Installing a full-featured Rsyslog 5.7.x on CentOS 5.x
This tutorial describes how to set up a next-generation syslog server with Rsyslog. According to the Rsyslog website (www.rsyslog.com), Rsyslog is an enhanced syslogd supporting, among others, MySQL, PostgreSQL, failover log destinations, syslog/tcp, fine-grained output format control, high-precision timestamps, queued operations and the ability to filter on any message part. It is quite compatible with stock sysklogd and can be used as a drop-in replacement. Its advanced features make it suitable for enterprise-class, encryption-protected syslog relay chains, while at the same time being very easy to set up for the novice user.
Goals
This tutorial describes how to compile and install a full-featured Rsyslog 5.7.9 on a CentOS 5.5 server. I do not guarantee that this will work for you!
Pre-installation
First we need to install the following packages:
yum install -y pcre pcre-devel mysql-server mysql-devel gnutls gnutls-devel gnutls-utils net-snmp net-snmp-devel net-snmp-libs net-snmp-perl net-snmp-utils libnet libnet-devel
Download the additional packages:
Three libraries are built from source below: libestr, libee and librelp. librelp (Reliable Event Logging Protocol library) is an easy-to-use library for the RELP protocol. RELP, in turn, provides reliable event logging over the network. RELP (and thus librelp) ensures that no message is lost, not even when connections break and a peer becomes unavailable. Note that RELP is a general-purpose, extensible logging protocol. Although it was designed to address the pressing needs of rsyslog-to-rsyslog communication, RELP supports many more applications.
cd /tmp
wget -O libestr-0.1.0.tar.gz http://sourceforge.net/projects/libestr/files/libestr-0.1.0.tar.gz/download
tar -xvf libestr-0.1.0.tar.gz
cd libestr-0.1.0
./configure --prefix=/usr
make
make install
cd /tmp
wget http://www.libee.org/files/download/libee-0.1.0.tar.gz
tar -xvf libee-0.1.0.tar.gz
cd libee-0.1.0
./configure --prefix=/usr
make
make install
cd /tmp
wget http://honeynet.ir/software/rsyslog/librelp-1.0.0.tar.gz
tar -xvf librelp-1.0.0.tar.gz
cd librelp-1.0.0
./configure --prefix=/usr
make
make install
Download the Rsyslog package:
At the time of writing, I found rsyslog 5.7.9 to be the best Rsyslog release; it supports most of the features you are likely to need.
cd /tmp
wget http://www.rsyslog.com/files/download/rsyslog/rsyslog-5.7.9.tar.gz
tar -xvf rsyslog-5.7.9.tar.gz
cd rsyslog-5.7.9
Compile and install Rsyslog:
For more information about the options available in Rsyslog, run ./configure --help.
The following command enables most rsyslog features, such as compression, multithreading, MySQL, SNMP, mail and RELP support. No --prefix is given, so rsyslogd is installed as /usr/local/sbin/rsyslogd, which is the path the init script below expects.
./configure --enable-regexp --enable-zlib --enable-pthreads --enable-klog --enable-inet --enable-unlimited-select --enable-debug --enable-rtinst --enable-memcheck --enable-diagtools --enable-mysql --enable-snmp --enable-gnutls --enable-rsyslogrt --enable-rsyslogd --enable-extended-tests --enable-mail --enable-imptcp --enable-omruleset --enable-valgrind --enable-imdiag --enable-relp --enable-testbench --enable-imfile --enable-omstdout --enable-omdbalerting --enable-omuxsock --enable-imtemplate --enable-omtemplate --enable-pmlastmsg --enable-omudpspoof --enable-omprog --enable-impstats
make
make install
Prepare the MySQL database:
Installing MySQL is only required if you want to store syslog records in a database; otherwise skip this section.
mysql -u root -p < plugins/ommysql/createDB.sql
Then, in the MySQL client, grant the rsyslog user access to the Syslog database that createDB.sql created:
mysql -u root -p mysql
GRANT ALL ON Syslog.* TO rsyslog@localhost IDENTIFIED BY 'your-mysql-password';
FLUSH PRIVILEGES;
Configure the init script
vi /etc/init.d/rsyslog
#!/bin/bash
#
# rsyslog        Starts rsyslogd/rklogd.
#
#
# chkconfig: - 12 88
# description: Syslog is the facility by which many daemons use to log \
# messages to various system log files.  It is a good idea to always \
# run rsyslog.
### BEGIN INIT INFO
# Provides: $syslog
# Required-Start: $local_fs $network $remote_fs
# Required-Stop: $local_fs $network $remote_fs
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: Enhanced system logging and kernel message trapping daemons
# Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
#              among others, MySQL, syslog/tcp, RFC 3195, permitted
#              sender lists, filtering on any message part, and fine
#              grain output format control.
### END INIT INFO

# Source function library.
. /etc/init.d/functions

RETVAL=0

start() {
    [ -x /usr/local/sbin/rsyslogd ] || exit 5
    #[ -x /usr/local/sbin/rklogd ] || exit 5

    # Do not start rsyslog when sysklogd is running
    if [ -e /var/run/syslogd.pid ] ; then
        echo $"Shut down sysklogd before you run rsyslog"; exit 1;
    fi

    # Source config
    if [ -f /etc/sysconfig/rsyslog ] ; then
        . /etc/sysconfig/rsyslog
    else
        #SYSLOGD_OPTIONS="-c3"
        SYSLOGD_OPTIONS="-c5"
        #KLOGD_OPTIONS="-2"
    fi

    if [ -z "$SYSLOG_UMASK" ] ; then
        SYSLOG_UMASK=077;
    fi
    umask $SYSLOG_UMASK

    echo -n $"Starting system logger: "
    daemon /usr/local/sbin/rsyslogd $SYSLOGD_OPTIONS
    RETVAL=$?
    echo
    #echo -n $"Starting kernel logger: "
    #daemon rklogd $KLOGD_OPTIONS
    #echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/rsyslog
    return $RETVAL
}

stop() {
    #echo -n $"Shutting down kernel logger: "
    #killproc rklogd
    #echo
    echo -n $"Shutting down system logger: "
    killproc rsyslogd
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/rsyslog
    return $RETVAL
}

reload() {
    RETVAL=1
    syslog=`cat /var/run/rsyslogd.pid 2>/dev/null`
    echo -n "Reloading system logger..."
    if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
        kill -HUP "$syslog";
        RETVAL=$?
    fi
    if [ $RETVAL -ne 0 ]; then
        failure
    else
        success
    fi
    echo
    # The kernel logger block below is disabled, so RETVAL must keep the result
    # of the rsyslogd reload; resetting it to 1 here would always report failure.
    #RETVAL=1
    #echo -n "Reloading kernel logger..."
    #klog=`cat /var/run/rklogd.pid 2>/dev/null`
    #if [ -n "${klog}" ] && [ -e /proc/"${klog}" ]; then
    #    kill -USR2 "$klog";
    #    RETVAL=$?
    #fi
    #if [ $RETVAL -ne 0 ]; then
    #    failure
    #else
    #    success
    #fi
    #echo
    return $RETVAL
}

rhstatus() {
    status rsyslogd
    #status rklogd
}

restart() {
    stop
    start
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  reload|force-reload)
    reload
    ;;
  status)
    rhstatus
    ;;
  condrestart)
    [ -f /var/lock/subsys/rsyslog ] && restart || :
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|reload|force-reload|condrestart}"
    exit 2
esac

exit $?
Note: make sure that SYSLOGD_OPTIONS="-c5" is set!
Configure syslog and Rsyslog:
service syslog stop
chkconfig syslog off
chmod 755 /etc/init.d/rsyslog
chkconfig --add rsyslog
chkconfig rsyslog on
The init script can be downloaded from the Iranian Honeynet Project - Rsyslog page.
Rsyslog configuration
The configuration below enables a number of the features described on the Rsyslog.com website.
vi /etc/rsyslog.conf
# Input Modules -----------------------------------This line is comment
#--------------------------------------------------This line is comment
$ModLoad impstats.so
$PStatsInterval 300
syslog.info /var/log/rsyslog-stats
#--------------------------------------------------This line is comment
$ModLoad immark.so    # provides --MARK-- message capability
$ModLoad imuxsock.so  # provides support for local system logging (via logger command)
$ModLoad imklog.so    # provides kernel logging support (previously done by rklogd)
#--------------------------------------------------This line is comment
$ModLoad imudp.so     # provides UDP syslog reception
$UDPServerAddress *   # all local interfaces
$UDPServerRun 514     # start UDP server (log server receiver)
#--------------------------------------------------This line is comment
$ModLoad imtcp.so     # provides TCP syslog reception and GSS-API (if compiled)
$InputTCPServerRun 514 # start TCP server (log server receiver)
#--------------------------------------------------This line is comment
$ModLoad imrelp.so    # RELP input
$InputRELPServerRun 20514 # start RELP Protocol
#--------------------------------------------------This line is comment
$ModLoad imfile.so    # Text file input
$InputFileName /var/log/i-am-a-text-file.log
$InputFileTag my-text-file:
$InputFileStateFile stat-file1
$InputFileSeverity error
$InputFileFacility local7
$InputFilePollInterval 10 # check for new lines every 10 seconds
$InputRunFileMonitor
#--------------------------------------------------This line is comment
#$ModLoad imgssapi.so # Plain TCP and GSSAPI
#$ModLoad im3195.so   # Messages via RFC 3195

# Output Modules ----------------------------------This line is comment
#--------------------------------------------------This line is comment
$ModLoad omsnmp.so    # Send SNMP traps
#$actionsnmptransport udp
#$actionsnmptarget 192.168.x.x
#$actionsnmptargetport 162
#$actionsnmpversion 1
#$actionsnmpcommunity public
#*.* :omsnmp:
#--------------------------------------------------This line is comment
$ModLoad ommysql.so   # Log to MySQL
#$ModLoad ompgsql.so  # Log to PostgreSQL
#--------------------------------------------------This line is comment
$ModLoad ommail.so    # Send mail
#$ActionMailSMTPServer mail.example.net
#$ActionMailFrom rsyslog@example.net
#$ActionMailTo operator@example.net
#$ActionMailTo admin@example.net
#$template mailSubject,"disk problem on %hostname%"
#$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
#$ActionMailSubject mailSubject
#$ActionExecOnlyOnceEveryInterval 21600
#if $msg contains 'hard disk fatal failure' then :ommail:;mailBody
#--------------------------------------------------This line is comment
$ModLoad omrelp.so    # Send to another host via RELP
#$ModLoad omlibdbi.so # Log via generic DB output
#$ModLoad omgss.so    # GSS enabled output

# Globals -----------------------------------------This line is comment
$umask 0000
$DirCreateMode 0750   # directories need the execute bit to be traversable
$FileCreateMode 0640
$RepeatedMsgReduction on
$WorkDirectory /var/log/rsyslog # default location for work (spool) files
$ActionQueueType LinkedList     # use asynchronous processing
$ActionQueueFileName queue      # set file name, also enables disk mode
$ActionResumeRetryCount -1      # infinite retries on insert failure
$ActionQueueSaveOnShutdown on   # save in-memory data if rsyslog shuts down
$MainMsgQueueMaxFileSize 100M
$ActionQueueMaxFileSize 5M
#--------------------------------------------------This line is comment
# Below find some samples of what a template can do. Have a good
# time finding out what they do [or just run them] ;)

# A template that resembles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

# a template useful for debugging format issues
$template DEBUG,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n"

# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space between syslogtag and msg! that's important!)
$template RFC3164fmt,"%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"

# a template resembling traditional wallmessage format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"

# The template below emulates winsyslog format, but we need to check the time
# stamps used. for now, it is good enough ;) This format works best with
# other members of the MonitorWare product family. It is also a good sample
# where you can see the property replacer in action.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"

# A template used for database writing (notice it *is* an actual
# sql-statement):
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql

$template FileFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
$template ForwardFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"

# Selector lines are somewhat different from stock syslogd. With
# rsyslog, you can add a semicolon ";" after the target and then
# the template name. That will assign this template to the respective
# action. If no template name is given, a hardcoded template is used.
# If a template name is given, but the template was not defined, the
# selector line is DEACTIVATED.
#--------------------------------------------------------------------
#--------------------------------------------------This line is comment
# Forward via TCP with maximum compression:
#$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
#*.* @@(z9)192.168.x.x:514
# Forward via UDP with maximum compression:
#$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
#*.* @(z9)192.168.x.x:514
# Forward via RELP Protocol :
#*.* :omrelp:192.168.2.4:20514;TraditionalFormat
# Store all log files in MySQL DB :
#*.* :ommysql:127.0.0.1,Syslog,rsyslog,your-mysql-password
#--------------------------------------------------This line is comment
#--------------------------------------------------This line is comment
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console;TraditionalFileFormat

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log
#--------------------------------------------------This line is comment
$IncludeConfig /etc/rsyslog.d/*.conf
#--------------------------------------------------This line is comment
# if message contains 'network error' then run the restart-network.sh shell script!!!
#:msg, contains, "network error" ^/root/restart-network.sh
Important: for more information, see Rsyslog.com.
The Rsyslog configuration file can be downloaded from the Iranian Honeynet Project - Rsyslog page.
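The configuration comments above note that a selector line whose ";template" suffix names a template that was never defined is silently deactivated, which means those logs quietly stop being written. The following checker is an added example, not part of the tutorial or of the Rsyslog project: a POSIX sh/awk script that reports such references in a legacy-format rsyslog.conf, run here against a constructed sample config (it assumes templates must be defined before use, and that the built-in RSYSLOG_* templates need no definition).

```shell
#!/bin/sh
# Added example (not from the tutorial): find selector lines that reference a
# template rsyslog never saw defined. rsyslog silently DEACTIVATES such lines.
# Assumption: legacy-format config, templates defined before their first use.

# Constructed sample config; the real target is /etc/rsyslog.conf.
write_sample_conf() {
  cat > "$1" <<'EOF'
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
$template dbFormat,"insert into SystemEvents (Message) values ('%msg%')",sql
*.* :omrelp:192.168.2.4:20514;TraditionalFormat
*.* :ommysql:127.0.0.1,Syslog,rsyslog,your-mysql-password;dbFormat
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure;SecureFormat
#kern.* /dev/console;TraditionalFileFormat
EOF
}

# Prints "<line>: <template>" for every unresolved reference.
# Returns 0 when all references resolve, 1 otherwise.
check_templates() {
  awk '
    BEGIN { bad = 0 }
    /^[ \t]*#/ { next }                      # comment line
    /^[$]template[ \t]/ {                    # $template NAME,"..."
      name = $2; sub(/,.*/, "", name); defined[name] = 1; next
    }
    /^[ \t]*[$]/ { next }                    # any other $directive
    NF >= 2 && $NF ~ /;/ {                   # action field carries ;TEMPLATE
      n = split($NF, parts, ";"); tmpl = parts[n]
      if (tmpl != "" && tmpl !~ /^RSYSLOG_/ && !(tmpl in defined)) {
        print NR ": " tmpl; bad = 1
      }
    }
    END { exit bad }
  ' "$1"
}

# Stand-alone demonstration on the constructed sample.
conf=$(mktemp)
write_sample_conf "$conf"
check_templates "$conf" || echo "define the template(s) above before (re)starting rsyslog"
rm -f "$conf"
```

On the sample the script reports "6: SecureFormat" and exits non-zero; run check_templates /etc/rsyslog.conf before service rsyslog start to catch the same mistake in the real file.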
Start Rsyslog
chmod 640 /etc/rsyslog.conf
service rsyslog start
tail -f /var/log/messages
Test Rsyslog
logger "this is a test message"
logger -p local0.info -t testtag "this is a test message"
Links
Iranian Honeynet Project: http://www.honeynet.ir/
Rsyslog project: http://www.rsyslog.com/
CentOS: http://www.centos.org/