Logging
Rsyslog not logging from remote server
I'm trying to set up a centralized log server. I have the central server (A) receiving logs from a remote server (B) on port 514. I know it is receiving those logs. Here are some entries from tcpdump on port 514:

    # tcpdump port 514
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    10:49:52.136520 IP IP_FROM_SERVER_B.55558 > IP_FROM_SERVER_A.syslog: SYSLOG local0.notice, length: 474
    10:49:52.136792 IP IP_FROM_SERVER_B.55558 > IP_FROM_SERVER_A.syslog: SYSLOG user.notice, length: 671
    10:49:52.136838 IP IP_FROM_SERVER_B.55558 > IP_FROM_SERVER_A.syslog: SYSLOG user.info, length: 79

This is what the file it should be logging to looks like (I call it /var/log/test.log):

    May 16 10:43:19 SERVER_A kernel: imklog 3.22.1, log source = /proc/kmsg started.
    May 16 10:43:19 SERVER_A rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="12974" x-info="http://www.rsyslog.com"] (re)start
    May 16 10:49:08 SERVER_A kernel: device eth0 entered promiscuous mode
    May 16 10:49:53 SERVER_A kernel: device eth0 left promiscuous mode

Here is my rsyslog.conf:

    # Use traditional timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

    # Provides kernel logging support (previously done by rklogd)
    $ModLoad imklog
    # Provides support for local system logging (e.g. via logger command)
    $ModLoad imuxsock

    $ModLoad imtcp
    $ModLoad imudp
    $InputTCPServerRun 514
    $UDPServerRun 514

    # Write everything to test.log
    *.*                                                     /var/log/test.log
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages

    #----------DEFAULT-SETTINGS-----------#
    #----------HAVE-NOT-CHANGED------------#

    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                                                 /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages

    # The authpriv file has restricted access.
    authpriv.*                                              /var/log/secure

    # Log all the mail messages in one place.
    mail.*                                                  -/var/log/maillog

    # Log cron stuff
    cron.*                                                  /var/log/cron

    # Everybody gets emergency messages
    *.emerg                                                 *

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                                          /var/log/spooler

    # Save boot messages also to boot.log
    local7.*                                                /var/log/boot.log

I make sure to restart rsyslog every time I edit rsyslog.conf, and I am running the startup daemon with the -r and -t flags, even though they are deprecated in the version I am on. So why is nothing that comes in on port 514 being written to test.log?

Edit: MadHatter asked to see my iptables output:

    # iptables -L -n -v
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target               prot opt in     out     source               destination
       33  2988                      udp  --  eth0   *       IP_ADDRESS_A         0.0.0.0/0
     725K  420M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target               prot opt in     out     source               destination
        0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 231K packets, 189M bytes)
     pkts bytes target               prot opt in     out     source               destination

    Chain RH-Firewall-1-INPUT (2 references)
     pkts bytes target               prot opt in     out     source               destination
     135K   92M ACCEPT               all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       17  1808 ACCEPT               icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
        0     0 ACCEPT               esp  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT               ah   --  *      *       0.0.0.0/0            0.0.0.0/0
       66  9195 ACCEPT               udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
        0     0 ACCEPT               udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
        0     0 ACCEPT               tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
    90284   11M ACCEPT               all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        7   420 ACCEPT               tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
     500K  317M REJECT               all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
I'm not an rsyslog expert, but from reading the documentation you may need

    $UDPServerRun 514

since you only have the equivalent TCP directive.

Run

    ps -eaf | grep syslog

to make sure it is running with the -r option. Otherwise you should edit /etc/default/rsyslog with the following option:

    RSYSLOGD_OPTIONS="-m 0 -r"

Restart syslogd and check.
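Two checks worth running on Server A before editing rsyslog.conf again, as an added example that is not part of the question or the answer above. tcpdump captures frames off the interface before the netfilter INPUT chain is applied, so the capture in the question shows only that Server B's datagrams reach the NIC, not that they reach rsyslogd. The script below parses `iptables -L -n -v` and `netstat -lnup` (or `ss -lnup`) output: is a UDP socket bound to 514, and is there an ACCEPT for udp dpt:514 that is not shadowed by an earlier REJECT/DROP in its chain? The RH-Firewall-1-INPUT chain pasted in the question is embedded as constructed sample data (counters abridged); the netstat listing and the sender address 192.0.2.10 are made-up placeholders.

```shell
#!/bin/sh
# Added example (editor's, not from the original post). Both parsers read
# command output from stdin, so they run against a live box (--live) or
# against output pasted from a question.

# Exit 0 if `iptables -L -n -v` output has an ACCEPT for PROTO dpt:PORT that
# comes before any REJECT/DROP of that protocol (or "all") in the same chain.
iptables_accepts_port() {
  proto="$1"; port="$2"
  awk -v proto="$proto" -v port="$port" '
    /^Chain /                       { rejected = 0; next }   # new chain, reset
    $3 == "REJECT" || $3 == "DROP"  { if ($4 == "all" || $4 == proto) rejected = 1 }
    $3 == "ACCEPT" && $4 == proto && !rejected &&
      $0 ~ (proto " dpt:" port "($|[ \t])")                 { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Exit 0 if `netstat -lnu[p]` or `ss -lnu[p]` output shows a UDP socket on PORT.
# netstat prints "udp"/"udp6" first; ss prints the state "UNCONN" first.
udp_socket_listening() {
  port="$1"
  grep -E "^(udp6?|UNCONN)[[:space:]].*[:.]${port}[[:space:]]" >/dev/null
}

# Print the rule that admits syslog from one sender only. Least privilege:
# do not open 514/udp to 0.0.0.0/0. `-I` inserts at position 1, ahead of the
# chain's terminal REJECT.
suggest_rule() {
  chain="$1"; sender="$2"
  printf 'iptables -I %s -p udp -s %s --dport 514 -j ACCEPT\n' "$chain" "$sender"
}

# Combine both checks; prints "not-listening", "firewall-blocks" or "ok".
receiver_status() {
  ipt="$1"; sockets="$2"; port="$3"
  if ! printf '%s\n' "$sockets" | udp_socket_listening "$port"; then
    echo not-listening; return
  fi
  if ! printf '%s\n' "$ipt" | iptables_accepts_port udp "$port"; then
    echo firewall-blocks; return
  fi
  echo ok
}

# Constructed sample: the RH-Firewall-1-INPUT chain from the question, abridged.
SAMPLE_IPTABLES='Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 135K   92M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
    7   420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 500K  317M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Constructed sample: `netstat -lnup` on a receiver with imudp bound to 514.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:514             0.0.0.0:*                           12974/rsyslogd'

if [ "${1:-}" = "--live" ]; then
  receiver_status "$(iptables -L -n -v)" "$(netstat -lnup 2>/dev/null || ss -lnup)" 514
  echo "If that says firewall-blocks, admit the one sender, e.g.:"
  suggest_rule RH-Firewall-1-INPUT 192.0.2.10   # 192.0.2.10: placeholder for Server B
fi
```

Run it as `sh check_receiver.sh --live` on the receiver. Against the chain posted in the question, the only UDP destination ports accepted before the final REJECT are 5353 and 631, and a fresh inbound syslog datagram is `state NEW`, so it does not match the RELATED,ESTABLISHED rule either; `receiver_status` therefore reports `firewall-blocks` for 514 on that sample even though the socket is bound.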