log template configuration needs to be modified on the server:

#### GLOBAL DIRECTIVES ####
# Default template, commented out in favour of the custom one below
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# %fromhost-ip% is the address the message arrived from; %hostname% is read from the
# message body and is therefore whatever the sender put there
$template myFormat,"%timestamp% %fromhost-ip% %syslogtag% %msg%\n"
$ActionFileDefaultTemplate myFormat

After the rsyslog service is restarted, received entries show the client's IP address in the host field instead of its host name.

Optimization problem 2: logs received by the server are scattered across the server's own log files, which is messy. Store them in a dedicated directory, classified by source host.

To avoid modifying the main configuration file, put the settings in a separate .conf file (rsyslog.conf includes /etc/rsyslog.d/*.conf). Create default.conf in /etc/rsyslog.d/ and add the following templates (the UDP reception directives from the server configuration above can live in the same file):

#### GLOBAL DIRECTIVES ####
# Use the default timestamp format
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Use a custom format instead
$template myFormat,"%timestamp% %fromhost-ip% %syslogtag% %msg%\n"
$ActionFileDefaultTemplate myFormat
# Store each client's logs in its own directory, named by the client's IP address
$template RemoteLogs,"/var/log/rsyslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
# Exclude the local host: only messages from remote hosts are written through RemoteLogs
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
# Discard the remote messages matched above so they are not also written to the local log files
# (older configurations write this as "& ~")
& stop

With these templates, logs from different client IP addresses are stored in separate directories.
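The following Python model is added here as an illustration; it is not part of the original page and not rsyslog code. It shows where the template properties come from: the client side builds the RFC 3164 datagram that `logger "rsyslog test"` ends up as on the wire, and the server side fills %fromhost-ip% from the UDP peer address, renders myFormat, and computes the RemoteLogs path with the 127.0.0.1 exclusion. The host name and addresses (client1, 192.168.91.17) are the page's environment values reused as constructed sample input.

```python
"""Constructed model of this page's client -> server rsyslog pipeline (not rsyslog code)."""
import re
import socket
from datetime import datetime

# <PRI>TIMESTAMP HOSTNAME TAG[: ]MSG, where PRI = facility * 8 + severity
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+(?:\[\d+\])?:?)\s?(?P<msg>.*)$", re.S)

def build_rfc3164(msg, hostname="client1", tag="root", facility=1, severity=5, now=None):
    """Datagram forwarded for `logger "rsyslog test"` (facility user, severity notice -> PRI 13)."""
    now = now or datetime.now()
    ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # RFC 3164 pads the day with a space
    return f"<{facility * 8 + severity}>{ts} {hostname} {tag}: {msg}".encode()

def parse_rfc3164(datagram, fromhost_ip):
    """Extract the properties the page's templates use. hostname is read from the packet
    body, so the sender controls it; fromhost-ip is the UDP peer address the server saw."""
    m = RFC3164.match(datagram.decode(errors="replace"))
    if not m:
        raise ValueError("not an RFC 3164 message")
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"],
            "hostname": m["host"], "syslogtag": m["tag"], "msg": m["msg"],
            "fromhost-ip": fromhost_ip}

def render_myformat(rec):
    r"""$template myFormat,"%timestamp% %fromhost-ip% %syslogtag% %msg%\n" """
    return f"{rec['timestamp']} {rec['fromhost-ip']} {rec['syslogtag']} {rec['msg']}\n"

def remote_logs_path(rec, year, month, day):
    """RemoteLogs template path, gated by the filter :fromhost-ip, !isequal, "127.0.0.1"
    (returns None for the local host, whose messages keep going to the usual files)."""
    ip = rec["fromhost-ip"]
    if ip == "127.0.0.1":
        return None
    return f"/var/log/rsyslog/{ip}/{ip}_{year:04d}-{month:02d}-{day:02d}.log"

def loopback_roundtrip(datagram):
    """UDP send to a loopback listener, then parse with the peer address the listener saw."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # 0 picks a free port; the real server uses $UDPServerRun 514
    srv.settimeout(2)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.sendto(datagram, srv.getsockname())  # what "*.* @server:514" does on the client
    data, (peer_ip, _) = srv.recvfrom(65535)
    cli.close(); srv.close()
    return parse_rfc3164(data, peer_ip)
```

Running `loopback_roundtrip(build_rfc3164("rsyslog test"))` yields fromhost-ip 127.0.0.1, so `remote_logs_path` returns None: exactly the local-host case the page's filter excludes.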

Optimization problem 3:

Rsyslog is configured to write to a custom path such as /data/rsyslog, the directory permissions are correct, yet no logs are written. Why?

The cause is SELinux blocking rsyslog from writing outside the paths its policy allows; the quick fix is to turn SELinux off. Note that disabling SELinux removes its protection for every service on the host; the narrower alternative is to give the custom directory the context rsyslog may write to (var_log_t) with semanage fcontext and restorecon.

# Temporarily disable SELinux (until the next reboot)
setenforce 0
# Permanently disable: edit /etc/selinux/config and set
vi /etc/selinux/config
SELINUX=disabled