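I am trying to send a custom log from a client to a syslog server.
The problem is:
Rsyslog keeps writing the same information into my log file.
How can I prevent rsyslog from writing to my custom log file?
Version: rsyslogd 5.8.11
Client: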
$template ban-ip-template,"%rawmsg%\n"
local6.* @server-centreon
#################
#### MODULES ####
#################
$ModLoad imfile
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support
#$ModLoad immark # provides --MARK-- message capability
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
###############
#### RULES ####
###############
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
local6.none /var/log/messages
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
local6.* /var/log/ip_banned.log;ban-ip-template
& ~
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some "catch-all" log files.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
My personal configuration:
/etc/rsyslog.d/ba-ip.conf
$InputFileName /var/log/ip_banned.log
$InputFileTag banned-ip
$InputFileStateFile ban-ip-ssh
$InputFileSeverity warn
$InputFileFacility local6
$InputFilePollInterval 5
$InputRunFileMonitor
My custom log: /var/log/ip_banned.log. Previously my log file contained only these two lines:
172.16.200.110 banned using ssh
172.16.100.78 banned using ssh
Rsyslog keeps adding:
172.16.200.110 banned using ssh
172.16.100.78 banned using ssh
172.16.200.110 banned using ssh
172.16.100.78 banned using ssh
172.16.200.110 banned using ssh
172.16.100.78 banned using ssh
172.16.200.110 banned using ssh
172.16.100.78 banned using ssh
172.16.200.110 banned using ssh
172.16.100.78 banned using ssh
172.16.200.110 banned using ssh
172.16.100.78 banned using ssh
172.16.200.110 banned using ssh
172.16.100.78 banned using ssh
172.16.200.110 banned using ssh
172.16.100.78 banned using ssh
172.16.200.110 banned using ssh
172.16.100.78 banned using ssh
172.16.200.110 banned using ssh
172.16.100.78 banned using ssh
172.16.200.110 banned using ssh
172.16.100.78 banned using ssh
172.16.200.110 banned using ssh
ETC…………………..
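How can I prevent rsyslog from writing to my custom log?
I have another problem as well: for example, when I delete everything rsyslog added to the log file, it stops working, even if I restart rsyslog.
To get it working again, I have to delete the configuration file and reconfigure it.
Is there a solution?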
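Answer 1
If you don't want rsyslogd to write to ip_banned.log, don't configure it as the target of local6.*. Not sure whether your ba-ip.conf lives on the client or the server, but it looks like you have built a loop that reads from and writes to the same file.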
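
The read/write loop described in the answer can be checked for mechanically. The following is an added example, not part of the original question or answer: a Python check that flags any path a legacy-syntax rsyslog config both monitors with imfile and writes to with a file action. The function name and the embedded sample (the relevant lines of the question's config) are constructed for illustration, and the check matches on path only.

```python
import re

# Constructed sample: the relevant lines of the client config in the question.
SAMPLE = """\
$template ban-ip-template,"%rawmsg%\\n"
local6.* @server-centreon
$ModLoad imfile
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
local6.none /var/log/messages
local6.* /var/log/ip_banned.log;ban-ip-template
& ~
$InputFileName /var/log/ip_banned.log
$InputFileTag banned-ip
$InputFileFacility local6
$InputRunFileMonitor
"""

def find_feedback_loops(config_text):
    """Return (path, selector) pairs where a file action writes to a path
    that imfile also monitors. Matches on path only (assumption: any such
    overlap is worth reviewing, whatever the facility)."""
    monitored, file_actions = set(), []
    text = re.sub(r"\\\n\s*", "", config_text)  # join backslash-continued rules
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"\$InputFileName\s+(\S+)", line, re.I)
        if m:
            monitored.add(m.group(1))
            continue
        parts = line.split(None, 1)
        if line[0] in "$&" or len(parts) != 2:
            continue  # other directives, "& ~", malformed lines
        selector, action = parts
        action = action.lstrip("-")  # "-/path" means unsynced file write
        if action.startswith("/"):
            # strip an optional ";template" suffix from the file action
            file_actions.append((action.split(";", 1)[0].strip(), selector))
    return [(p, s) for p, s in file_actions if p in monitored]

if __name__ == "__main__":
    for path, selector in find_feedback_loops(SAMPLE):
        print(f"loop: {selector} writes to {path}, which imfile also reads")
```

Removing the `local6.* /var/log/ip_banned.log;ban-ip-template` rule, as the answer suggests, makes the check return an empty list while the forwarding rule to the server stays in place.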