RSYSLOG搭建集中日志管理服务
2012-06-17 22:30:56 来源:我爱运维网 评论:0 点击:
服务器被黑,日志被删除,让我们在发生安全事件后查找原因时很难入手。日志作为一个重要的切入点,如果不能保证其完整性以及正确性,无疑将对分析安全事件加大了难度。因此,搭建一套完整的集中的日志管理服务系统是非常必要的。同时,还要养成每天查看日志、检查异常的良好习惯。
利用开源软件rsyslog可以很好的实现这样一套集中日志管理服务系统.本文主要描述在Linux操作系统上安装调试rsyslog的搭建。大致的步骤如下:
1.下载并安装最新版本的 rsyslog。目前最新的版本是rsyslog 6.2.2 (v6-stable) released,下载地址:http://www.rsyslog.com/rsyslog-6-2-2-v6-stable/
2.安装
(1)把源代码解压,并进入源代码中执行:
./configure --enable-mysql
(2)依次执行:make和make install
3.配置rsyslog.conf
在源代码下有一个示例文件,把它拷贝到/etc
(1)接受远程设备的syslog则要把以下三行的#去掉:
# UDP Syslog Server:
#$ModLoad imudp.so? # provides UDP syslog reception
#$UDPServerRun 514 # start a UDP syslog server at standard port 514
并同时在iptables中开放514端口
(2)配置rsyslog自动启动
(3)记录到mysql
如果要使用sql来记录日志则先要建表,找到rsyslog-3.20.0\plugins\ommysql下的createDB.sql文件,打开它, 把里面的建表语句在数据库里执行,当然也可以自建一个新数据库。之后加载mysql模块,一定要确认ommysql.so在lib文件夹里存在,如果之前使用./configure --enable-mysql进行配置则会在/usr/local/lib/rsyslog下存在ommysql.so文件(操作系统不同,目录可能不一 样),然后在rsyslog.conf文件中加上:
$ModLoad ommysql
local4.* mmysql:127.0.0.1,Syslog,root,rootpass;MySQLInsert
注意这里是local4来接受远程的syslog在交换机上的配置:
1.华为
info-center loghost 1.1.1.1 facility local4 //local4要和rsyslog.conf 里配置的一致,1.1.1.1为你的syslog服务器地址
info-center loghost source Vlan-interface 11//你的网管VLAN接口,要改的
info-center source SHELL channel loghost log level notifications//只想要操作日志
2.思科
logging 1.1.1.1(配置 syslog服务器地址,可以定义多个)
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec (syslog 信息包含时间戳)
logging facility local4 (定义 facility 级别,缺省为local7,可以设置从 local0到 local7)
logging trap warning (定义severity 级别缺省为 infor 级别)
到mysql 服务器查看:
select * from SystemEvents
但这里还有个小Bug,我们会发现fromhost的这个字段不正确,并不是所用交换机的地址,这是rsyslog的一个bug,那么如何解决?可以自定义模板,不用其默认的模板。定义一个模板:MySQLInsert并用它来执行sql语句,关于模板的概念,请参考http://www.rsyslog.com/docrsyslog_conf.html这 里有详细的解释
参考rsyslog.conf:
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.
$ModLoad immark # provides –MARK– message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # kernel logging (formerly provided by rklogd)
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don’t log private authentication messages!
*.info;mail.none;authpriv.none;cron.none -/var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* -/var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit -/var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /rsyslog/spool # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
#$ModLoad imtcp.so # load module
#$InputTCPServerRun 514 # start up TCP listener at port 514
# UDP Syslog Server:
$ModLoad imudp.so # provides UDP syslog reception
$UDPServerRun 514 # start a UDP syslog server at standard port 514
# MySQL log
$ModLoad ommysql
$template MySQLInsert,”insert into SystemEvents (Message, Facility,FromHost, Priority,
DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (‘%msg%’, %syslogfacility%,
‘%fromhost-ip%’,%syslogpriority%, ‘%timereported:::date-mysql%’, ‘%timegenerated:::date-mysql%’,
%iut%, ‘%syslogtag%’)”,SQL
local4.* mmysql:127.0.0.1,Syslog,root,rootpass;MySQLInsert
#user.* mmysql:127.0.0.1,Syslog,root,rootpass;MySQLInsert
*.* mmysql:127.0.0.1,Syslog,root,rootpass;MySQLInsert
注意笔者使用了%fromhost-ip %,而不是%HOSTNAME%。
当然针对Liunx服务器,把syslog发送过来就可以了,具体的配置就不详细说明。这里还需要提到的是Windows操作系统,需要安装一个客户端软件NTSyslog2.msi。
配置rsyslog服务器地址如图1所示。
图1 配置rsyslog服务器地址
创建MYSQL的rsyslog表,以便日志入库:
mysql-table:
CREATE DATABASE Syslog default character set’utf8′;
USE Syslog;
CREATE TABLE SystemEvents
(
ID int unsigned not null auto_increment primary key,
CustomerID bigint,
ReceivedAt datetime NULL,
DeviceReportedTimedatetime NULL,
Facility smallint NULL,
Priority smallint NULL,
FromHost varchar(60) NULL,
Message text,
NTSeverity int NULL,
Importance int NULL,
EventSource varchar(60),
EventUser varchar(60) NULL,
EventCategory int NULL,
EventID int NULL,
EventBinaryData text NULL,
MaxAvailable int NULL,
CurrUsage int NULL,
MinUsage int NULL,
MaxUsage int NULL,
InfoUnitID int NULL ,
SysLogTag varchar(60),
EventLogType varchar(60),
GenericFileName VarChar(60),
SystemID int NULL,
yn int(2) NOT NULL DEFAULT ’0′
) DEFAULT CHARSET=’utf8′;
database:Syslog
tablename:SystemEvents
Linux客户端配置 authpriv.* @rsyslogServer
完整的搭建rsyslog服务器以及相应的设备配置就完成了。
上一篇:第一页
下一篇:log4j输出日志到rsyslog日志服务器
收藏
