How to Create a Centralized Log Server with Rsyslog in CentOS/RHEL 7


In order for a system administrator to identify or troubleshoot a problem on a CentOS 7 or RHEL 7 system, they need to know and inspect the events that happened on the system during a specific period of time, from the log files stored on the system in the /var/log/ directory.

A syslog server on a Linux machine can act as a central monitoring point on a network, to which all servers, network devices, routers, switches and most of their internal services that generate logs, whether related to a specific internal issue or just informational messages, can send their logs.

On CentOS/RHEL 7 systems, the Rsyslog daemon is the main log server that comes pre-installed, followed by the Systemd Journal Daemon (journald).

The Rsyslog server is built on a client/server architecture and can fulfil both roles at the same time. It can run as a server and collect all the logs transmitted by other devices on the network, or it can run as a client by sending all the internal system events it logs to a remote endpoint syslog server.

When rsyslog is configured as a client, the logs can be stored locally in files on the local file system, or they can be sent to a remote server instead of being written to files on the machine, or the event log files can be written locally and sent to a remote syslog server at the same time.

The syslog server processes every log message using the following scheme:

type (facility).priority (severity)  destination(where to send the log)

A. The facility, or type, of the message is represented by the internal system process that generated the message. On Linux, the internal processes (facilities) that generate logs are standardized as follows:

  • auth = messages generated by authentication processes (login).
  • authpriv = like auth, but for messages that should be readable only by privileged users (this facility is used in a template example further below).
  • cron = messages generated by the scheduled tasks daemon (crontab).
  • daemon = messages generated by daemons (internal services).
  • kern = messages generated by the Linux Kernel itself.
  • mail = messages generated by a mail server.
  • syslog = messages generated by the rsyslog daemon itself.
  • lpr = messages generated by local printers or a print server.
  • local0 – local7 = custom messages defined by an administrator (local7 is usually assigned to Cisco or Windows devices).

B. The priority (severity) levels are standardized. Each priority is assigned a standard abbreviation and a number, as described below. The number expresses how serious the condition is: 0 (emerg) is the most severe and 7 (debug) the least severe. A selector such as mail.err therefore matches messages of the named priority and of every more severe one (err, crit, alert, emerg).

  • emerg = Emergency – 0
  • alert = Alert – 1
  • crit = Critical – 2
  • err = Errors – 3
  • warning = Warning – 4
  • notice = Notice – 5
  • info = Information – 6
  • debug = Debugging – 7

Special Rsyslog keywords:

  • * = all facilities or priorities
  • none = the facility is given no priority at all, i.e. it is excluded. Example: mail.none

C. The third part of the syslog scheme is represented by the destination directive. The Rsyslog daemon can send the log messages to be written to a file on the local file system (most often a file in the /var/log/ directory), pipe them to another local process, send them to a local user console (stdout), send them to a remote syslog server over the TCP or UDP protocol, or even discard them by sending them to /dev/null.
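The facility.priority pair described above travels on the wire as a single number, the PRI, which is what you see in raw packets when you capture port 514 traffic on the central server. The following shell script is a worked example added here and is not part of the original article: it encodes a facility/severity pair into a PRI, decodes a PRI back into names, and parses constructed sample lines (the first adapted from the RFC 3164 example message). The facility and severity tables follow rsyslog's own keywords; the labels used for the rarely seen facility codes 12 to 15 are the RFC 5424 names and are a choice made here.

```sh
#!/bin/sh
# Added example (not part of the original article): encode and decode the
# numeric PRI value that carries the facility.priority pair on the wire.
# Every syslog datagram a client emits starts with "<PRI>", where
# PRI = facility * 8 + severity (RFC 3164 / RFC 5424).

# Facilities in numeric order 0..23. rsyslog spells the kernel facility
# "kern"; codes 12-15 are labelled with their RFC 5424 names (a choice here).
FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp \
ntp logaudit logalert clock local0 local1 local2 local3 local4 local5 local6 local7"
# Severities in numeric order 0..7 (0 is the most severe).
SEVERITIES="emerg alert crit err warning notice info debug"

# index_of LIST NAME -> 0-based position of NAME in LIST, non-zero status if absent
index_of() {
    i=0
    for w in $1; do
        [ "$w" = "$2" ] && { echo "$i"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# nth LIST N -> N-th (0-based) word of LIST
nth() {
    printf '%s\n' $1 | sed -n "$(($2 + 1))p"
}

# pri_encode FACILITY SEVERITY -> PRI number, e.g. "auth crit" -> 34
pri_encode() {
    f=$(index_of "$FACILITIES" "$1") || { echo "unknown facility: $1" >&2; return 1; }
    s=$(index_of "$SEVERITIES" "$2") || { echo "unknown severity: $2" >&2; return 1; }
    echo $((f * 8 + s))
}

# pri_decode PRI -> "facility.severity", e.g. 34 -> auth.crit
pri_decode() {
    case $1 in
        ''|*[!0-9]*) echo "PRI is not a number: $1" >&2; return 1 ;;
    esac
    [ "$1" -le 191 ] || { echo "PRI out of range 0..191: $1" >&2; return 1; }
    echo "$(nth "$FACILITIES" $(($1 / 8))).$(nth "$SEVERITIES" $(($1 % 8)))"
}

# parse_line RAWLINE -> "facility.severity<TAB>rest of the message".
# Lines without a well-formed "<PRI>" prefix are rejected here; rsyslog
# would accept them but file them under the default user.notice.
parse_line() {
    case $1 in
        \<[0-9]\>*|\<[0-9][0-9]\>*|\<[0-9][0-9][0-9]\>*) ;;
        *) echo "malformed PRI in: $1" >&2; return 1 ;;
    esac
    pri=${1#<}; pri=${pri%%>*}
    decoded=$(pri_decode "$pri") || return 1
    printf '%s\t%s\n' "$decoded" "${1#*>}"
}

# Constructed sample lines: the first is adapted from the RFC 3164 example,
# the second mimics a Cisco-style local7 message, the third is malformed.
for line in \
    '<34>Oct 11 22:14:15 mymachine su: su root failed for lonvick on /dev/pts/8' \
    '<190>Oct 11 22:15:02 core-sw1 %SYS-5-CONFIG_I: Configured from console' \
    'Oct 11 22:15:02 badclient no PRI at all'
do
    parse_line "$line" || echo "rejected: $line"
done
```

Running the script prints auth.crit for the RFC sample and local7.info for the switch line (local7 is the facility the article notes is commonly assigned to Cisco devices), and rejects the line that carries no PRI.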

In order to configure CentOS/RHEL 7 as a central log server, we first need to check and confirm that the /var partition, where all log files are recorded, is large enough (at least a few GB) to store all the log files that other devices will send. It is a good decision to mount the /var/log/ directory on a dedicated drive (LVM, RAID).

Requirements:

  1. CentOS 7.3 Installation Procedure
  2. RHEL 7.3 Installation Procedure

How to Configure Rsyslog on a CentOS/RHEL 7 Server

1. By default, the Rsyslog service is installed automatically and should be running on CentOS/RHEL 7. To check whether the daemon has been started on the system, issue the following command with root privileges.

# systemctl status rsyslog.service

If the service is not running by default, execute the command below to start the rsyslog daemon.

# systemctl start rsyslog.service

2. If the rsyslog package is not installed on the system you intend to use as the central logging server, issue the following command to install the rsyslog package.

# yum install rsyslog

3. The first step we need to do on the system to configure the rsyslog daemon as a central log server, so that it can receive log messages from external clients, is to open and edit, using your favourite text editor, the main configuration file /etc/rsyslog.conf, as shown in the excerpt below.

# vi /etc/rsyslog.conf

In the main rsyslog configuration file, search for and uncomment the following lines (remove the hashtag # sign at the beginning of each line) to enable reception of UDP transport on the Rsyslog server through port 514. UDP is the standard protocol used by Rsyslog for log transmission. Keep in mind that neither plain UDP nor plain TCP syslog authenticates the sender or encrypts the messages, so limit which networks can reach port 514 when you open the firewall in step 9.

$ModLoad imudp
$UDPServerRun 514

4. The UDP protocol lacks the overhead of TCP, which makes it faster at transmitting data than the TCP protocol. On the other hand, the UDP protocol does not guarantee reliable delivery of the transmitted data.

However, if you need to use the TCP protocol for log reception, you must search for and uncomment the following lines in the /etc/rsyslog.conf file in order to configure the Rsyslog daemon to bind and listen on a TCP socket on port 514. TCP and UDP listening sockets for reception can be configured on the Rsyslog server at the same time.

$ModLoad imtcp
$InputTCPServerRun 514

5. In the next step, don't close the file yet; create a new template that will be used for receiving remote messages. This template will instruct the local Rsyslog server where to store the messages received from the syslog network clients. The template must be added before the beginning of the GLOBAL DIRECTIVES block, as illustrated in the excerpt below.

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~

The $template RemoteLogs directive above instructs the Rsyslog daemon to collect and write all received log messages to separate files, based on the client machine's name and on the remote client program (application) that generated the message, according to the properties used in the template: %HOSTNAME% and %PROGRAMNAME%. Both values are taken from the message header exactly as the client sent them, so a hostile client controls part of the file path; the secpath-replace option used in the RainerScript examples later in this step exists precisely to neutralize path separators in such properties.

All these log files will be written to the local file system, into a dedicated directory named after the client machine's hostname and located under the /var/log/ directory, with one file per program name inside it.

The & ~ rule instructs the local Rsyslog server to stop processing the received log messages any further and to discard them (not write them to the internal log files). In rsyslog 7 and later, & stop is the preferred spelling of the same rule. Note that the *.* selector also matches the server's own local messages: placed before the default rules as shown here, the pair diverts them into /var/log/<server hostname>/ as well, and they no longer reach /var/log/messages. If you want the server's own logs handled normally, bind the network inputs to a dedicated ruleset instead of using a global *.* rule.

The name RemoteLogs is an arbitrary name given to this template directive. You can use whatever name you find most suitable for your template.

To write all the messages received from the clients into a single file named after the remote client's IP address, without filtering on the facility that generated the message, use the excerpt below.

$template FromIp,"/var/log/%FROMHOST-IP%.log"
*.* ?FromIp
& ~

Another example of a template, where all messages flagged with the authpriv facility will be logged using a template named TmplAuth.

$template TmplAuth,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.*   ?TmplAuth

Below is an excerpt of a template definition from an Rsyslog 7 server (RainerScript syntax). The secpath-replace option rewrites path separators and ".." in the program name so that the file name cannot escape the intended directory:

template(name="TmplMsg" type="string"
         string="/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
        )

The above template excerpt can also be written as follows:

template(name="TmplMsg" type="list") {
    constant(value="/var/log/remote/msg/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
}

To write more complex Rsyslog templates, read the Rsyslog configuration file manual by issuing the man rsyslog.conf command, or consult the Rsyslog documentation online.

6. After you have edited the Rsyslog configuration file with your own settings as explained above, restart the Rsyslog daemon to apply the changes by issuing the following command (running rsyslogd -N1 first validates the configuration syntax without restarting anything):

# systemctl restart rsyslog.service

7. At this point, the Rsyslog server should be configured to act as a central log server and record messages from syslog clients. To verify the Rsyslog network sockets, run the netstat command with root privileges and use grep to filter for the rsyslog string. On a minimal CentOS 7 installation, netstat is provided by the net-tools package; ss -tulpn from iproute is always available and accepts the same flags.

# netstat -tulpn | grep rsyslog

8. If SELinux is enabled on CentOS/RHEL 7, issue the following commands to allow rsyslog to bind its network sockets, according to the socket type. The semanage tool is provided by the policycoreutils-python package and the port subcommand is required. If semanage reports that the port is already defined, modify the existing label with -m instead of -a: on the targeted policy, 514/udp already carries the syslogd_port_t label, while 514/tcp is labelled shell_port_t.

# semanage port -a -t syslogd_port_t -p udp 514
# semanage port -a -t syslogd_port_t -p tcp 514

9. If the firewall is enabled and running, run the commands below to add the rules needed to open the rsyslog ports in Firewalld.

# firewall-cmd --permanent --add-port=514/tcp
# firewall-cmd --permanent --add-port=514/udp
# firewall-cmd --reload
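As a complete example covering steps 3 to 9, added here and not taken from the original article or from the rsyslog project, the shell script below writes the receiver configuration as a drop-in file in RainerScript syntax instead of editing /etc/rsyslog.conf, validates it, and performs the SELinux, firewall and restart steps when run as root with the deploy argument. It goes beyond the article's configuration in two ways: the UDP and TCP inputs are bound to their own ruleset, so the stop rule cannot swallow the server's own local messages, and both hostname and programname use securepath="replace" (the list-template form of the secpath-replace option shown in step 5), so a client cannot inject path separators into the file name. The drop-in path /etc/rsyslog.d/10-remote.conf, the base directory /var/log/remote, the ruleset name remote and the tag rsyslog-test are assumptions made here; the logger options used for the test message are those of the util-linux logger shipped with CentOS 7.

```sh
#!/bin/sh
# Added example (not part of the original article): generate, validate and
# deploy a hardened receiver drop-in for the CentOS/RHEL 7 rsyslog server.
# The path /etc/rsyslog.d/10-remote.conf, the directory /var/log/remote and
# the ruleset name "remote" are choices made here. Only write_config runs
# unprivileged; "sh rsyslog-server.sh deploy" performs the root-only steps.
# Keep the $ModLoad imudp/imtcp lines in /etc/rsyslog.conf commented out:
# rsyslog refuses to load the same module twice.

CONF_DIR=${CONF_DIR:-/etc/rsyslog.d}
CONF_NAME=10-remote.conf
LOG_BASE=${LOG_BASE:-/var/log/remote}

# write_config DIR -> writes DIR/10-remote.conf and prints its path
write_config() {
    out="${1:-$CONF_DIR}/$CONF_NAME"
    cat > "$out" <<EOF
# Remote log receiver. Both listeners are bound to the "remote" ruleset, so
# the "stop" below never touches the server's own messages.
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")

# hostname and programname come from the client's message header, so
# securepath="replace" rewrites "/" and ".." in them and a hostile client
# cannot steer the file outside $LOG_BASE.
template(name="RemoteLogs" type="list") {
    constant(value="$LOG_BASE/")
    property(name="hostname" securepath="replace")
    constant(value="/")
    property(name="programname" securepath="replace")
    constant(value=".log")
}

ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}
EOF
    printf '%s\n' "$out"
}

# validate_config FILE -> syntax check with rsyslogd -N1 when rsyslogd is installed
validate_config() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    else
        echo "rsyslogd not installed, skipping syntax check" >&2
    fi
}

# label_port PROTO PORT -> make sure PROTO/PORT carries syslogd_port_t.
# 514/udp already does on the targeted policy; 514/tcp is shell_port_t, so
# "semanage port -a" fails there and "-m" is needed instead.
label_port() {
    semanage port -l | grep -Eq "^syslogd_port_t +$1 .*[ ,]$2(,|\$)" && return 0
    semanage port -a -t syslogd_port_t -p "$1" "$2" 2>/dev/null \
        || semanage port -m -t syslogd_port_t -p "$1" "$2"
}

# show_listeners -> sockets rsyslog is bound to (ss is always present on
# CentOS 7, netstat needs net-tools)
show_listeners() {
    if command -v ss >/dev/null 2>&1; then ss -tulpn; else netstat -tulpn; fi | grep rsyslog
}

deploy() {
    conf=$(write_config "$CONF_DIR")
    validate_config "$conf"
    if command -v semanage >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" != "Disabled" ]; then
        label_port udp 514
        label_port tcp 514
    fi
    if systemctl is-active firewalld >/dev/null 2>&1; then
        firewall-cmd --permanent --add-port=514/udp
        firewall-cmd --permanent --add-port=514/tcp
        firewall-cmd --reload
    fi
    systemctl restart rsyslog.service
    show_listeners
}

# send_test SERVER -> one UDP (-d) and one TCP (-T) message via util-linux
# logger; expect them in $LOG_BASE/<this host>/rsyslog-test.log on SERVER
send_test() {
    logger -n "$1" -P 514 -d -t rsyslog-test -p local7.info "udp test from $(hostname)"
    logger -n "$1" -P 514 -T -t rsyslog-test -p local7.info "tcp test from $(hostname)"
}

case ${1:-} in
    deploy) deploy ;;
    test)   send_test "$2" ;;
esac
```

Run sh rsyslog-server.sh deploy on the server, then from any client run sh rsyslog-server.sh test <server-ip> and look for /var/log/remote/<client hostname>/rsyslog-test.log on the server. The restrictive dirCreateMode and fileCreateMode values keep received logs readable only by root and the group rsyslog runs as, which matters because remote logs routinely contain usernames, IP addresses and failed-login details.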

That's it! Rsyslog is now configured in server mode and can centralize logs from remote clients. In the next article, we will see how to configure a Rsyslog client on a CentOS/RHEL 7 server.

Using a Rsyslog server as a central monitoring point for remote log messages, you can inspect the log files and watch the health status of the clients, or troubleshoot client problems more easily when the systems crash or come under some kind of attack.