How to understand the powerful and secure log processing system syslog

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Many newcomers are unsure how to approach syslog, the powerful and secure log processing system. This article walks through installing Rsyslog on Ubuntu 18.04 and configuring a central log server together with a client that forwards its logs to it.

Rsyslog is a powerful and secure log processing system. It receives logs over the network from multiple physical or virtual servers and lets you monitor the health of different services. With Rsyslog, you can monitor the logs of other servers, network devices, and remote applications from a centralized location.

Brief introduction

Logs are useful for analyzing and troubleshooting problems on Linux. By default, all log files are located in the /var/log directory. There are several types of log files, including cron, kernel, user, and security logs, most of which are managed by the Rsyslog service.

Preparation

Two virtual machines running Ubuntu 18.04 LTS. Download address: http://mirror.freethought-internet.co.uk/ubuntu-releases/18.04.3/ubuntu-18.04.3-live-server-amd64.iso

Configure the static IP address 192.168.0.101 on the Rsyslog server and 192.168.0.102 on the Rsyslog client.

Set the root password on both servers.

Install Rsyslog

By default, Rsyslog is installed on the Ubuntu 18.04 server. If it is not installed, you can install it by running the following command:

linuxprobe@ubuntu-18-04-lts:~$ apt-get install rsyslog -y

After installing Rsyslog, you can check the version of Rsyslog using the following command:

linuxprobe@ubuntu-18-04-lts:~$ rsyslogd -v
rsyslogd 8.32.0, compiled with:
        PLATFORM:                                x86_64-pc-linux-gnu
        PLATFORM (lsb_release -d):
        FEATURE_REGEXP:                          Yes
        GSSAPI Kerberos 5 support:               Yes
        FEATURE_DEBUG (debug build, slow code):  No
        32bit Atomic operations supported:       Yes
        64bit Atomic operations supported:       Yes
        memory allocator:                        system default
        Runtime Instrumentation (slow code):     No
        uuid support:                            Yes
        systemd support:                         Yes
        Number of Bits in RainerScript integers: 64

See http://www.rsyslog.com for more information.

You can also use this command to check the status of Rsyslog:

linuxprobe@ubuntu-18-04-lts:~$ systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-01-16 11:20:32 CST; 1min 31s ago
     Docs: man:rsyslogd(8)
 Main PID: 724 (rsyslogd)
    Tasks: 4 (limit: 1114)
   CGroup: /system.slice/rsyslog.service
           └─724 /usr/sbin/rsyslogd -n

Jan 16 04:28:53 ubuntu-18-04-lts systemd[1]: Starting System Logging Service...
Jan 16 04:28:54 ubuntu-18-04-lts rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.32.0]
Jan 16 04:28:54 ubuntu-18-04-lts rsyslogd: rsyslogd's groupid changed to 106
Jan 16 04:28:54 ubuntu-18-04-lts rsyslogd: rsyslogd's userid changed to 102
Jan 16 04:28:54 ubuntu-18-04-lts rsyslogd:  [origin software="rsyslogd" swVersion="8.32.0" ...] start
Jan 16 04:28:55 ubuntu-18-04-lts systemd[1]: Started System Logging Service.

Configure the Rsyslog server

linuxprobe@ubuntu-18-04-lts:~$ vim /etc/rsyslog.conf

Uncomment the following lines so that Rsyslog listens on port 514 over both UDP and TCP:

$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

Specify a subnet, IP address, or domain name to restrict which senders the server accepts, for example:

$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24, *.example.com
$AllowedSender UDP, 127.0.0.1, 192.168.0.0/24, *.example.com

Create a template to tell Rsyslog how to store incoming syslog messages. Add the following lines before the GLOBAL DIRECTIVES section:

$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs

Check the Rsyslog configuration information for syntax errors with the following command:

linuxprobe@ubuntu-18-04-lts:~$ rsyslogd -f /etc/rsyslog.conf -N1
rsyslogd: version 8.32.0, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

Restart Rsyslog:

linuxprobe@ubuntu-18-04-lts:~$ systemctl restart rsyslog

Verify that Rsyslog is listening on TCP and UDP port 514 with the following command:

linuxprobe@ubuntu-18-04-lts:~$ netstat -4altunp | grep 514
tcp        0      0 0.0.0.0:514      0.0.0.0:*      LISTEN      1332/rsyslogd
udp        0      0 0.0.0.0:514      0.0.0.0:*                  1332/rsyslogd

Configure the Rsyslog client

Configure the Rsyslog client to send syslog messages to the remote server. Log in to the client, open /etc/rsyslog.conf, and add the following:

linuxprobe@ubuntu-18-04-lts:~$ vim /etc/rsyslog.conf

## Set up a disk-assisted queue so logs are buffered while the rsyslog server is down.
## In legacy syntax the $ActionQueue* directives apply to the next action, so they
## must come before the forwarding line they protect:
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
## To send logs over UDP, add the following line (single @):
*.* @192.168.0.101:514
## To send logs over TCP instead, add the following line (double @@):
*.* @@192.168.0.101:514
## Use only one of the two forwarding lines; with both, every message is sent twice.

Restart Rsyslog:

linuxprobe@ubuntu-18-04-lts:~$ systemctl restart rsyslog
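As an added example (written for this article, not code from rsyslog or the original post), the small audit below checks two points from the server and client sections against constructed copies of their config snippets: that every enabled listener has a matching $AllowedSender restriction, and that the $ActionQueue* directives precede the forwarding action they are meant to protect. The sample configs and the function name audit_rsyslog are assumptions.

```python
import re

# Constructed sample configs modelled on the article's server and client snippets.
SERVER_CONF = """
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24, *.example.com
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
"""

# Client snippet with the queue directives placed after the action (the common mistake).
CLIENT_CONF = """
*.* @@192.168.0.101:514
$ActionQueueFileName queue
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
"""


def audit_rsyslog(conf: str) -> list:
    """Return a list of findings for a legacy-syntax rsyslog config (hypothetical helper)."""
    findings = []
    lines = [l.strip() for l in conf.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    # Receiver side: each enabled listener needs an $AllowedSender entry for its protocol.
    listeners = {"UDP": any(l.startswith("$UDPServerRun") for l in lines),
                 "TCP": any(l.startswith("$InputTCPServerRun") for l in lines)}
    allowed = {m.group(1).upper() for l in lines
               for m in [re.match(r"\$AllowedSender\s+(TCP|UDP)", l, re.I)] if m}
    for proto, enabled in listeners.items():
        if enabled and proto not in allowed:
            findings.append(f"{proto} listener has no $AllowedSender restriction")
    # Sender side: $ActionQueue* directives apply to the NEXT action, so they must
    # precede the forwarding rule; a single '@' target means UDP, which can drop messages.
    queue_idx = [i for i, l in enumerate(lines) if l.startswith("$ActionQueue")]
    fwd_idx = [i for i, l in enumerate(lines) if re.match(r"\S+\s+@{1,2}\S+", l)]
    for i in fwd_idx:
        target = lines[i].split()[1]
        if queue_idx and all(q > i for q in queue_idx):
            findings.append(f"queue directives follow forwarding action {target}; they will not apply")
        if target.startswith("@") and not target.startswith("@@"):
            findings.append(f"forwarding action {target} uses UDP; delivery is unreliable")
    return findings


if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        print(name, audit_rsyslog(conf) or ["ok"])
```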

View the log

At this point, Rsyslog clients are configured to send their logs to the Rsyslog server.

Now, log in to the Rsyslog server and check the /var/log directory. You will find a directory named after the client's hostname containing several log files:

linuxprobe@ubuntu-18-04-lts:~$ ls /var/log/rsyslog-client/
CRON.log  kernel.log  rsyslogd-2039.log  rsyslogd.log  sudo.log  wpa_supplicant.log

Summary

In this article, we learned how to install and configure an Rsyslog server on Ubuntu 18.04 and how to configure an Rsyslog client to send its logs to that server.
