5.3. syslog input configuration
1. Receiving local syslog messages
1.1. logstash configuration
# The # character at the beginning of a line indicates a comment. Use
# comments to describe your configuration.
input {
    stdin {}
    syslog {
        port => "514"
    }
}
# The filter part of this file is commented out to indicate that it is
# optional.
# filter {
#
# }
output {
    stdout {}
    stdout { codec => rubydebug }
}
Add a syslog block to the input section and set its port to 514, the default port of the syslog protocol. Because 514 is a privileged port, logstash must run as root or with CAP_NET_BIND_SERVICE to bind it. The output section prints every event twice, once as a plain line and once with the rubydebug codec, which is the form shown in section 3.
1.2. Configuring rsyslogd
The rsyslogd configuration file is /etc/rsyslog.conf; its default contents are as follows:
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
Add the following directive at the end of the configuration file:
*.* @@10.130.203.4:514
Points to note:
- "@@" must be preceded by a TAB character [whether this is mandatory has not been verified]
- Immediately after "@@" comes the IP address of the current server, here 10.130.203.4; it can also be set to 127.0.0.1 to mean the local host. "@@" forwards over TCP (a single "@" would use UDP); the logstash syslog input listens on both.
- After ":" comes the port on which logstash listens for syslog messages, here 514.
1.3. Restart rsyslogd
service rsyslog restart
1.4. Run logstash
Start logstash with the following command:
./logstash -f /etc/logstash/conf.d/test_syslog_1.conf
1.5. Testing log collection with the logger command
1.6. Testing log collection with telnet
2. Receiving remote syslog messages
For example, to configure a syslog client on server 10.130.203.5 that forwards its logs to server 10.130.203.4:
2.1. Server-side configuration
On server 10.130.203.4, configure logstash to receive syslog as described in 1.1 for local syslog. Note that rsyslog forwards over plain TCP with no authentication, so any host that can reach port 514 on 10.130.203.4 can inject events that logstash will accept as syslog; restrict the port to the expected client addresses with a firewall rule.
2.2. Client-side configuration
Append the following to /etc/rsyslog.conf on server 10.130.203.5:
*.* @@10.130.203.4:514
- Restart the syslog service on server 10.130.203.5:
service rsyslog restart
2.3. Testing log collection with logger
2.4. Testing log collection with telnet
3. Sample data
secure log:
Jul 25 09:22:09 t0-security-tdas02 sshd[13903]: Accepted password for root from 10.136.17.21 port 50153 ssh2
Jul 25 09:22:09 t0-security-tdas02 sshd[13903]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 25 09:24:54 t0-security-tdas02 sshd[13903]: pam_unix(sshd:session): session closed for user root
Jul 25 13:03:56 t0-security-tdas02 sshd[15185]: Received disconnect from 10.135.52.138: 11: disconnected by user
Jul 25 13:03:56 t0-security-tdas02 sshd[15185]: pam_unix(sshd:session): session closed for user root
Jul 25 13:03:56 t0-security-tdas02 sshd[14990]: Received disconnect from 10.135.52.138: 11: disconnected by user
Jul 25 13:03:56 t0-security-tdas02 sshd[14990]: pam_unix(sshd:session): session closed for user root
Jul 26 14:41:58 t0-security-tdas02 sshd[24520]: Accepted password for root from 10.135.52.138 port 53759 ssh2
Jul 26 14:41:58 t0-security-tdas02 sshd[24520]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 26 14:59:15 t0-security-tdas02 sshd[24520]: Received disconnect from 10.135.52.138: 11: disconnected by user
Jul 26 14:59:15 t0-security-tdas02 sshd[24520]: pam_unix(sshd:session): session closed for user root
Jul 26 17:23:28 t0-security-tdas02 sshd[28496]: Accepted password for root from 10.135.52.137 port 43502 ssh2
Jul 26 17:23:28 t0-security-tdas02 sshd[28496]: pam_unix(sshd:session): session opened for user root by (uid=0)
messages log:
Jul 26 14:01:01 t0-security-tdas02 systemd: Starting user-0.slice.
Jul 26 14:01:01 t0-security-tdas02 systemd: Started Session 154 of user root.
Jul 26 14:01:01 t0-security-tdas02 systemd: Starting Session 154 of user root.
Jul 26 14:01:01 t0-security-tdas02 systemd: Removed slice user-0.slice.
Jul 26 14:01:01 t0-security-tdas02 systemd: Stopping user-0.slice.
Jul 26 14:41:58 t0-security-tdas02 systemd: Created slice user-0.slice.
Jul 26 14:41:58 t0-security-tdas02 systemd: Starting user-0.slice.
Jul 26 14:41:58 t0-security-tdas02 systemd-logind: New session 155 of user root.
Jul 26 14:41:58 t0-security-tdas02 systemd: Started Session 155 of user root.
Jul 26 14:41:58 t0-security-tdas02 systemd: Starting Session 155 of user root.
Jul 26 14:42:47 t0-security-tdas02 yum[24561]: Installed: ftp-0.17-66.el7.x86_64
Jul 26 14:59:15 t0-security-tdas02 systemd-logind: Removed session 155.
Jul 26 14:59:15 t0-security-tdas02 systemd: Removed slice user-0.slice.
Jul 26 14:59:15 t0-security-tdas02 systemd: Stopping user-0.slice.
Jul 26 15:01:01 t0-security-tdas02 systemd: Created slice user-0.slice.
Jul 26 15:01:01 t0-security-tdas02 systemd: Starting user-0.slice.
Jul 26 15:01:01 t0-security-tdas02 systemd: Started Session 156 of user root.
Jul 26 15:01:01 t0-security-tdas02 systemd: Starting Session 156 of user root.
Jul 26 15:01:01 t0-security-tdas02 systemd: Removed slice user-0.slice.
Jul 26 15:01:01 t0-security-tdas02 systemd: Stopping user-0.slice.
Jul 26 16:01:01 t0-security-tdas02 systemd: Created slice user-0.slice.
Jul 26 16:01:01 t0-security-tdas02 systemd: Starting user-0.slice.
Jul 26 16:01:01 t0-security-tdas02 systemd: Started Session 157 of user root.
Jul 26 16:01:01 t0-security-tdas02 systemd: Starting Session 157 of user root.
Jul 26 16:01:01 t0-security-tdas02 systemd: Removed slice user-0.slice.
Jul 26 16:01:01 t0-security-tdas02 systemd: Stopping user-0.slice.
Jul 26 17:01:01 t0-security-tdas02 systemd: Created slice user-0.slice.
Jul 26 17:01:01 t0-security-tdas02 systemd: Starting user-0.slice.
Jul 26 17:01:01 t0-security-tdas02 systemd: Started Session 158 of user root.
Jul 26 17:01:01 t0-security-tdas02 systemd: Starting Session 158 of user root.
Jul 26 17:01:01 t0-security-tdas02 systemd: Removed slice user-0.slice.
Jul 26 17:01:01 t0-security-tdas02 systemd: Stopping user-0.slice.
Jul 26 17:23:28 t0-security-tdas02 systemd: Created slice user-0.slice.
Jul 26 17:23:28 t0-security-tdas02 systemd: Starting user-0.slice.
Jul 26 17:23:28 t0-security-tdas02 systemd: Started Session 159 of user root.
Jul 26 17:23:28 t0-security-tdas02 systemd-logind: New session 159 of user root.
Jul 26 17:23:28 t0-security-tdas02 systemd: Starting Session 159 of user root.
Jul 26 17:23:32 t0-security-tdas02 root: 1111
logstash output:
{
"message" => "Accepted password for root from 10.135.52.137 port 43502 ssh2\n",
"@version" => "1",
"@timestamp" => "2016-07-26T09:23:28.000Z",
"host" => "10.130.203.5",
"priority" => 86,
"timestamp" => "Jul 26 17:23:28",
"logsource" => "t0-security-tdas02",
"program" => "sshd",
"pid" => "28496",
"severity" => 6,
"facility" => 10,
"facility_label" => "security/authorization",
"severity_label" => "Informational"
}
{
"message" => "Created slice user-0.slice.\n",
"@version" => "1",
"@timestamp" => "2016-07-26T09:23:28.000Z",
"host" => "10.130.203.5",
"priority" => 30,
"timestamp" => "Jul 26 17:23:28",
"logsource" => "t0-security-tdas02",
"program" => "systemd",
"severity" => 6,
"facility" => 3,
"facility_label" => "system",
"severity_label" => "Informational"
}
{
"message" => "Starting user-0.slice.\n",
"@version" => "1",
"@timestamp" => "2016-07-26T09:23:28.000Z",
"host" => "10.130.203.5",
"priority" => 30,
"timestamp" => "Jul 26 17:23:28",
"logsource" => "t0-security-tdas02",
"program" => "systemd",
"severity" => 6,
"facility" => 3,
"facility_label" => "system",
"severity_label" => "Informational"
}
{
"message" => "Started Session 159 of user root.\n",
"@version" => "1",
"@timestamp" => "2016-07-26T09:23:28.000Z",
"host" => "10.130.203.5",
"priority" => 30,
"timestamp" => "Jul 26 17:23:28",
"logsource" => "t0-security-tdas02",
"program" => "systemd",
"severity" => 6,
"facility" => 3,
"facility_label" => "system",
"severity_label" => "Informational"
}
{
"message" => "New session 159 of user root.\n",
"@version" => "1",
"@timestamp" => "2016-07-26T09:23:28.000Z",
"host" => "10.130.203.5",
"priority" => 38,
"timestamp" => "Jul 26 17:23:28",
"logsource" => "t0-security-tdas02",
"program" => "systemd-logind",
"severity" => 6,
"facility" => 4,
"facility_label" => "security/authorization",
"severity_label" => "Informational"
}
{
"message" => "Starting Session 159 of user root.\n",
"@version" => "1",
"@timestamp" => "2016-07-26T09:23:28.000Z",
"host" => "10.130.203.5",
"priority" => 30,
"timestamp" => "Jul 26 17:23:28",
"logsource" => "t0-security-tdas02",
"program" => "systemd",
"severity" => 6,
"facility" => 3,
"facility_label" => "system",
"severity_label" => "Informational"
}
{
"message" => "pam_unix(sshd:session): session opened for user root by (uid=0)\n",
"@version" => "1",
"@timestamp" => "2016-07-26T09:23:28.000Z",
"host" => "10.130.203.5",
"priority" => 86,
"timestamp" => "Jul 26 17:23:28",
"logsource" => "t0-security-tdas02",
"program" => "sshd",
"pid" => "28496",
"severity" => 6,
"facility" => 10,
"facility_label" => "security/authorization",
"severity_label" => "Informational"
}
2016-07-26T09:23:32.000Z 10.130.203.5 1111
{
"message" => "1111\n",
"@version" => "1",
"@timestamp" => "2016-07-26T09:23:32.000Z",
"host" => "10.130.203.5",
"priority" => 13,
"timestamp" => "Jul 26 17:23:32",
"logsource" => "t0-security-tdas02",
"program" => "root",
"severity" => 5,
"facility" => 1,
"facility_label" => "user-level",
"severity_label" => "Notice"
}
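The raw line that the telnet test in 1.6 and 2.4 types into port 514, and the fields logstash derives from it in the output above, can be reproduced in a small script. This is an added example, not logstash's or rsyslog's own code: build_syslog_line assembles the BSD-format line rsyslog forwards, and parse_syslog_line decodes the <PRI> prefix into the priority, facility, severity and label fields seen above (function names chosen here); it does not set @timestamp or host, which logstash takes from the parsed timestamp and the sender's address.

```python
import re

# Facility (codes 0..23) and severity (codes 0..7) labels in the order the
# logstash syslog input assigns them; the page's output uses these names.
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "UUCP", "clock",
    "security/authorization", "FTP", "NTP", "log audit", "log alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error",
                   "Warning", "Notice", "Informational", "Debug"]
# BSD syslog line as rsyslog forwards it: <PRI>TIMESTAMP HOST TAG[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<message>.*)$", re.S)


def build_syslog_line(facility, severity, timestamp, host, program, message, pid=None):
    """Build the raw line a client (or the telnet test) sends to logstash on port 514."""
    pri = facility * 8 + severity                 # PRI = facility * 8 + severity
    tag = f"{program}[{pid}]" if pid else program
    return f"<{pri}>{timestamp} {host} {tag}: {message}"


def parse_syslog_line(line):
    """Decode one raw syslog line into the fields shown in the logstash output above."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None   # not a BSD syslog line; logstash tags these _grokparsefailure_sysloginput
    pri = int(m.group("pri"))
    if pri > 191:     # 23 * 8 + 7 is the largest valid PRI; anything above is malformed
        return None
    facility, severity = pri >> 3, pri & 7        # inverse of facility * 8 + severity
    event = {
        "message": m.group("message"),            # logstash keeps the trailing "\n"; stripped here
        "priority": pri,
        "timestamp": m.group("timestamp"),
        "logsource": m.group("logsource"),
        "program": m.group("program"),
        "severity": severity,
        "facility": facility,
        "facility_label": FACILITY_LABELS[facility],
        "severity_label": SEVERITY_LABELS[severity],
    }
    if m.group("pid"):
        event["pid"] = m.group("pid")
    return event
```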