安装 Debian 12 和 rsyslog 8.2302(用于 TLS 远程系统日志)后,我注意到 apparmor 日志(或任何审核日志)没有被远程发送。
检查本地系统后,journald 确实包含所有审核和 apparmor 日志,但 rsyslog 没有获取其中任何日志。 rsyslog可以看到其他所有正常日志。
我已经ForwardToSyslog=yes
取消注释了/etc/systemd/journald.conf
,但这似乎没有什么区别。
/etc/rsyslog.conf
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
# TLS Certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/logserver.crt # Server Certificate or CA
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/selfsigned.crt # Client Certificate
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/selfsigned.key # Client Key
# TLS Sending Configuration
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode x509/name # server is NOT authenticated
#
# TLS Remote Logging Rule
#
*.* @@192.168.3.2:6514
在 Debian 11 上,apparmor 日志由 rsyslog 转发没有问题。我还尝试将远程线路更改为rsyslog.conf
,*.* /var/log/syslog
并在重新启动后,文件中没有出现审核或 Apparmor 日志(尽管所有其他系统日志都出现了...)
我意识到在这个新版本中从默认安装中删除了 rsyslog,那么如何重新启用 rsyslog 以查看和发送审核(apparmor)日志呢?