Logging

Rsyslog not logging from remote server

  • May 17, 2013

I am trying to set up a centralized logging server. I have a central server (A) receiving logs from a remote server (B) on port 514. I know it is receiving those logs; here are some entries from tcpdump on port 514:

# tcpdump port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:49:52.136520 IP IP_FROM_SERVER_B.55558 > IP_FROM_SERVER_A.syslog: SYSLOG local0.notice, length: 474
10:49:52.136792 IP IP_FROM_SERVER_B.55558 > IP_FROM_SERVER_A.syslog: SYSLOG user.notice, length: 671
10:49:52.136838 IP IP_FROM_SERVER_B.55558 > IP_FROM_SERVER_A.syslog: SYSLOG user.info, length: 79

This is what the file it should be logging to looks like (I call it /var/log/test.log):

May 16 10:43:19 SERVER_A kernel: imklog 3.22.1, log source = /proc/kmsg started.
May 16 10:43:19 SERVER_A rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="12974" x-info="http://www.rsyslog.com"] (re)start
May 16 10:49:08 SERVER_A kernel: device eth0 entered promiscuous mode
May 16 10:49:53 SERVER_A kernel: device eth0 left promiscuous mode

Here is my rsyslog.conf:

# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock

$ModLoad imtcp
$ModLoad imudp

$InputTCPServerRun 514
$UDPServerRun 514

# Write everything to test.log
*.*                                                     /var/log/test.log

*.info;mail;.none;authpriv.none;cron.none               /var/log/messages

#----------DEFAULT-SETTINGS-----------#
#----------HAVE-NOT-CHANGED------------#

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                         /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

I make sure to restart rsyslog every time I edit rsyslog.conf, and I am running the daemon started with the -r and -t flags, even though they are deprecated in my current version.

So why is nothing that comes in on port 514 being written to test.log?

Edit: MadHatter asked to see my iptables output:

# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
  33  2988            udp  --  eth0   *       IP_ADDRESS_A          0.0.0.0/0           
725K  420M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 231K packets, 189M bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target     prot opt in     out     source               destination         
135K   92M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  17  1808 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255 
   0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           
  66  9195 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353 
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631 
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
90284   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   7   420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
500K  317M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
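One caveat worth checking against the listing above: tcpdump taps frames at the packet-socket layer, before netfilter's INPUT chain filters them, so seeing the datagrams in tcpdump does not prove they reached rsyslog's UDP socket. In the listing, every packet that is not matched earlier in RH-Firewall-1-INPUT hits the final REJECT, and no rule before it accepts port 514. The script below is an added example (not from the question or its answers): it parses a constructed copy of the INPUT-side chains from that listing (addresses replaced with RFC 5737 documentation placeholders) and walks the rules the way the kernel would for a given packet, including the jump into the user-defined chain and the target-less counter rule on INPUT. The field names and the `syslog_packet` helper are assumptions made for the example.

```python
"""Replay an `iptables -L -n -v` listing for a hypothetical packet.

Added example, not from the original post. IPTABLES_LISTING is a
constructed copy of the question's INPUT and RH-Firewall-1-INPUT chains;
192.0.2.10 stands in for server A and 198.51.100.20 for server B.
"""
import ipaddress
import re

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
PROTOS = {"all", "tcp", "udp", "icmp", "esp", "ah"}

IPTABLES_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   33  2988            udp  --  eth0   *       192.0.2.10           0.0.0.0/0
 725K  420M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 135K   92M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   17  1808 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
   66  9195 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
90284   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    7   420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 500K  317M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""


def parse_listing(text):
    """Return {chain_name: {"policy": str or None, "rules": [rule, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        if line.startswith("pkts") or current is None:
            continue  # column header
        t = line.split()
        # A rule with an empty target column (a pure counter, like the first
        # INPUT rule in the question) shifts the protocol into the target slot.
        if t[2] in PROTOS and t[3].startswith("-"):
            target, rest = None, t[2:]
        else:
            target, rest = t[2], t[3:]
        proto, _opt, in_if, out_if, src, dst = rest[:6]
        extra = " ".join(rest[6:])
        dpt = re.search(r"dpt:(\d+)", extra)
        state = re.search(r"state (\S+)", extra)
        current["rules"].append({
            "target": target, "proto": proto, "in": in_if, "out": out_if,
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "dport": int(dpt.group(1)) if dpt else None,
            "states": set(state.group(1).split(",")) if state else None,
        })
    return chains


def matches(rule, pkt):
    """True when every match field of the rule applies to the packet."""
    return (rule["proto"] in ("all", pkt["proto"])
            and rule["in"] in ("*", pkt["in"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (rule["states"] is None or pkt["state"] in rule["states"]))


def verdict(chains, pkt, chain="INPUT"):
    """First terminal target the packet hits; chain policy if none matched."""
    for rule in chains[chain]["rules"]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target is None:          # counter-only rule: never terminates
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target in chains:        # jump into a user-defined chain
            result = verdict(chains, pkt, target)
            if result is not None:
                return result
    return chains[chain]["policy"]  # None for user chains: fall back to caller


def syslog_packet(proto, src="198.51.100.20", dst="192.0.2.10",
                  in_if="eth0", dport=514, state="NEW"):
    """Hypothetical packet from server B to server A (constructed values)."""
    return {"proto": proto, "src": src, "dst": dst, "in": in_if,
            "dport": dport, "state": state}


CHAINS = parse_listing(IPTABLES_LISTING)

if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(f"{proto}/514 from B on eth0 -> {verdict(CHAINS, syslog_packet(proto))}")
    print("tcp/22 NEW from B      ->", verdict(CHAINS, syslog_packet("tcp", dport=22)))
```

Running it against the constructed listing reports REJECT for both udp/514 and tcp/514 from server B and ACCEPT for tcp/22, which is what the counters in the question suggest (the REJECT rule has absorbed 500K packets). On a live host the same walk can be reproduced by feeding the script the real output of `iptables -L -n -v`; a DROP or REJECT verdict means the fix belongs in the firewall rules, not in rsyslog.conf.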

I am not an rsyslog expert, but from reading the documentation you may need

$UDPServerRun 514

since you only have the similar TCP directive.

Run ps -eaf | grep syslog to make sure it is running with the -r option.

Otherwise, you should edit /etc/default/rsyslog with the following options:

RSYSLOGD_OPTIONS="-m 0 -r"

Restart syslogd and check.
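The answer above turns on whether the UDP listener is actually configured, which is easy to check statically rather than by eye. The script below is an added example (not from the post or from the rsyslog project): it reads a legacy-syntax rsyslog.conf, pairs each loaded input module with the directive that opens its listener (`$ModLoad imudp` with `$UDPServerRun`, `$ModLoad imtcp` with `$InputTCPServerRun`), and validates every element of a selector as `facility.priority`. CONF is a constructed, shortened copy of the questioner's file; the check finds both listener directives present and flags the `*.info;mail;.none;...` line, whose `mail;.none` is not a valid selector element. The `check_conf` function and its finding format are assumptions made for the example.

```python
"""Static checks for a legacy-syntax rsyslog.conf.

Added example, not from the original post. CONF is a constructed,
shortened copy of the questioner's configuration.
"""

FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "security", "syslog", "user", "uucp", "ftp", "*"}
FACILITIES |= {f"local{i}" for i in range(8)}
PRIORITIES = {"debug", "info", "notice", "warning", "warn", "err", "error",
              "crit", "alert", "emerg", "panic", "none", "*"}
# Input module -> legacy directive that actually opens its listener.
LISTENERS = {"imudp": "$UDPServerRun", "imtcp": "$InputTCPServerRun"}

CONF = """\
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ModLoad imklog
$ModLoad imuxsock
$ModLoad imtcp
$ModLoad imudp
$InputTCPServerRun 514
$UDPServerRun 514
# Write everything to test.log
*.*                                          /var/log/test.log
*.info;mail;.none;authpriv.none;cron.none    /var/log/messages
*.info;mail.none;authpriv.none;cron.none     /var/log/messages
authpriv.*                                   /var/log/secure
mail.*                                       -/var/log/maillog
*.emerg                                      *
uucp,news.crit                               /var/log/spooler
"""


def check_conf(text):
    """Return a list of (line_no, message); line 0 marks file-wide findings."""
    findings, loaded, directives = [], set(), set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$"):              # legacy global directive
            parts = line.split()
            if parts[0] == "$ModLoad" and len(parts) > 1:
                loaded.add(parts[1])
            else:
                directives.add(parts[0])
            continue
        fields = line.split(None, 1)          # selector, then the action
        if len(fields) != 2:
            findings.append((no, "rule line needs a selector and an action"))
            continue
        selector, _action = fields
        for part in selector.split(";"):
            fac, dot, pri = part.rpartition(".")
            if not dot or not fac or not pri:
                findings.append((no, f"malformed selector element {part!r} "
                                     "(expected facility.priority)"))
                continue
            pri = pri.lstrip("=!")            # '=' and '!' priority modifiers
            bad = [f for f in fac.split(",") if f not in FACILITIES]
            if bad:
                findings.append((no, f"unknown facility {bad[0]!r} in {part!r}"))
            if pri not in PRIORITIES:
                findings.append((no, f"unknown priority {pri!r} in {part!r}"))
    # A loaded network input without its Run directive opens no socket at all.
    for mod, directive in LISTENERS.items():
        if mod in loaded and directive not in directives:
            findings.append((0, f"{mod} is loaded but {directive} is missing, "
                                "so no listener is opened"))
        if directive in directives and mod not in loaded:
            findings.append((0, f"{directive} given but $ModLoad {mod} is missing"))
    return findings


if __name__ == "__main__":
    for line_no, message in check_conf(CONF):
        print(f"line {line_no}: {message}")
```

On the constructed copy both listener checks pass, and the only findings are the two malformed elements on the `*.info;mail;.none;...` line; feeding the script the real file (`check_conf(open("/etc/rsyslog.conf").read())`) gives the same report for a live configuration.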

Source: https://serverfault.com/questions/508349