在CentOS 5和6上安装或升级到Rsyslog的最新稳定版本

安装或升级到CentOS 5和6上的最新稳定版本的Rsyslog

本教程将介绍如何使用CentOS 5上的Rsyslog安装新一代的syslog服务器。它还显示了如何在CentOS 6上升级过时的Rsyslog 4.0。根据Rsyslog网站（www.rsyslog.com），Rsyslog是一个增强型syslogd支持，其中包括MySQL，PostgreSQL，故障转移日志目标，syslog / tcp，精细粒度输出格式控制，高精度时间戳，排队操作以及对任何消息部分进行过滤的能力。 它与库存sysklogd相当兼容，可以作为替代品。 其先进的功能使其适用于企业级，加密保护的系统日志中继链，同时非常容易为新手用户设置。

目标

本教程将介绍如何在CentOS 5.0和CentOS 6.0上编译和安装最新的稳定版本的Rsyslog。 我不会保证这将为您工作！

启用其他存储库（仅适用于CentOS 5.x）

如果您正在使用CentOS 5.x，则需要为常规CentOS存储库中不可用的软件包启用额外的存储库。 我们可以启用此存储库，如下所示：

注意：仅在CentOS 5.x上运行以下命令

#########
 # Warning! Run the following command on CentOS 5.x x86_64 ONLY
 #########

 wget http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

 #########
 # Warning! Run the following command on CentOS 5.x i386 ONLY
 #########

 wget http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm

 #########
 # Warning! Run the following command on both CentOS 5.x i386 and x86_64
 #########

 rpm -ivh epel-release-5-4.noarch.rpm

启用其他存储库（仅适用于CentOS 6.x）

如果您使用CentOS 6.x，则需要为常规CentOS存储库中不可用的软件包启用额外的存储库。 您可以如下启用此存储库：

注意：仅在CentOS 6.x上运行以下命令

#########
 # Warning! Run the following command on CentOS 6.x x86_64 ONLY
 #########

 wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-6.noarch.rpm

 #########
 # Warning! Run the following command on CentOS 6.x i386 ONLY
 #########

 wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-6.noarch.rpm

 #########
 # Warning! Run the following command on both CentOS 6.x i386 and x86_64
 #########

 rpm -ivh epel-release-6-6.noarch.rpm

预安装（CentOS 5和6）

使用YUM命令安装所需的软件包：

yum install gcc glibc-devel glibc-headers kernel-headers libgomp cpp glibc glibc-common libgcc nscd make 
 yum install zlib zlib-devel pcre pcre-devel mysql-server mysql-devel gnutls gnutls-devel gnutls-utils 
 yum install libxml2-devel net-snmp net-snmp-devel net-snmp-libs net-snmp-perl net-snmp-utils libxml2 
 yum install libnet libnet-devel --disablerepo=* --enablerepo=epel

通常，CentOS安装所有相关软件包，但在某些情况下，您可能还需要以下软件包：

yum install beecrypt beecrypt-devel e2fsprogs-devel 
 yum install elfutils-devel elfutils-devel-static elfutils-libelf-devel elfutils-libelf-devel-static elfutils-libs 
 yum install keyutils-libs-devel krb5-devel libgcrypt-devel libgpg-error-devel libselinux-devel libsepol-devel 
 yum install lm_sensors lm_sensors-devel mysql nspr-devel nss-devel openssl-devel perl-DBD-MySQL perl-DBI rpm-devel sqlite-devel 
 yum install e2fsprogs e2fsprogs-libs krb5-libs krb5-workstation libgcrypt libselinux libselinux-python libselinux-utils 
 yum install nspr nss nss-tools openssl popt rpm rpm-libs rpm-python

下载附加软件包（CentOS 5和6）

librelp（可靠的事件记录协议库）是一个易于使用的RELP协议库。 RELP又通过网络提供可靠的事件记录。 RELP（因此）librelp确保没有消息丢失，即使连接中断，对等体变得不可用。 请注意，RELP是一种通用的可扩展日志记录协议。 尽管它旨在解决rsyslog-to-rsyslog通信的迫切需求，但RELP支持更多应用。

注意：如果您运行的是64位系统，则将--libdir = / usr / lib64添加到./configure命令的末尾

cd /tmp
 wget http://libestr.adiscon.com/files/download/libestr-0.1.2.tar.gz
tar -xvf libestr-0.1.2.tar.gz 
 cd libestr-0.1.2
 ./configure --prefix=/usr
 make
 make install 

 cd /tmp
 wget http://www.libee.org/files/download/libee-0.4.1.tar.gz
 tar -xvf libee-0.4.1.tar.gz 
 cd libee-0.4.1
 ./configure --prefix=/usr
 make
 make install 

 cd /tmp
 wget http://download.rsyslog.com/librelp/librelp-1.0.0.tar.gz
 tar -xvf librelp-1.0.0.tar.gz 
 cd librelp-1.0.0
 ./configure --prefix=/usr 
 make
 make install

下载Rsyslog软件包

在编写本教程时，我发现rsyslog 5.8.12是Rsyslog的最新稳定版本，它支持大部分可能需要的功能。

cd /tmp
 wget http://www.rsyslog.com/files/download/rsyslog/rsyslog-5.8.12.tar.gz 
 tar -xvf rsyslog-5.8.12.tar.gz
 cd rsyslog-5.8.12

编译安装Rsyslog

有关Rsyslog中可用的选项的更多信息，可以运行

./configure --help

以下命令启用几乎所有的rsyslog功能，如压缩，多线程，MySql，SNMP，邮件，RELP支持等。

./configure \ 
 --prefix= --enable-regexp \ 
 --enable-zlib --enable-pthreads --enable-klog \ 
 --enable-inet --enable-unlimited-select --enable-debug --enable-rtinst \ 
 --enable-memcheck --enable-diagtools --enable-mysql --enable-snmp \ 
 --enable-gnutls --enable-rsyslogrt --enable-rsyslogd --enable-extended-tests \ 
 --enable-mail --enable-valgrind --enable-relp --enable-testbench \ 
 --enable-pmlastmsg --enable-imptcp --enable-omruleset \ 
 --enable-imdiag --enable-imfile --enable-omstdout --enable-omdbalerting \ 
 --enable-omuxsock --enable-imtemplate --enable-omtemplate --enable-omudpspoof \ 
 --enable-omprog --enable-impstats --enable-mmsnmptrapd 
 make
 make install

注意：--prefix =告诉系统在/ sbin文件夹上安装rsyslog。 它在CentOS 6.0中非常重要

后安装

mkdir -p /etc/rsyslog.d/ 
 mkdir -p /var/spool/rsyslog 
 chmod 755 /var/spool/rsyslog

#########
 # Warning! Run the following commands on CentOS 5.x ONLY
 #########

 cp /etc/syslog.conf /etc/rsyslog.d/syslog.conf 
 rpm -ev --nodeps sysklogd 
 touch /etc/rsyslog.conf 
 chmod 644 /etc/rsyslog.conf 

 #########
 # Warning! Run the following commands on CentOS 6.x ONLY
 #########

 cp /etc/rsyslog.conf /etc/rsyslog.d/syslog.conf 
 vi /etc/rsyslog.d/syslog.conf 
 
 #Open syslog.conf file and CUT ALL LINES BEFORE #### RULES #### AND AFTER ### begin forwarding rule ###

强烈建议专门使用新语法。
将“* .emerg *”更改为“* .emerg：omusrmsg：*”

Rsyslog配置

vi /etc/init.d/rsyslog

#rsyslog v5 config file
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
#### MODULES ####
$ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)
$ModLoad immark.so     # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerAddress *
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp.so  
#$InputTCPServerRun 514
#$ModLoad imrelp.so
#$InputRELPServerRun 20514 
#ModLoad ommail.so 
#$ActionMailSMTPServer mail.example.net
#$ActionMailFrom rsyslog@example.net
#$ActionMailTo operator@example.net
#$ActionMailTo admin@example.net
#$template mailSubject,"disk problem on %hostname%"
#$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
#$ActionMailSubject mailSubject
#$ActionExecOnlyOnceEveryInterval 21600
#if $msg contains 'hard disk fatal failure' then :ommail:;mailBody
#### GLOBAL DIRECTIVES ####
$umask 0000
$DirCreateMode 0640
$FileCreateMode 0640
$RepeatedMsgReduction on
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList      
$ActionQueueFileName queue       
$ActionResumeRetryCount -1       
$ActionQueueSaveOnShutdown on
$MainMsgQueueMaxFileSize 100M  
$ActionQueueMaxFileSize 5M     
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required, 
# not useful and an extreme performance hit
#$ActionFileEnableSync on
#### START OF RULES ####
$IncludeConfig /etc/rsyslog.d/*.conf
#### END OF RULES ####
#### Forward via TCP with maximum compression: ####
#$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
#*.*       @@(z9)192.168.x.x:514
#### Forward via UDP with maximum compression: ####
#$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
#*.*       @(z9)192.168.x.x:514
#### Forward via RELP Protocol : ####
#$ModLoad omrelp.so
#*.*      :omrelp:192.168.x.x:20514
#$ModLoad ommysql.so
#*.*      :ommysql:127.0.0.1,Syslog,rsyslog,your-mysql-password

vi /etc/rsyslog.d/syslog.conf

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg 						:omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

配置Init脚本

vi /etc/init.d/rsyslog

#!/bin/bash
#
# rsyslog        Starts rsyslogd/rklogd.
#
# chkconfig: 2345 12 88
# description: Syslog is the facility by which many daemons use to log \
# messages to various system log files.  It is a good idea to always \
# run rsyslog.
### BEGIN INIT INFO
# Provides: $syslog
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start:  2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Enhanced system logging and kernel message trapping daemons
# Description: Rsyslog is an enhanced multi-threaded syslogd supporting, 
#              among others, MySQL, syslog/tcp, RFC 3195, permitted 
#              sender lists, filtering on any message part, and fine 
#              grain output format control.
### END INIT INFO
# Source function library.
. /etc/init.d/functions
RETVAL=0
PIDFILE=/var/run/syslogd.pid
prog=rsyslog
exec=/sbin/rsyslogd
lockfile=/var/lock/subsys/$prog
# Source config
if [ -f /etc/sysconfig/$prog ] ; then
    . /etc/sysconfig/$prog
fi
start() {
        [ -x $exec ] || exit 5
        umask 077
        echo -n $"Starting system logger: "
        daemon --pidfile="$PIDFILE" $exec -i "$PIDFILE" $SYSLOGD_OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch $lockfile
        return $RETVAL
}
stop() {
        echo -n $"Shutting down system logger: "
        killproc -p "$PIDFILE" $exec
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f $lockfile
        return $RETVAL
}
reload()  {
    RETVAL=1
    syslog=$(cat "${PIDFILE}" 2>/dev/null)
    echo -n "Reloading system logger..."
    if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
        kill -HUP "$syslog";
        RETVAL=$?
    fi
    if [ $RETVAL -ne 0 ]; then
        failure
    else
        success
    fi
    echo
    return $RETVAL
}
rhstatus() {
        status -p "$PIDFILE" $exec
}
restart() {
        stop
        start
}
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  reload|force-reload)
        reload
        ;;
  status)
        rhstatus
        ;;
  condrestart|try-restart)
        rhstatus >/dev/null 2>&1 || exit 0
        restart
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
        exit 2
esac
exit $?

准备MySQL数据库

如果要将syslog记录保存到db，则安装mySQL是必需的，否则跳过此部分

mysql -u root -p < plugins/ommysql/createDB.sql
 mysql -u root -p mysql
 GRANT ALL ON Syslog.* TO rsyslog@localhost IDENTIFIED BY 'your-mysql-password';
 flush privileges;

配置Rsyslog守护进程

echo 'SYSLOGD_OPTIONS="-c5"' > /etc/sysconfig/rsyslog 
 chmod 755 /etc/init.d/rsyslog 

 #########
 # Warning! Run the following commands on CentOS 5.x ONLY
 #########

 chkconfig --add rsyslog 
 chkconfig rsyslog on 
 touch /etc/logrotate.d/syslog 
 chmod 644 /etc/logrotate.d/syslog

Rsyslog日志旋转

vi /etc/logrotate.d/syslog

/var/log/boot.log
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

启动Rsyslog

chmod 644 /etc/rsyslog.conf
 service rsyslog start 
 tail -f /var/log/messages

测试Rsyslog

logger "this is a test message" 
 logger -p local0.info -t testtag "this is a test message"

链接

伊朗Honeynet项目： http ： //www.honeynet.ir/
Rsyslog项目： http : //www.rsyslog.com/
CentOS： http : //www.centos.org/