The rsyslog logging service is a very fast log processing system that receives, processes and forwards system logs based on the syslog protocol. It offers high performance, strong security features and a modular design, with the following characteristics:
- High performance: rsyslog uses an efficient threading model and asynchronous processing, so it can handle large volumes of log data quickly and reliably, reaching millions of messages per second.
- Flexible and powerful: rsyslog supports many input and output modules and integrates with a wide range of devices and systems, for example syslog, TCP, UDP and TLS. It also supports many filtering and processing rules, so how logs are stored, forwarded and processed can be tailored to your needs.
- Extensibility: rsyslog is highly extensible and can be customised or extended with plugins to meet the log-management needs of different scenarios.
- Security: rsyslog supports encrypted transport and authentication mechanisms to protect the confidentiality and integrity of log data.
In addition, rsyslog collects logs but does not produce them. It can write logs to a variety of databases, such as MySQL, PostgreSQL, MongoDB and ElasticSearch. On Linux, rsyslog records two classes of logs: klogd (kernel-related logs) and syslogd (application logs).
In short, rsyslog is a powerful log-management system that is widely used on Linux to process, forward and store all kinds of log data.
Environment
Redhat 1 192.168.200.133
Redhat 2 192.168.200.129
Steps
Deploy the rsyslog service
After deployment, check that logs are already being recorded
Then forward Redhat 2's logs to Redhat 1 and verify that they arrive
[root@admin ~]# hostnamectl hostname redhat1
[root@admin ~]# bash
[root@redhat1 ~]#
[root@redhat1 ~]# systemctl status rsyslog.service
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
Active: active (running) since Thu 2024-05-02 12:52:52 CST; 14min ago
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Main PID: 857 (rsyslogd)
Tasks: 3 (limit: 10804)
Memory: 2.4M
CPU: 150ms
CGroup: /system.slice/rsyslog.service
└─857 /usr/sbin/rsyslogd -n
5月 02 12:52:52 admin systemd[1]: Starting System Logging Service...
5月 02 12:52:52 admin systemd[1]: Started System Logging Service.
5月 02 12:52:52 admin rsyslogd[857]: [origin software="rsyslogd" swVersion="8.2102.0-111.el9" x-pid="857" x-info="https://www.rsyslog.com"] start
5月 02 12:52:53 admin rsyslogd[857]: imjournal: journal files changed, reloading... [v8.2102.0-111.el9 try https://www.rsyslog.com/e/0 ]
[root@redhat1 ~]# systemctl stop firewalld.service
[root@redhat1 ~]# systemctl disable firewalld.service
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
[root@redhat1 ~]# setenforce 0
[root@redhat1 ~]#
[root@static ~]# hostnamectl hostname redhat2
[root@static ~]# bash
[root@redhat2 ~]# systemctl stop firewalld
[root@redhat2 ~]# systemctl disable firewalld
[root@redhat2 ~]# setenforce 0
setenforce: SELinux is disabled
[root@redhat2 ~]# systemctl status rsyslog.service
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
Active: active (running) since Thu 2024-05-02 12:53:38 CST; 15min ago
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Main PID: 1003 (rsyslogd)
Tasks: 3 (limit: 48630)
Memory: 2.7M
CPU: 239ms
CGroup: /system.slice/rsyslog.service
└─1003 /usr/sbin/rsyslogd -n
5月 02 12:53:38 static systemd[1]: Starting System Logging Service...
5月 02 12:53:38 static rsyslogd[1003]: [origin software="rsyslogd" swVersion="8.2102.0-111.el9" x-pid="1003" x-info="https://www.rsyslog.com"] st>
5月 02 12:53:38 static systemd[1]: Started System Logging Service.
5月 02 12:53:38 static rsyslogd[1003]: imjournal: journal files changed, reloading... [v8.2102.0-111.el9 try https://www.rsyslog.com/e/0 ]
Connect to Redhat 2 over ssh and check whether the login is recorded in the log file
[root@redhat1 ~]# ssh root@192.168.200.129
The authenticity of host '192.168.200.129 (192.168.200.129)' can't be established.
ED25519 key fingerprint is SHA256:AW6CbI38rOspHzJ9HwZlKrdMF7grkizUFrHF4loe1DU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.200.129' (ED25519) to the list of known hosts.
root@192.168.200.129's password:
Web console: https://static.localdomain:9090/ or https://192.168.200.129:9090/
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Thu May 2 12:54:16 2024 from 192.168.200.1
[root@redhat2 ~]#
[root@redhat2 ~]# tail -f /var/log/secure
May 2 12:53:49 static gdm-password][2688]: gkr-pam: stashed password to try later in open session
May 2 12:53:50 static gdm-password][2688]: pam_unix(gdm-password:session): session opened for user root(uid=0) by (uid=0)
May 2 12:53:50 static gdm-password][2688]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
May 2 12:53:51 static polkitd[1002]: Registered Authentication Agent for unix-session:4 (system bus name :1.71 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8)
May 2 12:53:54 static gdm-launch-environment][1365]: pam_unix(gdm-launch-environment:session): session closed for user gdm
May 2 12:53:54 static polkitd[1002]: Unregistered Authentication Agent for unix-session:c1 (system bus name :1.30, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
May 2 12:54:16 static sshd[3488]: Accepted password for root from 192.168.200.1 port 5236 ssh2
May 2 12:54:16 static sshd[3488]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
May 2 13:11:54 static sshd[3752]: Accepted password for root from 192.168.200.133 port 51610 ssh2 // the login from Redhat 1's IP is recorded
May 2 13:11:54 static sshd[3752]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Forward Redhat 2's logs to Redhat 1 and verify
Edit the configuration file on Redhat 1
[root@redhat1 ~]# vim /etc/rsyslog.conf
module(load="imudp") # needs to be done just once // uncomment
input(type="imudp" port="514") // uncomment

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once // uncomment
input(type="imtcp" port="514") // uncomment
[root@redhat1 ~]# systemctl restart rsyslog.service
[root@redhat1 ~]#
Edit the configuration file on Redhat 2
[root@redhat2 ~]# vim /etc/rsyslog.conf
module(load="imudp") # needs to be done just once // uncomment
input(type="imudp" port="514") // uncomment

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once // uncomment
input(type="imtcp" port="514") // uncomment
# The authpriv file has restricted access.
authpriv.* @192.168.200.133 // put Redhat 1's IP address here
[root@redhat2 ~]# systemctl restart rsyslog.service
Test and verify
Log out and log back in
[root@redhat2 ~]# exit
注销
Connection to 192.168.200.129 closed.
[root@redhat1 ~]# ssh root@192.168.200.129
root@192.168.200.129's password:
Web console: https://static.localdomain:9090/ or https://192.168.200.129:9090/
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Thu May 2 13:11:54 2024 from 192.168.200.133
[root@redhat2 ~]#
# Open another window on Redhat 1 and check that the log file now contains Redhat 2's entries
[root@redhat1 ~]# tail -f /var/log/secure
May 2 12:53:35 admin sshd[2275]: Accepted password for root from 192.168.200.1 port 5215 ssh2
May 2 12:53:35 admin systemd[2282]: pam_unix(systemd-user:session): session opened for user root(uid=0) by (uid=0)
May 2 12:53:35 admin sshd[2275]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
May 2 13:14:01 admin sshd[2523]: Accepted password for root from 192.168.200.1 port 5801 ssh2
May 2 13:14:01 admin sshd[2523]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
May 2 13:22:15 redhat2 sshd[3754]: Received disconnect from 192.168.200.133 port 51610:11: disconnected by user
May 2 13:22:15 redhat2 sshd[3754]: Disconnected from user root 192.168.200.133 port 51610
May 2 13:22:15 redhat2 sshd[3752]: pam_unix(sshd:session): session closed for user root
May 2 13:22:35 redhat2 sshd[3926]: Accepted password for root from 192.168.200.133 port 54072 ssh2
May 2 13:22:35 redhat2 sshd[3926]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0) // redhat2's log entries are now visible
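The rule `authpriv.* @192.168.200.133` sends each matching line to the collector as a plain UDP datagram in RFC 3164 format (`<PRI>TIMESTAMP HOSTNAME TAG: MSG`, with PRI = facility * 8 + severity, and authpriv = facility 10). The following is an added example, not code from the page or from rsyslog: it builds such a datagram for the sshd line seen above, decodes it, checks it against the classic selector syntax, and does a loopback send/receive so the wire format can be inspected offline; the facility table is the RFC 3164 subset needed here.

```python
"""RFC 3164 syslog over UDP, as the rule `authpriv.* @192.168.200.133` forwards it.
Added example, not part of the original page; facility codes follow RFC 3164."""
import re
import socket
from datetime import datetime

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)$")


def build_message(facility, severity, host, tag, msg, when: datetime) -> bytes:
    """<PRI>TIMESTAMP HOSTNAME TAG: MSG, with PRI = facility * 8 + severity."""
    pri = FACILITIES[facility] * 8 + SEVERITIES.index(severity)
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded, as in /var/log/secure
    return f"<{pri}>{stamp} {host} {tag}: {msg}".encode()


def parse_message(datagram: bytes) -> dict:
    """Split the header and decode PRI back into facility/severity names."""
    m = _LINE_RE.match(datagram.decode(errors="replace"))
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    fac_code, sev_code = divmod(int(m.group(1)), 8)
    return {"facility": FACILITY_NAMES.get(fac_code, str(fac_code)),
            "severity": SEVERITIES[sev_code], "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}


def matches_selector(parsed: dict, selector: str = "authpriv.*") -> bool:
    """Classic selector semantics: facility must match; a severity means 'this or worse'."""
    fac, sev = selector.split(".", 1)
    if fac != "*" and parsed["facility"] != fac:
        return False
    return sev == "*" or SEVERITIES.index(parsed["severity"]) <= SEVERITIES.index(sev)


def send_and_receive_locally(datagram: bytes) -> dict:
    """Loopback round trip so the example runs offline; an imudp listener on
    192.168.200.133:514 would receive exactly this datagram from the sender."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))  # ephemeral port; binding 514 needs root
    rx.settimeout(2)
    with rx, socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(datagram, rx.getsockname())
        data, _ = rx.recvfrom(4096)
    return parse_message(data)
```

Because the single `@` form is UDP, nothing in this datagram is encrypted or authenticated on the wire; rsyslog's TLS transport mentioned in the introduction is what protects it between hosts.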