Logging

rsyslog,有沒有辦法查看收到的消息的設施程式碼?

  • August 13, 2020

我有一個 cisco ftd 發送帶有 local3(19) 標記的日誌,但是我仍然看到一些消息最終出現在我的 users.log 中,而不是我將它們配置為發送的位置。如果不加標籤,他們會到哪裡去?或者有沒有辦法驗證他們被標記為“使用者”或設施程式碼 1?我沒有在我的 rsyslog.conf 中註釋掉使用者。(Debian wheezy,rsyslog v5)

root@PHOENILOGOP2:/etc# more rsyslog.conf
#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html


########################
### TROUBLESHOOTING ####
########################

$template myFormat,"%rawmsg%\n"
$ActionFileDefaultTemplate myFormat


#################
#### MODULES #### 
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514



###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############
$template Firewall,"/var/log/prd/fwlog-%$YEAR%-%$MONTH%-%$DAY%"
$template Switch,"/var/log/prd/rslog-%$YEAR%-%$MONTH%-%$DAY%"
$template Ironport,"/var/log/prd/iplog-%$YEAR%-%$MONTH%-%$DAY%"
# $template ACS,"/var/log/prd/acslog-%$YEAR%-%$MONTH%-%$DAY%"
$template FTD,"/var/log/prd/ftdlog-%$YEAR%-%$MONTH%-%$DAY%"
$template ISE,"/var/log/prd/iselog-%$YEAR%-%$MONTH%-%$DAY%
$template Meraki,"/var/log/prd/merakilog-%$YEAR%-%$MONTH%-%$DAY%
# $template Umbrella,"/var/log/prd/umbrellalog-%$YEAR%-%$MONTH%-%$DAY%"

#
# First some standard log files.  Log by facility.
#
Local7.* -?Firewall
# Local6.* -?Ironport
Local5.* -?Meraki
Local4.* -?Switch
Local3.* -?FTD
Local2.* -?ISE
# Local1.* -?Umbrella

auth,authpriv.*                 /var/log/auth.log
#*.*;auth,authpriv.none         -/var/log/syslog
#cron.*                         /var/log/cron.log
#daemon.*                       -/var/log/daemon.log
kern.*                          -/var/log/kern.log
#lpr.*                          -/var/log/lpr.log
#mail.*                         -/var/log/mail.log
user.*                          -/var/log/user.log;myFormat

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info                      -/var/log/mail.info
#mail.warn                      -/var/log/mail.warn
#mail.err                       /var/log/mail.err

#
# Logging for INN news system.
#
#news.crit                      /var/log/news/news.crit
#news.err                       /var/log/news/news.err
#news.notice                    -/var/log/news/news.notice
#
#
# Some "catch-all" log files.
#
#*.=debug;\
#       auth,authpriv.none;\
#       news.none;mail.none     -/var/log/debug
#*.=info;*.=notice;*.=warn;\
#       auth,authpriv.none;\
#       cron,daemon.none;\
#       mail,news.none          -/var/log/messages
#
#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*
#
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8
#
# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
# 
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
#daemon.*;mail.*;\
#       news.err;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       |/dev/xconsole



root@PHOENILOGOP2:/etc# service --status-all
[ + ]  acpid
[ + ]  atd
[ - ]  bootlogs
[ ? ]  bootmisc.sh
[ ? ]  checkfs.sh
[ ? ]  checkroot-bootclean.sh
[ - ]  checkroot.sh
[ - ]  console-setup
[ + ]  cron
[ - ]  exim4
[ - ]  hostname.sh
[ ? ]  hwclock.sh
[ - ]  kbd
[ - ]  keyboard-setup
[ ? ]  killprocs
[ ? ]  kmod
[ - ]  lvm2
[ - ]  motd
[ ? ]  mountall-bootclean.sh
[ ? ]  mountall.sh
[ ? ]  mountdevsubfs.sh
[ ? ]  mountkernfs.sh
[ ? ]  mountnfs-bootclean.sh
[ ? ]  mountnfs.sh
[ ? ]  mpt-statusd
[ ? ]  mtab.sh
[ ? ]  networking
[ + ]  nfs-common
[ ? ]  open-vm-tools
[ - ]  procps
[ ? ]  rc.local
[ - ]  rmnologin
[ + ]  rpcbind
[ + ]  rsyslog
[ ? ]  sendsigs
[ + ]  ssh
[ - ]  sudo
[ + ]  tftpd-hpa
[ + ]  udev
[ ? ]  udev-mtab
[ ? ]  umountfs
[ ? ]  umountnfs.sh
[ ? ]  umountroot
[ - ]  urandom


user.log example(should be tagged Local3(Facility 19) but is actually being tagged Local7(Facility 23), which doesn't explain why it is in user.log(Facility 1):
Aug 13 2020 13:21:23 TPK-COMCAST-FTD-01  %FTD-6-430003: EventPriority: Low, DeviceUUID: <DeviceUUID obsfucation), InstanceID: 3, FirstPacketSecond: 2020-08-13T13:21:23Z, ConnectionID: 6910, AccessControlRuleAction: Allow, SrcIP: 192.168.91.252, DstIP: 208.67.220.220, SrcPort: 40311, DstPort: 53, Protocol: udp, IngressInterface: TPK-COMCAST-INSIDE, EgressInterface: TPK-COMCAST-OUTSIDE, IngressZone: TPK-COMCAST-INSIDE, EgressZone: TPK-COMCAST-OUTSIDE, IngressVRF: Global, EgressVRF: Global, ACPolicy: TPK-COMCAST-FTD-ACCESS-POLICY, AccessControlRuleName: Umbrella VA DNS Outbound, Prefilter Policy: Default Prefilter Policy, Client: DNS client, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 127, ResponderBytes: 101, NAPPolicy: Balanced Security and Connectivity, DNSQuery: kdp.amazon.com, DNSRecordType: a host address, DNSResponseType: No Error, DNS_TTL: 24

如果您將這些添加到 rsyslog 配置的頂部,您可能會找到所需的資訊:

$template myFormat,"%rawmsg%\n"
$ActionFileDefaultTemplate myFormat

rsyslog.com

引用自:https://serverfault.com/questions/1029269

相關問答

Linux

為什麼像 cisco 這樣的公司遵循不同的 syslog 消息格式,而不是 rfc 3164 (BSD syslog) 和 rfc 5424 (IETF syslog)?

  • March 28, 2022
檢視問答
Linux

讓 Syslog 記錄到 syslog 和自定義日誌文件

  • August 12, 2021
檢視問答
Linux-Networking

從主機上的 /var/log/syslog 中排除遠端 syslog 客戶端日誌

  • February 19, 2021
檢視問答
Iptables

將數據包複製到另一個本地主機(SIEM)

  • September 17, 2020
檢視問答
Ubuntu

在 rsyslog 模板中使用 linux 環境變數

  • August 4, 2020
檢視問答
Bash

如何按標籤過濾 rsyslog 消息

  • May 4, 2020
檢視問答