Preface
On Linux systems, rsyslog is commonly used as the logging daemon. Its full name is "rocket-fast system for log"; it offers high performance, security features and a modular design, accepts logs from a wide range of sources and writes them to many kinds of destinations. rsyslog can carry logs over several protocols, such as UDP and TCP, and can also encrypt the transport, for example with TLS.
This article describes how to set up an rsyslog remote log server on CentOS.
I. Setting up the TCP and UDP environment
1. Make sure the server and the client can reach each other over the network
Run ping from the server to the client and from the client to the server; both directions must succeed.
2. Configure /etc/rsyslog.conf
2.1 Enable the TCP/UDP listeners in rsyslog
$ModLoad imudp and $ModLoad imtcp control whether the UDP and TCP listeners are loaded.
$UDPServerRun and $InputTCPServerRun set the UDP and TCP listening ports.
2.2 Set where log messages are stored and how the files are named
The $template directive named Remote defines the directory in which log files are stored and the template for the file name. In detail:
$template Remote,"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
Remote is the template name and can be chosen freely.
"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log" specifies where remote logs are stored: "%fromhost-ip%" is the client's IP address, and "%$YEAR%-%$MONTH%-%$DAY%" is the date (year, month and day) on which the remote log arrived. The template therefore stores remote logs under /var/log/remote_syslog, creating a separate directory for each client IP and a separate log file for each IP and day.
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
This property-based filter applies the Remote template, as a dynamic file name, to every message whose source IP is not 127.0.0.1, i.e. to all logs received from remote hosts.
2.3 Customise the format of received logs
Optional; in most cases the default template is sufficient.
rsyslog can control the format in which received remote messages are written. If nothing is configured, rsyslog's built-in default template is used.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
- Comment out the rsyslog default shown above
- Define a custom template for remote logs with the $template directive
$template myFormat,"%timegenerated% %FROMHOST-IP% %syslogtag% %msg%\n"
%timegenerated%: time the message was generated (the timestamp rsyslog assigns when it receives the message)
%FROMHOST-IP%: IP address of the host the message came from
%syslogtag%: the service (syslog tag) that produced the message
%msg%: the message text
Note:
If you only want to store the raw content of remote logs, use the following template instead:
$template myFormat,"%syslogtag% %msg%\n"
- Apply the custom template
$ActionFileDefaultTemplate myFormat
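As an added example (not part of the original post), the Remote template from 2.2 and the custom format from 2.3 can be combined in a drop-in file so that the custom format applies only to the remote-log action rather than to every local file through $ActionFileDefaultTemplate. The file name remote.conf is assumed; the ";myFormat" suffix, the "& stop" line and the permission directives are rsyslog legacy-syntax features added here.

```rsyslog
# /etc/rsyslog.d/remote.conf   (assumed file name; picked up by $IncludeConfig)

# Where remote messages are stored: one directory per client IP address and
# one file per client IP and day. The template name "Remote" is arbitrary.
$template Remote,"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"

# Line format for the remote-log files only (property names are case-insensitive).
$template myFormat,"%timegenerated% %FROMHOST-IP% %syslogtag% %msg%\n"

# Directories and files created for remote logs should not be world-readable.
$DirCreateMode 0750
$FileCreateMode 0640

# Property-based filter: every message whose source IP is not the local host.
#   ?Remote    dynamic file name taken from template Remote
#   ;myFormat  output template bound to this action only, so local files such
#              as /var/log/messages keep whatever $ActionFileDefaultTemplate says
:fromhost-ip, !isequal, "127.0.0.1" ?Remote;myFormat

# "&" repeats the filter of the previous line; "stop" discards the message
# afterwards, so remote logs are not duplicated into the local rule set
# (e.g. *.info ... /var/log/messages) that follows in /etc/rsyslog.conf.
& stop
```

In the stock CentOS rsyslog.conf, $IncludeConfig /etc/rsyslog.d/*.conf sits in the GLOBAL DIRECTIVES section before #### RULES ####, so this drop-in is evaluated before the local rules and the "& stop" line takes effect.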
3. Stop the firewall service
On the log server, run the following commands:
systemctl stop firewalld
setenforce 0
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
4. Restart rsyslog and check the service
systemctl restart rsyslog   restarts the rsyslog service
systemctl status rsyslog    shows the current status of the rsyslog service
5. Configure the log client
On the log client (the server that sends the logs), configure the IP address, port and protocol of the remote log server set up above.
6. Check what rsyslog is currently listening on
On the log server, run the following command:
netstat -pan | grep syslog
This shows the sockets syslog is listening on.
7. Check the received log files and their content
II. Setting up the TLS environment
TLS is an encrypted transport protocol that runs on top of TCP; it can be used with one-way (server-only) authentication or mutual (two-way) authentication.
1. Set up the server as described in the previous chapter
2. Which certificates are used
Certificates used on the client (the sending side):
Certificate | One-way authentication | Mutual authentication
---|---|---
Root (CA) certificate | Y | Y
Local certificate | N | Y
Private key | N | Y
Certificates used on the server (the receiving side):
Certificate | One-way authentication | Mutual authentication
---|---|---
Root (CA) certificate | Y | Y
Local certificate | Y | Y
Private key | Y | Y
3. Reference the certificates in /etc/rsyslog.conf and make sure the TCP listener is enabled
The TCP listener here is written in the module() syntax recommended by newer rsyslog versions.
3.1 One-way authentication
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /var/log/certtool/cacert.pem
$DefaultNetstreamDriverCertFile /var/log/certtool/cert.pem
$DefaultNetstreamDriverKeyFile /var/log/certtool/key.pem
# load TCP listener
module(
load="imtcp"
#StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.Authmode="anon"
)
$InputTCPServerRun 514
3.2 Mutual authentication
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /var/log/certtool/cacert.pem
$DefaultNetstreamDriverCertFile /var/log/certtool/cert.pem
$DefaultNetstreamDriverKeyFile /var/log/certtool/key.pem
# load TCP listener
module(
load="imtcp"
#StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.Authmode="x509/certvalid"
)
$InputTCPServerRun 514
The only difference between the one-way and the mutual configuration is the "StreamDriver.Authmode" setting: "anon" does not authenticate the connecting client, while "x509/certvalid" requires the client to present a certificate that validates against the configured CA file.
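The post leaves the client side unspecified, both for the plain TCP/UDP setup of chapter I (step 5) and for TLS in this chapter. The following client drop-in is an added example, not taken from the post: the collector address 192.0.2.10 and the file name forward.conf are placeholders, the client authmodes are assumed to mirror the server modes shown above, and the $ActionSendStreamDriver* directives are rsyslog legacy syntax.

```rsyslog
# /etc/rsyslog.d/forward.conf on the sending host (assumed file name).
# 192.0.2.10 is a placeholder for the log server's IP address.

# --- Variant A: plain TCP, for the setup in chapter I ---------------------
# Queue parameters apply to the action that follows them: spool to disk while
# the collector is unreachable and keep the spool across restarts.
$ActionQueueType LinkedList
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
# "@@" sends over TCP; a single "@" would send over UDP, which gives no
# delivery guarantee.
*.* @@192.0.2.10:514

# --- Variant B: TLS, one-way authentication (server side uses "anon") -----
# Per the table above the client needs only the CA certificate. Uncomment
# these lines and comment out the TCP action of variant A.
#$DefaultNetstreamDriver gtls
#$DefaultNetstreamDriverCAFile /var/log/certtool/cacert.pem
#$ActionSendStreamDriverMode 1
#$ActionSendStreamDriverAuthMode anon
#*.* @@192.0.2.10:514
# Note: with "anon" the client encrypts but does not validate the server's
# certificate; "x509/certvalid" makes it check the certificate against the
# CA file, and "x509/name" additionally checks the name given in
# $ActionSendStreamDriverPermittedPeer.

# --- Variant C: TLS, mutual authentication (server side uses "x509/certvalid") ---
# The client presents its own certificate and key as well.
#$DefaultNetstreamDriver gtls
#$DefaultNetstreamDriverCAFile /var/log/certtool/cacert.pem
#$DefaultNetstreamDriverCertFile /var/log/certtool/cert.pem
#$DefaultNetstreamDriverKeyFile /var/log/certtool/key.pem
#$ActionSendStreamDriverMode 1
#$ActionSendStreamDriverAuthMode x509/certvalid
#*.* @@192.0.2.10:514
```

$ActionSendStreamDriverMode 1 means TLS is required for the action; only one of the three "*.* @@" actions should be active at a time.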
III. Complete conf files for each protocol
1. TCP/UDP
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
$EscapeControlCharactersOnReceive off
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
$template Remote,"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
# ### end of the forwarding rule ###
2. TLS
2.1 One-way authentication
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
#$DefaultNetstreamDriverCAFile /var/syslog/tls/cacert.pem
#$DefaultNetstreamDriverCertFile /var/syslog/tls/server/cert.pem
#$DefaultNetstreamDriverKeyFile /var/syslog/tls/server/key.pem
$DefaultNetstreamDriverCAFile /var/log/certtool/cacert.pem
$DefaultNetstreamDriverCertFile /var/log/certtool/cert.pem
$DefaultNetstreamDriverKeyFile /var/log/certtool/key.pem
# load TCP listener
module(
load="imtcp"
#StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.Authmode="anon"
)
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
$EscapeControlCharactersOnReceive off
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
$template Remote,"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
# ### end of the forwarding rule ###
2.2 Mutual authentication
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
#$DefaultNetstreamDriverCAFile /var/syslog/tls/cacert.pem
#$DefaultNetstreamDriverCertFile /var/syslog/tls/server/cert.pem
#$DefaultNetstreamDriverKeyFile /var/syslog/tls/server/key.pem
$DefaultNetstreamDriverCAFile /var/log/certtool/cacert.pem
$DefaultNetstreamDriverCertFile /var/log/certtool/cert.pem
$DefaultNetstreamDriverKeyFile /var/log/certtool/key.pem
# load TCP listener
module(
load="imtcp"
#StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.Authmode="x509/certvalid"
)
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
$EscapeControlCharactersOnReceive off
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
$template Remote,"/var/log/remote_syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
# ### end of the forwarding rule ###