High-Availability
syslog-ng configuration works in debug mode, but not without it
I'm trying to run syslog-ng as an OCF resource in an HA cluster. I'm running into some very strange behaviour: when I start a single instance in debug mode, the filters match and forward correctly. But when I remove the debug flag, it only matches one of the two filters. So, here is how it works (hostnames and IPs redacted):
# pcs status
Cluster name: fwdr
Stack: corosync
Current DC: fwdr-secondary (version 1.1.19-8.el7_6.4-c3c624ea3d) - partition with quorum
Last updated: Thu Sep 5 11:50:18 2019
Last change: Thu Sep 5 10:27:51 2019 by root via cibadmin on fwdr-primary

2 nodes configured
2 resources configured

Online: [ fwdr-primary fwdr-secondary ]

Full list of resources:

 virtual_ip     (ocf::heartbeat:IPaddr2):           Started fwdr-primary
 syslog-ng      (ocf::heartbeat-git:syslog-ng):     Started fwdr-primary

Daemon Status:
  corosync: active/enabled
  pacemaker: active/enabled
  pcsd: active/enabled
syslog-ng.conf:
@version: 3.5

source incoming {
    udp( ip("VIP") port(514) flags(no-parse) );
    tcp( ip("VIP") port(514) flags(no-parse) );
};

filter pi_duplication {
    netmask("someip/32")
    or netmask("someip/32")
    or netmask("someip/32")
    ...a bunch of these...
    or netmask("someip/32")
};

destination dl {
    udp( "<REDACTED:dl hostname>" port(514) spoof_source(yes) template( "${MESSAGE}\n" ) );
};

destination ci {
    tcp( "<REDACTED:ci hostname>" port(11468) template( "${MESSAGE}\n" ) );
};

# The filter is defined as pi_duplication above and the --debug compile output
# below references it by that name, so the log path must use the same name.
log { source(incoming); filter(pi_duplication); destination(ci); };

# Second log path (incoming -> dl, no filter), reconstructed from the --debug
# compile output below, which compiles a second unnamed log statement at
# syslog-ng.conf:7 referencing source incoming and destination dl.
log { source(incoming); destination(dl); };
Now, disable the syslog-ng resource:
# pcs resource disable syslog-ng
...
Full list of resources:

 virtual_ip     (ocf::heartbeat:IPaddr2):           Started fwdr-primary
 syslog-ng      (ocf::heartbeat-git:syslog-ng):     Stopped (disabled)
Now start it in debug mode:
# syslog-ng -f /etc/syslog-ng/syslog-ng.conf --foreground --debug
Reading path for candidate modules; path='//usr/lib64/syslog-ng'
...
Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:6]
Compiling incoming reference [source] at [/etc/syslog-ng/syslog-ng.conf:6]
Compiling incoming sequence [source] at [/etc/syslog-ng/syslog-ng.conf:3]
Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:3]
Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:4]
Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:1]
Compiling pi_duplication reference [filter] at [/etc/syslog-ng/syslog-ng.conf:6]
Compiling pi_duplication sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:1]
Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:1]
Compiling ci reference [destination] at [/etc/syslog-ng/syslog-ng.conf:6]
Compiling ci sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:5]
Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:5]
Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:5]
Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7]
Compiling incoming reference [source] at [/etc/syslog-ng/syslog-ng.conf:7]
Compiling dl reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7]
Compiling dl sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:4]
Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:4]
Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:5]
Syslog connection established; fd='9', server='AF_INET(<REDACTED:dl host's IP>:514)', local='AF_INET(0.0.0.0:0)'
Running application hooks; hook='1'
Running application hooks; hook='3'
syslog-ng starting up; version='3.5.6'
Syslog connection established; fd='8', server='AF_INET(<REDACTED:is host's IP>:11468)', local='AF_INET(0.0.0.0:0)'
Syslog connection accepted; fd='16', client='AF_INET(<REDACTED:ci host's IP>:47876)', local='AF_INET(10.68.233.48:514)'
Incoming log entry; line='<REDACTED>'
Filter rule evaluation begins; rule='pi_duplication', location='/etc/syslog-ng/syslog-ng.conf:17:32'
Filter node evaluation result; result='not-match'
Filter node evaluation result; result='not-match'
Filter node evaluation result; result='not-match', type='OR'
Filter node evaluation result; result='not-match'
Filter node evaluation result; result='not-match', type='OR'
Filter node evaluation result; result='not-match'
Filter node evaluation result; result='not-match', type='OR'
...repeated...
Filter node evaluation result; result='not-match'
Filter node evaluation result; result='not-match', type='OR'
Filter node evaluation result; result='match'
Filter node evaluation result; result='match', type='OR'
Filter node evaluation result; result='match', type='OR'
Filter node evaluation result; result='match', type='OR'
Filter node evaluation result; result='match', type='OR'
Filter node evaluation result; result='match', type='OR'
Filter node evaluation result; result='match', type='OR'
Filter rule evaluation result; result='match', rule='pi_duplication', location='/etc/syslog-ng/syslog-ng.conf:17:32'
And so on; every incoming line matches and is sent correctly to both destinations. Example traffic, where source is the generating host, destination is the ci host, myvip is the VIP I listen on, and myrealip is the real IP of fwdr-primary:
# tcpdump -nn -i enp15s0f0 "port 514 or port 11468"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp15s0f0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:03:14.545138 IP source.48100 > myvip.514: Flags [P.], seq 2372587949:2372588369, ack 3533250116, win 29, length 420
12:03:14.545185 IP myvip.514 > source.48100: Flags [R], seq 3533250116, win 0, length 0
12:03:15.227043 IP source.48112 > myvip.514: Flags [S], seq 2965678208, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
12:03:15.227107 IP myvip.514 > source.48112: Flags [S.], seq 280396112, ack 2965678209, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:03:15.260720 IP source.48112 > myvip.514: Flags [.], ack 1, win 29, length 0
12:03:15.260773 IP source.48112 > myvip.514: Flags [P.], seq 1:401, ack 1, win 29, length 400
12:03:15.260796 IP myvip.514 > source.48112: Flags [.], ack 401, win 237, length 0
12:03:15.262926 IP source.48112 > dlhost.514: SYSLOG local0.info, length: 400
12:03:15.263037 IP myrealip.41003 > destination.11468: Flags [P.], seq 2022253190:2022253590, ack 3273547315, win 229, options [nop,nop,TS val 3195491935 ecr 501321261], length 400
12:03:15.263175 IP destination.11468 > myrealip.41003: Flags [.], ack 400, win 235, options [nop,nop,TS val 501331496 ecr 3195491935], length 0
Now, re-enable the cluster resource:
# pcs resource enable syslog-ng
Now the network goes quiet:
12:08:24.610741 IP source.48240 > myvip.514: Flags [S], seq 3387574314, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
12:08:24.610796 IP myvip.514 > source.48240: Flags [S.], seq 2754922833, ack 3387574315, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:08:24.644579 IP source.48240 > myvip.514: Flags [.], ack 1, win 29, length 0
12:09:01.941077 IP source.48240 > myvip.514: Flags [P.], seq 1:484, ack 1, win 29, length 483
12:09:01.941127 IP myvip.514 > source.48240: Flags [.], ack 484, win 237, length 0
12:09:01.942064 IP source.48240 > dlhost.514: SYSLOG local0.info, length: 483
(The packets going directly from source > dlhost are where I spoof the source according to the dl rule.) In other words, the trace when running under the cluster shows it matching only the dl rule, whereas when running in the foreground in debug mode it correctly matches both rules! This makes debugging very difficult, and I can't figure out what is going on.
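The two tcpdump captures above can be compared mechanically rather than by eye. The script below is an added example, not code from the poster; it embeds the capture lines from the post (with the poster's placeholder hostnames source, myvip, myrealip, dlhost and destination), classifies each payload-carrying packet as "received on the VIP listener", "forwarded to dl" or "forwarded to ci", and reports which configured destination saw no forward at all. The listener and destination endpoints are taken from the posted syslog-ng.conf; which packets count as payload (TCP segments with PSH and data, UDP datagrams tcpdump decoded as SYSLOG) is an assumption that fits these captures.

```python
import re
from collections import Counter

# Capture lines copied from the post above (foreground --debug run).
FOREGROUND_TRACE = """\
12:03:14.545138 IP source.48100 > myvip.514: Flags [P.], seq 2372587949:2372588369, ack 3533250116, win 29, length 420
12:03:14.545185 IP myvip.514 > source.48100: Flags [R], seq 3533250116, win 0, length 0
12:03:15.227043 IP source.48112 > myvip.514: Flags [S], seq 2965678208, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
12:03:15.227107 IP myvip.514 > source.48112: Flags [S.], seq 280396112, ack 2965678209, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:03:15.260720 IP source.48112 > myvip.514: Flags [.], ack 1, win 29, length 0
12:03:15.260773 IP source.48112 > myvip.514: Flags [P.], seq 1:401, ack 1, win 29, length 400
12:03:15.260796 IP myvip.514 > source.48112: Flags [.], ack 401, win 237, length 0
12:03:15.262926 IP source.48112 > dlhost.514: SYSLOG local0.info, length: 400
12:03:15.263037 IP myrealip.41003 > destination.11468: Flags [P.], seq 2022253190:2022253590, ack 3273547315, win 229, options [nop,nop,TS val 3195491935 ecr 501321261], length 400
12:03:15.263175 IP destination.11468 > myrealip.41003: Flags [.], ack 400, win 235, options [nop,nop,TS val 501331496 ecr 3195491935], length 0
"""

# Capture lines copied from the post above (run as a Pacemaker resource).
CLUSTER_TRACE = """\
12:08:24.610741 IP source.48240 > myvip.514: Flags [S], seq 3387574314, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
12:08:24.610796 IP myvip.514 > source.48240: Flags [S.], seq 2754922833, ack 3387574315, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
12:08:24.644579 IP source.48240 > myvip.514: Flags [.], ack 1, win 29, length 0
12:09:01.941077 IP source.48240 > myvip.514: Flags [P.], seq 1:484, ack 1, win 29, length 483
12:09:01.941127 IP myvip.514 > source.48240: Flags [.], ack 484, win 237, length 0
12:09:01.942064 IP source.48240 > dlhost.514: SYSLOG local0.info, length: 483
"""

# Endpoints from the posted syslog-ng.conf: the VIP listener and the two
# destinations (hostnames as the poster placeholder-named them in tcpdump).
LISTEN = ("myvip", 514)
DESTINATIONS = {"dl": ("dlhost", 514), "ci": ("destination", 11468)}

# One tcpdump -nn line: timestamp, "IP", src.port > dst.port: rest
PKT = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse(trace):
    """Parse tcpdump lines; non-packet lines (banner, errors) are skipped."""
    pkts = []
    for line in trace.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        rest = m.group("rest")
        lm = re.search(r"length:? (\d+)", rest)
        length = int(lm.group(1)) if lm else 0
        # Payload-carrying packets only: a TCP PSH segment with data, or a UDP
        # datagram that tcpdump decoded as SYSLOG. SYN/ACK/RST carry no message.
        has_payload = length > 0 and ("Flags [P." in rest or rest.startswith("SYSLOG"))
        pkts.append({
            "ts": m.group("ts"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "length": length, "payload": has_payload,
        })
    return pkts


def summarize(trace):
    """Count messages received on the listener and forwards per destination."""
    counts = Counter()
    for p in parse(trace):
        if not p["payload"]:
            continue
        if (p["dst"], p["dport"]) == LISTEN:
            counts["received"] += 1
            continue
        for name, endpoint in DESTINATIONS.items():
            if (p["dst"], p["dport"]) == endpoint:
                counts[name] += 1
    return dict(counts)


def missing_forwards(trace):
    """Destinations that received nothing although the listener saw messages."""
    s = summarize(trace)
    return sorted(n for n in DESTINATIONS if s.get("received", 0) and s.get(n, 0) == 0)


if __name__ == "__main__":
    for label, trace in (("foreground", FOREGROUND_TRACE), ("cluster", CLUSTER_TRACE)):
        print(label, summarize(trace), "missing:", missing_forwards(trace))
```

Run against the post's captures, the foreground trace shows every received message going to both dl and ci, while the cluster trace shows the dl forward only and reports ci as missing. For a live cluster the same check can be fed from `tcpdump -nn -l` output, which makes it easy to confirm whether a TCP forward ever leaves the box at all (as opposed to being filtered out), which is the distinction the question turns on.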
Judging by your syslog-ng version, I guess you are using syslog-ng from EPEL on RHEL/CentOS 7.
I can't verify it right now, but I have a distant memory that SELinux blocked network connections when syslog-ng was started from systemd. You should check your audit logs for anything related to syslog-ng.
My blog post on the subject might help: https://www.syslog-ng.com/community/b/blog/posts/using-syslog-ng-with-selinux-in-enforcing-mode
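"Check your audit logs for anything syslog-ng related" in practice means pulling the AVC records for that process out of /var/log/audit/audit.log and reading the source domain, the denied permission, the object class and the target type. The script below is an added example, not from the answerer or the syslog-ng project: it parses AVC records in the standard audit.log format, filters them by comm, and renders each denial as one line. The sample log is constructed for this example (a syslogd_t name_connect denial to an unreserved TCP port, plus an unrelated SERVICE_START, SYSCALL and httpd_t record that must be ignored); it is not taken from the poster's system, and the specific denial shown is an illustration, not a claim about what the poster's audit log contains.

```python
import re

# Constructed sample of audit.log content for this example (not from the
# poster's machine). Field layout follows the kernel's AVC/SYSCALL records.
SAMPLE_AUDIT_LOG = """\
type=SERVICE_START msg=audit(1567691234.100:301): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=syslog-ng comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1567691234.512:302): avc:  denied  { name_connect } for  pid=4242 comm="syslog-ng" dest=11468 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1567691234.512:302): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=7ffd2c3a1c20 a2=10 a3=0 items=0 ppid=1 pid=4242 comm="syslog-ng" exe="/usr/sbin/syslog-ng" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1567691240.001:310): avc:  denied  { read } for  pid=5150 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# type=AVC msg=audit(<epoch>:<serial>): avc:  denied  { perm ... } for  k=v k=v ...
AVC = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
# key=value pairs; quoted values may contain spaces
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(log_text):
    """Return one dict per AVC record; every other record type is skipped."""
    records = []
    for line in log_text.splitlines():
        m = AVC.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(m.group("fields"))}
        records.append({
            "ts": float(m.group("ts")),
            "serial": int(m.group("serial")),
            "verdict": m.group("verdict"),
            "perms": m.group("perms").split(),
            **fields,
        })
    return records


def denials_for(log_text, comm="syslog-ng"):
    """Denied AVCs raised by a given process name (the comm= field)."""
    return [r for r in parse_avc(log_text)
            if r["verdict"] == "denied" and r.get("comm") == comm]


def type_of(context):
    """The type component of an SELinux context (user:role:type:level)."""
    return context.split(":")[2]


def describe(rec):
    """One-line summary: source domain, permission, object class, target type."""
    line = (f"{type_of(rec['scontext'])} denied {' '.join(rec['perms'])} "
            f"on {rec['tclass']} {type_of(rec['tcontext'])}")
    if "dest" in rec:            # network denials carry the destination port
        line += f" dest={rec['dest']}"
    if rec.get("permissive") == "1":
        line += " (permissive: logged but not enforced)"
    return line


if __name__ == "__main__":
    for rec in denials_for(SAMPLE_AUDIT_LOG):
        print(describe(rec))
```

On a real host the input would come from `ausearch -m avc -c syslog-ng` (or the raw audit.log); reading the summary line tells you whether the blocked operation is the outbound TCP connect the trace above fails to show. The constructed denial here is of exactly that shape: a confined syslogd_t process refused name_connect on a port type the policy does not let it reach. Whatever the real denial turns out to be, the fix belongs in policy (a port label or a local module built from the denial with audit2allow after reviewing it), not in disabling enforcement on a log forwarder.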