
Log Management-rsyslog

2025-04-04 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Log:

Historical events: what happened, where, to whom, and the date and time at which it happened

Event record format:

date time host process[pid]: event content

C/S (client/server) architecture: log records are delivered over TCP or UDP, so logs scattered across different hosts can be collected and managed centrally

Rsyslog

rsyslog features: the default logger on CentOS 6 and 7; multithreaded
 UDP, TCP, SSL, TLS and RELP transports
 MySQL, PGSQL and Oracle back ends for log storage
 powerful filters that can match on any part of a log message
 custom output formats

[root@node4 ~]# rpm -q rsyslog    # query the rsyslog package
rsyslog-8.24.0-12.el7.x86_64
[root@node4 ~]# rpm -ql rsyslog
/etc/logrotate.d/syslog
/etc/pki/rsyslog
/etc/rsyslog.conf
/etc/rsyslog.d
/etc/sysconfig/rsyslog
/usr/bin/rsyslog-recover-qi.pl
/usr/lib/systemd/system/rsyslog.service

ELK: elasticsearch, logstash, kibana

 Elasticsearch is a non-relational distributed database and open source distributed search engine, based on the Lucene project of the Apache Software Foundation's Jakarta project team
 Logstash collects, parses and stores logs for later use
 Kibana provides a friendly web interface for log analysis

Rsyslog introduction

Terminology (see man logger)

Facility: a category that groups logs by function or by the program that produced them

auth, authpriv, cron, daemon, ftp, kern, lpr, mail, news, security (alias of auth), user, uucp, local0-local7, syslog

Priority: severity level, listed from low to high

debug, info, notice, warn (warning), err (error), crit (critical), alert, emerg (panic)

 see also: man 3 syslog

Rsyslog

 package: rsyslog
 main program: /usr/sbin/rsyslogd
 CentOS 6: service rsyslog {start|stop|restart|status}; CentOS 7: /usr/lib/systemd/system/rsyslog.service
 configuration files: /etc/rsyslog.conf, /etc/rsyslog.d/*.conf
 library files: /lib64/rsyslog/*.so

Configuration file format: consists of three parts

MODULES: related module configuration

GLOBAL DIRECTIVES: global configuration

RULES: rule configuration related to logging

Rsyslog

 RULES configuration format: facility.priority;facility.priority ...    target

 facility:
  *: all facilities
  facility1,facility2,facility3,...: a list of specific facilities

 priority:
  *: all levels
  none: no level, i.e. nothing from that facility is recorded
  PRIORITY: the specified level and every level above it (inclusive)
  =PRIORITY: only messages at exactly the specified level are recorded

 target:
  File path: usually under /var/log/; a leading "-" before the path (-/var/log/maillog) means asynchronous (buffered) writes
  User: notify the specified logged-in user of the event; * means all logged-in users
  Log server: @host sends the log to the specified remote server for recording (@ for UDP, @@ for TCP)
  Pipe: |COMMAND forwards the message to another command for processing
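To make the selector semantics concrete, here is a small evaluator for rsyslog RULES lines, added as an example (it is not code from the original page or from the rsyslog project). It implements exactly the rules listed above: "*" for all facilities or all levels, comma-separated facility lists, "none" to exclude a facility, a bare PRIORITY meaning that level and everything more severe, and =PRIORITY for an exact match. Later selector parts override earlier ones for the same facility, which is what makes "*.info;mail.none" exclude mail. The function names, the constructed sample rules (copied from the default /etc/rsyslog.conf shown further down) and the alias table are assumptions of this example.

```python
"""Evaluate rsyslog-style selector rules ("facility.priority;... target").

Added example, not part of the original page. Sample rules are constructed
from the stock CentOS 7 /etc/rsyslog.conf; names are this example's own.
"""
from typing import List, Tuple

PRIORITIES = ["debug", "info", "notice", "warn", "err", "crit", "alert", "emerg"]
# Aliases accepted by syslog(3) / rsyslog, mapped onto the canonical names.
ALIASES = {"warning": "warn", "error": "err", "panic": "emerg", "security": "auth"}

# One selector part: (facilities, priority-or-"*"-or-"none", exact_match)
Part = Tuple[List[str], str, bool]


def _norm(name: str) -> str:
    """Lower-case a facility/priority name and resolve aliases."""
    name = name.lower()
    return ALIASES.get(name, name)


def parse_rule(line: str) -> Tuple[List[Part], str]:
    """Split 'sel1;sel2   target' into a list of selector parts and the target."""
    selector, target = line.split(None, 1)
    parts: List[Part] = []
    for piece in selector.split(";"):
        fac, _, prio = piece.rpartition(".")      # "uucp,news.crit" -> ("uucp,news", "crit")
        exact = prio.startswith("=")
        prio = prio.lstrip("=")
        if prio != "*":
            prio = _norm(prio)
        facilities = [_norm(f) for f in fac.split(",")]
        parts.append((facilities, prio, exact))
    return parts, target.strip()


def matches(parts: List[Part], facility: str, priority: str) -> bool:
    """Decide whether a message (facility, priority) is selected by the rule.

    Parts are applied left to right; a later part for the same facility
    overrides an earlier one, so '*.info;mail.none' drops all mail messages.
    """
    facility, priority = _norm(facility), _norm(priority)
    level = PRIORITIES.index(priority)
    selected = False
    for facilities, prio, exact in parts:
        if "*" not in facilities and facility not in facilities:
            continue
        if prio == "*":
            selected = True
        elif prio == "none":
            selected = False
        elif exact:
            selected = level == PRIORITIES.index(prio)
        else:
            selected = level >= PRIORITIES.index(prio)
    return selected


def targets_for(rules, facility: str, priority: str) -> List[str]:
    """Return every target (in config order) that would receive the message."""
    return [target for parts, target in rules if matches(parts, facility, priority)]


# Constructed sample: the RULES section of a default CentOS 7 rsyslog.conf.
CONFIG = [
    "*.info;mail.none;authpriv.none;cron.none   /var/log/messages",
    "authpriv.*                                 /var/log/secure",
    "mail.*                                     -/var/log/maillog",
    "cron.*                                     /var/log/cron",
    "*.emerg                                    :omusrmsg:*",
    "uucp,news.crit                             /var/log/spooler",
    "local7.*                                   /var/log/boot.log",
]
RULES = [parse_rule(line) for line in CONFIG]

if __name__ == "__main__":
    for fac, prio in [("authpriv", "info"), ("mail", "debug"), ("kern", "emerg"), ("local7", "debug")]:
        print(f"{fac}.{prio:<6} -> {targets_for(RULES, fac, prio)}")
```

Running it shows, for instance, that an authpriv.info message (the sshd entries in the next section) lands only in /var/log/secure, while a kern.emerg message goes both to /var/log/messages and to every logged-in user's terminal via :omusrmsg:*. Changing SyslogFacility in sshd_config, as done below, is exactly a change of the facility argument here.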

Log generation tool: logger

[root@node4 ~]# logger "this is a test log"
[root@node4 ~]# tail /var/log/messages
Jan 18 17:40:01 node4 systemd: Starting Session 27 of user root.
Jan 18 17:46:26 node4 dbus: [system] Activating via systemd: service name='org.freedesktop.PackageKit' unit='packagekit.service'
Jan 18 17:46:26 node4 dbus-daemon: dbus: [system] Activating via systemd: service name='org.freedesktop.PackageKit' unit='packagekit.service'
Jan 18 17:46:26 node4 systemd: Starting PackageKit Daemon...
Jan 18 17:46:26 node4 dbus[626]: [system] Successfully activated service 'org.freedesktop.PackageKit'
Jan 18 17:46:26 node4 dbus-daemon: dbus[626]: [system] Successfully activated service 'org.freedesktop.PackageKit'
Jan 18 17:46:26 node4 systemd: Started PackageKit Daemon.
Jan 18 17:50:01 node4 systemd: Started Session 28 of user root.
Jan 18 17:50:01 node4 systemd: Starting Session 28 of user root.
Jan 18 17:51:03 node4 root: this is a test log
[root@node4 ~]# egrep -v '^$|#' /etc/rsyslog.conf    # view the log paths defined in the configuration file
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    :omusrmsg:*
uucp,news.crit                             /var/log/spooler
local7.*                                   /var/log/boot.log

The ssh log is recorded in the secure log.

[root@node4 ~]# ssh 192.168.137.47
root@192.168.137.47's password:
[root@node4 ~]# tail /var/log/secure
Jan 18 18:14:56 node4 sshd[4090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.137.47 user=root
Jan 18 18:14:56 node4 sshd[4090]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 18 18:14:58 node4 sshd[4090]: Failed password for root from 192.168.137.47 port 52894 ssh2
[root@node4 ~]# egrep -v "^$|^#" /etc/ssh/sshd_config | grep SyslogFacility
SyslogFacility AUTHPRIV

Define a dedicated sshd log path

[root@node4 ~]# vim +33 /etc/ssh/sshd_config
 33 SyslogFacility local7
 34 LogLevel INFO
[root@node4 ~]# vim /etc/rsyslog.d/sshd.conf
  1 local7.*    /var/log/sshd.log
[root@node4 ~]# systemctl restart rsyslog sshd
[root@node4 ~]# ps aux | grep rsyslogd    # (rpm -q rsyslog / rpm -ql rsyslog list the package and its files)
root 4665 0.0 0.2 275560 2668 ? Ssl 18:49 0:00 /usr/sbin/rsyslogd -n
root 4700 0.0 112660 968 pts/1 S+ 18:50 0:00 grep --color=auto rsyslogd
[root@node4 ~]# ssh 192.168.137.47
root@192.168.137.47's password:
Permission denied, please try again.
root@192.168.137.47's password:
Permission denied, please try again.
root@192.168.137.47's password:
Permission denied (publickey,password).
[root@node4 ~]# tail /var/log/sshd.log
Jan 18 18:49:08 node4 sshd[4664]: Server listening on 0.0.0.0 port 22.
Jan 18 18:49:08 node4 sshd[4664]: Server listening on :: port 22.
Jan 18 18:49:46 node4 sshd[4681]: Failed password for root from 192.168.137.47 port 52900 ssh2
Jan 18 18:49:46 node4 sshd[4681]: Failed password for root from 192.168.137.47 port 52900 ssh2
Jan 18 18:49:46 node4 sshd[4681]: Connection closed by 192.168.137.47 port 52900 [preauth]

Event record format: date time host process[pid]: event content

CentOS 7: change the host name (so the host field in the log records is meaningful):

[root@node3 ~]# hostnamectl set-hostname $hostname

[root@node3 ~]# vim /etc/hosts    # add the name-to-address mapping

Log server: @host sends the log to the specified remote server for recording

Enabling the network log service

The usual log format:

date time host process[pid]: event content

For example, /var/log/messages, cron and secure all use this format. Configure rsyslog to act as a log server:

#### MODULES ####

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Log server: @host sends the log to the designated remote server for recording.
Source host: 192.168.137.47 (node4); destination host: 192.168.137.37 (node3)

[root@node4 ~]# cat /etc/rsyslog.d/sshd.conf
local7.*    /var/log/sshd.log
# udp
local2.*    @192.168.137.37
# tcp
local7.*    @@192.168.137.37
[root@node3 ~]# cat /etc/rsyslog.conf | grep -A1 '$ModLoad imudp'
$ModLoad imudp
$UDPServerRun 514
[root@node3 ~]# cat /etc/rsyslog.conf | grep 'local2.*'
local2.*    /var/log/udp.log

Test:

[root@node4 ~]# ssh 192.168.137.47
root@192.168.137.47's password:
[root@node3 ~]# tail -f /var/log/udp.log
Jan 18 22:00:59 node4 sshd[7903]: Accepted password for root from 192.168.137.47 port 52916 ssh2
Jan 18 22:01:24 node4 sshd[7903]: Received disconnect from 192.168.137.47 port 52916:11: disconnected by user
Jan 18 22:01:24 node4 sshd[7903]: Disconnected from 192.168.137.47 port 52916
Jan 18 22:19:09 node4 sshd[8172]: Failed password for root from 192.168.137.47 port 52920 ssh2
Jan 18 22:19:12 node4 sshd[8172]: Accepted password for root from 192.168.137.47 port 52920 ssh2
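Once sshd records from several hosts arrive on the central server in the "date time host process[pid]: event content" format shown above, the point of centralising them is to analyse them in one place. The following parser is an added example (not code from the original page): it splits each line into its fields, then counts "Failed password" events per (server host, source address, user name) so that repeated failures against any host show up together. The sample lines are constructed here, modelled on the udp.log output above, and the function names are this example's own.

```python
"""Parse traditional-format rsyslog lines and count failed SSH logins.

Added example, not part of the original page. SAMPLE lines are constructed
after the /var/log/udp.log output shown above; function names are assumed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

# RSYSLOG_TraditionalFileFormat: "Mon DD HH:MM:SS host process[pid]: message"
# (pid is optional, e.g. "node4 root: this is a test log" from logger).
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# The sshd failure message; "invalid user" appears for unknown account names.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+)"
)

# Constructed sample, modelled on the udp.log output in the text above.
SAMPLE = [
    "Jan 18 22:00:59 node4 sshd[7903]: Accepted password for root from 192.168.137.47 port 52916 ssh2",
    "Jan 18 22:01:24 node4 sshd[7903]: Received disconnect from 192.168.137.47 port 52916:11: disconnected by user",
    "Jan 18 22:19:09 node4 sshd[8172]: Failed password for root from 192.168.137.47 port 52920 ssh2",
    "Jan 18 22:19:12 node4 sshd[8172]: Accepted password for root from 192.168.137.47 port 52920 ssh2",
    "Jan 18 22:20:01 node4 sshd[8190]: Failed password for root from 192.168.137.47 port 52924 ssh2",
    "Jan 18 22:20:03 node4 sshd[8190]: Failed password for root from 192.168.137.47 port 52924 ssh2",
    "Jan 18 22:21:10 node3 sshd[1201]: Failed password for invalid user admin from 192.168.137.47 port 40022 ssh2",
    "Jan 18 17:51:03 node4 root: this is a test log",
    "this line is not in syslog format",
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one log line, or None if it is not in the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def failed_logins_by_source(lines: Iterable[str]) -> Counter:
    """Count sshd 'Failed password' events keyed by (host, rhost, user)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] != "sshd":
            continue                       # skip non-syslog lines and other daemons
        hit = FAILED_RE.search(str(rec["msg"]))
        if hit:
            counts[(rec["host"], hit["rhost"], hit["user"])] += 1
    return counts


def sources_over_threshold(counts: Counter, threshold: int) -> Set[str]:
    """Source addresses whose failures, summed over all hosts and users, reach the threshold."""
    per_rhost: Counter = Counter()
    for (_host, rhost, _user), n in counts.items():
        per_rhost[rhost] += n
    return {rhost for rhost, n in per_rhost.items() if n >= threshold}


if __name__ == "__main__":
    counts = failed_logins_by_source(SAMPLE)
    for (host, rhost, user), n in sorted(counts.items()):
        print(f"{n:4d} failed on {host} from {rhost} as {user}")
    print("sources with >= 3 failures:", sources_over_threshold(counts, 3))
```

In this sample the same source address fails three times against node4 and once against node3; the per-host view (the awk one-liners over lastb at the end of this page) would show 3 and 1 separately, while the centralised count reaches the threshold of 3 only because the records from both hosts were collected on one server. A real deployment would feed the file from the @/@@ target rather than the inline SAMPLE list.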

Other log files

# /var/log/secure: system installation log, text format, should be analysed periodically
# /var/log/btmp: failed login attempts on the current system, binary format; view with the lastb command
# /var/log/wtmp: successful logins on the current system, binary format; view with the last command
# /var/log/lastlog: each user's most recent login, binary format; view with the lastlog command
# /var/log/dmesg: messages generated during system boot, text format; view with a text viewer or with the dmesg command
# /var/log/messages: most of the system's general messages
# /var/log/anaconda: logs of the anaconda installer

[root@node4 /var/log]# lastb | head | awk '{print $3}' | sort | uniq -c
     10 192.168.137.47
[root@node4 /var/log]# lastb | head | awk '{ip[$3]++} END {for (i in ip) {print ip[i], i}}'
10 192.168.137.47
