Logging
rsyslog: is there a way to see the facility code of received messages?
I have a Cisco FTD sending logs tagged local3 (19), but I still see some messages ending up in my users.log instead of where I configured them to go. If they are not tagged, where do they go? Or is there a way to verify that they are being tagged "user" or facility code 1? I have not commented out user in my rsyslog.conf. (Debian wheezy, rsyslog v5)
root@PHOENILOGOP2:/etc# more rsyslog.conf
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html

########################
### TROUBLESHOOTING ####
########################

$template myFormat,"%rawmsg%\n"
$ActionFileDefaultTemplate myFormat

#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

###############
#### RULES ####
###############

$template Firewall,"/var/log/prd/fwlog-%$YEAR%-%$MONTH%-%$DAY%"
$template Switch,"/var/log/prd/rslog-%$YEAR%-%$MONTH%-%$DAY%"
$template Ironport,"/var/log/prd/iplog-%$YEAR%-%$MONTH%-%$DAY%"
# $template ACS,"/var/log/prd/acslog-%$YEAR%-%$MONTH%-%$DAY%"
$template FTD,"/var/log/prd/ftdlog-%$YEAR%-%$MONTH%-%$DAY%"
$template ISE,"/var/log/prd/iselog-%$YEAR%-%$MONTH%-%$DAY%"
$template Meraki,"/var/log/prd/merakilog-%$YEAR%-%$MONTH%-%$DAY%"
# $template Umbrella,"/var/log/prd/umbrellalog-%$YEAR%-%$MONTH%-%$DAY%"

#
# First some standard log files.  Log by facility.
#
# Local7.* -?Firewall
# Local6.* -?Ironport
Local5.* -?Meraki
Local4.* -?Switch
Local3.* -?FTD
Local2.* -?ISE
# Local1.* -?Umbrella

auth,authpriv.*                 /var/log/auth.log
#*.*;auth,authpriv.none         -/var/log/syslog
#cron.*                         /var/log/cron.log
#daemon.*                       -/var/log/daemon.log
kern.*                          -/var/log/kern.log
#lpr.*                          -/var/log/lpr.log
#mail.*                         -/var/log/mail.log
user.*                          -/var/log/user.log;myFormat

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info                      -/var/log/mail.info
#mail.warn                      -/var/log/mail.warn
#mail.err                       /var/log/mail.err

#
# Logging for INN news system.
#
#news.crit                      /var/log/news/news.crit
#news.err                       /var/log/news/news.err
#news.notice                    -/var/log/news/news.notice

#
# Some "catch-all" log files.
#
#*.=debug;\
#       auth,authpriv.none;\
#       news.none;mail.none     -/var/log/debug
#*.=info;*.=notice;*.=warn;\
#       auth,authpriv.none;\
#       cron,daemon.none;\
#       mail,news.none          -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8

#
# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
#daemon.*;mail.*;\
#       news.err;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       |/dev/xconsole

root@PHOENILOGOP2:/etc# service --status-all
 [ + ]  acpid
 [ + ]  atd
 [ - ]  bootlogs
 [ ? ]  bootmisc.sh
 [ ? ]  checkfs.sh
 [ ? ]  checkroot-bootclean.sh
 [ - ]  checkroot.sh
 [ - ]  console-setup
 [ + ]  cron
 [ - ]  exim4
 [ - ]  hostname.sh
 [ ? ]  hwclock.sh
 [ - ]  kbd
 [ - ]  keyboard-setup
 [ ? ]  killprocs
 [ ? ]  kmod
 [ - ]  lvm2
 [ - ]  motd
 [ ? ]  mountall-bootclean.sh
 [ ? ]  mountall.sh
 [ ? ]  mountdevsubfs.sh
 [ ? ]  mountkernfs.sh
 [ ? ]  mountnfs-bootclean.sh
 [ ? ]  mountnfs.sh
 [ ? ]  mpt-statusd
 [ ? ]  mtab.sh
 [ ? ]  networking
 [ + ]  nfs-common
 [ ? ]  open-vm-tools
 [ - ]  procps
 [ ? ]  rc.local
 [ - ]  rmnologin
 [ + ]  rpcbind
 [ + ]  rsyslog
 [ ? ]  sendsigs
 [ + ]  ssh
 [ - ]  sudo
 [ + ]  tftpd-hpa
 [ + ]  udev
 [ ? ]  udev-mtab
 [ ? ]  umountfs
 [ ? ]  umountnfs.sh
 [ ? ]  umountroot
 [ - ]  urandom

user.log example (should be tagged Local3 (Facility 19) but is actually being tagged Local7 (Facility 23), which doesn't explain why it is in user.log (Facility 1)):

Aug 13 2020 13:21:23 TPK-COMCAST-FTD-01 %FTD-6-430003: EventPriority: Low, DeviceUUID: <DeviceUUID obfuscated>, InstanceID: 3, FirstPacketSecond: 2020-08-13T13:21:23Z, ConnectionID: 6910, AccessControlRuleAction: Allow, SrcIP: 192.168.91.252, DstIP: 208.67.220.220, SrcPort: 40311, DstPort: 53, Protocol: udp, IngressInterface: TPK-COMCAST-INSIDE, EgressInterface: TPK-COMCAST-OUTSIDE, IngressZone: TPK-COMCAST-INSIDE, EgressZone: TPK-COMCAST-OUTSIDE, IngressVRF: Global, EgressVRF: Global, ACPolicy: TPK-COMCAST-FTD-ACCESS-POLICY, AccessControlRuleName: Umbrella VA DNS Outbound, Prefilter Policy: Default Prefilter Policy, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 127, ResponderBytes: 101, NAPPolicy: Balanced Security and Connectivity, DNSQuery: kdp.amazon.com, DNSRecordType: a host address, DNSResponseType: No Error, DNS_TTL: 24
If you add these to the top of your rsyslog configuration, you may find the information you need:
$template myFormat,"%rawmsg%\n"
$ActionFileDefaultTemplate myFormat
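How rsyslog turns the raw line that %rawmsg% exposes into a facility, as an added example (not from the question or the answer): the leading <N> PRI header encodes facility = N / 8 and severity = N mod 8, and a line with no parseable PRI is assigned rsyslog's default PRI 13 (user.notice), which is exactly what the user.* selector catches. The sample lines are constructed, and the routing table mirrors only the uncommented selectors in the rsyslog.conf above.

```python
import re

# Facility names as rsyslog spells them in selectors (facility = PRI // 8).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# rsyslog's DEFAULT_PRI is LOG_USER | LOG_NOTICE == (1 << 3) | 5 == 13: a message
# with no parseable <PRI> header gets it, matches "user.*" and lands in user.log.
DEFAULT_PRI = 13
# A legal PRI is "<" + 1..3 digits + ">" at the very start, with a value <= 191.
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Destinations of the active (uncommented) selectors in the question's rsyslog.conf;
# local7 -> Firewall is commented out there, so local7 lines match no file rule.
ROUTES = {
    "local5": "Meraki", "local4": "Switch", "local3": "FTD", "local2": "ISE",
    "auth": "/var/log/auth.log", "authpriv": "/var/log/auth.log",
    "kern": "/var/log/kern.log", "user": "/var/log/user.log",
}

def decode_pri(raw):
    """Return (facility_code, facility_name, severity_name, had_valid_pri)."""
    m = PRI_RE.match(raw)
    if m and int(m.group(1)) <= 191:
        pri, had_pri = int(m.group(1)), True
    else:
        pri, had_pri = DEFAULT_PRI, False
    facility, severity = pri >> 3, pri & 7
    name = FACILITIES.get(facility, "facility%d" % facility)
    return facility, name, SEVERITIES[severity], had_pri

def route(raw):
    """Destination the rules above would pick for this raw line (None: no match)."""
    return ROUTES.get(decode_pri(raw)[1])

# Constructed sample lines, shaped like what the %rawmsg% template writes out.
SAMPLES = [
    "<157>Aug 13 2020 13:21:23 TPK-COMCAST-FTD-01 %FTD-6-430003: ConnectionID: 1",
    "<189>Aug 13 2020 13:21:23 TPK-COMCAST-FTD-01 %FTD-6-430003: ConnectionID: 2",
    "Aug 13 2020 13:21:23 TPK-COMCAST-FTD-01 %FTD-6-430003: ConnectionID: 3",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(decode_pri(line), "->", route(line))
```

Run against a file written with the %rawmsg% template, any line that decodes with had_valid_pri False is one the sender shipped without a PRI header, which is why it is classified as user rather than local3.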