Shulou(Shulou.com)06/01 Report--

This article mainly introduces "how the CentOS7 system configures the rsyslog service to send and receive logs". In the daily operation, I believe many people have doubts about how to configure the rsyslog service to send and receive logs in the CentOS7 system. The editor consulted all kinds of materials and sorted out simple and easy-to-use methods of operation. I hope it will be helpful to answer the questions of "how to configure the rsyslog service to send and receive logs" in the CentOS7 system. Next, please follow the editor to study!

1. Operation purpose and application scenario

In order to facilitate log monitoring and prevent log tampering, rsyslog is usually used to set up log servers in the working environment to store the logs of other servers. Rsyslog supports remote sending and receiving of logs.

Rsyslog client: responsible for sending logs to the remote log server, supporting the udp,tcp,relp protocol.

Rsyslog server: responsible for receiving the logs sent by the client and storing them locally, supporting file storage and database storage.

For intrusion troubleshooting, the operating system's authentication log, scheduled task log, and historical commands are very important. In order to strengthen log management, it is required to save the corresponding log information of each system to a dedicated rsyslog log server. The path format of the log is: source IP address / facility name (log category) / year and month .log.

II. Platform and tool version

Software: rsyslog

Log client (sender): CentOS 7

Log server (receiver): CentOS 7

Operation steps (1) Log client configuration 1. Send authentication and plan task logs (auth, authpriv, cron)

Vi / etc/rsyslog.conf / / Edit the rsyslog service configuration file with a line at the end of the file

Auth.*;authpriv.*;cron.* @ @ 192.168.43.234pur514

One @ means to send logs over the UDP protocol, and here are two @, which means to send logs in tcp mode. Compared with UDP, TCP transmission is more stable.

Save exit. In this way, the authentication and scheduling task logs are saved to the remote log server as well as locally.

2. Send history commands

(1) configure the historical commands for sending root accounts

Vi / root/.bashrc / / Edit the configuration file for root, adding the following at the end of the file

Function log2syslog

{

Declare command

Command=$ (fc-ln-0)

Logger-p local1.notice-t bash-I-$USER: "$command"

}

Trap log2syslog DEBUG

Save exit

Fc is a built-in command for shell to get the command history, and $(fc-ln-0) returns the most recently executed command.

The logger command sends the message to the system log, and-p sets the facility for the message to be named local1 and the priority is notice.

Note that double quotation marks are required at both ends of $command.

(2) configure to send historical commands for ordinary users

Vi / home/sec/.bashrc / / Edit the configuration file for the sec user, adding the following at the end of the file

Function log2syslog

{

Declare command

Command=$ (fc-ln-0)

Logger-p local1.notice-t bash-I-$USER: "$command"

}

Trap log2syslog DEBUG

Save exit

(3) modify the user configuration template

Vi / etc/skel/.bashrc / / Edit the .bashrc file in the user configuration template directory and add the following

Function log2syslog

{

Declare command

Command=$ (fc-ln-0)

Logger-p local1.notice-t bash-I-$USER: "$command"

}

Trap log2syslog DEBUG

Save exit. After the file is modified, the new users created by the system will contain the above instructions for sending historical commands in their .bashrc files.

3. Configure rsyslog service

Vi / etc/rsyslog.conf / / Edit configuration file

/ / add local1.none to the following line

* .info;mail.none;authpriv.none;cron.none;local1.none / var/log/messages

/ / local1.none means that messages with the facility name local1 are not written to the file specified by this line. In this way, the local user's history commands are not saved in the messages file. (command history has been saved to the user's .bash_history file by default.)

/ / add a line at the end of the document to send the history command to the log server

Local1.notice @ @ 192.168.43.234pur514

Save exit.

Systemctl restart rsyslog / / restart the service for the configuration changes to take effect

(2) Log server configuration 1. Rsyslog service configuration

Vi / etc/rsyslog.conf / / uncomment the following two lines

$ModLoad imtcp

$InputTCPServerRun 514

/ / comment out the original ActionFileDefaultTemplate instruction (using the traditional format)

# $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

/ / use a custom time format

$template myformat, "% $NOW%% TIMESTAMP:8:15%% hostname%% syslogtag%% msg%\ n"

$ActionFileDefaultTemplate myformat

/ / write the following line in front of the RULES section

$template local1_path, "/ var/log/%FROMHOST-IP%/bash_history/%$YEAR%%$MONTH%.log"

$template remote_path, "/ var/log/%FROMHOST-IP%/%syslogfacility-text%/%$YEAR%%$MONTH%.log"

If $fromhost-ip! = '127.0.0.1' and $syslogfacility-text = = 'local1' then? local1_path

& ~

If $fromhost-ip! = '127.0.0.1' then? remote_path

& ~

Save exit.

Template defines two templates named local1_path and remote_path, followed by a path to the log file to which the message is saved.

The instruction that begins with if is an expression-based filter. The first if instruction means that if the source IP address of the log message is not native and the syslogfacility-text of the message is local1, the message is written to the file corresponding to the template local1_path.

The meaning of & ~ is to make messages that meet the above filter criteria no longer match subsequent rules. By default, log messages match each rule in rsyslog.conf sequentially. & ~ here the message skips the following rules so that the message is not written to other log files.

The second instruction at the beginning of if writes all log messages from outside the local machine (because of the previous & ~, only auth, authpriv, and cron messages meet this condition) to the file corresponding to remote_path.

Systemctl restart rsyslog / / restart the service

2. Firewall configuration

Firewall-cmd-zone=public-add-port=514/tcp

IV. Summary

Through the above configuration, the logs sent by different log clients can be saved separately, and the corresponding logs can be quickly found when security events occur. In addition, the rsyslog server can also be configured for relay forwarding, which is simple by configuring the log server as a client of rsyslog. In this way, the rsyslog server retains a copy of the log locally after receiving it, and sends it out, such as to audit equipment or log display platform such as graylog, ELK, etc.

At this point, the study on "how the CentOS7 system configures the rsyslog service to send and receive logs" is over. I hope to be able to solve everyone's doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.