How To Centralize Logs with journald on Debian 10


Introduction

System logs are an extremely important component of managing Linux systems. They provide an invaluable insight into how the systems are working and also how they are being used because, in addition to errors, they record operational information such as security events. The standard configuration for Linux systems is to store their logs locally on the same system where they occurred. This works for standalone systems but quickly becomes a problem as the number of systems increases. The solution to managing all these logs is to create a centralized logging server where each Linux host sends its logs, in real-time, to a dedicated log management server.


A centralized logging solution offers several benefits compared with storing logs on each host:


  • Reduces the amount of disk space needed on each host to store log files.
  • Logs can be retained for longer as the dedicated log server can be configured with more storage capacity.
  • Advanced log analysis can be carried out that requires logs from multiple systems and also more compute resources than may be available on the hosts.
  • Systems administrators can access the logs for all their systems that they may not be able to log in to directly for security reasons.

In this guide, you will configure a component of the systemd suite of tools to relay log messages from client systems to a centralized log collection server. You will configure the server and client to use TLS certificates to encrypt the log messages as they are transmitted across insecure networks such as the internet and also to authenticate each other.


Prerequisites

Before you begin this guide you’ll need the following:


  • Two Debian 10 servers.
  • A non-root user with sudo privileges on both servers. Follow the Initial Server Setup with Debian 10 guide for instructions on how to do this. You should also configure the UFW firewall on both servers as explained in the guide.
  • Two hostnames that point to your servers. One hostname for the client system that generates the logs and another one for the log collection server. Learn how to point hostnames to DigitalOcean Droplets by consulting the Domains and DNS documentation.

This guide will use the following two example hostnames:


  • client.your_domain: The client system that generates the logs.
  • server.your_domain: The log collection server.

Log in to both the client and server in separate terminals via SSH as the non-root sudo user to begin this tutorial.


Note: Throughout the tutorial, command blocks are labeled with the server name (client or server) that the command should be run on.


Step 1 — Installing systemd-journal-remote

In this step, you will install the systemd-journal-remote package on the client and the server. This package contains the components that the client and server use to relay log messages.


First, on both the client and server, run a system update to ensure that the package database and the system is current:


Client and Server
  • sudo apt update
  • sudo apt upgrade

Next, install the systemd-journal-remote package:


Client and Server
  • sudo apt install systemd-journal-remote

On the server, enable and start the two systemd components that it needs to receive log messages with the following command:


Server
  • sudo systemctl enable --now systemd-journal-remote.socket
  • sudo systemctl enable systemd-journal-remote.service

The --now option in the first command starts the services immediately. You did not use it in the second command because this service will not start until it has TLS certificates, which you will create in the next step.


On the client, enable the component that systemd uses to send the log messages to the server:


Client
  • sudo systemctl enable systemd-journal-upload.service

Next, on the server, open ports 19532 and 80 in the UFW firewall. This will allow the server to receive the log messages from the client. Port 80 is the port that certbot will use to generate the TLS certificate. The following commands will open these ports:


Server
  • sudo ufw allow in 19532/tcp
  • sudo ufw allow in 80/tcp

On the client, you only need to open port 80 with this command:


Client
  • sudo ufw allow in 80/tcp

You have now installed the required components and completed the base system configuration on the client and server. Before you can configure these components to start relaying log messages, you will register the Let’s Encrypt TLS certificates for the client and server using the certbot utility.


Step 2 — Installing Certbot and Registering Certificates

Let’s Encrypt is a Certificate Authority that issues free TLS certificates. These certificates allow computers to both encrypt the data that they send between them and also verify each other’s identity. These certificates are what allow you to secure your internet browsing with HTTPS. The same certificates can be used by any other application that wants the same level of security. The process of registering the certificate is the same no matter what you use them for.


In this step, you will install the certbot utility and use it to register the certificates. It will also automatically take care of renewing the certificates when they expire. The registration process here is the same on the client and server. You only need to change the hostname to match the host where you are running the registration command.


First, install certbot and the curl utility on both hosts:


Client and Server
  • sudo apt install certbot curl

Now that you’ve installed certbot, run the following command to register the certificates on the client and server:


Client and Server
  • sudo certbot certonly --standalone --agree-tos --email sammy@your_domain -d your_domain

The options in this command mean as follows:


  • certonly: Register the certificate and make no other changes on the system.
  • --standalone: Use certbot’s built-in web server to verify the certificate request.
  • --agree-tos: Automatically agree to the Let’s Encrypt Terms of Service.
  • --email your-email: This is the email address that Let’s Encrypt will use to notify you about certificate expiry and other important information.
  • -d your_domain: The hostname that the certificate will be registered for. This must match the system where you run it.

When you run this command you will be asked if you want to share the email address with Let’s Encrypt so they can email you news and other information about their work. Doing this is optional; if you do not share your email address the certificate registration will still complete normally.


When the certificate registration process completes it will place the certificate and key files in /etc/letsencrypt/live/your_domain/ where your_domain is the hostname that you registered the certificate for.


Finally, you need to download a copy of the Let’s Encrypt CA and intermediate certificates and put them into the same file. journald will use this file to verify the authenticity of the certificates on the client and server when they communicate with each other.


The following command will download the two certificates from the Let’s Encrypt website and put them into a single file called letsencrypt-combined-certs.pem in your user’s home directory.


Run this command on the client and server to download the certificates and create the combined file:


Client and Server
  • curl -s https://letsencrypt.org/certs/{isrgrootx1.pem.txt,letsencryptauthorityx3.pem.txt} > ~/letsencrypt-combined-certs.pem

Next, copy this file into the Let’s Encrypt directory containing the certificates and keys:


Client and Server
  • sudo cp ~/letsencrypt-combined-certs.pem /etc/letsencrypt/live/your_domain/

You’ve now registered the certificates and keys. In the next step, you will configure the log collection server to start listening for and storing log messages from the client.


Step 3 — Configuring the Server

In this step, you will configure the server to use the certificate and key files that you generated in the last step so that it can start accepting log messages from the client.


systemd-journal-remote is the component that listens for log messages. Open its configuration file at /etc/systemd/journal-remote.conf with a text editor to start configuring it on the server:


  • sudo nano /etc/systemd/journal-remote.conf

Next, uncomment all the lines under the [Remote] section and set the paths to point to the TLS files you just created:


/etc/systemd/journal-remote.conf
[Remote]
Seal=false
SplitMode=host
ServerKeyFile=/etc/letsencrypt/live/server.your_domain/privkey.pem
ServerCertificateFile=/etc/letsencrypt/live/server.your_domain/fullchain.pem
TrustedCertificateFile=/etc/letsencrypt/live/server.your_domain/letsencrypt-combined-certs.pem

Here are the options you’ve used:


  • Seal=false: Controls whether the log data in the journal is sealed (signed). Enable this if you need maximum security; otherwise, you can leave it as false.
  • SplitMode=host: The logs from the remote clients will be split by host in /var/log/journal/remote. If you would prefer all the logs to be added to a single file, set this to SplitMode=false.
  • ServerKeyFile: The server’s private key file.
  • ServerCertificateFile: The server’s certificate file.
  • TrustedCertificateFile: The file containing the Let’s Encrypt CA certificates.

Now, you need to change the permissions on the Let’s Encrypt directories that contain the certificates and key so that systemd-journal-remote can read and use them.


First, change the permissions so that the certificate and private key are readable:


  • sudo chmod 0755 /etc/letsencrypt/{live,archive}
  • sudo chmod 0640 /etc/letsencrypt/live/server.your_domain/privkey.pem

Next, change the group ownership of the private key to systemd-journal-remote’s group:


  • sudo chgrp systemd-journal-remote /etc/letsencrypt/live/server.your_domain/privkey.pem

You can now start systemd-journal-remote:


  • sudo systemctl start systemd-journal-remote.service

Your log collection server is now running and ready to start accepting log messages from a client. In the next step, you will configure the client to relay the logs to your collection server.


Step 4 — Configuring the Client

In this step, you will configure the component that relays the log messages to the log collection server. This component is called systemd-journal-upload.


The default configuration for systemd-journal-upload is that it uses a temporary user that only exists while the process is running. This makes allowing systemd-journal-upload to read the TLS certificates and keys more complicated. To resolve this you will create a new system user with the same name as the temporary user that will get used in its place.


First, create the new user called systemd-journal-upload on the client with the following adduser command:


  • sudo adduser --system --home /run/systemd --no-create-home --disabled-login --group systemd-journal-upload

These options to the command are:


  • --system: Create the new user as a system user. This gives the user a UID (User Identifier) number under 1000. UIDs over 1000 are usually given to user accounts that a human will use to log in with.
  • --home /run/systemd: Set /run/systemd as the home directory for this user.
  • --no-create-home: Don’t create the home directory, as it already exists.
  • --disabled-login: The user cannot log in to the server via, for example, SSH.
  • --group: Create a group with the same name as the user.

Next, set the permissions and ownership of the Let’s Encrypt certificate files:


  • sudo chmod 0755 /etc/letsencrypt/{live,archive}
  • sudo chmod 0640 /etc/letsencrypt/live/client.your_domain/privkey.pem
  • sudo chgrp systemd-journal-upload /etc/letsencrypt/live/client.your_domain/privkey.pem
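The permission changes in Step 3 and Step 4 are the part of this setup most easily undone (for example by a later key rotation), and they are what keep the private key out of reach of every other process on the host. As an added example that is not part of the original tutorial, the POSIX shell script below audits a certbot-style /etc/letsencrypt tree against exactly those settings and can re-apply them; the function names, the ROOT/LINEAGE/GROUP arguments and the live-symlink-into-archive layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit (and optionally re-apply)
# the Let's Encrypt file permissions that Steps 3 and 4 prescribe, so that
# privkey.pem is readable by root and the relay group only (group
# systemd-journal-remote on the server, systemd-journal-upload on the client).
# Assumed layout (certbot's usual one): ROOT/live/<lineage>/privkey.pem is a
# symlink into ROOT/archive/<lineage>/. Function names are this example's own.

# check_journal_key_perms ROOT LINEAGE GROUP
# Returns 0 when the layout matches the tutorial, 1 with a reason otherwise.
check_journal_key_perms() {
    root=$1; lineage=$2; group=$3
    key="$root/live/$lineage/privkey.pem"
    [ -e "$key" ] || { echo "missing: $key"; return 1; }

    # live/ and archive/ must be traversable (0755) so that a non-root
    # service can follow the privkey.pem symlink into archive/.
    for d in "$root/live" "$root/archive"; do
        mode=$(stat -c '%a' "$d")
        [ "$mode" = "755" ] || { echo "$d is mode $mode, expected 755"; return 1; }
    done

    # stat -L inspects the real key file in archive/, not the symlink.
    mode=$(stat -L -c '%a' "$key")
    grp=$(stat -L -c '%G' "$key")
    [ "$mode" = "640" ] || { echo "$key is mode $mode, expected 640"; return 1; }
    [ "$grp" = "$group" ] || { echo "$key group is $grp, expected $group"; return 1; }
    return 0
}

# fix_journal_key_perms ROOT LINEAGE GROUP
# The same chmod/chgrp sequence the tutorial runs; both commands follow the
# symlink, so the file in archive/ is what actually changes.
fix_journal_key_perms() {
    root=$1; lineage=$2; group=$3
    chmod 0755 "$root/live" "$root/archive" &&
        chmod 0640 "$root/live/$lineage/privkey.pem" &&
        chgrp "$group" "$root/live/$lineage/privkey.pem"
}

# Optional entry point for a real host, e.g. as root on the server:
#   sh journal-key-perms.sh /etc/letsencrypt server.your_domain systemd-journal-remote
if [ $# -ge 3 ]; then
    fix_journal_key_perms "$1" "$2" "$3" && check_journal_key_perms "$1" "$2" "$3"
fi
```

Running the check alone (for example from a cron job) gives a quick way to notice when the key has become world-readable or has lost its group after a certificate renewal.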

Now, edit the configuration for systemd-journal-upload, which is at /etc/systemd/journal-upload.conf. Open this file with a text editor:


  • sudo nano /etc/systemd/journal-upload.conf

Edit this file so that it looks like the following:


/etc/systemd/journal-upload.conf
[Upload]
URL=https://server.your_domain:19532
ServerKeyFile=/etc/letsencrypt/live/client.your_domain/privkey.pem
ServerCertificateFile=/etc/letsencrypt/live/client.your_domain/fullchain.pem
TrustedCertificateFile=/etc/letsencrypt/live/client.your_domain/letsencrypt-combined-certs.pem

Finally, restart the systemd-journal-upload service so it uses the new configuration:


  • sudo systemctl restart systemd-journal-upload.service

Your client is now set up and running and is sending its log messages to the log collection server. In the next step, you will check that the logs are being sent and recorded correctly.


Step 5 — Testing the Client and Server

In this step, you will test that the client is relaying log messages to the server and that the server is storing them correctly.


The log collection server stores the logs from the clients in a directory at /var/log/journal/remote/. When you restarted the client at the end of the last step it began sending log messages so there is now a log file in /var/log/journal/remote/. The file will be named after the hostname you used for the TLS certificate.


Use the ls command to check that the client’s log file is present on the server:


Server
  • sudo ls -la /var/log/journal/remote/

This will print the directory contents showing the log file:

Output
total 16620
drwxr-xr-x  2 systemd-journal-remote systemd-journal-remote    4096 Jun 30 16:17 .
drwxr-sr-x+ 4 root                   systemd-journal           4096 Jun 30 15:55 ..
-rw-r-----  1 systemd-journal-remote systemd-journal-remote 8388608 Jul  1 10:46 'remote-CN=client.your_domain'

Next, write a log message on the client to check that the server is receiving the client’s messages as you expect. You will use the logger utility to create a custom log message on the client. If everything is working systemd-journal-upload will relay this message to the server.


On the client run the following logger command:


Client
  • sudo logger -p syslog.debug "### TEST MESSAGE from client.your_domain ###"

The -p syslog.debug in this command sets the facility and severity of the message. Setting this to syslog.debug will make clear it’s a test message. This command will record the message ### TEST MESSAGE from client.your_domain ### to the client’s journal, which systemd-journal-upload then relays to the server.


Next, read the client’s journal file on the server to check that the log messages are arriving from the client. This file is a binary log file so you will not be able to read it with tools like less. Instead, read the file using journalctl with the --file= option that allows you to specify a custom journal file:


Server
  • sudo journalctl --file=/var/log/journal/remote/remote-CN=client.your_domain.journal

The log message will appear as follows:

Test log message
. . . Jun 29 13:10:09 client root[3576]: ### TEST MESSAGE from client.your_domain ###

Your log centralization server is now successfully collecting logs from your client system.


Conclusion

In this article, you set up a central log collection server and configured a client to relay a copy of its system logs to the server. You can configure as many clients as you need to relay messages to the log collection server by repeating the client configuration steps you used here.


Translated from: https://www.digitalocean.com/community/tutorials/how-to-centralize-logs-with-journald-on-debian-10
