Ubuntu 18.04 server - how do I change or tune the OS-level logging for a particular systemd service?
I have done a fair amount of Googling but haven't come up with much, so I thought I'd ask here. Here is my current problem:
I'm running a stock Ubuntu 18.04 server. The purpose of the server is to run a vision application. The problem I'm having is that when I check journalctl for the vision application's service, PAM (Pluggable Authentication Modules) and a few other OS-related services log excessively into the vision application's journal, and I don't want them to. Here is an example:
journalctl -u visionapp.service | less
Output:
(some stuff omitted)
Jan 08 10:43:12 visionapp sudo[2483]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -F
Jan 08 10:43:12 visionapp sudo[2483]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:12 visionapp sudo[2483]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:12 visionapp sudo[2490]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/sysctl net.ipv4.conf.xxx999.forwarding=1
Jan 08 10:43:12 visionapp sudo[2490]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:12 visionapp VisionApp[2471]: net.ipv4.conf.xxx999.forwarding = 1
Jan 08 10:43:12 visionapp sudo[2490]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:12 visionapp sudo[2493]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/sysctl net.ipv4.conf.yyy888.forwarding=1
Jan 08 10:43:12 visionapp sudo[2493]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp VisionApp[2471]: net.ipv4.conf.yyy888.forwarding = 1
Jan 08 10:43:13 visionapp sudo[2493]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:13 visionapp VisionApp[2471]: route: sudo iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 77777 -j DNAT --to-destination 99.99.99.35:77777
Jan 08 10:43:13 visionapp sudo[2496]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 77777 -j DNAT --to-destination 99.99.99.35:77777
Jan 08 10:43:13 visionapp sudo[2496]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp sudo[2496]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:13 visionapp VisionApp[2471]: route: sudo iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 5555 -j DNAT --to-destination 99.99.99.11:80
Jan 08 10:43:13 visionapp sudo[2499]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 5555 -j DNAT --to-destination 99.99.99.11:80
Jan 08 10:43:13 visionapp sudo[2499]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp sudo[2499]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:13 visionapp VisionApp[2471]: route: sudo iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 6666 -j DNAT --to-destination 99.99.99.30:80
Jan 08 10:43:13 visionapp sudo[2502]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 6666 -j DNAT --to-destination 99.99.99.30:80
Jan 08 10:43:13 visionapp sudo[2502]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp sudo[2502]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:13 visionapp VisionApp[2471]: route: sudo iptables -t nat -A PREROUTING -p udp -d 88.88.88.63 --dport 23456 -j DNAT --to-destination 99.99.99.30:23456
Jan 08 10:43:13 visionapp sudo[2505]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -t nat -A PREROUTING -p udp -d 88.88.88.63 --dport 23456 -j DNAT --to-destination 99.99.99.30:23456
Jan 08 10:43:13 visionapp sudo[2505]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp sudo[2505]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:13 visionapp VisionApp[2471]: route: sudo iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 28208 -j DNAT --to-destination 99.99.99.30:28208
Jan 08 10:43:13 visionapp sudo[2508]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 28208 -j DNAT --to-destination 99.99.99.30:28208
Jan 08 10:43:13 visionapp sudo[2508]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp sudo[2508]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:13 visionapp VisionApp[2471]: route: sudo iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 2112 -j DNAT --to-destination 99.99.99.36:2112
Jan 08 10:43:13 visionapp sudo[2511]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 2112 -j DNAT --to-destination 99.99.99.36:2112
Jan 08 10:43:13 visionapp sudo[2511]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp sudo[2511]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:13 visionapp VisionApp[2471]: Make Routable: sudo iptables -t nat -A POSTROUTING -j MASQUERADE
Jan 08 10:43:13 visionapp sudo[2514]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
Jan 08 10:43:13 visionapp sudo[2514]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp sudo[2514]: pam_unix(sudo:session): session closed for user root
(some stuff omitted)
I changed some names and numbers to protect the company's anonymity, but otherwise this is the actual output. I would like to be able to suppress this somehow.
After reading this post https://unix.stackexchange.com/questions/327301/how-to-stop-sudo-pam-messages-in-auth-log-for-a-specific-user-on-ubuntu-16-04 I would rather stay away from the PAM configuration files, for 3 reasons:
1) I tried the post's suggestion without success; it caused the vision application to crash.
2) Editing the PAM configuration incorrectly can lock out root access.
3) Some of the messages above don't appear to be generated by PAM.
The last answer in the post above mentions filtering at the syslog level. I have tried reading up on this but haven't gotten very far so far. I was at least able to determine that the key files appear to be /etc/rsyslog.conf and /etc/rsyslog.d/. Here is my /etc/rsyslog.conf:
$ cat /etc/rsyslog.conf
#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
There are 3 files in rsyslog.d:
$ cd /etc/rsyslog.d
$ ls -l
-rw-r--r-- 1 root root  314 Aug 15  2017 20-ufw.conf
-rw-r--r-- 1 root root  255 Apr 27  2018 21-cloudinit.conf
-rw-r--r-- 1 root root 1124 Jan 30  2018 50-default.conf
My impression is that 20-ufw.conf and 21-cloudinit.conf serve some other specific purpose. Here is 50-default.conf:
$ cat 50-default.conf
#  Default rules for rsyslog.
#
#                       For more information see rsyslog.conf(5) and /etc/rsyslog.conf

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
#daemon.*                       -/var/log/daemon.log
kern.*                          -/var/log/kern.log
#lpr.*                          -/var/log/lpr.log
mail.*                          -/var/log/mail.log
#user.*                         -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info                      -/var/log/mail.info
#mail.warn                      -/var/log/mail.warn
mail.err                        /var/log/mail.err

#
# Some "catch-all" log files.
#
#*.=debug;\
#       auth,authpriv.none;\
#       news.none;mail.none     -/var/log/debug
#*.=info;*.=notice;*.=warn;\
#       auth,authpriv.none;\
#       cron,daemon.none;\
#       mail,news.none          -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8
As far as I know, these files are stock for an Ubuntu 18.04 server installation.
So here are my questions at this point:
1) Should I edit one of the files above, or create another file in /etc/rsyslog.d, e.g. 20-visionapp.conf or similar?
2) Is there a way to change one of the files above so that it conditionally excludes log messages from visionapp.service? I.e. if the log line contains pam_unix(sudo:session) or root : TTY=unknown, don't include it? If someone can suggest such a line, please clarify whether it applies to all systemd services or only to the specific visionapp.service, and whether it applies to all users or to a specific user. If both options are available, even better.
– Update –
After more Googling, I did the following:
cd /etc/rsyslog.d
sudo nano 20-visionapp.conf
In nano I entered:
:msg,contains,"pam_unix" /var/log/PAM.log
& stop
Then, again from the command line, I did:
service rsyslog restart
and then started and stopped the vision application again. I was hoping that any message containing pam_unix would now go to the file /var/log/PAM.log, but when I run journalctl -u visionapp.service | less, the pam_unix messages are still there. I think I'm at least close here. What am I doing wrong? Any suggestions?
– Update 2 –
Based on this document https://www.rsyslog.com/discarding-unwanted-messages/ I also tried the following in /etc/rsyslog.d/20-visionapp.conf:
:msg,contains,"pam_unix" ~
and
:msg, contains, "pam_unix" ~
Neither of these works, i.e. journalctl -u visionapp.service | less still shows the pam_unix messages. I should also mention that this post https://unix.stackexchange.com/questions/133898/why-does-rsyslogd-not-honor-the-following-lines-in-rsyslog-d describes a very similar problem and still has no accepted answer.
– Update 3 –
If I do:
sudo nano /etc/rsyslog.d/19-visionapp.conf
and enter:
:msg, contains, "pam_unix" /var/log/visionapp-other.log
& stop
then all messages containing pam_unix are logged both to /var/log/visionapp-other.log and to journalctl -u visionapp.service | less. According to this post https://unix.stackexchange.com/questions/8737/rsyslog-is-not-discarding-message-as-it-should this appears to have been a known bug in the past. Does anyone have a workaround or more information on this?
– Update 4 –
After more Googling, I'm convinced that the steps I described in the previous update are correct, and that there is a bug in rsyslog or in the rsyslog integration in Ubuntu 18.04 server.
The workaround I have settled on for now is to create a script in my home directory containing:
journalctl -u visionapp.service | grep -v "pam_unix" | grep -v "TTY=unknown" | less
This masks out the pam_unix and TTY=unknown messages I don't want to see.
This is obviously not a great solution, and I'm disappointed in rsyslog and Ubuntu for not providing a better way to modify the systemd journal output.
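An added example, not part of the question or of the answer below: rsyslog only consumes messages from journald and writes them to files, so rules in /etc/rsyslog.d never change what journalctl -u shows, and the sudo/pam_unix records appear under the unit because the sudo processes the service spawns run inside its cgroup. On the live box the journal field match journalctl -u visionapp.service SYSLOG_IDENTIFIER=VisionApp does the separation directly; the POSIX shell function below performs the same split on journalctl's short-format text (so it also works on saved output) and keeps the sudo/PAM audit lines in a separate file rather than discarding them. The identifier VisionApp, the audit file path and the sample lines are assumptions taken from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post). journald tags each message with
# the unit of the sender's cgroup, so sudo/pam_unix lines emitted by processes
# the service spawns show up under "journalctl -u visionapp.service".
# On the system itself the split is a journal field match:
#   journalctl -u visionapp.service SYSLOG_IDENTIFIER=VisionApp   # app only
#   journalctl -u visionapp.service _COMM=sudo                    # audit only
# Assumed input format for the function below (as in the question):
#   Mon DD HH:MM:SS host IDENT[PID]: message

# split_journal IDENT AUDIT_FILE
#   stdin : journalctl short-format lines
#   stdout: lines whose identifier is IDENT (the application's own output)
#   every other line is appended to AUDIT_FILE, so the sudo trail is kept
#   instead of being thrown away as "grep -v" does
split_journal() {
    awk -v want="$1" -v audit="$2" '
        { ident = $5; sub(/\[[0-9]+\]:$/, "", ident) }   # "sudo[2483]:" -> "sudo"
        ident == want { print; next }
        { print >> audit }
        END { if (audit != "") close(audit) }
    '
}

# Constructed sample in the question's format (host and addresses are fake).
sample_journal() {
    cat <<'EOF'
Jan 08 10:43:12 visionapp sudo[2483]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -F
Jan 08 10:43:12 visionapp sudo[2483]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:12 visionapp sudo[2483]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:12 visionapp VisionApp[2471]: net.ipv4.conf.xxx999.forwarding = 1
Jan 08 10:43:13 visionapp VisionApp[2471]: route: sudo iptables -t nat -A POSTROUTING -j MASQUERADE
EOF
}

# count_lines: number of non-empty lines on stdin (no leading whitespace, unlike wc -l on some systems)
count_lines() { grep -c . ; }

# Usage on a live system (audit file path is an assumption):
#   journalctl -u visionapp.service | split_journal VisionApp /var/log/visionapp-audit.log
```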
You can do it by editing /etc/syslog.conf like this:
*.=info;*.=notice;*.=warning;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
You can change =warning to =notice, =info etc. depending on the logging level you want.