Rsyslog简介
Rsyslog 是一个快速处理收集系统日志的程序,提供了高性能、安全功能和模块化设计。rsyslog 是syslog 的升级版,它将多种来源输入输出转换结果到目的地。reliable syslog over TCP, SSL/TLS and RELP
Rsyslog can be configured in a client/server model. When configured as a client, it sends logs to a remote server over the network via TCP/UDP protocols. As a server, it receives logs over the network from remote client on port 514 TCP/UDP or any custom port on which it is configured to listen on.
Install Rsyslog on Ubuntu 20.04
Rsyslog is the default syslogd on Debian systems and is usually installed on Ubuntu 20.04 by default.
You can verify this by checking the version of installed rsyslog.
apt list -a rsyslog
Listing... Done
rsyslog/bionic,bionic-updates,now 8.32.0-1ubuntu4 amd64 [installed]
rsyslogd -v
rsyslogd 8.32.0, compiled with:
Setup Rsyslog Server on Ubuntu 20.04
配置Rsyslog 服务器模式
Open the ryslog configuration file for editing;
vim /etc/rsyslog.conf
找到#### MODULES ####部分,修改成如下所示:
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="5140")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="5140")
重新启动rsyslog
sudo systemctl restart rsyslog
查看监听是否正常
netstat -na |grep 0:514
tcp 0 0 0.0.0.0:5140 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:5140 0.0.0.0:*
ss -4altunp | grep 514
udp UNCONN 0 0 0.0.0.0:5140 0.0.0.0:*
tcp LISTEN 0 25 0.0.0.0:5140 0.0.0.0:*
如果有防火墙,打开防火墙
ufw allow 5140/udp
ufw allow 5140/tcp
限制允许访问的IP地址/域名
vim /etc/rsyslog.conf
...
###########################
#### GLOBAL DIRECTIVES ####
###########################
# $AllowedSender - specifies which remote systems are allowed to send syslog messages to rsyslogd
$AllowedSender UDP, 192.168.57.0/24, [::1]/128, *.example.net, servera.example.com
$AllowedSender TCP, 192.168.58.0/24, [::1]/128, *.example.net, servera.example.com
配置保存的文件/模板
vim /etc/rsyslog.conf
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="5140")
#Custom template to generate the log filename dynamically based on the client's IP address.
$template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"
*.* ?RemInputLogs
检查配置文件是否正确
rsyslogd -f /etc/rsyslog.conf -N1
rsyslogd: version 8.2001.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
没有问题,重新Rsyslog服务
systemctl restart rsyslog
Rsyslogd is now ready to receive logs from remote hosts.
配置Rsyslog客户端转发日志到服务器
验证tcp/udp远程连接
Verify Remote Rsyslog Server Ports Connection
To verify connectivity to remote rsyslog server TCP port 5140, run the command below;
telnet 192.168.57.3 5140
Verify connectivity to UDP port 5140. Since you cannot telnet to UDP port 514, use netcat command. On the server, run the command below;
nc -ul 5140
On the client, run the command below, press ENTER and type anything. You should be able to see what you type on the server.
nc -u 192.168.57.3 5140
配置客户端
vim /etc/rsyslog.conf
To send authentication logs over port 5140/UDP, add the following line at the end of the file.
# Send logs to remote syslog server over UDP
auth,authpriv.* @192.168.57.3:5140
To send all logs over port 5140/TCP, add the following line at the end of the file.
# Send logs to remote syslog server over TCP 5140
*.* @@192.168.57.3:5140
如果你的日志非常重要,不接受丢失,就配置下面参数,保存到磁盘上面。
# Define Disk Queue Buffer in case the server goes down
$ActionQueueFileName queue # define a file name for disk assistance.
$ActionQueueMaxDiskSpace 1g # The maximum size that all queue files together will use on disk.
$ActionQueueSaveOnShutdown on # specifies that data should be saved at shutdown
$ActionQueueType LinkedList # holds enqueued messages in memory which makes the process very fast.
$ActionResumeRetryCount -1 # prevents rsyslog from dropping messages when retrying to connect if server is not responding,
Restart the rsyslog service on the client.
systemctl restart rsyslog
You can now log out of the client and login again. The authentication logs should be available on rsyslog server.
Login to the Rsyslog server and verify the same.
ls /var/log/remotelogs/
send specific logs to remote server
The following sample monitors two files. If you need just one, remove the second one. If you need more, add them according to the sample ;). This code must be placed in /etc/rsyslog.conf (or wherever your distro puts rsyslog’s config files). Note that only commands actually needed need to be specified. The second file uses less commands and uses defaults instead.
module(load="imfile" PollingInterval="10") #needs to be done just once
# File 1
input(type="imfile"
File="/path/to/file1"
Tag="tag1"
Severity="error"
Facility="local7")
# File 2
input(type="imfile"
File="/path/to/file2"
Tag="tag2")
# ... and so on ... #
relp rsyslog 相关
relp服务器端配置
https://www.rsyslog.com/doc/v8-stable/configuration/modules/imrelp.html
前提条件
apt-get install rsyslog-relp
Edit /etc/rsyslog.conf to enable RELP input module. For example, to listen on port 2514:
module(load="imrelp") # needs to be done just once
input(type="imrelp" port="2514" maxDataSize="10k")
配置tls支持
Receive RELP traffic via TLS¶
This receives RELP traffic via TLS using the recommended “openssl” library. Except for encryption support the scenario is the same as in Example 1.
Certificate files must exist at configured locations. Note that authmode “certvalid” is not very strong - you may want to use a different one for actual deployments. For details, see parameter descriptions.
module(load="imrelp" tls.tlslib="openssl")
input(type="imrelp" port="2514" maxDataSize="10k"
tls="on"
tls.cacert="/tls-certs/ca.pem"
tls.mycert="/tls-certs/cert.pem"
tls.myprivkey="/tls-certs/key.pem"
tls.authmode="certvalid"
tls.permittedpeer="rsyslog")
客户端配置
Sending msgs with omrelp
The following sample sends all messages to the central server “centralserv” at port 2514 (note that that server must run imrelp on port 2514).
module(load="omrelp")
action(type="omrelp" target="centralserv" port="2514")
Sending msgs with omrelp via TLS
This is the same as the previous example but uses TLS (via OpenSSL) for operations.
Certificate files must exist at configured locations. Note that authmode “certvalid” is not very strong - you may want to use a different one for actual deployments. For details, see parameter descriptions.
module(load="omrelp" tls.tlslib="openssl")
action(type="omrelp"
target="centralserv" port="2514" tls="on"
tls.cacert="tls-certs/ca.pem"
tls.mycert="tls-certs/cert.pem"
tls.myprivkey="tls-certs/key.pem"
tls.authmode="certvalid"
tls.permittedpeer="rsyslog")
旧命令用下面这个
This module uses old-style action configuration to keep consistent with the forwarding rule. So far, no additional configuration directives can be specified. To send a message via RELP, use
*.* :omrelp:<server>:<port>;<template>
rsyslog 新命令都是使用action的方式
Use the following configuration in /etc/rsyslog.conf or create a file with the following content in the /etc/rsyslog.d/ directory:
*.* action(type="omfwd"
queue.type="linkedlist"
queue.filename="example_fwd"
action.resumeRetryCount="-1"
queue.saveOnShutdown="on"
target="example.com" port="6514" protocol="tcp"
)
Sample syslog.conf 配置tcp 使用 tls通信
Keep in mind that this rsyslog.conf accepts messages via TCP, only. The only other source accepted is messages from the server itself.
module(load="imuxsock") # local messages
module(load="imtcp" # TCP listener
StreamDriver.Name="gtls"
StreamDriver.Mode="1" # run driver in TLS-only mode
StreamDriver.Authmode="anon"
)
# make gtls driver the default and set certificate files
global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/path/to/contrib/gnutls/ca.pem"
DefaultNetstreamDriverCertFile="/path/to/contrib/gnutls/cert.pem"
DefaultNetstreamDriverKeyFile="/path/to/contrib/gnutls/key.pem"
)
# start up listener at port 6514
input(
type="imtcp"
port="6514"
)
Be sure to safeguard at least the private key (machine-key.pem)! If some third party obtains it, you security is broken!
omfwd用法
Example 1
The following command sends all syslog messages to a remote server via TCP port 10514.
action(type="omfwd" Target="192.168.2.11" Port="10514" Protocol="tcp" Device="eth0")
Example 2
In case the system in use has multiple (maybe virtual) network interfaces network namespaces come in handy, each with its own routing table. To be able to distribute syslogs to remote servers in different namespaces specify them as separate actions.
action(type="omfwd" Target="192.168.1.13" Port="10514" Protocol="tcp" NetworkNamespace="ns_eth0.0")
action(type="omfwd" Target="192.168.2.24" Port="10514" Protocol="tcp" NetworkNamespace="ns_eth0.1")
action(type="omfwd" Target="192.168.3.38" Port="10514" Protocol="tcp" NetworkNamespace="ns_eth0.2")
rsyslog central logging to hostname.log excluding localhost
# Add on top of the RULES statement
$template remote, "/var/log/%HOSTNAME%.log"
if ($fromhost-ip != "127.0.0.1" ) then -?remote
& stop
storing-messages-from-a-remote-system-into-a-specific-file
Config Statements
$ModLoad imtcp
$InputTCPServerRun 10514
# do this in FRONT of the local/regular rules
if $fromhost-ip startswith '192.0.1.' then /var/log/network1.log
& ~
if $fromhost-ip startswith '192.0.2.' then /var/log/network2.log
& ~
# local/regular rules, like
*.* /var/log/syslog.log
How it works
It is important that the rules processing the remote messages come before any rules to process local messages. The if’s above check if a message originates on the network in question and, if so, writes them to the appropriate log. The next line (“& ~”) is important: it tells rsyslog to stop processing the message after it was written to the log. As such, these messages will not reach the local part. Without that “& ~”, messages would also be written to the local files.
Also note that in the filter there is a dot after the last number in the IP address. This is important to get reliable filters. For example, both of the addresses “192.0.1.1” and “192.0.10.1” start with “192.0.1” but only one actually starts with “192.0.1.”!
参考文档:https://blog.csdn.net/McwoLF/article/details/110121026
https://www.rsyslog.com/doc/v8-stable/configuration/modules/omrelp.html
https://gist.github.com/drmalex07/bb178d61f800488446d22de4301160f1
https://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_server.html
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-using_the_new_syntax_for_rsyslog_queues
https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
