High-Availability

syslog-ng 配置在調試模式下工作,但並非沒有

  • September 5, 2019

我正在嘗試將 syslog-ng 作為 HA 集群中的 OCF 資源執行。我遇到了一些非常奇怪的行為 - 當我在調試模式下啟動單個實例時,過濾器匹配並正確轉發。但是,當我刪除調試標誌時,它只匹配兩個過濾器之一。所以,它是這樣工作的(主機名和 IP 被編輯):

# pcs status
Cluster name: fwdr
Stack: corosync
Current DC: fwdr-secondary (version 1.1.19-8.el7_6.4-c3c624ea3d) - partition with quorum
Last updated: Thu Sep  5 11:50:18 2019
Last change: Thu Sep  5 10:27:51 2019 by root via cibadmin on fwdr-primary

2 nodes configured
2 resources configured

Online: [ fwdr-primary fwdr-secondary ]

Full list of resources:

virtual_ip     (ocf::heartbeat:IPaddr2):       Started fwdr-primary
syslog-ng      (ocf::heartbeat-git:syslog-ng): Started fwdr-primary

Daemon Status:
 corosync: active/enabled
 pacemaker: active/enabled
 pcsd: active/enabled

系統日誌-ng.conf:

@version: 3.5

source incoming {
       udp(
           ip("VIP")
           port(514)
           flags(no-parse)
       );

       tcp(
           ip("VIP")
           port(514)
           flags(no-parse)
       );
};

filter pi_duplication {
   netmask("someip/32")
   or netmask("someip/32")
   or netmask("someip/32")

   ...a bunch of these...

   or netmask("someip/32")
};

destination dl {
   udp(
           "<REDACTED:dl hostname>"
           port(514)
           spoof_source(yes)
           template( "${MESSAGE}\n" )
   );
};

destination ci {
   tcp(
       "<REDACTED:ci hostname>"
       port(11468)
       template( "${MESSAGE}\n" )
   );
};

log {
   source(incoming);
   filter(pi);
   destination(ci);
};

現在,禁用 syslog-ng 資源:

# pcs resource disable syslog-ng
...
Full list of resources:

virtual_ip     (ocf::heartbeat:IPaddr2):       Started fwdr-primary
syslog-ng      (ocf::heartbeat-git:syslog-ng): Stopped (disabled)

現在以調試模式啟動它:

# syslog-ng -f /etc/syslog-ng/syslog-ng.conf --foreground --debug
Reading path for candidate modules; path='//usr/lib64/syslog-ng'

...

Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:6]
 Compiling incoming reference [source] at [/etc/syslog-ng/syslog-ng.conf:6]
   Compiling incoming sequence [source] at [/etc/syslog-ng/syslog-ng.conf:3]
     Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:3]
       Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:4]
       Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:1]
 Compiling pi_duplication reference [filter] at [/etc/syslog-ng/syslog-ng.conf:6]
   Compiling pi_duplication sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:1]
     Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:1]
 Compiling ci reference [destination] at [/etc/syslog-ng/syslog-ng.conf:6]
   Compiling ci sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:5]
     Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:5]
       Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:5]
Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7]
 Compiling incoming reference [source] at [/etc/syslog-ng/syslog-ng.conf:7]
 Compiling dl reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7]
   Compiling dl sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:4]
     Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:4]
       Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:5]
Syslog connection established; fd='9', server='AF_INET(<REDACTED:dl host's IP>:514)', local='AF_INET(0.0.0.0:0)'
Running application hooks; hook='1'
Running application hooks; hook='3'
syslog-ng starting up; version='3.5.6'
Syslog connection established; fd='8', server='AF_INET(<REDACTED:is host's IP>:11468)', local='AF_INET(0.0.0.0:0)'
Syslog connection accepted; fd='16', client='AF_INET(<REDACTED:ci host's IP>:47876)', local='AF_INET(10.68.233.48:514)'
Incoming log entry; line='<REDACTED>'
Filter rule evaluation begins; rule='pi_duplication', location='/etc/syslog-ng/syslog-ng.conf:17:32'
Filter node evaluation result; result='not-match'
Filter node evaluation result; result='not-match'
Filter node evaluation result; result='not-match', type='OR'
Filter node evaluation result; result='not-match'
Filter node evaluation result; result='not-match', type='OR'
Filter node evaluation result; result='not-match'
Filter node evaluation result; result='not-match', type='OR'

...repeated...

Filter node evaluation result; result='not-match'
Filter node evaluation result; result='not-match', type='OR'
Filter node evaluation result; result='match'
Filter node evaluation result; result='match', type='OR'
Filter node evaluation result; result='match', type='OR'
Filter node evaluation result; result='match', type='OR'
Filter node evaluation result; result='match', type='OR'
Filter node evaluation result; result='match', type='OR'
Filter node evaluation result; result='match', type='OR'
Filter rule evaluation result; result='match', rule='pi_duplication', location='/etc/syslog-ng/syslog-ng.conf:17:32'

依此類推,每條傳入線路都匹配並正確發送到兩個目標。流量範例,其中source是生成主機,destination是ci主機,myvip是我監聽的VIP,myrealip是fwdr-primary的真實IP:

# tcpdump -nn -i enp15s0f0 "port 514 or port 11468"                                       
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp15s0f0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:03:14.545138 IP source.48100 > myvip.514: Flags [P.], seq 2372587949:2372588369, ack 3533250116, win 29, length 420
12:03:14.545185 IP myvip.514 > source.48100: Flags [R], seq 3533250116, win 0, length 0
12:03:15.227043 IP source.48112 > myvip.514: Flags [S], seq 2965678208, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
12:03:15.227107 IP myvip.514 > source.48112: Flags [S.], seq 280396112, ack 2965678209, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:03:15.260720 IP source.48112 > myvip.514: Flags [.], ack 1, win 29, length 0
12:03:15.260773 IP source.48112 > myvip.514: Flags [P.], seq 1:401, ack 1, win 29, length 400
12:03:15.260796 IP myvip.514 > source.48112: Flags [.], ack 401, win 237, length 0
12:03:15.262926 IP source.48112 > dlhost.514: SYSLOG local0.info, length: 400
12:03:15.263037 IP myrealip.41003 > destination.11468: Flags [P.], seq 2022253190:2022253590, ack 3273547315, win 229, options [nop,nop,TS val 3195491935 ecr 501321261], length 400
12:03:15.263175 IP destination.11468 > myrealip.41003: Flags [.], ack 400, win 235, options [nop,nop,TS val 501331496 ecr 3195491935], length 0

現在,重新啟用集群資源:

# pcs resource enable syslog-ng

現在網路靜默:

12:08:24.610741 IP source.48240 > myvip.514: Flags [S], seq 3387574314, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
12:08:24.610796 IP myvip.514 > source.48240: Flags [S.], seq 2754922833, ack 3387574315, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:08:24.644579 IP source.48240 > myvip.514: Flags [.], ack 1, win 29, length 0
12:09:01.941077 IP source.48240 > myvip.514: Flags [P.], seq 1:484, ack 1, win 29, length 483
12:09:01.941127 IP myvip.514 > source.48240: Flags [.], ack 484, win 237, length 0
12:09:01.942064 IP source.48240 > dlhost.514: SYSLOG local0.info, length: 483

(直接來自 source > dlhost 的數據包是我根據 dl 規則欺騙源的地方)。換句話說,在集群下執行時的跟踪顯示它只匹配 dl 規則,而在調試模式下在前台執行時,它正確匹配兩個規則!這使得調試變得非常困難,我無法弄清楚發生了什麼。

從您的 syslog-ng 版本,我猜您在 RHEL/CentOS 7 上使用 EPEL 的 syslog-ng。

現在無法驗證它,但我有一些遙遠的記憶,當從 systemd 啟動 syslog-ng 時,SELinux 會阻止網路連接。如果有任何與 syslog-ng 相關的內容,您應該檢查您的審核日誌。

我關於該主題的部落格可能會有所幫助:https ://www.syslog-ng.com/community/b/blog/posts/using-syslog-ng-with-selinux-in-enforcing-mode

引用自:https://serverfault.com/questions/982061