Installing or upgrading to the latest stable Rsyslog on CentOS 5 and 6
This tutorial shows how to install the next-generation syslog server, Rsyslog, on CentOS 5. It also shows how to upgrade the outdated Rsyslog 4.0 that ships with CentOS 6. According to the Rsyslog website (www.rsyslog.com), Rsyslog is an enhanced syslogd supporting, among others, MySQL, PostgreSQL, failover log destinations, syslog/tcp, fine-grained output format control, high-precision timestamps, queued operations and the ability to filter on any message part. It is quite compatible with stock sysklogd and can be used as a drop-in replacement. Its advanced features make it suitable for enterprise-class, encryption-protected syslog relay chains, while at the same time being very easy to set up for the novice user.
Objective
This tutorial explains how to compile and install the latest stable version of Rsyslog on CentOS 5.0 and CentOS 6.0. I make no guarantee that this will work for you!
Enabling an additional repository (CentOS 5.x only)
If you are using CentOS 5.x, you need to enable an extra repository (EPEL) for packages that are not available in the regular CentOS repositories. Enable it as follows:
Note: run the following commands on CentOS 5.x only
#########
# Warning! Run the following command on CentOS 5.x x86_64 ONLY
#########
wget http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
#########
# Warning! Run the following command on CentOS 5.x i386 ONLY
#########
wget http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
#########
# Warning! Run the following command on both CentOS 5.x i386 and x86_64
#########
rpm -ivh epel-release-5-4.noarch.rpm
Enabling an additional repository (CentOS 6.x only)
If you are using CentOS 6.x, you need to enable an extra repository (EPEL) for packages that are not available in the regular CentOS repositories. Enable it as follows:
Note: run the following commands on CentOS 6.x only
#########
# Warning! Run the following command on CentOS 6.x x86_64 ONLY
#########
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-6.noarch.rpm
#########
# Warning! Run the following command on CentOS 6.x i386 ONLY
#########
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-6.noarch.rpm
#########
# Warning! Run the following command on both CentOS 6.x i386 and x86_64
#########
rpm -ivh epel-release-6-6.noarch.rpm
Pre-installation (CentOS 5 and 6)
Install the required packages with yum:
yum install gcc glibc-devel glibc-headers kernel-headers libgomp cpp glibc glibc-common libgcc nscd make
yum install zlib zlib-devel pcre pcre-devel mysql-server mysql-devel gnutls gnutls-devel gnutls-utils
yum install libxml2-devel net-snmp net-snmp-devel net-snmp-libs net-snmp-perl net-snmp-utils libxml2
yum install libnet libnet-devel --disablerepo=* --enablerepo=epel
Usually CentOS installs all related packages by itself, but in some cases you may also need the following packages:
yum install beecrypt beecrypt-devel e2fsprogs-devel
yum install elfutils-devel elfutils-devel-static elfutils-libelf-devel elfutils-libelf-devel-static elfutils-libs
yum install keyutils-libs-devel krb5-devel libgcrypt-devel libgpg-error-devel libselinux-devel libsepol-devel
yum install lm_sensors lm_sensors-devel mysql nspr-devel nss-devel openssl-devel perl-DBD-MySQL perl-DBI rpm-devel sqlite-devel
yum install e2fsprogs e2fsprogs-libs krb5-libs krb5-workstation libgcrypt libselinux libselinux-python libselinux-utils
yum install nspr nss nss-tools openssl popt rpm rpm-libs rpm-python
Downloading additional packages (CentOS 5 and 6)
librelp (Reliable Event Logging Protocol library) is an easy-to-use library for the RELP protocol. RELP in turn provides reliable event logging over the network. RELP (and thus librelp) ensures that no message is lost, even when the connection breaks and the peer becomes unavailable. Note that RELP is a general-purpose, extensible logging protocol. Although it was designed to address the pressing needs of rsyslog-to-rsyslog communication, RELP supports many more applications.
Note: if you are running a 64-bit system, append --libdir=/usr/lib64 to the end of each ./configure command below
cd /tmp
wget http://libestr.adiscon.com/files/download/libestr-0.1.2.tar.gz
tar -xvf libestr-0.1.2.tar.gz
cd libestr-0.1.2
./configure --prefix=/usr
make
make install
cd /tmp
wget http://www.libee.org/files/download/libee-0.4.1.tar.gz
tar -xvf libee-0.4.1.tar.gz
cd libee-0.4.1
./configure --prefix=/usr
make
make install
cd /tmp
wget http://download.rsyslog.com/librelp/librelp-1.0.0.tar.gz
tar -xvf librelp-1.0.0.tar.gz
cd librelp-1.0.0
./configure --prefix=/usr
make
make install
Downloading the Rsyslog package
At the time of writing this tutorial, I found rsyslog 5.8.12 to be the latest stable version of Rsyslog, and it supports most of the features one might need.
cd /tmp
wget http://www.rsyslog.com/files/download/rsyslog/rsyslog-5.8.12.tar.gz
tar -xvf rsyslog-5.8.12.tar.gz
cd rsyslog-5.8.12
Compiling and installing Rsyslog
For more information about the options available in Rsyslog, you can run
./configure --help
The following command enables almost all rsyslog features, such as compression, multithreading, MySQL, SNMP, mail and RELP support:
./configure \
--prefix= --enable-regexp \
--enable-zlib --enable-pthreads --enable-klog \
--enable-inet --enable-unlimited-select --enable-debug --enable-rtinst \
--enable-memcheck --enable-diagtools --enable-mysql --enable-snmp \
--enable-gnutls --enable-rsyslogrt --enable-rsyslogd --enable-extended-tests \
--enable-mail --enable-valgrind --enable-relp --enable-testbench \
--enable-pmlastmsg --enable-imptcp --enable-omruleset \
--enable-imdiag --enable-imfile --enable-omstdout --enable-omdbalerting \
--enable-omuxsock --enable-imtemplate --enable-omtemplate --enable-omudpspoof \
--enable-omprog --enable-impstats --enable-mmsnmptrapd
make
make install
Note: the empty --prefix= tells the build to install rsyslogd into the /sbin folder, which is where the init script below expects it. This is very important on CentOS 6.0.
Post-installation
mkdir -p /etc/rsyslog.d/
mkdir -p /var/spool/rsyslog
chmod 755 /var/spool/rsyslog
#########
# Warning! Run the following commands on CentOS 5.x ONLY
#########
cp /etc/syslog.conf /etc/rsyslog.d/syslog.conf
rpm -ev --nodeps sysklogd
touch /etc/rsyslog.conf
chmod 644 /etc/rsyslog.conf
#########
# Warning! Run the following commands on CentOS 6.x ONLY
#########
cp /etc/rsyslog.conf /etc/rsyslog.d/syslog.conf
vi /etc/rsyslog.d/syslog.conf
#Open syslog.conf file and CUT ALL LINES BEFORE #### RULES #### AND AFTER ### begin forwarding rule ###
It is strongly recommended to use the new syntax exclusively.
Change "*.emerg *" to "*.emerg :omusrmsg:*"
Rsyslog configuration
vi /etc/rsyslog.conf
#rsyslog v5 config file
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

#### MODULES ####

$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so   # provides kernel logging support (previously done by rklogd)
$ModLoad immark.so   # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerAddress *
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp.so
#$InputTCPServerRun 514

# Provides RELP syslog reception
#$ModLoad imrelp.so
#$InputRELPServerRun 20514

# Mail alerting (ommail); the original line was missing the leading $
#$ModLoad ommail.so
#$ActionMailSMTPServer mail.example.net
#$ActionMailFrom rsyslog@example.net
#$ActionMailTo operator@example.net
#$ActionMailTo admin@example.net
#$template mailSubject,"disk problem on %hostname%"
#$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
#$ActionMailSubject mailSubject
#$ActionExecOnlyOnceEveryInterval 21600
#if $msg contains 'hard disk fatal failure' then :ommail:;mailBody

#### GLOBAL DIRECTIVES ####

$umask 0000
$DirCreateMode 0640
$FileCreateMode 0640
$RepeatedMsgReduction on
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName queue
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
$MainMsgQueueMaxFileSize 100M
$ActionQueueMaxFileSize 5M
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

#### START OF RULES ####

$IncludeConfig /etc/rsyslog.d/*.conf

#### END OF RULES ####

#### Forward via TCP with maximum compression: ####
#$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
#*.* @@(z9)192.168.x.x:514

#### Forward via UDP with maximum compression: ####
#$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
#*.* @(z9)192.168.x.x:514

#### Forward via RELP Protocol : ####
#$ModLoad omrelp.so
#*.* :omrelp:192.168.x.x:20514

#### Write to MySQL: ####
#$ModLoad ommysql.so
#*.* :ommysql:127.0.0.1,Syslog,rsyslog,your-mysql-password
vi /etc/rsyslog.d/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log
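As an added example (not part of the original tutorial), the Python below parses the legacy selector lines of the syslog.conf above and reports where a message with a given facility and priority ends up. That is the check to run when verifying a rule set, for instance that authpriv messages go only to /var/log/secure and never to /var/log/messages, and that *.emerg reaches both the messages file and logged-in users. It handles the general legacy syntax (comma-separated facilities, ".none" exclusions, "*", and the leading "-" async marker), not only the rules shown on this page.

```python
import re

# Numeric syslog severities: a lower number is more severe, and a selector
# such as "*.info" matches that level and everything more severe than it.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIO = {name: n for n, name in enumerate(PRIORITIES)}

# Constructed sample: the active selector lines of the syslog.conf above
# (comments and the commented-out kern.* rule left out).
SAMPLE_RULES = """
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
"""

def parse_rules(text):
    """Return [(selectors, action)]; each selector is (facility, level) with
    level an integer severity, or None for '.none' (exclude that facility)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        sel_part, action = re.split(r"\s+", line, maxsplit=1)
        selectors = []
        for sel in sel_part.split(";"):
            facs, level = sel.rsplit(".", 1)
            lvl = None if level == "none" else PRIO["debug" if level == "*" else level]
            selectors.extend((fac, lvl) for fac in facs.split(","))
        # A leading '-' only means "do not sync after each write"; it is not part of the path.
        rules.append((selectors, action.lstrip("-")))
    return rules

def route(rules, facility, priority):
    """List the actions a message with this facility/priority is delivered to."""
    sev = PRIO[priority]
    targets = []
    for selectors, action in rules:
        threshold = {}  # per-facility level; later selectors on a line override earlier ones
        for fac, lvl in selectors:
            threshold = {"*": lvl} if fac == "*" else {**threshold, fac: lvl}
        lvl = threshold.get(facility, threshold.get("*"))
        if lvl is not None and sev <= lvl:
            targets.append(action)
    return targets

RULES = parse_rules(SAMPLE_RULES)
```

For the "logger -p local0.info" test at the end of this tutorial, route(RULES, "local0", "info") returns only /var/log/messages, which is where the tutorial tells you to look.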
Configuring the init script
vi /etc/init.d/rsyslog
#!/bin/bash
#
# rsyslog        Starts rsyslogd/rklogd.
#
# chkconfig: 2345 12 88
# description: Syslog is the facility by which many daemons use to log \
# messages to various system log files.  It is a good idea to always \
# run rsyslog.
### BEGIN INIT INFO
# Provides: $syslog
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Enhanced system logging and kernel message trapping daemons
# Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
#              among others, MySQL, syslog/tcp, RFC 3195, permitted
#              sender lists, filtering on any message part, and fine
#              grain output format control.
### END INIT INFO

# Source function library.
. /etc/init.d/functions

RETVAL=0
PIDFILE=/var/run/syslogd.pid

prog=rsyslog
exec=/sbin/rsyslogd
lockfile=/var/lock/subsys/$prog

# Source config
if [ -f /etc/sysconfig/$prog ] ; then
    . /etc/sysconfig/$prog
fi

start() {
    [ -x $exec ] || exit 5

    umask 077

    echo -n $"Starting system logger: "
    daemon --pidfile="$PIDFILE" $exec -i "$PIDFILE" $SYSLOGD_OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $lockfile
    return $RETVAL
}

stop() {
    echo -n $"Shutting down system logger: "
    killproc -p "$PIDFILE" $exec
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    return $RETVAL
}

reload() {
    RETVAL=1
    syslog=$(cat "${PIDFILE}" 2>/dev/null)
    echo -n "Reloading system logger..."
    if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
        kill -HUP "$syslog"; RETVAL=$?
    fi
    if [ $RETVAL -ne 0 ]; then
        failure
    else
        success
    fi
    echo
    return $RETVAL
}

rhstatus() {
    status -p "$PIDFILE" $exec
}

restart() {
    stop
    start
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  reload|force-reload)
    reload
    ;;
  status)
    rhstatus
    ;;
  condrestart|try-restart)
    rhstatus >/dev/null 2>&1 || exit 0
    restart
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
    exit 2
esac
exit $?
Preparing the MySQL database
Installing MySQL is only required if you want to store syslog records in a database; otherwise skip this section.
mysql -u root -p < plugins/ommysql/createDB.sql
mysql -u root -p mysql
GRANT ALL ON Syslog.* TO rsyslog@localhost IDENTIFIED BY 'your-mysql-password';
flush privileges;
Configuring the Rsyslog daemon
echo 'SYSLOGD_OPTIONS="-c5"' > /etc/sysconfig/rsyslog
chmod 755 /etc/init.d/rsyslog
#########
# Warning! Run the following commands on CentOS 5.x ONLY
#########
chkconfig --add rsyslog
chkconfig rsyslog on
touch /etc/logrotate.d/syslog
chmod 644 /etc/logrotate.d/syslog
Rsyslog log rotation
vi /etc/logrotate.d/syslog
/var/log/boot.log /var/log/cron /var/log/maillog /var/log/messages /var/log/secure /var/log/spooler {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
Starting Rsyslog
chmod 644 /etc/rsyslog.conf
service rsyslog start
tail -f /var/log/messages
Testing Rsyslog
logger "this is a test message"
logger -p local0.info -t testtag "this is a test message"
Links
Iranian Honeynet Project: http://www.honeynet.ir/
Rsyslog project: http://www.rsyslog.com/
CentOS: http://www.centos.org/