[RSYSLOG Series] rsyslog remote server construction

Foreword

On Linux systems, rsyslog is the usual system logging daemon. The name stands for "rocket-fast system for log processing". It offers high performance, security features and a modular design: it can accept logs from many kinds of sources and write them to many kinds of destinations. rsyslog can transport logs over several protocols, such as UDP and TCP, and can encrypt the transport with TLS.

This article describes how to set up an rsyslog remote log server on CentOS.

1. Setting up the TCP and UDP environment

1. Make sure the server and the client can reach each other over the network

Run ping from the server to the client and from the client to the server; both directions should succeed.

2. Configure /etc/rsyslog.conf

2.1 Enable TCP/UDP listening in rsyslog

$ModLoad imudp and $ModLoad imtcp load the UDP and TCP input modules.
$UDPServerRun and $InputTCPServerRun set the UDP and TCP listening port (514 is the conventional syslog port).

2.2 Set log message storage location and file naming

The $template directive named Remote defines where the log files are stored and how they are named:

$template Remote,"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"

Remote is the template name and can be chosen freely.
"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" is the path under which remote logs are stored: %fromhost-ip% is the IP address of the client (in a relay chain, of the last relay), and %$YEAR%-%$MONTH%-%$DAY% is the date, on the receiving server, at which the message was processed. The template therefore stores remote logs under /var/log/remote_syslog, with one directory per client IP and, inside it, one file per IP and day.

%fromhost-ip% is the right property to build a path from: it is the address of the peer on the TCP/UDP socket, which the sender cannot choose. %hostname% is taken from the message itself and %fromhost% from a reverse DNS lookup, so either may contain "/" or ".." chosen by a remote sender; if you key file names on them, apply rsyslog's secpath-drop or secpath-replace property option so the value cannot escape the log directory.

:fromhost-ip, !isequal, "127.0.0.1" ?Remote

This property-based filter matches every message whose source IP is not 127.0.0.1, that is, every message received from the network, and writes it to the file named by the Remote template. Note that the line is not followed by "& stop", so the same messages also continue through the normal rules and are written to /var/log/messages and the other local files as well. To keep remote logs separate, add the stop after this action or bind the network inputs to their own ruleset.

2.3 Custom format for received logs

Optional; normally the default template is used.

rsyslog can reformat received remote log messages before writing them. If nothing is configured, rsyslog's built-in default template is used:

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

To customise the on-disk format:

  1. Comment out the default line above.
  2. Define your own template with the $template directive:

$template myFormat,"%timegenerated% %FROMHOST-IP% %syslogtag% %msg%\n"

%timegenerated%: time at which rsyslog received the message
%FROMHOST-IP%: IP address of the sending host
%syslogtag%: syslog TAG field, usually the program name and PID
%msg%: message text

Note:
If you only want to store the raw content of the remote log, a template such as the following is enough:

$template myFormat,"%syslogtag% %msg%\n"

  3. Apply the custom template:

$ActionFileDefaultTemplate myFormat
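Sections 2.2 and 2.3 use the legacy $-style directives. The following is an added example, not configuration from the article, written in rsyslog's RainerScript syntax. It keeps the article's per-client, per-day file layout and raw format, and additionally binds the network listeners to their own ruleset so that remote messages are written only to the per-client files and never fall through to /var/log/messages. The ruleset and template names are assumptions chosen for this example; do not combine it with the article's $template Remote / ?Remote lines in the same configuration, or each remote message would be written twice.

```conf
# Added example (not from the original article). Names are placeholders.
module(load="imtcp")
module(load="imudp")

# Same per-client, per-day layout as the article's $template Remote.
# %fromhost-ip% comes from the socket, so the sender cannot forge it;
# $year/$month/$day are the receiver's current date.
template(name="RemoteFile" type="string"
         string="/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$year%-%$month%-%$day%.log")

# Raw-content format (the article's second myFormat), with a trailing newline.
template(name="RemoteRaw" type="string" string="%syslogtag%%msg%\n")

# Only if file names are ever keyed on %hostname% (which the client sends):
# secpath-replace turns "/" into "_" so a host name such as "../../etc"
# cannot escape the log directory.
template(name="RemoteByName" type="string"
         string="/var/log/remote_syslog/%hostname:::secpath-replace%/%$year%-%$month%-%$day%.log")

# Dedicated ruleset: remote messages are written here and nowhere else.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteFile" template="RemoteRaw"
           dirCreateMode="0750" fileCreateMode="0640")
    stop   # do not let remote messages continue into the local rules
}

# Bind both network inputs to that ruleset.
input(type="imtcp" port="514" ruleset="remote")
input(type="imudp" port="514" ruleset="remote")
```

Because the inputs are bound to the ruleset, the ":fromhost-ip, !isequal" filter is no longer needed: only network traffic reaches this ruleset, and local messages (imjournal/imuxsock) continue to use the default rules.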

3. Open the firewall port (the article turns the firewall off)

The article runs the following on the log server, which stops firewalld and disables SELinux:

systemctl stop firewalld
setenforce 0
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config

This is acceptable in an isolated lab, but a log server is exactly the kind of host that should keep both enabled. The better option is to open only the syslog port in firewalld (firewall-cmd with --add-port=514/tcp and --add-port=514/udp, then --reload) and to leave SELinux enforcing: in the targeted policy port 514 is already labelled syslogd_port_t, so rsyslogd is allowed to bind it. If you choose a non-default port, label it with semanage port rather than disabling SELinux.

4. Restart rsyslog and check its status

Before restarting, rsyslogd -N1 validates the configuration and reports syntax errors without starting the daemon. Then:

systemctl restart rsyslog    # restart the rsyslog service
systemctl status rsyslog     # show the current status of the rsyslog service

5. Configure log client

On the log client (the host that sends the logs), configure the remote server's IP address, port and protocol.

6. Check that rsyslog is listening

Run the following on the log server:

netstat -pan | grep syslog

rsyslogd should show a TCP socket in LISTEN state on 0.0.0.0:514 and a UDP socket bound to 0.0.0.0:514 (on newer systems without netstat, ss -lntup gives the same information).

7. Check the received log files and their contents

Once a client has sent a message, a directory named after the client IP should appear under /var/log/remote_syslog with a file for the current day inside it.
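Step 5 above does not show the client side. The following is an added example, not configuration from the article, of the forwarding configuration on a client; it corresponds to the commented-out forwarding block in the CentOS default rsyslog.conf reproduced in chapter 3. The server name logserver.example.com and the file name /etc/rsyslog.d/forward.conf are placeholders for this example.

```conf
# Added example (not from the original article): /etc/rsyslog.d/forward.conf
# on the client. The target host name is a placeholder.
#
# Forward everything over TCP (the legacy equivalent is "*.* @@logserver.example.com:514").
# The disk-assisted queue keeps messages on the client while the server is
# unreachable instead of dropping them; spool files go to $WorkDirectory
# (/var/lib/rsyslog on CentOS).
action(type="omfwd"
       target="logserver.example.com" port="514" protocol="tcp"
       queue.type="LinkedList"          # process asynchronously
       queue.filename="fwd_logserver"   # unique spool file prefix
       queue.maxDiskSpace="1g"          # cap on spooled data
       queue.saveOnShutdown="on"        # keep queued messages across restarts
       action.resumeRetryCount="-1")    # retry forever while the server is down
```

For UDP, set protocol="udp" (legacy: a single "@"); UDP neither guarantees delivery nor allows the queue to detect a down server. Note that with plain TCP or UDP there is no authentication at all: the server-side filter in section 2.2 accepts messages from any address other than 127.0.0.1, so anyone who can reach port 514 can write into the remote log files. After restarting rsyslog on the client, "logger -t test hello" is a quick way to produce a message and check that it appears on the server.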

2. Setting up the TLS environment

TLS is an encrypted transport layered on top of TCP. Authentication can be one-way (the client verifies the server's certificate) or two-way, also called mutual (each side verifies the other's certificate).

1. Set up the server as described in the previous chapter

2. Certificate usage

Y = required, N = not needed.

Client (log sending side):

Certificate material        One-way authentication   Two-way authentication
Root (CA) certificate       Y                        Y
Local (client) certificate  N                        Y
Private key                 N                        Y

Server (log receiving side):

Certificate material        One-way authentication   Two-way authentication
Root (CA) certificate       Y                        Y
Local (server) certificate  Y                        Y
Private key                 Y                        Y

In one-way mode the client only needs the CA certificate to validate the server; in two-way mode it also presents its own certificate and key, which the server validates against the same CA.

3. Reference the certificates in /etc/rsyslog.conf and make sure the TCP listener is enabled

Here the TCP listener is loaded with the module() syntax recommended for newer rsyslog versions, while the certificate paths use the older $-style directives; rsyslog accepts both forms in the same file.

3.1 One-way authentication

# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /var/log/certtool/cacert.pem
$DefaultNetstreamDriverCertFile /var/log/certtool/cert.pem
$DefaultNetstreamDriverKeyFile /var/log/certtool/key.pem

# load TCP listener
module(
load="imtcp"
#StreamDriver.Name="gtls"        # not needed: gtls is already the default driver above
StreamDriver.Mode="1"            # 1 = TLS only; 0 would also accept plain TCP
StreamDriver.Authmode="anon"     # no client certificate is requested or checked
)

$InputTCPServerRun 514

3.2 Two-way authentication

# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /var/log/certtool/cacert.pem
$DefaultNetstreamDriverCertFile /var/log/certtool/cert.pem
$DefaultNetstreamDriverKeyFile /var/log/certtool/key.pem

# load TCP listener

module(
load="imtcp"
#StreamDriver.Name="gtls"                # not needed: gtls is already the default driver above
StreamDriver.Mode="1"                    # 1 = TLS only
StreamDriver.Authmode="x509/certvalid"   # client must present a certificate that chains to the CA file; its name is not checked
)

$InputTCPServerRun 514

The only difference between one-way and two-way authentication on the server side is the StreamDriver.Authmode parameter. With "anon" the server does not ask the client for a certificate at all, so any host that can reach port 514 can submit logs; the setup is "one-way" only because the client, for its part, validates the server certificate. "x509/certvalid" requires the client to present a certificate signed by the configured CA, but accepts any such certificate. To restrict the listener to specific clients, use "x509/name" together with PermittedPeer entries, which are matched against the name in the client certificate. On the client the corresponding setting is the StreamDriverAuthMode parameter of the omfwd action.
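The following is an added example, not configuration from the article, showing both halves of a mutual-TLS setup in which each side checks the other's certificate name rather than merely its CA signature. The host names, the /etc/rsyslog-tls paths, the file names and port 6514 are placeholders for this example.

```conf
# Added example (not from the original article). Names and paths are placeholders.
#
# ---- server side: /etc/rsyslog.d/tls-server.conf ----
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog-tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog-tls/server-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog-tls/server-key.pem"
)
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"               # TLS only; plain TCP connections are refused
       StreamDriver.AuthMode="x509/name"   # client cert must chain to the CA AND match a permitted name
       PermittedPeer=["client1.example.com", "*.lab.example.com"])
input(type="imtcp" port="6514")            # 6514 is the IANA-registered port for syslog over TLS

# ---- client side: /etc/rsyslog.d/tls-client.conf ----
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog-tls/ca.pem"
    # Cert and key are only needed for two-way authentication; drop these two
    # lines for a server running in Authmode "anon".
    DefaultNetstreamDriverCertFile="/etc/rsyslog-tls/client1-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog-tls/client1-key.pem"
)
action(type="omfwd"
       target="logserver.example.com" port="6514" protocol="tcp"
       StreamDriver="gtls"
       StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"                  # verify the server cert chains to the CA and is issued to the name below
       StreamDriverPermittedPeers="logserver.example.com"
       queue.type="LinkedList"                           # disk-assisted queue, as in plain TCP forwarding
       queue.filename="fwd_tls"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

Even with the article's one-way server (Authmode "anon"), the client should keep StreamDriverAuthMode at "x509/name" or at least "x509/certvalid"; with "anon" on the client side the connection is encrypted but the client would happily ship its logs to any host that answers on the port.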

3. Complete configuration files for each protocol

1. TCP/UDP

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state
# With escaping off, control characters (newlines, ANSI escape sequences) sent by
# a remote client are written to the log files verbatim; for a receiver of
# untrusted input consider rsyslog's default ("on"), which escapes them as #<octal>.
$EscapeControlCharactersOnReceive off

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


#Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514

$template Remote,"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote

# ### end of the forwarding rule ###

2. TLS

2.1 One-way authentication

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
#$DefaultNetstreamDriverCAFile /var/syslog/tls/cacert.pem
#$DefaultNetstreamDriverCertFile /var/syslog/tls/server/cert.pem
#$DefaultNetstreamDriverKeyFile /var/syslog/tls/server/key.pem
$DefaultNetstreamDriverCAFile /var/log/certtool/cacert.pem
$DefaultNetstreamDriverCertFile /var/log/certtool/cert.pem
$DefaultNetstreamDriverKeyFile /var/log/certtool/key.pem

# load TCP listener

module(
load="imtcp"
#StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.Authmode="anon"
)

$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state
$EscapeControlCharactersOnReceive off

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


#Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514

$template Remote,"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote

# ### end of the forwarding rule ###


2.2 Two-way authentication

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
#$DefaultNetstreamDriverCAFile /var/syslog/tls/cacert.pem
#$DefaultNetstreamDriverCertFile /var/syslog/tls/server/cert.pem
#$DefaultNetstreamDriverKeyFile /var/syslog/tls/server/key.pem
$DefaultNetstreamDriverCAFile /var/log/certtool/cacert.pem
$DefaultNetstreamDriverCertFile /var/log/certtool/cert.pem
$DefaultNetstreamDriverKeyFile /var/log/certtool/key.pem

# load TCP listener

module(
load="imtcp"
#StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.Authmode="x509/certvalid"
)

$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state
$EscapeControlCharactersOnReceive off

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


#Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514

$template Remote,"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote

# ### end of the forwarding rule ###
