Logging

Rsyslogd 沒有監聽埠

  • December 5, 2018

我在 ubuntu 伺服器上安裝了 rsyslogd,啟動它,一切看起來都很好,但是伺服器應該監聽的埠沒有打開。

ubuntu@node7:~$ sudo service rsyslog restart
rsyslog stop/waiting
rsyslog start/running, process 14114

Netstat 顯示它沒有在聽:

ubuntu@node7:~$ netstat -tlan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0    320 172.22.0.17:22          10.8.8.38:61335         ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 :::2776                 :::*                    LISTEN     
tcp6       0      0 :::2777                 :::*                    LISTEN     
tcp6       0      0 172.22.0.17:2777        172.22.0.11:56554       ESTABLISHED
tcp6       0      0 172.22.0.17:2776        172.22.0.11:39780       ESTABLISHED

這是 /etc/rsyslog.conf 的樣子(大部分註釋被省略):

ubuntu@node7:~$ cat /etc/rsyslog.conf     
#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)

$ModLoad imtcp
$InputTCPServerRun 514

###########################
#### GLOBAL DIRECTIVES ####
###########################

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$WorkDirectory /var/spool/rsyslog

$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup adm

$IncludeConfig /etc/rsyslog.d/*.conf

/etc/rsyslog.d/35-server-per-host.conf我有以下幾行,我懷疑這可能是原因。這是什麼意思?

# Stop processing of all non-local messages. You can process remote messages
# on levels less than 35.
:fromhost-ip,!isequal,"127.0.0.1" ~

如果是,我怎麼能改變它讓伺服器監聽、接收和記錄消息?

更新:

我註釋掉了可疑的線路,但它仍然沒有在埠 514 上監聽

AppArmor可能會阻止 rsyslogd 偵聽此埠。您可以通過查看系統日誌來驗證這一點:

grep apparmor /var/log/syslog

如果您看到提到 rsyslog 的行,那麼這可能就是原因。編輯/etc/apparmor.d/local/usr.sbin.rsyslogd(或者/etc/apparmor.d/usr.sbin.rsyslogd如果不存在)並在大括號之間添加:

network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,

然後執行service apparmor reloadservice rsyslog restart

預設情況下,rsyslod 監聽 unix 套接字,而不是 TCP 套接字。取消註釋或添加這兩行:

module(load="imtcp")
input(type="imtcp" port="514")

就是這樣,玩得開心!

在上面

引用自:https://serverfault.com/questions/450546