  • Linux: deploying a log server

    I. Deploying the log service

    1. Check whether rsyslog is already installed on your system (it usually is by default)

    [root@localhost ~]# rpm -qa | grep rsyslog
    rsyslog-8.37.0-13.el8.x86_64

      If it is not installed, install it with yum:

    [root@localhost ~]# yum list rsyslog
    Updating Subscription Management repositories.
    Unable to read consumer identity
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    appstream                                                                                                                                  3.1 MB/s | 3.2 kB     00:00    
    baseos                                                                                                                                     2.7 MB/s | 2.8 kB     00:00    
    Installed Packages
    rsyslog.x86_64     
    [root@localhost ~]# yum install -y rsyslog
    ...........
    

    2. Edit the /etc/rsyslog.conf configuration file:

    • Edit the configuration file (/etc/rsyslog.conf), remove the leading comment marker from the following lines, then restart the rsyslog service:
      • #module(load="imudp")
      • #input(type="imudp" port="514")
      • #module(load="imtcp")
      • #input(type="imtcp" port="514")
    [root@localhost ~]# vim /etc/rsyslog.conf 
    ...........
    # Provides UDP syslog reception
    # for parameters see http://www.rsyslog.com/doc/imudp.html
    module(load="imudp") # needs to be done just once
    input(type="imudp" port="514")
    
    # Provides TCP syslog reception
    # for parameters see http://www.rsyslog.com/doc/imtcp.html
    module(load="imtcp") # needs to be done just once
    input(type="imtcp" port="514")
    ............
    

    3. Restart the rsyslog service

    [root@localhost ~]# systemctl restart rsyslog
    [root@localhost ~]# netstat -tunlp | grep rsyslog
    tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1814/rsyslogd       
    tcp6       0      0 :::514                  :::*                    LISTEN      1814/rsyslogd       
    udp        0      0 0.0.0.0:514             0.0.0.0:*                           1814/rsyslogd       
    udp6       0      0 :::514                  :::*                                1814/rsyslogd     
    
     //check the rsyslog status
    [root@localhost ~]# systemctl status rsyslog
    ● rsyslog.service - System Logging Service
       Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
       Active: active (running) since Sun 2020-08-23 00:57:37 CST; 31s ago
         Docs: man:rsyslogd(8)
               http://www.rsyslog.com/doc/
     Main PID: 1814 (rsyslogd)
        Tasks: 9 (limit: 11340)
       Memory: 3.7M
       CGroup: /system.slice/rsyslog.service
               └─1814 /usr/sbin/rsyslogd -n
    
    Aug 23 00:57:37 localhost.localdomain systemd[1]: Stopped System Logging Service.
    Aug 23 00:57:37 localhost.localdomain systemd[1]: Starting System Logging Service...
    Aug 23 00:57:37 localhost.localdomain rsyslogd[1814]: environment variable TZ is not set, auto correcting this to TZ=/etc/localtime  [v8.37.0-13.el8 try http://www.rsyslo>
    Aug 23 00:57:37 localhost.localdomain rsyslogd[1814]:  [origin software="rsyslogd" swVersion="8.37.0-13.el8" x-pid="1814" x-info="http://www.rsyslog.com"] start
    Aug 23 00:57:37 localhost.localdomain systemd[1]: Started System Logging Service.
    
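The post enables the UDP and TCP listeners on port 514 directly in /etc/rsyslog.conf, which also mixes the remote hosts' messages into the local /var/log/messages. The shell script below is an added example, not part of the original post: it generates a server-side drop-in that binds the same two inputs to a dedicated ruleset writing each remote host's messages to its own file under /var/log/remote, prints the matching client-side forwarding rule, and validates the result with `rsyslogd -N1`. It assumes the module/input lines in /etc/rsyslog.conf stay commented (rsyslog refuses to load a module twice), that the server address 192.168.121.10 and the file paths are placeholders for your environment, and, because plain syslog on port 514 is neither authenticated nor encrypted, that the port is reachable only from the hosts that should be forwarding (a firewall rule or a dedicated management network).

```shell
#!/bin/sh
# Added example (not from the original post): generate an rsyslog drop-in that
# stores messages received from remote hosts in per-host files, plus the
# client-side forwarding rule. Paths and addresses are assumptions.

# Print the server-side drop-in, intended for /etc/rsyslog.d/10-remote.conf.
# Assumes the imudp/imtcp lines in /etc/rsyslog.conf are left commented out,
# since a module may only be loaded once.
server_conf() {
    cat <<'EOF'
# Receive syslog over UDP and TCP on port 514 and hand it to the "remote" ruleset
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")

# One file per sending host and program instead of mixing remote messages
# into the local /var/log/messages
template(name="RemoteFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteFile")
}
EOF
}

# Print the client-side rule, intended for /etc/rsyslog.d/90-forward.conf.
# $1 = address of the log server (placeholder 192.168.121.10 in the usage below)
client_conf() {
    cat <<EOF
# Forward every facility/priority to the central server over TCP
# (@@ selects TCP, a single @ would select UDP)
*.* @@${1}:514
EOF
}

# Return 0 if the generated server config declares a listener on port $1
listens_on() {
    server_conf | grep -q "port=\"$1\""
}

# Usage on the server (needs root and rsyslog installed): write the drop-in,
# check the syntax before restarting, then confirm the listener as in the post.
install_and_check() {
    server_conf > /etc/rsyslog.d/10-remote.conf
    mkdir -p /var/log/remote
    rsyslogd -N1 && systemctl restart rsyslog
    ss -tunlp | grep ':514 '
}

# Usage on a client: client_conf 192.168.121.10 > /etc/rsyslog.d/90-forward.conf
```

Run `rsyslogd -N1` before every restart: a syntax error in a drop-in otherwise leaves the service down and the central log store silently empty, which is exactly the state an investigator does not want to discover after the fact.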

    4. Test

    • First, start monitoring /var/log/secure:
    [root@localhost ~]# tail -f /var/log/secure 
    Aug 22 21:36:16 localhost sshd[1051]: Server listening on :: port 22.
    Aug 22 21:36:16 localhost polkitd[1019]: Loading rules from directory /etc/polkit-1/rules.d
    Aug 22 21:36:16 localhost polkitd[1019]: Loading rules from directory /usr/share/polkit-1/rules.d
    Aug 22 21:36:16 localhost polkitd[1019]: Finished loading, compiling and executing 2 rules
    Aug 22 21:36:16 localhost polkitd[1019]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
    Aug 22 21:36:37 localhost sshd[1519]: Accepted password for root from 192.168.121.1 port 2335 ssh2
    Aug 22 21:36:37 localhost systemd[1522]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
    Aug 22 21:36:38 localhost sshd[1519]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Aug 23 01:01:41 localhost sshd[1843]: Accepted password for root from 192.168.121.1 port 11157 ssh2
    Aug 23 01:01:41 localhost sshd[1843]: pam_unix(sshd:session): session opened for user root by (uid=0)
    
     //keeps monitoring continuously
    • Log in remotely and deliberately enter a wrong password, then check whether the file receives the failure log messages

     

    • Check whether /var/log/secure received the failure log messages
    [root@localhost ~]# tail -f /var/log/secure 
    Aug 22 21:36:16 localhost polkitd[1019]: Loading rules from directory /usr/share/polkit-1/rules.d
    Aug 22 21:36:16 localhost polkitd[1019]: Finished loading, compiling and executing 2 rules
    Aug 22 21:36:16 localhost polkitd[1019]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
    Aug 22 21:36:37 localhost sshd[1519]: Accepted password for root from 192.168.121.1 port 2335 ssh2
    Aug 22 21:36:37 localhost systemd[1522]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
    Aug 22 21:36:38 localhost sshd[1519]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Aug 23 01:01:41 localhost sshd[1843]: Accepted password for root from 192.168.121.1 port 11157 ssh2
    Aug 23 01:01:41 localhost sshd[1843]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Aug 23 01:05:56 localhost sshd[1877]: error: Received disconnect from 192.168.121.1 port 11264:0:  [preauth]
    Aug 23 01:05:56 localhost sshd[1877]: Disconnected from 192.168.121.1 port 11264 [preauth]
     
    Aug 23 01:10:17 localhost sshd[1883]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.121.1  user=root
    Aug 23 01:10:18 localhost sshd[1883]: Failed password for root from 192.168.121.1 port 11388 ssh2
    Aug 23 01:10:21 localhost sshd[1883]: error: Received disconnect from 192.168.121.1 port 11388:0:  [preauth]
    Aug 23 01:10:21 localhost sshd[1883]: Disconnected from authenticating user root 192.168.121.1 port 11388 [preauth]
     //the last four lines are the failure log messages just received
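The test above relies on reading /var/log/secure by eye. As an added example that is not from the original post, the script below turns that check into a small detection: it counts sshd "Failed password" lines per source host and user (the exact format shown above, including the "invalid user" variant) and lists the sources at or above a threshold. The lines in sample_log are constructed in the post's format; the function names and the threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): summarise failed SSH password
# attempts per source host from /var/log/secure-style lines and flag hosts
# that reach a threshold. Sample input is constructed in the post's format.

# Constructed sample input (same layout as the post's /var/log/secure output)
sample_log() {
    cat <<'EOF'
Aug 23 01:01:41 localhost sshd[1843]: Accepted password for root from 192.168.121.1 port 11157 ssh2
Aug 23 01:10:17 localhost sshd[1883]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.121.1  user=root
Aug 23 01:10:18 localhost sshd[1883]: Failed password for root from 192.168.121.1 port 11388 ssh2
Aug 23 01:10:21 localhost sshd[1883]: Disconnected from authenticating user root 192.168.121.1 port 11388 [preauth]
Aug 23 01:12:02 localhost sshd[1890]: Failed password for root from 192.168.121.1 port 11401 ssh2
Aug 23 01:12:09 localhost sshd[1890]: Failed password for root from 192.168.121.1 port 11401 ssh2
Aug 23 01:15:30 localhost sshd[1902]: Failed password for invalid user admin from 10.0.0.7 port 50122 ssh2
EOF
}

# Read log lines on stdin and print "count source user" for every
# "Failed password" line, highest count first. The user is the token just
# before "from", which covers both "for USER from IP" and
# "for invalid user USER from IP".
failed_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
            }
            count[ip " " user]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Read log lines on stdin and print only the source hosts whose failure
# count is at least $1 (the alerting threshold)
flag_sources() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage on a live server (needs root):
#   tail -n 1000 /var/log/secure | flag_sources 5
```

On the central server the same functions can be pointed at the per-host files rsyslog writes for remote machines, which is where a burst of failures from one source across several hosts becomes visible in one place.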
    
  • Original post: https://www.cnblogs.com/itwangqiang/p/13546332.html