日志管理-rsyslog

日志：

歷史事件:時(shí)間，地點(diǎn)，人物，事件日期時(shí)間

事件記錄格式：
日期時(shí)間 主機(jī) 進(jìn)程[pid]: 事件內(nèi)容

C/S架構(gòu)：通過TCP或UDP協(xié)議的服務(wù)完成日志記錄傳送，將分布在不同主機(jī)的日志實(shí)現(xiàn)集中管理

rsyslog
?rsyslog特性：CentOS6和7 ?多線程
?UDP, TCP, SSL, TLS, RELP
?MySQL, PGSQL, Oracle實(shí)現(xiàn)日志存儲(chǔ)
?強(qiáng)大的過濾器，可實(shí)現(xiàn)過濾記錄日志信息中任意部分
?自定義輸出格式

[root@node4~]#rpm?-q?rsyslog???#查詢r(jià)syslog日志包
rsyslog-8.24.0-12.el7.x86_64
[root@node4~]#rpm?-ql?rsyslog
/etc/logrotate.d/syslog
/etc/pki/rsyslog
/etc/rsyslog.conf
/etc/rsyslog.d
/etc/sysconfig/rsyslog
/usr/bin/rsyslog-recover-qi.pl
/usr/lib/systemd/system/rsyslog.service

ELK：elasticsearch, logstash, kibana
?非關(guān)系型分布式數(shù)據(jù)庫
?基于apache軟件基金會(huì)jakarta項(xiàng)目組的項(xiàng)目lucene
?Elasticsearch是個(gè)開源分布式搜索引擎
?Logstash對(duì)日志進(jìn)行收集、分析，并將其存儲(chǔ)供以后使用
?kibana 可以提供的日志分析友好的 Web 界面

rsyslog 介紹

術(shù)語，參見man logger
facility：設(shè)施，從功能或程序上對(duì)日志進(jìn)行歸類
?????auth, authpriv, cron, daemon,ftp,kern, lpr, mail, news, security(auth), user, uucp, local0-local7, syslog
Priority 優(yōu)先級(jí)別，從低到高排序
? ? debug, info, notice, warn(warning), err(error), crit(critical), alert, emerg(panic)
? 參看幫助： man 3 syslog

rsyslog
?程序包：rsyslog
?主程序：/usr/sbin/rsyslogd
?CentOS 6：service rsyslog {start|stop|restart|status} ?CentOS 7：/usr/lib/systemd/system/rsyslog.service
?配置文件：/etc/rsyslog.conf，/etc/rsyslog.d/*.conf
?庫文件： /lib64/rsyslog/*.so
配置文件格式：由三部分組成
MODULES：相關(guān)模塊配置
GLOBAL DIRECTIVES：全局配置
RULES：日志記錄相關(guān)的規(guī)則配置

rsyslog
? RULES配置格式： facility.priority; facility.priority… target
? facility：*: 所有的facility
facility1,facility2,facility3,...：指定的facility列表
? priority： *: 所有級(jí)別
none：沒有級(jí)別，即不記錄
PRIORITY：指定級(jí)別（含）以上的所有級(jí)別
=PRIORITY：僅記錄指定級(jí)別的日志信息
? target：
文件路徑：通常在/var/log/，文件路徑前的-表示異步寫入
用戶：將日志事件通知給指定的用戶，* 表示登錄的所有用戶
日志服務(wù)器：@host，把日志送往至指定的遠(yuǎn)程服務(wù)器記錄
管道： | COMMAND，轉(zhuǎn)發(fā)給其它命令處理

出發(fā)日志工具:logger?
[root@node4~]#logger?"this?is?a?test?log"
[root@node4~]#tail?/var/log/messages?
Jan?18?17:40:01?node4?systemd:?Starting?Session?27?of?user?root.
Jan?18?17:46:26?node4?dbus[626]:?[system]?Activating?via?systemd:?service?name='org.freedesktop.PackageKit'?unit='packagekit.service'
Jan?18?17:46:26?node4?dbus-daemon:?dbus[626]:?[system]?Activating?via?systemd:?service?name='org.freedesktop.PackageKit'?unit='packagekit.service'
Jan?18?17:46:26?node4?systemd:?Starting?PackageKit?Daemon...
Jan?18?17:46:26?node4?dbus[626]:?[system]?Successfully?activated?service?'org.freedesktop.PackageKit'
Jan?18?17:46:26?node4?dbus-daemon:?dbus[626]:?[system]?Successfully?activated?service?'org.freedesktop.PackageKit'
Jan?18?17:46:26?node4?systemd:?Started?PackageKit?Daemon.
Jan?18?17:50:01?node4?systemd:?Started?Session?28?of?user?root.
Jan?18?17:50:01?node4?systemd:?Starting?Session?28?of?user?root.
Jan?18?17:51:03?node4?root:?this?is?a?test?log

[root@node4~]#egrep?-v?'^$|#'?/etc/rsyslog.conf???#查看配置文件相關(guān)的日志路徑
$WorkDirectory?/var/lib/rsyslog
$ActionFileDefaultTemplate?RSYSLOG_TraditionalFileFormat
$IncludeConfig?/etc/rsyslog.d/*.conf
$OmitLocalLogging?on
$IMJournalStateFile?imjournal.state
*.info;mail.none;authpriv.none;cron.none????????????????/var/log/messages
authpriv.*??????????????????????????????????????????????/var/log/secure
mail.*??????????????????????????????????????????????????-/var/log/maillog
cron.*??????????????????????????????????????????????????/var/log/cron
*.emerg?????????????????????????????????????????????????:omusrmsg:*
uucp,news.crit??????????????????????????????????????????/var/log/spooler
local7.*????????????????????????????????????????????????/var/log/boot.log

ssh 的相關(guān)日志記錄在secure 日志里

[root@node4~]#ssh?192.168.137.47???????????????
root@192.168.137.47's?password:?

[root@node4~]#tail?/var/log/secure
Jan?18?18:14:56?node4?sshd[4090]:?pam_unix(sshd:auth):?authentication?failure;?logname=?uid=0?euid=0?tty=ssh?ruser=?rhost=192.168.137.47??user=root
Jan?18?18:14:56?node4?sshd[4090]:?pam_succeed_if(sshd:auth):?requirement?"uid?>=?1000"?not?met?by?user?"root"
Jan?18?18:14:58?node4?sshd[4090]:?Failed?password?for?root?from?192.168.137.47?port?52894?ssh3

[root@node4~]#egrep?-v?"^$|^#"?/etc/ssh/sshd_config?|grep??SyslogFacility?

SyslogFacility?AUTHPRIV

定義log日志路徑；

[root@node4~]#vim?+33?/etc/ssh/sshd_config?

?33?SyslogFacility?local7
?34?LogLevel?INFO
?
?[root@node4~]#vim?/etc/rsyslog.d/sshd.conf?
??1?local7.*??????/var/log/sshd.log
??
[root@node4~]#systemctl?restart?rsyslog?sshd???
?
[root@node4~]#ps?aux?|grep?rsyslogd??(rpm?-q?rsyslog?/rpm?-ql?rsyslog.$packet?)
root???????4665??0.0??0.2?275560??2668??????????Ssl??18:49???0:00?/usr/sbin/rsyslogd?-n
root???????4700??0.0??0.0?112660???968?pts/1????S+???18:50???0:00?grep?--color=auto?rsyslogd


[root@node4~]#?ssh??192.168.137.47
root@192.168.137.47's?password:?
Permission?denied,?please?try?again.
root@192.168.137.47's?password:?
Permission?denied,?please?try?again.
root@192.168.137.47's?password:?
Permission?denied?(publickey,password).
[root@node4~]#tail?/var/log/sshd.log
Jan?18?18:49:08?node4?sshd[4664]:?Server?listening?on?0.0.0.0?port?22.
Jan?18?18:49:08?node4?sshd[4664]:?Server?listening?on?::?port?22.
Jan?18?18:49:46?node4?sshd[4681]:?Failed?password?for?root?from?192.168.137.47?port?52900?ssh3
Jan?18?18:49:46?node4?sshd[4681]:?Failed?password?for?root?from?192.168.137.47?port?52900?ssh3
Jan?18?18:49:46?node4?sshd[4681]:?Connection?closed?by?192.168.137.47?port?52900?[preauth]

事件記錄格式：
日期時(shí)間?主機(jī)?進(jìn)程[pid]:?事件內(nèi)容

centos7:修改主機(jī)名：

[root@node3~]#hostnamectl set-hostname $hostname?
[root@node3~]#/etc/host

日志服務(wù)器：@host，把日志送往至指定的遠(yuǎn)程服務(wù)器記錄

啟用網(wǎng)絡(luò)日志服務(wù)
?通常的日志格式：
事件產(chǎn)生的日期時(shí)間 主機(jī) 進(jìn)程(pid)：事件內(nèi)容
如： /var/log/messages,cron,secure等 ?配置rsyslog成為日志服務(wù)器
#### MODULES ####
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

日志服務(wù)器：@host，把日志送往至指定的遠(yuǎn)程服務(wù)器記錄

源主機(jī)：192.168.137.47????node4
目標(biāo)主機(jī)：192.168.137.37??node3?

[root@node4~]#cat?/etc/rsyslog.d/sshd.conf?
local7.*??????/var/log/sshd.log
#udp
local2.*??????@192.168.137.37
#tcp
#local7.*?????@@192.168.137.37

[root@node3~]#cat?/etc/rsyslog.conf???|grep?-A1??$ModLoad?imudp??
$ModLoad?imudp
$UDPServerRun?514

[root@node3~]#cat?/etc/rsyslog.conf??|grep?local2.*??
local2.*????????????????????????????????????????????????/var/log/udp.log

測試：
[root@node4~]#ssh??192.168.137.47
root@192.168.137.47's?password:?


[root@node3~]#tail?/var/log/udp.log?-f???????????????
Jan?18?22:00:59?node4?sshd[7903]:?Accepted?password?for?root?from?192.168.137.47?port?52916?ssh3
Jan?18?22:01:24?node4?sshd[7903]:?Received?disconnect?from?192.168.137.47?port?52916:11:?disconnected?by?user
Jan?18?22:01:24?node4?sshd[7903]:?Disconnected?from?192.168.137.47?port?52916
Jan?18?22:19:09?node4?sshd[8172]:?Failed?password?for?root?from?192.168.137.47?port?52920?ssh3
Jan?18?22:19:12?node4?sshd[8172]:?Accepted?password?for?root?from?192.168.137.47?port?52920?ssh3

其它日志
其它的日志文件
#/var/log/secure：系統(tǒng)安裝日志，文本格式，應(yīng)周期性分析
#/var/log/btmp：當(dāng)前系統(tǒng)上，用戶的失敗嘗試登錄相關(guān)的日志信息，二進(jìn)制格
式，lastb命令進(jìn)行查看
#/var/log/wtmp：當(dāng)前系統(tǒng)上，用戶正常登錄系統(tǒng)的相關(guān)日志信息，二進(jìn)制格
式，last命令可以查看
#/var/log/lastlog:每一個(gè)用戶最近一次的登錄信息，二進(jìn)制格式，lastlog命令
可以查看
#/var/log/dmesg：系統(tǒng)引導(dǎo)過程中的日志信息，文本格式
文本查看工具查看
專用命令dmesg查看
#/var/log/messages ：系統(tǒng)中大部分的信息
#/var/log/anaconda : anaconda的日志

[root@node4/var/log]#lastb??|head?|awk?'{print?$3}'?|sort?|uniq?-c?
?????10?192.168.137.47
?????
[root@node4/var/log]#lastb?|head?|awk?'{ip?[$3]++}END?{for?(i?in?ip?)?{print?ip?[i]?,i?}}'?
10?192.168.137.47