Getting logger to log to rsyslog in Alpine

I installed rsyslog on an Alpine-based system to replace busybox syslogd. After completely disabling syslogd in openrc, enabling rsyslog at boot and rebooting, all services correctly started logging to rsyslog.

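However, using the logger utility (provided by busybox, but I also tried replacing it by installing the logger package - it didn't change anything) still logs to /var/log/messages (no matter which facility I log to), which is the default file used by busybox syslogd.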

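As I understand it, logger should not log directly to a file but should use the syslog protocol, so rsyslogd should pick up the message and process it according to the defined rules. However, although the only rule in rsyslog that logs to /var/log/messages contains mail.none, logger still logs to that file when I use mail.info as the facility/severity.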

What is going on? How can I fix this?

--

/etc/rsyslog.conf

# rsyslog configuration file
#
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### Global directives ####
 
# Sets the directory that rsyslog uses for work files.
$WorkDirectory /var/lib/rsyslog

# Sets default permissions for all log files.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

# Check config syntax on startup and abort if unclean (default off).
#$AbortOnUncleanConfig on

# Reduce repeating messages (default off).
#$RepeatedMsgReduction on

#### Modules ####

# Provides --MARK-- message capability.
module(load="immark")

# Provides support for local system logging (e.g. via logger command).
module(load="imuxsock")

# Reads kernel messages.
module(load="imklog")

#### Rules ####
# Log all kernel messages to kern.log.
kern.*                                                  /var/log/kern.log

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# NOTE: The minus sign in front of filename disables buffer flush.
*.info;authpriv.none;cron.none;kern.none;mail.none      -/var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/auth.log

# Log all the mail messages in one place.
mail.*                                                  -/var/log/mail.log

# Log cron stuff.
cron.*                                                  -/var/log/cron.log

# Everybody gets emergency messages.
*.emerg                                                 :omusrmsg:*

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

#### Config files ####

# Include all config files in /etc/rsyslog.d/.
include(file="/etc/rsyslog.d/*.conf" mode="optional")

rc-update show

   apache2 |      default
  bootmisc | boot
     crond |      default
     devfs |                                 sysinit
   dovecot |      default
  fail2ban |      default
  loadkmap | boot
      mdev |                                 sysinit
networking |      default
  opendkim |      default
  openntpd |      default
  php-fpm7 |      default
   postfix |      default
postgresql |      default
  postgrey |      default
    rspamd |      default
   rsyslog | boot default
      sshd |      default
       ufw |      default

rc-status

Runlevel: default
  rsyslog          [  started  ]
  ufw              [  started  ]
  networking       [  started  ]
  openntpd         [  started  ]
  postgresql       [  started  ]
  dovecot          [  started  ]
  opendkim         [  started  ]
  postgrey         [  started  ]
  sshd             [  started  ]
  rspamd           [  started  ]
  crond            [  started  ]
  postfix          [  started  ]
  apache2          [  started  ]
  fail2ban         [  started  ]
  php-fpm7         [  started  ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
  hostname         [  started  ]
  localmount       [  started  ]
  sysfs            [  started  ]
Dynamic Runlevel: manual

Answer 1

This works as expected for me.

Disable busybox syslog and install rsyslog, configuring rsyslog to log to /var/log/syslog instead of /var/log/messages to avoid confusion:

/ # rc-service syslog stop
 * WARNING: you are stopping a boot service
 * Caching service dependencies ...    [ ok ]
 * Stopping busybox crond ...          [ ok ]
 * Stopping busybox syslog ...         [ ok ]
/ # apk add rsyslog
(1/5) Installing libestr (0.1.11-r1)
(2/5) Installing libfastjson (0.99.9-r0)
(3/5) Installing libuuid (2.37-r0)
(4/5) Installing rsyslog (8.2012.0-r1)
(5/5) Installing rsyslog-openrc (8.2012.0-r1)
Executing busybox-1.33.1-r3.trigger
OK: 10 MiB in 25 packages
/ # grep /var/log/messages /etc/rsyslog.conf
*.info;authpriv.none;cron.none;kern.none;mail.none      -/var/log/messages
/ # sed -i '/\/var\/log\/messages/s/messages/syslog/' /etc/rsyslog.conf
/ # rc-service rsyslog start
 * Caching service dependencies ...    [ ok ]
 * Starting rsyslog ...                [ ok ]
/ # tail /var/log/syslog
2021-09-12T04:30:50.071691+00:00 CT555 : [origin software="rsyslogd" swVersion="8.2012.0" x-pid="709" x-info="https://www.rsyslog.com"] start

Log with the built-in busybox logger at (the default) user.notice and at mail.info:

/ # logger foo bar
/ # logger -p mail.info logging at mail.info
/ # tail /var/log/syslog
2021-09-12T04:30:50.071691+00:00 CT555 : [origin software="rsyslogd" swVersion="8.2012.0" x-pid="709" x-info="https://www.rsyslog.com"] start
2021-09-12T04:31:26.066703+00:00 CT555 root: foo bar

The mail.info message was not logged to /var/log/syslog.

Confirm that it did not end up in /var/log/messages:

/ # tail /var/log/messages
Sep 12 04:29:06 CT555 daemon.info init: starting pid 368, tty '/dev/tty1': '/sbin/getty 38400 tty1'
Sep 12 04:29:06 CT555 daemon.info init: starting pid 369, tty '/dev/tty2': '/sbin/getty 38400 tty2'
Sep 12 04:29:43 CT555 daemon.warn /etc/init.d/syslog[407]: WARNING: you are stopping a boot service
Sep 12 04:29:43 CT555 user.debug : Will stop /usr/sbin/crond
Sep 12 04:29:43 CT555 user.debug : Will stop PID 360
Sep 12 04:29:43 CT555 user.debug : Sending signal 15 to PID 360
Sep 12 04:29:43 CT555 user.debug : Will stop /sbin/syslogd
Sep 12 04:29:43 CT555 user.debug : Will stop PID 332
Sep 12 04:29:43 CT555 user.debug : Sending signal 15 to PID 332
Sep 12 04:29:43 CT555 syslog.info syslogd exiting

Tested on Alpine 3.14.2.
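
Added example (not part of the question or the answer): a simplified Python model of how the selectors in the rsyslog.conf shown in the question route a message, which shows where rsyslog itself would put user.notice and mail.info. The names selector_matches and route are hypothetical, and the "=" and "!" priority modifiers are not modelled.

```python
# Simplified model of classic syslog selectors (facility.priority[;...]).
# Covers "*", "none", comma-separated facilities and "priority or higher".

# Severity keywords, most severe first (numeric value = list index).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Rules copied from the /etc/rsyslog.conf in the question; the leading "-"
# (no sync after each write) is dropped because it does not affect routing.
RULES = [
    ("kern.*", "/var/log/kern.log"),
    ("*.info;authpriv.none;cron.none;kern.none;mail.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/auth.log"),
    ("mail.*", "/var/log/mail.log"),
    ("cron.*", "/var/log/cron.log"),
    ("*.emerg", ":omusrmsg:*"),
]

def selector_matches(selector, facility, severity):
    """Return True if a message with this facility/severity is selected."""
    sev = SEVERITIES.index(severity)
    selected = False
    # Parts are evaluated left to right against the same facility.
    for part in selector.split(";"):
        facs, _, prio = part.partition(".")
        if facs != "*" and facility not in facs.split(","):
            continue  # this part says nothing about our facility
        if prio == "none":
            selected = False          # "none" clears the facility
        elif prio == "*":
            selected = True           # every severity
        else:
            # A plain priority adds "this severity or more severe".
            selected = selected or sev <= SEVERITIES.index(prio)
    return selected

def route(facility, severity, rules=RULES):
    """List every destination whose selector matches the message."""
    return [dest for sel, dest in rules if selector_matches(sel, facility, severity)]

if __name__ == "__main__":
    for fac, sev in [("user", "notice"), ("mail", "info"), ("kern", "emerg")]:
        print(f"{fac}.{sev} ->", route(fac, sev))
```

Under these rules a mail.info line in /var/log/messages cannot have been written by rsyslogd's messages rule, so when one appears there the thing to check is which daemon actually received the message.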
