Rsyslog - 服务器上未显示日志
[英]Rsyslog - logs not displayed on server
问题描述
Trying to configure Rsyslog Client to Send Logs to Rsyslog Server.
尝试配置Rsyslog客户端以将日志发送到 Rsyslog 服务器。
Both machines run on Centos7 with Vagrant .两台机器都在带有Vagrant 的Centos7 上运行。
See configuration of each machine below.请参阅下面的每台机器的配置。
When I log inside the Client machine - It is not reflected on the server's logs.当我登录客户端机器时 - 它不会反映在服务器的日志中。
For example:例如:
logger "Some message..."
But when I add the server's IP to the command:但是当我将服务器的 IP 添加到命令时:
logger -n 192.168.11.11 "Some message..."
I can see that a directory with the Client's IP is being created on the Server machine:我可以看到在服务器机器上正在创建一个包含客户端 IP 的目录:
[root@server log]# ls -la
total 200
drwxr-xr-x. 11 root root 4096 Aug 1 12:02 .
drwxr-xr-x. 18 root root 254 Jul 31 21:39 ..
drwx------. 2 root root 25 Jul 31 22:18 192.168.11.22 <--- HERE
drwxr-xr-x. 2 root root 191 Feb 28 20:54 anaconda
drwx------. 2 root root 23 Jul 31 21:39 audit
-rw-------. 1 root utmp 0 Aug 1 03:14 btmp
drwxr-xr-x. 2 chrony chrony 6 Apr 12 2018 chrony
-rw-------. 1 root root 188 Jul 31 21:39 cron
-rw-r--r--. 1 root root 26911 Aug 1 12:02 dmesg
-rw-r--r--. 1 root root 26742 Jul 31 21:39 dmesg.old
-rw-r--r--. 1 root root 374 Jul 31 21:47 firewalld
-rw-r--r--. 1 root root 292292 Aug 1 12:12 lastlog
-rw-------. 1 root root 198 Jul 31 21:39 maillog
.......
.......
And inside of it there is a vagrant.log file where I can see the log message for the Client:在它里面有一个vagrant.log文件,我可以在其中看到客户端的日志消息:
2019-08-01T13:00:06+00:00 192.168.11.22 vagrant: Some message...
Question: Any Idea why I can't see the Client local logs?问题:知道为什么我看不到客户端本地日志吗?
For this discussion:对于本次讨论:
Rsyslog Configuration Rsyslog 配置
Server IP: 192.168.11.11 .服务器 IP: 192.168.11.11 。
Client IP: 192.168.11.22 .客户端 IP: 192.168.11.22 。
Both machines have rsyslog installed & enabled and have the following common setup in the /etc/rsyslog.conf file:两台机器都安装并启用了 rsyslog,并且在/etc/rsyslog.conf文件中具有以下通用设置:
#### MODULES ####
$ModLoad imuxsock
$ModLoad imjournal
#Open port 514 For UDP
$ModLoad imudp
$UDPServerRun 514
#### GLOBAL DIRECTIVES ####
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
#### RULES ####
kern.* /dev/console
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
local7.* /var/log/boot.log
Additions for each machine on the /etc/rsyslog.conf file. /etc/rsyslog.conf文件中每台机器的添加。
On the Server machine:在服务器机器上:
## Rules for processing remote logs
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~
On the Client machine I Setup UDP Forwarding to the Server's IP:在客户端机器上,我设置 UDP 转发到服务器的 IP:
# ### begin forwarding rule ###
#UDP Forwarding
*. * @192.168.11.11:514
# ### end of the forwarding rule ###
Firewall Configuration防火墙配置
On the Server machine - Opening port 514 on firewall:在服务器机器上 - 在防火墙上打开端口 514:
sudo firewall-cmd --permanent --add-port=514/udp
sudo firewall-cmd --reload
And Verifying:并验证:
[root@server /]# sudo ss -tulnp | grep "rsyslog"
udp UNCONN 0 0 *:514 *:* users:(("rsyslogd",pid=2711,fd=3))
udp UNCONN 0 0 :::514 :::* users:(("rsyslogd",pid=2711,fd=4))
2 个解决方案
解决方案1
1 已采纳 2019-08-01 16:18:43
Try to remove one blank after *.尝试删除*.后的一个空格*. on the client's host:在客户端的主机上:
*. * @192.168.11.11:514
Default format for sending logs having any level on remote host looks like:在远程主机上发送具有任何级别的日志的默认格式如下所示:
*.* @remote-host:514
Then restart rsyslog service on client and server with systemctl restart rsyslog and check again.然后使用systemctl restart rsyslog客户端和服务器上的 rsyslog 服务并再次检查。
EDIT:编辑:
Pasted From the comments - 2 more steps that where done on the syslog server that solved the issue:从评论粘贴 - 在解决问题的 syslog 服务器上完成的另外 2 个步骤:
Commenting the
#### Rules ####section on server.评论服务器上的#### Rules ####部分。The Removal of
& ~from the## Rules for processing remote logssection.从## Rules for processing remote logs的## Rules for processing remote logs删除& ~部分。
解决方案2
0 2019-08-03 14:38:04
Credit to @Alexey that helped me in two critical points.感谢@Alexey,它在两个关键点上帮助了我。
I'll also add a few more useful points that might be helpful for others:我还将添加一些可能对其他人有帮助的有用点:
1: First of all, check the connectivity of the two machines. 1:首先检查两台机器的连通性。 For example, if using vagrant networking, place the two machines in a network mode that they can see (ping) each other.例如,如果使用 vagrant 网络,请将两台机器置于它们可以相互看到(ping)的网络模式。 For example Host-only mode is OK, but internal mode where each machine is on its isolated network - will not work.例如,仅主机模式是可以的,但每台机器都在其隔离网络上的内部模式将无法工作。
2: Uncommenting the following code is required only in the syslog server: 2:只有在syslog服务器中才需要取消注释以下代码:
$ModLoad imudp
$UDPServerRun 514
3: On the client machine - you can comment the all #### Rules #### section and place the forwarding rule at the end of file OR you can specify the forwarding inline (with the client IP or hostname, if configured in /etc/hosts ): 3:在客户端机器上-您可以评论所有#### Rules ####部分并将转发规则放在文件末尾,或者您可以指定转发内联(使用客户端IP或主机名,如果在/etc/hosts ):
#### RULES ####
kern.* /dev/console
*.info;mail.none;authpriv.none;cron.none @192.168.11.11:514 # <--- Like this
auth,authpriv.* /var/log/secure
local7.* /var/log/boot.log
4: A quick check to see if the UDP connection succeed: 4:快速检查UDP连接是否成功:
Forward auth logs to server (like this auth,authpriv.* @192.168.11.11:514 ).将身份验证日志转发到服务器(例如auth,authpriv.* @192.168.11.11:514 )。
ssh into the client machine, switch between users and view the following files under /var/log/ directory on server: ssh 进入客户端机器,在用户之间切换并查看服务器上 /var/log/ 目录下的以下文件:
sshd.log su.log sudo.log systemd-logind.log
5: Be careful with the rsyslog syntax - For example, If you're using sed as part of a provision script in order to replace and edit lines in the config file - check the output: 5:注意 rsyslog 语法 - 例如,如果您使用sed作为配置脚本的一部分以替换和编辑配置文件中的行 - 检查输出:
Specifying the $template section in one line:在一行中指定 $template 部分:
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log" *.* ?RemoteLogs
Will lead to an error:会导致错误:
Aug 03 13:50:04 server rsyslogd[5539]: error: extra characters in config line ignored: ' .
This is the correct syntax - break rule into a new line (if generated with sed - just add /n ):这是正确的语法 - 将规则分成一个新行(如果使用sed生成 - 只需添加/n ):
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
6: Don't forget the systemctl restart rsyslog after each change in /etc/rsyslog.conf . 6:不要忘记在/etc/rsyslog.conf每次更改后systemctl restart rsyslog 。 Because of cases like #5 always check the rsyslog status: systemctl status rsyslog .由于 #5 等情况,请始终检查 rsyslog 状态: systemctl status rsyslog 。
7: Newer versions of rsyslog (I think 5+) support a much cleaner syntax - it comes now as default on newer versions of Ubuntu for example, but for some reason not on Centos7. 7:较新版本的 rsyslog(我认为 5+)支持更简洁的语法 - 例如,它现在在较新版本的 Ubuntu 上作为默认设置出现,但由于某种原因不在 Centos7 上。
8: On the syslog-server - Make sure your firewall is enabled and configured to accept UDP on relevant port (see configuration script in Question): 8:在系统日志服务器上 - 确保您的防火墙已启用并配置为在相关端口上接受 UDP(请参阅问题中的配置脚本):
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT udp -- anywhere anywhere udp dpt:syslog ctstate NEW
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.