
An introduction to the rsyslog system logging service

2021-06-01 16:33:11  Views: 238  Source: Internet



rsyslog

RSYSLOG is the rocket-fast system for log processing.

  • rsyslog is the system logging service shipped with CentOS 6 and later. It offers high performance, strong security features and a modular design.
  • Although rsyslog started out as a regular syslogd, it has grown into a Swiss-army-knife logging tool that accepts input from a wide range of sources, transforms it, and delivers it to many different destinations.
  • With limited processing applied, rsyslog can deliver more than one million messages per second to local destinations. Even with remote destinations and more elaborate processing, its performance is usually described as "stunning".

rsyslog features

  • Multi-threaded
  • UDP, TCP, SSL, TLS, RELP
  • Log storage in MySQL, PostgreSQL and Oracle
  • Powerful filters that can match any part of a log message
  • Customisable output formats
  • Suitable for enterprise-class relay chains

rsyslog ships with the system

  • rsyslog is installed as part of the base system installation:
[root@C8-192 ~]# rpm -qi rsyslog
Name        : rsyslog
Version     : 8.1911.0
Release     : 6.el8
Architecture: x86_64
Install Date: Mon 31 May 2021 06:55:55 PM CST
Group       : System Environment/Daemons
Size        : 2428362
License     : (GPLv3+ and ASL 2.0)
Signature   : RSA/SHA256, Tue 21 Jul 2020 09:42:03 AM CST, Key ID 05b555b38483c65d
Source RPM  : rsyslog-8.1911.0-6.el8.src.rpm
Build Date  : Tue 21 Jul 2020 09:33:16 AM CST
Build Host  : x86-02.mbox.centos.org
Relocations : (not relocatable)
Packager    : CentOS Buildsys <bugs@centos.org>
Vendor      : CentOS
URL         : http://www.rsyslog.com/
Summary     : Enhanced system logging and kernel message trapping daemon
Description :
Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part,
and fine grain output format control. It is compatible with stock sysklogd
and can be used as a drop-in replacement. Rsyslog is simple to set up, with
advanced features suitable for enterprise-class, encryption-protected syslog
relay chains.

Files related to rsyslog

  • Package: rsyslog
  • Main program: /usr/sbin/rsyslogd
  • CentOS 6: /etc/rc.d/init.d/rsyslog {start|stop|restart|status}
  • CentOS 7 and 8: /usr/lib/systemd/system/rsyslog.service
  • Configuration files: /etc/rsyslog.conf and /etc/rsyslog.d/*.conf
  • Library files: /lib64/rsyslog/*.so

rsyslog configuration file

  • /etc/rsyslog.conf (non-comment lines only):
cat /etc/rsyslog.conf | sed -n '/^[^#]/p'
module(load="imuxsock" 	  # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket; 
			  # local messages are retrieved through imjournal now.
module(load="imjournal" 	    # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
input(type="imudp" port="514")
input(type="imtcp" port="514")
global(workDirectory="/var/lib/rsyslog")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
include(file="/etc/rsyslog.d/*.conf" mode="optional")
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

Structure of the configuration file:

It consists of three parts:

  • MODULES: module configuration
  • GLOBAL DIRECTIVES: global settings
  • RULES: the rules that decide how log records are handled

Modules

#### MODULES ####

module(load="imuxsock" 	  # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket; 
			  # local messages are retrieved through imjournal now.
module(load="imjournal" 	    # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
  • This section decides which modules are loaded: load the ones you need and leave the others out. The module files themselves are part of the package:
rpm -ql rsyslog | grep imux 
/usr/lib64/rsyslog/imuxsock.so

Global directives

Working directory, the include path for additional configuration files, and the default output template for the file module

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")

Rules

  • The rules are the core of logging
  • They specify which log messages go where
#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
  • The busiest log file: /var/log/messages
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
  • Messages of any facility at level info or higher, except the three facilities mail, authpriv and cron, are written to /var/log/messages

  • A leading dash (-) before the file path enables asynchronous writing: messages are not flushed to disk immediately but buffered and written a little later. This improves performance, but at the risk of losing buffered messages if the system goes down

Notes on the configuration format

Priority format

*: all levels
none: no level, i.e. nothing is recorded for that facility
PRIORITY: the given level and all higher (more severe) levels
=PRIORITY: only messages of exactly the given level

Target format

File path: usually under /var/log/; a leading - before the path means asynchronous writing
User: send the log event to the named user's terminal; * means all logged-in users
Log server: @host sends the log to a remote UDP log server, @@host sends it to a remote TCP log server
Pipe: | COMMAND forwards the message to another command for processing
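As an added example (not part of the original post), the following Python simulates rsyslog's legacy selector matching for the RULES shown in this post, plus the Local2 rule from the sshd example further down, so you can check where a given facility.priority message lands. It implements `*`, `none`, PRIORITY and =PRIORITY as described above and shows that a `.none` later on a line overrides an earlier `*`; the RULES string is constructed test input.

```python
import re

# Severity order used by rsyslog: index 0 is the most severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The RULES section of the /etc/rsyslog.conf shown in this post, plus the
# Local2 rule from the sshd example further down (constructed test input).
RULES = """
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    :omusrmsg:*
uucp,news.crit                             /var/log/spooler
local7.*                                   /var/log/boot.log
Local2.*                                   /var/log/sshd.log
"""

def selector_matches(selector, facility, priority):
    """True/False if the selector decides for this facility, None if it is silent."""
    facs, _, prio = selector.rpartition(".")
    facs = [f.strip().lower() for f in facs.split(",")]
    if "*" not in facs and facility not in facs:
        return None
    prio = prio.strip().lower()
    if prio == "none":          # facility explicitly excluded
        return False
    if prio == "*":             # every level
        return True
    if prio.startswith("="):    # exactly this level
        return priority == prio[1:]
    # bare PRIORITY: this level and everything more severe
    return PRIORITIES.index(priority) <= PRIORITIES.index(prio)

def route(rules, facility, priority):
    """Return the targets (in config order) a facility.priority message is written to."""
    facility, priority = facility.lower(), priority.lower()
    targets = []
    for line in rules.strip().splitlines():
        selectors, target = re.split(r"\s+", line.strip(), maxsplit=1)
        verdict = None
        for sel in selectors.split(";"):
            result = selector_matches(sel, facility, priority)
            if result is not None:
                verdict = result    # a later selector on the line overrides an earlier one
        if verdict:
            targets.append(target)  # a leading "-" on a file target means async writes
    return targets
```

Note that a local2.info message is delivered to both /var/log/sshd.log and /var/log/messages, because the first rule accepts every facility that is not explicitly excluded.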

Log file display format

  • There are many log files, e.g. /var/log/messages, cron, secure, and so on,
  • and their basic format is similar:
date and time of the event  host  process[pid]: event content
  • Viewing the system security log:
[root@C8-192 ~]# tail /var/log/secure 
May 31 18:32:13 C8-192 sshd[30815]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.88
Jun  1 17:12:42 C8-192 sshd[821]: Server listening on 0.0.0.0 port 22.
Jun  1 17:12:42 C8-192 sshd[821]: Server listening on :: port 22.
Jun  1 17:12:42 C8-192 polkitd[799]: Loading rules from directory /etc/polkit-1/rules.d
Jun  1 17:12:42 C8-192 polkitd[799]: Loading rules from directory /usr/share/polkit-1/rules.d
Jun  1 17:12:42 C8-192 polkitd[799]: Finished loading, compiling and executing 2 rules
Jun  1 17:12:42 C8-192 polkitd[799]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jun  1 17:26:36 C8-192 sshd[1704]: Accepted publickey for root from 10.0.0.88 port 49324 ssh2: RSA SHA256:SkkJUczJ2TjwOv/dIQbqe5s9mQlhDLk+YXeNiOK2Fs0
Jun  1 17:26:36 C8-192 systemd[1707]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jun  1 17:26:36 C8-192 sshd[1704]: pam_unix(sshd:session): session opened for user root by (uid=0)
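To show how the fixed layout above can be parsed and used for a quick security check, here is an added Python example that is not from the original post: it splits lines in the traditional format into timestamp, host, program, pid and message, then counts sshd accepted logins and authentication failures per source address. The sample lines are taken from the tail output above; the "Failed ... for ... from" branch goes beyond the sample and handles the per-attempt failure lines sshd also writes.

```python
import re
from collections import Counter

# Sample lines taken from the tail of /var/log/secure shown above (test input).
SAMPLE_SECURE = """\
May 31 18:32:13 C8-192 sshd[30815]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.88
Jun  1 17:12:42 C8-192 sshd[821]: Server listening on 0.0.0.0 port 22.
Jun  1 17:12:42 C8-192 polkitd[799]: Loading rules from directory /etc/polkit-1/rules.d
Jun  1 17:26:36 C8-192 sshd[1704]: Accepted publickey for root from 10.0.0.88 port 49324 ssh2: RSA SHA256:SkkJUczJ2TjwOv/dIQbqe5s9mQlhDLk+YXeNiOK2Fs0
Jun  1 17:26:36 C8-192 sshd[1704]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# "date time  host  process[pid]: message" as written by RSYSLOG_TraditionalFileFormat
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

def parse_line(line):
    """Split one traditional-format line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec

def summarize_sshd(text):
    """Count accepted logins per (user, source) and authentication failures per source."""
    accepted, failed = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["program"] != "sshd":
            continue
        msg = rec["message"]
        m = re.match(r"Accepted (\S+) for (\S+) from (\S+) port \d+", msg)
        if m:
            accepted[(m.group(2), m.group(3))] += 1
            continue
        # PAM summary line: "PAM N more authentication failures; ... rhost=<addr>"
        m = re.search(r"PAM (\d+) more authentication failures?;.*rhost=(\S*)", msg)
        if m:
            failed[m.group(2)] += int(m.group(1))
            continue
        # Per-attempt line: "Failed password for [invalid user] <user> from <addr> port ..."
        m = re.match(r"Failed \S+ for (?:invalid user )?\S+ from (\S+) port", msg)
        if m:
            failed[m.group(1)] += 1
    return accepted, failed
```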

Configuration example

Setting up a custom log file for the ssh service

  • By default, sshd's log messages go into /var/log/messages and the system log files for their respective level
  • By editing the configuration files we can have sshd's messages recorded in a location of our choice

Edit the sshd configuration file

  • Locate the sshd configuration file and change its logging setting:
# sshd uses the first value it reads for a keyword, so replace the active SyslogFacility line instead of adding a second one after it
sed -ri.bak 's/^SyslogFacility .*/SyslogFacility Local2/' /etc/ssh/sshd_config

Edit the rsyslog configuration file

  • Add a rule that records the custom local2 facility in its own file:
echo -e "#sshd.log\nLocal2.* /var/log/sshd.log" >> /etc/rsyslog.conf

Restart the services so the change takes effect

service sshd reload && systemctl restart rsyslog

Write log entries to test

[root@C8-192 ~]# cat /var/log/sshd.log
Jun  1 23:59:40 C8-192 root[2734]: i am sshd.log
Jun  2 00:03:56 C8-192 sshd[2994]: Server listening on 0.0.0.0 port 22.
Jun  2 00:03:56 C8-192 sshd[2994]: Server listening on :: port 22.
Jun  2 00:04:05 C8-192 sshd[2994]: Received signal 15; terminating.
Jun  2 00:09:43 C8-192 sshd[3132]: Accepted publickey for root from 10.0.0.88 port 49360 ssh2: RSA SHA256:SkkJUczJ2TjwOv/dIQbqe5s9mQlhDLk+YXeNiOK2Fs0
Jun  2 00:09:45 C8-192 sshd[3135]: Received disconnect from 10.0.0.88 port 49360:11: disconnected by user
Jun  2 00:09:45 C8-192 sshd[3135]: Disconnected from user root 10.0.0.88 port 49360
Jun  2 00:09:46 C8-192 sshd[3159]: Accepted publickey for root from 10.0.0.88 port 49362 ssh2: RSA SHA256:SkkJUczJ2TjwOv/dIQbqe5s9mQlhDLk+YXeNiOK2Fs0
Jun  2 00:09:48 C8-192 sshd[3162]: Received disconnect from 10.0.0.88 port 49362:11: disconnected by user
Jun  2 00:09:48 C8-192 sshd[3162]: Disconnected from user root 10.0.0.88 port 49362

Source: https://blog.csdn.net/timonium/article/details/117443139
