LINUX-21 SYSTEM
LOGGING (RHEL-7)
(PART-4)
INCOMPLETE……UNDER PREPARATION……
RHEL7 SYSTEM LOGGING-P1
RHEL7 SYSTEM LOGGING-P2
RHEL7 SYSTEM LOGGING-P3
RHEL7 SYSTEM LOGGING-P4
RHEL7 SYSTEM LOGGING-P5
RHEL7 SYSTEM LOGGING-P6
RSYSLOG SERVER
Configuration file: /etc/rsyslog.conf
Detailed file analysis already done at,
CLIENT:
The host that sends its logs to the rsyslog server.
[root@rhel7-server /]# vi /etc/rsyslog.conf
*.* @@192.168.234.144:514
On the client, open /etc/rsyslog.conf and add a line with the address and port of the centralized rsyslog server:
*.* @<ip address>:514
Here *.* selects all facilities and all priorities, a single "@" means UDP, followed by the IP address or hostname of the centralized syslog server and the port number.
If you want to use TCP instead of UDP, use the following line instead; the only difference is the extra "@":
*.* @@<ip address>:514
[root@rhel7-server log]# vi /etc/rsyslog.conf
*.* @@192.168.234.146:514
[root@rhel7-server log]# rsyslogd -N 1
rsyslogd: version 7.4.7, config validation run (level 1), master
config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
[root@rhel7-server log]# systemctl restart rsyslog
[root@rhel7-server log]# setenforce 0
[root@rhel7-server log]# firewall-cmd --permanent --add-port=514/tcp
FirewallD is not running
SERVER:
The host that receives the logs from the different clients.
[root@rhel7-test-3 ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.org
[root@rhel7-test-3 ~]# vi /etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Uncomment the lines above as required: if you want connection-oriented logging, uncomment the TCP part; if no connection-oriented channel is needed, uncomment the UDP part.
[root@rhel7-test-3 ~]# systemctl restart rsyslog
[root@rhel7-test-3 ~]# setenforce 0
[root@rhel7-test-3 ~]# getenforce
Permissive
[root@rhel7-test-3 log]# systemctl disable firewalld
[root@rhel7-test-3 log]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
   Active: active (running) since Mon 2017-01-16 18:38:48 IST; 33min ago
 Main PID: 737 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─737 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jan 16 18:38:48 rhel7-test-3 systemd[1]: Started firewalld - dynamic firewall daemon.
[root@rhel7-test-3 ~]# systemctl restart rsyslog
[root@rhel7-test-3 log]# netstat -antup | grep 514
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      2666/rsyslogd
tcp        0      0 192.168.234.146:514     192.168.234.142:41821   ESTABLISHED 2666/rsyslogd
tcp6       0      0 :::514                  :::*                    LISTEN      2666/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           2666/rsyslogd
udp6       0      0 :::514                  :::*                                2666/rsyslogd
[root@rhel7-test-3 ~]# tail -f /var/log/secure
Jan 16 18:58:34 rhel7-server su: pam_unix(su-l:session): session opened for user user1 by root(uid=0)
Jan 16 18:58:55 rhel7-server su: pam_unix(su-l:session): session closed for user user1
I did “su” to user1 from the client.
[root@rhel7-test-3 log]# tail -f /var/log/messages
Jan 16 18:59:32 rhel7-server root: hhhheeeeelllloooo
I did the following from the client:
[root@rhel7-server log]# logger "hhhheeeeelllloooo"
This is a successful configuration, but…
1st problem:
The server is mixing the remote logs with its own. All logs are captured in one place, which means the client is logging into the same files where the server logs its own messages.
2nd problem:
Logs from the client are recorded twice, first in their own location and then at the remote location.
How to resolve these…??
We need to use a “template” to solve this problem:
$template MyTemplateName,"\7Text %property% some more text\n"
# where:
# * $template - tells rsyslog that this line contains a template.
# * MyTemplateName - template name. All other config lines refer to this name.
# * "\7Text %property% some more text\n" - template text
# The backslash is an escape character, i.e. \7 rings the bell, \n is a new line.
# To escape:
# % = \%
# \ = \\
SERVER:
The host that receives the logs from the different clients.
[root@rhel7-test-3 ~]# vi /etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Put the entries below either above the “Global Directives” section or at the end of the file.
$template FILENAME,"/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.%$YEAR%-%$MONTH%-%$DAY%.log"
*.* ?FILENAME
[root@rhel7-test-3 ~]# systemctl restart rsyslog
[root@rhel7-test-3 /]# cd /var/log
[root@rhel7-test-3 log]# ls -ltr
drwx------. 6 root root 82 Jan 18 19:11 rsyslog
[root@rhel7-test-3 log]# cd rsyslog
[root@rhel7-test-3 rsyslog]# ls -ltr
total 8
drwx------. 2 root root 4096 Jan 18 19:12 rhel7-test-3
drwx------. 2 root root 4096 Jan 18 19:12 rhel7-server
[root@rhel7-test-3 rsyslog]# cd rhel7-server
[root@rhel7-test-3 rhel7-server]# ls -ltr
total 12
-rw-r--r--. 1 root root  635 Jan 18 19:15 postfix.2017-01-18.log
-rw-r--r--. 1 root root 2038 Jan 18 19:20 systemd.2017-01-18.log
-rw-r--r--. 1 root root 1035 Jan 18 19:20 CROND.2017-01-18.log
Only 3 log files are here so far.
CLIENT:
[root@rhel7-server log]# vi /etc/rsyslog.conf
*.* @@192.168.234.146:514
[root@rhel7-server log]# systemctl restart rsyslog
Did some, here and there…
[root@rhel7-server log]# sftp 0
root@0's password:
Connected to 0.
sftp> ls
Desktop
Documents
Downloads
Music
Pictures
Public
Templates
Videos
anaconda-ks.cfg
f1
grub.cfg.orig
initial-setup-ks.cfg
log
sde.diskfile
sftp> bye
[root@rhel7-server log]# ssh 0
root@0's password:
Last login: Wed Jan 18 19:08:03 2017 from 192.168.234.1
[root@rhel7-server ~]# ls
anaconda-ks.cfg  Desktop  Documents  Downloads  f1  grub.cfg.orig  initial-setup-ks.cfg  log  Music  Pictures  Public  sde.diskfile  Templates  Videos
[root@rhel7-server ~]# exit
logout
Connection to 0 closed.
[root@rhel7-server log]#
Now, check the log status at SERVER:
[root@rhel7-test-3 rhel7-server]# ls -ltr
total 36
-rw-r--r--. 1 root root  635 Jan 18 19:15 postfix.2017-01-18.log
-rw-r--r--. 1 root root  233 Jan 18 19:22 dbus.2017-01-18.log
-rw-r--r--. 1 root root  333 Jan 18 19:22 sftp-server.2017-01-18.log
-rw-r--r--. 1 root root  890 Jan 18 19:22 sshd.2017-01-18.log
-rw-r--r--. 1 root root  286 Jan 18 19:22 systemd-logind.2017-01-18.log
-rw-r--r--. 1 root root  700 Jan 18 19:22 root.2017-01-18.log
-rw-r--r--. 1 root root 4659 Jan 18 19:30 systemd.2017-01-18.log
-rw-r--r--. 1 root root 2223 Jan 18 19:30 CROND.2017-01-18.log
The number of log files has increased; which files appear depends solely on the configuration of /etc/rsyslog.conf at the CLIENT.
Added new client,
[root@rhel6-server ~]# vi /etc/rsyslog.conf
*.* @192.168.234.146:514
[root@rhel6-server ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@rhel6-server ~]# logger -p mail.info "hhhhhhheeeelllooo"
[root@rhel6-server ~]# logger -p cron.info "hhhhhhheeeelllooo"
Now… check this at SERVER:
[root@rhel7-test-3 rsyslog]# ls -ltr
total 12
drwx------. 2 root root 4096 Jan 18 19:22 rhel7-server
drwx------. 2 root root 4096 Jan 18 19:31 rhel7-test-3
drwx------. 2 root root 4096 Jan 18 19:36 rhel6-server
[root@rhel7-test-3 rsyslog]# cd rhel6-server
[root@rhel7-test-3 rhel6-server]# ls -ltr
total 48
-rw-r--r--. 1 root root 1780 Jan 18 19:33 bluetoothd.2017-01-18.log
-rw-r--r--. 1 root root  240 Jan 18 19:34 pam.2017-01-18.log
-rw-r--r--. 1 root root  276 Jan 18 19:34 spice-vdagent.2017-01-18.log
-rw-r--r--. 1 root root  356 Jan 18 19:34 seahorse-daemon.2017-01-18.log
-rw-r--r--. 1 root root  602 Jan 18 19:34 dbus.2017-01-18.log
-rw-r--r--. 1 root root 1094 Jan 18 19:34 polkitd(authority=local).2017-01-18.log
-rw-r--r--. 1 root root 1164 Jan 18 19:34 pulseaudio.2017-01-18.log
-rw-r--r--. 1 root root  414 Jan 18 19:35 sshd.2017-01-18.log
-rw-r--r--. 1 root root 7146 Jan 18 19:36 kernel.2017-01-18.log
-rw-r--r--. 1 root root  446 Jan 18 19:36 rsyslogd.2017-01-18.log
-rw-r--r--. 1 root root  106 Jan 18 19:37 root.2017-01-18.log
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~
This template needs a little explanation.
The $template RemoteLogs directive (the string "RemoteLogs" can be changed to any other descriptive name) forces the rsyslog daemon to write log messages to separate local log files in /var/log/, where the log file names are derived from the hostname of the remote sending machine and the remote application that generated the logs.
The second line ("*.* ?RemoteLogs") applies the RemoteLogs template to all received logs.
The "& ~" line is a discard rule (rsyslog's "~" action applied to the previous selector): it tells the rsyslog daemon to stop processing the matched messages and not write them anywhere else. Without it, all remote messages would also be written to the local log files in addition to the files described above, i.e. they would effectively be written twice.
Another consequence of this rule is that the syslog server's own log messages are likewise written only to the dedicated files named after its own hostname.
If you want, you can direct log messages with a specific facility or severity level to this new template using the following schema:
[facility-level].[severity-level] ?RemoteLogs
For example:
Direct all internal authentication (authpriv) messages of all priority levels to the RemoteLogs template:
authpriv.* ?RemoteLogs
Direct informational messages generated by all system processes, except mail, authentication and cron messages, to the RemoteLogs template (multiple selectors are separated by semicolons, as in the stock /var/log/messages rule):
*.info;mail.none;authpriv.none;cron.none ?RemoteLogs
If you want all messages received from remote clients written to a single file per sender, named after the sender's IP address, you can use the following template. We assign the name "IpTemplate" to it.
$template IpTemplate,"/var/log/%FROMHOST-IP%.log"
*.* ?IpTemplate
& ~
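The template expansion, the selector schema and the "& ~" stop rule described above can be seen working together in the following small Python model. It is an added example, not configuration or code from the original post or from the rsyslog project: it parses a few constructed forwarded lines the way rsyslog would, expands the FILENAME and IpTemplate templates, evaluates selectors such as *.info;mail.none;authpriv.none;cron.none, and routes the messages through the stock RHEL 7 rules with and without "& ~", so the double write the text describes shows up as eight destination files instead of four. The sample lines, the client address 192.168.234.150 for rhel6-server and the simplified PROGRAMNAME rule (tag cut at '[', ':' or '/') are assumptions made for the example; rsyslog's own parser is more elaborate.

```python
"""Added example (not part of the original post): a small model of how rsyslog applies a
selector, a file-name template and the "& ~" stop rule to lines received from remote clients."""
import re
from datetime import datetime

# syslog.conf(5) facility and severity names; facility = PRI // 8, severity = PRI % 8.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 6: "lpr",
              7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
FACILITY_NUM = {name: num for num, name in FACILITIES.items()}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
RUN_DATE = datetime(2017, 1, 18)   # stands in for the server clock behind %$YEAR%-%$MONTH%-%$DAY%

# "<PRI>TIMESTAMP HOST TAG: MSG" is the shape a client's "*.* @@server:514" rule forwards.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<tag>[^:\s]+):\s?(?P<msg>.*)$")

def parse_message(line, fromhost_ip):
    """Turn one received line into the rsyslog properties that templates and selectors use."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m["pri"])
    # Modelled PROGRAMNAME rule: the tag cut at '[', ':' or '/' ("postfix/pickup[1211]" -> "postfix").
    programname = re.split(r"[\[:/]", m["tag"], maxsplit=1)[0]
    return {"HOSTNAME": m["host"], "FROMHOST-IP": fromhost_ip, "PROGRAMNAME": programname,
            "msg": m["msg"], "syslogfacility": pri // 8, "syslogseverity": pri % 8,
            "syslogfacility-text": FACILITIES.get(pri // 8, str(pri // 8)),
            "syslogseverity-text": SEVERITIES[pri % 8]}

def expand_template(template, props, now=RUN_DATE):
    """Expand a legacy $template string: %prop% from the message, %$YEAR%/%$MONTH%/%$DAY%
    from the server clock, and the \\%, \\\\, \\n and \\7 escapes described in the post."""
    clock = {"$YEAR": f"{now.year:04d}", "$MONTH": f"{now.month:02d}", "$DAY": f"{now.day:02d}"}
    escapes = {"n": "\n", "7": "\x07", "%": "%", "\\": "\\"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "\\" and i + 1 < len(template):
            out.append(escapes.get(template[i + 1], template[i + 1]))
            i += 2
        elif template[i] == "%":
            end = template.index("%", i + 1)           # ValueError on an unterminated %name
            name = template[i + 1:end]
            out.append(clock[name] if name in clock else str(props[name]))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

def selector_matches(selector, props):
    """Evaluate e.g. '*.info;mail.none;authpriv.none;cron.none': ';' separates selectors,
    ',' separates facilities inside one selector, later selectors override earlier ones."""
    allowed = {}                                        # facility number -> allowed severities
    for sel in selector.split(";"):
        facs, prio = sel.rsplit(".", 1)
        fac_nums = range(24) if facs == "*" else [FACILITY_NUM[f] for f in facs.split(",")]
        if prio in ("none", "*"):
            sevs = set() if prio == "none" else set(range(8))
        elif prio.startswith("="):                      # exactly this level
            sevs = {SEVERITIES.index(prio[1:])}
        else:                                           # this level and everything more severe
            sevs = set(range(SEVERITIES.index(prio) + 1))
        allowed.update(dict.fromkeys(fac_nums, sevs))
    return props["syslogseverity"] in allowed.get(props["syslogfacility"], set())

def route(rules, templates, messages, now=RUN_DATE):
    """Apply (selector, action) rules in order; returns {destination: [msg, ...]}. '&' reuses
    the previous selector and '~' discards, so ('&', '~') is the post's "& ~" stop rule."""
    written = {}
    for props in messages:
        matched = False
        for selector, action in rules:
            matched = matched if selector == "&" else selector_matches(selector, props)
            if not matched:
                continue
            if action == "~":
                break                                   # discarded: no later rule sees it
            dest = expand_template(templates[action[1:]], props, now) if action[0] == "?" else action
            written.setdefault(dest, []).append(props["msg"])
    return written

# Constructed traffic modelled on what the two clients in the post would forward.
SAMPLE = [
    ("192.168.234.142", "<13>Jan 18 19:22:01 rhel7-server root: hhhheeeeelllloooo"),  # user.notice
    ("192.168.234.142", "<86>Jan 18 19:22:02 rhel7-server su: pam_unix(su-l:session): session opened for user user1"),  # authpriv.info
    ("192.168.234.142", "<22>Jan 18 19:22:03 rhel7-server postfix/pickup[1211]: 7E2F4: uid=0 from=<root>"),  # mail.info
    ("192.168.234.150", "<78>Jan 18 19:36:04 rhel6-server CROND[2940]: (root) CMD (run-parts /etc/cron.hourly)"),  # cron.info
]
TEMPLATES = {"FILENAME": "/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.%$YEAR%-%$MONTH%-%$DAY%.log",
             "IpTemplate": "/var/log/%FROMHOST-IP%.log"}
# The stock RHEL 7 rules that follow in rsyslog.conf; without "& ~" they see every remote message too.
DEFAULT_RULES = [("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
                 ("authpriv.*", "/var/log/secure"), ("mail.*", "/var/log/maillog"), ("cron.*", "/var/log/cron")]

def demo(stop_after_template):
    """Route the samples through the FILENAME template, with or without the "& ~" rule."""
    rules = [("*.*", "?FILENAME")] + ([("&", "~")] if stop_after_template else []) + DEFAULT_RULES
    return route(rules, TEMPLATES, [parse_message(line, ip) for ip, line in SAMPLE])
```

demo(False) returns eight destinations: every remote message is written both under /var/log/rsyslog/<host>/ and to one of the stock files (/var/log/messages, secure, maillog or cron), which is the double write described above; demo(True) returns only the four template files. One detail the model keeps from rsyslog: %$YEAR%, %$MONTH% and %$DAY% come from the server's clock at write time (RUN_DATE here), not from the message's own timestamp, so a message that arrives after midnight lands in the next day's file.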