Installing or Upgrading to the Latest Stable Version of Rsyslog on CentOS 5 and 6

This tutorial shows how to install a next-generation syslog server with Rsyslog on CentOS 5. It also shows how to upgrade the outdated Rsyslog 4.0 on CentOS 6. According to the Rsyslog website (www.rsyslog.com), Rsyslog is an enhanced syslogd supporting, among others, MySQL, PostgreSQL, failover log destinations, syslog/tcp, fine-grained output format control, high-precision timestamps, queued operations and the ability to filter on any message part. It is quite compatible with stock sysklogd and can be used as a drop-in replacement. Its advanced features make it suitable for enterprise-class, encryption-protected syslog relay chains while at the same time being very easy to set up for the novice user.

Objective

This tutorial describes how to compile and install the latest stable version of Rsyslog on CentOS 5.0 and CentOS 6.0. I do not guarantee that this will work for you!

Enable additional repositories (CentOS 5.x only)

If you are using CentOS 5.x, you need to enable an additional repository for packages that are not available in the regular CentOS repositories. You can enable this repository as follows:

Note: run the following commands on CentOS 5.x only

#########
# Warning! Run the following command on CentOS 5.x x86_64 ONLY
#########

wget http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

#########
# Warning! Run the following command on CentOS 5.x i386 ONLY
#########

wget http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm

#########
# Warning! Run the following command on both CentOS 5.x i386 and x86_64
#########

rpm -ivh epel-release-5-4.noarch.rpm

Enable additional repositories (CentOS 6.x only)

If you are using CentOS 6.x, you need to enable an additional repository for packages that are not available in the regular CentOS repositories. You can enable this repository as follows:

Note: run the following commands on CentOS 6.x only

#########
# Warning! Run the following command on CentOS 6.x x86_64 ONLY
#########

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-6.noarch.rpm

#########
# Warning! Run the following command on CentOS 6.x i386 ONLY
#########

wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-6.noarch.rpm

#########
# Warning! Run the following command on both CentOS 6.x i386 and x86_64
#########

rpm -ivh epel-release-6-6.noarch.rpm

Pre-installation (CentOS 5 and 6)

Install the required packages with YUM:

yum install gcc glibc-devel glibc-headers kernel-headers libgomp cpp glibc glibc-common libgcc nscd make 
yum install zlib zlib-devel pcre pcre-devel mysql-server mysql-devel gnutls gnutls-devel gnutls-utils
yum install libxml2-devel net-snmp net-snmp-devel net-snmp-libs net-snmp-perl net-snmp-utils libxml2
yum install libnet libnet-devel --disablerepo=* --enablerepo=epel

Usually CentOS installs all related packages, but in some cases you may also need the following packages:

yum install beecrypt beecrypt-devel e2fsprogs-devel 
yum install elfutils-devel elfutils-devel-static elfutils-libelf-devel elfutils-libelf-devel-static elfutils-libs
yum install keyutils-libs-devel krb5-devel libgcrypt-devel libgpg-error-devel libselinux-devel libsepol-devel
yum install lm_sensors lm_sensors-devel mysql nspr-devel nss-devel openssl-devel perl-DBD-MySQL perl-DBI rpm-devel sqlite-devel
yum install e2fsprogs e2fsprogs-libs krb5-libs krb5-workstation libgcrypt libselinux libselinux-python libselinux-utils
yum install nspr nss nss-tools openssl popt rpm rpm-libs rpm-python

Download additional packages (CentOS 5 and 6)

librelp (Reliable Event Logging Protocol library) is an easy-to-use library for the RELP protocol. RELP, in turn, provides reliable event logging over the network. RELP (and thus librelp) ensures that no message is lost, not even when a connection breaks and the peer becomes unavailable. Note that RELP is a general-purpose, extensible logging protocol. Even though it was designed to address the urgent need for rsyslog-to-rsyslog communication, RELP supports many more applications.

Note: if you are running a 64-bit system, add --libdir=/usr/lib64 to the end of each ./configure command below

cd /tmp
wget http://libestr.adiscon.com/files/download/libestr-0.1.2.tar.gz
tar -xvf libestr-0.1.2.tar.gz
cd libestr-0.1.2
./configure --prefix=/usr
make
make install

cd /tmp
wget http://www.libee.org/files/download/libee-0.4.1.tar.gz
tar -xvf libee-0.4.1.tar.gz
cd libee-0.4.1
./configure --prefix=/usr
make
make install

cd /tmp
wget http://download.rsyslog.com/librelp/librelp-1.0.0.tar.gz
tar -xvf librelp-1.0.0.tar.gz
cd librelp-1.0.0
./configure --prefix=/usr
make
make install

Download the Rsyslog package

At the time of writing this tutorial, I found rsyslog 5.8.12 to be the latest stable version of Rsyslog, and it supports most of the features you are likely to need.

cd /tmp
wget http://www.rsyslog.com/files/download/rsyslog/rsyslog-5.8.12.tar.gz
tar -xvf rsyslog-5.8.12.tar.gz
cd rsyslog-5.8.12

Compile and install Rsyslog

For more information on the options available in Rsyslog, you can run

./configure --help

The following command enables almost all rsyslog features, such as compression, multithreading, MySQL, SNMP, mail, RELP support, and so on.

./configure \
--prefix= --enable-regexp \
--enable-zlib --enable-pthreads --enable-klog \
--enable-inet --enable-unlimited-select --enable-debug --enable-rtinst \
--enable-memcheck --enable-diagtools --enable-mysql --enable-snmp \
--enable-gnutls --enable-rsyslogrt --enable-rsyslogd --enable-extended-tests \
--enable-mail --enable-valgrind --enable-relp --enable-testbench \
--enable-pmlastmsg --enable-imptcp --enable-omruleset \
--enable-imdiag --enable-imfile --enable-omstdout --enable-omdbalerting \
--enable-omuxsock --enable-imtemplate --enable-omtemplate --enable-omudpspoof \
--enable-omprog --enable-impstats --enable-mmsnmptrapd
make
make install

Note: --prefix= tells the system to install rsyslog into the /sbin folder (the init script below expects exec=/sbin/rsyslogd). This is very important on CentOS 6.0.

Post-installation

mkdir -p /etc/rsyslog.d/ 
mkdir -p /var/spool/rsyslog
chmod 755 /var/spool/rsyslog

#########
# Warning! Run the following commands on CentOS 5.x ONLY
#########

cp /etc/syslog.conf /etc/rsyslog.d/syslog.conf
rpm -ev --nodeps sysklogd
touch /etc/rsyslog.conf
chmod 644 /etc/rsyslog.conf

#########
# Warning! Run the following commands on CentOS 6.x ONLY
#########

cp /etc/rsyslog.conf /etc/rsyslog.d/syslog.conf
vi /etc/rsyslog.d/syslog.conf

#Open syslog.conf file and CUT ALL LINES BEFORE #### RULES #### AND AFTER ### begin forwarding rule ###

Using the new syntax exclusively is strongly recommended.
Change "*.emerg *" to "*.emerg :omusrmsg:*"

Rsyslog configuration

vi /etc/rsyslog.conf
#rsyslog v5 config file
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
#### MODULES ####
$ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)
$ModLoad immark.so     # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerAddress *
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp.so  
#$InputTCPServerRun 514
#$ModLoad imrelp.so
#$InputRELPServerRun 20514 
#$ModLoad ommail.so
#$ActionMailSMTPServer mail.example.net
#$ActionMailFrom rsyslog@example.net
#$ActionMailTo operator@example.net
#$ActionMailTo admin@example.net
#$template mailSubject,"disk problem on %hostname%"
#$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
#$ActionMailSubject mailSubject
#$ActionExecOnlyOnceEveryInterval 21600
#if $msg contains 'hard disk fatal failure' then :ommail:;mailBody
#### GLOBAL DIRECTIVES ####
$umask 0000
$DirCreateMode 0640
$FileCreateMode 0640
$RepeatedMsgReduction on
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList      
$ActionQueueFileName queue       
$ActionResumeRetryCount -1       
$ActionQueueSaveOnShutdown on
$MainMsgQueueMaxFileSize 100M  
$ActionQueueMaxFileSize 5M     
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required, 
# not useful and an extreme performance hit
#$ActionFileEnableSync on
#### START OF RULES ####
$IncludeConfig /etc/rsyslog.d/*.conf
#### END OF RULES ####
#### Forward via TCP with maximum compression: ####
#$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
#*.*       @@(z9)192.168.x.x:514
#### Forward via UDP with maximum compression: ####
#$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
#*.*       @(z9)192.168.x.x:514
#### Forward via RELP Protocol : ####
#$ModLoad omrelp.so
#*.*      :omrelp:192.168.x.x:20514
#$ModLoad ommysql.so
#*.*      :ommysql:127.0.0.1,Syslog,rsyslog,your-mysql-password

vi /etc/rsyslog.d/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg 						:omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

Configure the init script

vi /etc/init.d/rsyslog
#!/bin/bash
#
# rsyslog        Starts rsyslogd/rklogd.
#
# chkconfig: 2345 12 88
# description: Syslog is the facility by which many daemons use to log \
# messages to various system log files.  It is a good idea to always \
# run rsyslog.
### BEGIN INIT INFO
# Provides: $syslog
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start:  2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Enhanced system logging and kernel message trapping daemons
# Description: Rsyslog is an enhanced multi-threaded syslogd supporting, 
#              among others, MySQL, syslog/tcp, RFC 3195, permitted 
#              sender lists, filtering on any message part, and fine 
#              grain output format control.
### END INIT INFO
# Source function library.
. /etc/init.d/functions
RETVAL=0
PIDFILE=/var/run/syslogd.pid
prog=rsyslog
exec=/sbin/rsyslogd
lockfile=/var/lock/subsys/$prog
# Source config
if [ -f /etc/sysconfig/$prog ] ; then
    . /etc/sysconfig/$prog
fi
start() {
        [ -x $exec ] || exit 5
        umask 077
        echo -n $"Starting system logger: "
        daemon --pidfile="$PIDFILE" $exec -i "$PIDFILE" $SYSLOGD_OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch $lockfile
        return $RETVAL
}
stop() {
        echo -n $"Shutting down system logger: "
        killproc -p "$PIDFILE" $exec
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f $lockfile
        return $RETVAL
}
reload()  {
    RETVAL=1
    syslog=$(cat "${PIDFILE}" 2>/dev/null)
    echo -n "Reloading system logger..."
    if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
        kill -HUP "$syslog";
        RETVAL=$?
    fi
    if [ $RETVAL -ne 0 ]; then
        failure
    else
        success
    fi
    echo
    return $RETVAL
}
rhstatus() {
        status -p "$PIDFILE" $exec
}
restart() {
        stop
        start
}
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  reload|force-reload)
        reload
        ;;
  status)
        rhstatus
        ;;
  condrestart|try-restart)
        rhstatus >/dev/null 2>&1 || exit 0
        restart
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
        exit 2
esac
exit $?

Prepare the MySQL database

Installing MySQL is required only if you want to save syslog records to a database; otherwise skip this section.

mysql -u root -p < plugins/ommysql/createDB.sql
mysql -u root -p mysql
GRANT ALL ON Syslog.* TO rsyslog@localhost IDENTIFIED BY 'your-mysql-password';
flush privileges;

Configure the Rsyslog daemon

echo 'SYSLOGD_OPTIONS="-c5"' > /etc/sysconfig/rsyslog
chmod 755 /etc/init.d/rsyslog

#########
# Warning! Run the following commands on CentOS 5.x ONLY
#########

chkconfig --add rsyslog
chkconfig rsyslog on
touch /etc/logrotate.d/syslog
chmod 644 /etc/logrotate.d/syslog

Rsyslog log rotation

vi /etc/logrotate.d/syslog
/var/log/boot.log
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

Start Rsyslog

chmod 644 /etc/rsyslog.conf
service rsyslog start
tail -f /var/log/messages

Test Rsyslog

logger "this is a test message" 
logger -p local0.info -t testtag "this is a test message"
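As an added example (not part of the original tutorial), the following Python evaluator implements the legacy facility.priority selector syntax used in the /etc/rsyslog.d/syslog.conf rules above, so you can predict where each test message lands before tailing the log: the default logger message (user.notice) and the local0.info test both go to /var/log/messages, while authpriv messages reach only /var/log/secure because of authpriv.none. The embedded rules text is a constructed copy of the tutorial's rules, and the function names are mine.

```python
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]

# Constructed copy of the rules in /etc/rsyslog.d/syslog.conf from the tutorial above.
SAMPLE_RULES = """
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
"""

def _levels(spec):
    """Numeric levels covered by a priority spec: 'info' = info and more severe, '=info' = info only."""
    spec = ALIASES.get(spec, spec)
    if spec == "*":
        return set(range(len(PRIORITIES)))
    if spec.startswith("="):
        return {PRIORITIES.index(spec[1:])}
    return set(range(PRIORITIES.index(spec) + 1))

def parse_rules(text):
    """Parse selector lines into (facility -> allowed levels, action) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        mask = {fac: set() for fac in FACILITIES}
        for part in selector.split(";"):
            facs, pri = part.rsplit(".", 1)
            for fac in (FACILITIES if facs == "*" else facs.split(",")):
                if pri == "none":  # drop this facility from the selector entirely
                    mask[fac] = set()
                elif pri.startswith("!"):  # '!err' removes err and more severe, '!=err' only err
                    mask[fac] -= _levels(pri[1:])
                else:
                    mask[fac] |= _levels(pri)
        rules.append((mask, action.lstrip("-")))  # leading '-' only disables sync, same target
    return rules

def route(rules, facility, priority):
    """Actions a facility.priority message would reach, in configuration order."""
    level = PRIORITIES.index(ALIASES.get(priority, priority))
    return [action for mask, action in rules if level in mask[facility]]
```

Call route(parse_rules(SAMPLE_RULES), "local0", "info") to see the destinations of the second logger test; paste your own rules into SAMPLE_RULES to check a modified configuration.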

Links

Iranian Honeynet Project: http://www.honeynet.ir/
Rsyslog project: http://www.rsyslog.com/
CentOS: http://www.centos.org/
