tech:logsrv [2013/05/21 16:01] – [CentOS 啟動 Log Server 功能] jonathantech:logsrv [2016/05/29 23:27] (目前版本) jonathan
行 1: 行 1:
 +====== CentOS 啟動 Log Server 功能 ======
  
 +因為一些 Embeded System 提供送出 log 到 Log Server 的功能, 所以就上網找了一下.. 
 +
 +  * Log Server : 192.168.11.252
 +  * /etc/sysconfig/rsyslog<file>
 +# Options for rsyslogd
 +# Syslogd options are deprecated since rsyslog v3.
 +# If you want to use them, switch to compatibility mode 2 by "-c 2"
 +# See rsyslogd(8) for more details
 +SYSLOGD_OPTIONS="-c 5"
 +</file>
 +  * /etc/rsyslog.conf 將  #### RULES #### 底下全部更換如下: **要將以下的 'mylogserver' 換成 CentOS 的 hostname**<file>
 +:
 +:
 +#### RULES ####
 +$template DYNmessages,"/var/log/hosts/%HOSTNAME%/messages.%$YEAR%-%$MONTH%-%$DAY%.log"
 +$template DYNsecure,"/var/log/hosts/%HOSTNAME%/secure.%$YEAR%-%$MONTH%-%$DAY%.log"
 +$template DYNmaillog,"/var/log/hosts/%HOSTNAME%/maillog.%$YEAR%-%$MONTH%-%$DAY%.log"
 +$template DYNcron,"/var/log/hosts/%HOSTNAME%/cron.%$YEAR%-%$MONTH%-%$DAY%.log"
 +$template DYNspooler,"/var/log/hosts/%HOSTNAME%/spooler.%$YEAR%-%$MONTH%-%$DAY%.log"
 +$template DYNboot,"/var/log/hosts/%HOSTNAME%/boot.%$YEAR%-%$MONTH%-%$DAY%.log"
 +$template DYNdaemon,"/var/log/hosts/%HOSTNAME%/daemon.%$YEAR%-%$MONTH%-%$DAY%.log"
 +$template DYNother,"/var/log/hosts/%HOSTNAME%/other.%$YEAR%-%$MONTH%-%$DAY%.log"
 +
 +
 +# Log all kernel messages to the console.
 +# Logging much else clutters up the screen.
 +#kern.*                                                 /dev/console
 +
 +# Log anything (except mail) of level info or higher.
 +# Don't log private authentication messages!
 +#*.info;mail.none;authpriv.none;cron.none                /var/log/messages
 +if \
 +        $source == 'mylogserver' \
 +        and \
 +               $syslogseverity <= '6' \
 +        and ( \
 +                        $syslogfacility-text != 'mail' \
 +                and \
 +                        $syslogfacility-text != 'authpriv' \
 +                and \
 +                        $syslogfacility-text != 'cron' \
 +        ) \
 +then    /var/log/messages
 +
 +# The authpriv file has restricted access.
 +#authpriv.*                                              /var/log/secure
 +if \
 +        $source == 'mylogserver' \
 +                and \
 +        $syslogfacility-text == 'authpriv' \
 +then    /var/log/secure
 +
 +# Log all the mail messages in one place.
 +#mail.*                                                  -/var/log/maillog
 +if \
 +        $source == 'mylogserver' \
 +                and \
 +        $syslogfacility-text == 'mail' \
 +then    -/var/log/maillog
 +
 +
 +# Log cron stuff
 +#cron.*                                                  /var/log/cron
 +if \
 +        $source == 'mylogserver' \
 +                and \
 +        $syslogfacility-text == 'cron' \
 +then    /var/log/cron
 +
 +# Everybody gets emergency messages
 +#*.emerg                                                 *
 +if \
 +        $source == 'mylogserver' \
 +                and \
 +        $syslogseverity-text == 'emerg' \
 +then    *
 +
 +# Save news errors of level crit and higher in a special file.
 +#uucp,news.crit                                          /var/log/spooler
 +if \
 +        $source == 'mylogserver' \
 +                and \
 +        (\
 +                $syslogfacility-text == 'uucp' \
 +                        or \
 +                $syslogfacility-text == 'news' \
 +        )\
 +                and \
 +        $syslogseverity-text == 'crit' \
 +then    /var/log/spooler
 +
 +# Save boot messages also to boot.log
 +#local7.*                                                /var/log/boot.log
 +if \
 +        $source == 'mylogserver' \
 +                and \
 +        $syslogfacility-text == 'local7' \
 +then    /var/log/boot.log
 +
 +
 +# not log server 's log
 +if \
 +        $source != 'mylogserver' \
 +        and \
 +             $syslogseverity <= '6' \
 +        and ( \
 +                        $syslogfacility-text != 'mail' \
 +                and \
 +                        $syslogfacility-text != 'authpriv' \
 +                and \
 +                        $syslogfacility-text != 'cron' \
 +        ) \
 +then    ?DYNmessages
 +
 +if \
 +        $source != 'mylogserver' \
 +                and \
 +        $syslogfacility-text == 'authpriv' \
 +then    ?DYNsecure
 +
 +if \
 +        $source != 'mylogserver' \
 +                and \
 +        $syslogfacility-text == 'mail' \
 +then    -?DYNmaillog
 +
 +if \
 +        $source != 'mylogserver' \
 +                and \
 +        $syslogfacility-text == 'cron' \
 +then    ?DYNcron
 +
 +if \
 +        $source != 'mylogserver' \
 +                and \
 +        (\
 +                $syslogfacility-text == 'uucp' \
 +                        or \
 +                $syslogfacility-text == 'news' \
 +        )\
 +                and \
 +        $syslogseverity-text == 'crit' \
 +then    ?DYNspooler
 +
 +if \
 +        $source != 'mylogserver' \
 +                and \
 +        $syslogfacility-text == 'local7' \
 +then    ?DYNboot
 +
 +if \
 +        $source != 'mylogserver' \
 +                and \
 +        $syslogfacility-text == 'daemon' \
 +then    ?DYNdaemon
 +if \
 +        $source != 'mylogserver' \
 +        and ( \
 +                        $syslogfacility-text != 'mail' \
 +                and \
 +                        $syslogfacility-text != 'authpriv' \
 +                and \
 +                        $syslogfacility-text != 'cron' \
 +                and \
 +                        $syslogfacility-text != 'uucp' \
 +                and \
 +                        $syslogfacility-text != 'news' \
 +                and \
 +                        $syslogfacility-text != 'local7' \
 +                and \
 +                        $syslogfacility-text != 'daemon' \
 +        ) \
 +then    ?DYNother
 +
 +
 +# ### begin forwarding rule ###
 +# The statement between the begin ... end define a SINGLE forwarding
 +:
 +:
 +</file>
 +  * /etc/rsyslog.d/log-server.conf<file>
 +$ModLoad imudp.so
 +# load the network stuff
 +$UDPServerAddress 0.0.0.0
 +$UDPServerRun 514
 +# reduce any duplicates
 +#$RepeatedMsgReduction on
 +</file>
 +
 +  * CentOS 6.x <code sh>
 +service rsyslog restart
 +</code>
 +
 +<note>
 +  * 如果有 firewall 要開啟 udp port 514
 +</note>
 +
 +然後就可以看到外部主機紀錄出現在 /var/log/hosts/ 內, Exp rt-n56u 出現在 /var/log/hosts/rt-n56u/* , 在 /var/logs/hosts/rt56u/messages.2016-05-29.log 內看到過來的訊息如下:
 +<file>
 +:
 +May 29 23:25:26 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=219.87.151.2 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=12106 DF PROTO=TCP <1>SPT=39452 DPT=10051 SEQ=3368554679 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A11C14BB70000000001030307)
 +May 29 23:25:26 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=175.98.115.161 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1887 DF PROTO=TCP <1>SPT=34673 DPT=10051 SEQ=1821995807 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A6C9378290000000001030307)
 +May 29 23:25:26 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=121.201.8.212 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=35179 DF PROTO=TCP <1>SPT=38778 DPT=10051 SEQ=1970503924 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0ACC0D860000000001030307)
 +May 29 23:25:28 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=175.98.115.161 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1888 DF PROTO=TCP <1>SPT=34673 DPT=10051 SEQ=1821995807 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A6C937FF90000000001030307)
 +May 29 23:25:28 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=121.201.8.212 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=35180 DF PROTO=TCP <1>SPT=38778 DPT=10051 SEQ=1970503924 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0ACC15560000000001030307)
 +May 29 23:25:29 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=219.87.151.2 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=34454 DF PROTO=TCP <1>SPT=39398 DPT=10051 SEQ=2364037294 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A11C157570000000001030307)
 +May 29 23:25:29 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=220.130.139.9 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=56982 DF PROTO=TCP <1>SPT=34513 DPT=10051 SEQ=1186483004 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A49E4B1070000000001030307)
 +May 29 23:25:30 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=219.87.151.2 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=12107 DF PROTO=TCP <1>SPT=39452 DPT=10051 SEQ=3368554679 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A11C15B570000000001030307)
 +May 29 23:25:32 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=175.98.115.161 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1889 DF PROTO=TCP <1>SPT=34673 DPT=10051 SEQ=1821995807 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405780402080A6C938F990000000001030307)
 +May 29 23:25:32 rt-n56u kernel: DROP  <4>DROP IN=ppp0 OUT= MAC= <1>SRC=121.201.8.212 DST=220.135.245.64 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=35181 DF PROTO=TCP <1>SPT=38778 DPT=10051 SEQ=1970503924 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A0ACC24F60000000001030307)
 +:
 +</file>
 +
 +<note>
 +其他 Linux 主機的 Log 也可以透過設定 /etc/syslog.conf (CentOS 5.x) /etc/rsyslog.conf (CentOS 6.x)
 +<file>
 +*.*            @192.168.11.252
 +</file>
 +這樣就會將 log 送到 192.168.11.252 Log Server 內了..
 +</note>
 +
 +===== 參考網址 =====
 +  * http://d.hatena.ne.jp/RogerLi2006/20080710/1215676546
 +  * http://linux.vbird.org/linux_basic/0570syslog.php
 +  * http://ssorc.tw/1194
 +
 +{{tag>logServer syslog}}
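Review bot: The listener in /etc/rsyslog.d/log-server.conf accepts UDP syslog from any address (`$UDPServerAddress 0.0.0.0`, `$UDPServerRun 514`, no `$AllowedSender`), and every DYN* template builds its output path directly from `%HOSTNAME%`, which is a header field of the received datagram and therefore chosen by the sender; UDP syslog carries no authentication, so any host that can reach port 514 can fill /var/log/hosts/ with arbitrary directory names and, if slashes or `..` survive into the property, may be able to write outside that tree. Two cheap mitigations in the legacy syntax the page already uses: restrict senders with `$AllowedSender UDP, 127.0.0.1, 192.168.11.0/24` placed before `$UDPServerRun 514`, and sanitise the hostname in each of the eight templates with the property-replacer option, e.g. `$template DYNmessages,"/var/log/hosts/%HOSTNAME:::secpath-replace%/messages.%$YEAR%-%$MONTH%-%$DAY%.log"`. The firewall note should likewise say to open udp/514 only to the subnet holding the embedded devices rather than to everything. The client-side `*.* @192.168.11.252` rule forwards all facilities including authpriv over cleartext UDP, so the page should state that authentication logs cross the LAN unencrypted and that a trusted network segment is assumed. Separately, the example path `/var/logs/hosts/rt56u/messages.2016-05-29.log` in the prose disagrees with the `/var/log/hosts/rt-n56u/*` stated just before it and with the templates, and should be corrected to match.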