I have tried searching Google many times but have not found much, so I thought I would ask here. This is my current problem:
I am running an Ubuntu 18.04 server, basically stock. The purpose of this server is to run a vision application. The problem I have is that when I check journalctl for the vision application's service, PAM (Pluggable Authentication Modules) and some other OS-related services are logging far too much information into the vision application's log, and I would rather they did not. Here is an example:
journalctl -u visionapp.service | less
Output:
(some stuff omitted)
Jan 08 10:43:12 visionapp sudo[2483]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -F
Jan 08 10:43:12 visionapp sudo[2483]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:12 visionapp sudo[2483]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:12 visionapp sudo[2490]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/sysctl net.ipv4.conf.xxx999.forwarding=1
Jan 08 10:43:12 visionapp sudo[2490]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:12 visionapp VisionApp[2471]: net.ipv4.conf.xxx999.forwarding = 1
Jan 08 10:43:12 visionapp sudo[2490]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:12 visionapp sudo[2493]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/sysctl net.ipv4.conf.yyy888.forwarding=1
Jan 08 10:43:12 visionapp sudo[2493]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp VisionApp[2471]: net.ipv4.conf.yyy888.forwarding = 1
Jan 08 10:43:13 visionapp sudo[2493]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:13 visionapp VisionApp[2471]: route: sudo iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 77777 -j DNAT --to-destination 99.99.99.35:77777
Jan 08 10:43:13 visionapp sudo[2496]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 77777 -j DNAT --to-destination 99.99.99.35:77777
Jan 08 10:43:13 visionapp sudo[2496]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp sudo[2496]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:13 visionapp VisionApp[2471]: route: sudo iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 5555 -j DNAT --to-destination 99.99.99.11:80
Jan 08 10:43:13 visionapp sudo[2499]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 5555 -j DNAT --to-destination 99.99.99.11:80
Jan 08 10:43:13 visionapp sudo[2499]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp sudo[2499]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:13 visionapp VisionApp[2471]: route: sudo iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 6666 -j DNAT --to-destination 99.99.99.30:80
Jan 08 10:43:13 visionapp sudo[2502]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 6666 -j DNAT --to-destination 99.99.99.30:80
Jan 08 10:43:13 visionapp sudo[2502]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp sudo[2502]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:13 visionapp VisionApp[2471]: route: sudo iptables -t nat -A PREROUTING -p udp -d 88.88.88.63 --dport 23456 -j DNAT --to-destination 99.99.99.30:23456
Jan 08 10:43:13 visionapp sudo[2505]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -t nat -A PREROUTING -p udp -d 88.88.88.63 --dport 23456 -j DNAT --to-destination 99.99.99.30:23456
Jan 08 10:43:13 visionapp sudo[2505]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp sudo[2505]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:13 visionapp VisionApp[2471]: route: sudo iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 28208 -j DNAT --to-destination 99.99.99.30:28208
Jan 08 10:43:13 visionapp sudo[2508]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 28208 -j DNAT --to-destination 99.99.99.30:28208
Jan 08 10:43:13 visionapp sudo[2508]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp sudo[2508]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:13 visionapp VisionApp[2471]: route: sudo iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 2112 -j DNAT --to-destination 99.99.99.36:2112
Jan 08 10:43:13 visionapp sudo[2511]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -t nat -A PREROUTING -p tcp -d 88.88.88.63 --dport 2112 -j DNAT --to-destination 99.99.99.36:2112
Jan 08 10:43:13 visionapp sudo[2511]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp sudo[2511]: pam_unix(sudo:session): session closed for user root
Jan 08 10:43:13 visionapp VisionApp[2471]: Make Routable: sudo iptables -t nat -A POSTROUTING -j MASQUERADE
Jan 08 10:43:13 visionapp sudo[2514]: root : TTY=unknown ; PWD=/opt ; USER=root ; COMMAND=/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
Jan 08 10:43:13 visionapp sudo[2514]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 08 10:43:13 visionapp sudo[2514]: pam_unix(sudo:session): session closed for user root
(some stuff omitted)
I changed some names and numbers to protect the company's anonymity, but otherwise this is the actual output. I would like to be able to suppress this somehow.
After reading this post https://unix.stackexchange.com/questions/327301/how-to-stop-sudo-pam-messages-in-auth-log-for-a-specific-user-on-ubuntu-16-04 I would rather stay away from the PAM configuration files, for 3 reasons:
1) I tried what the post suggests, but it had no effect and caused the vision application to crash.
2) Editing the PAM logging incorrectly can lock you out of root access.
3) Some of the messages above do not appear to be generated by PAM.
The last answer in the post above mentions filtering at the syslog level. I tried reading up on this but have not found much so far. I was at least able to determine that the key files appear to be /etc/rsyslog.conf and the files in /etc/rsyslog.d/.
Here is my /etc/rsyslog.conf:
$ cat /etc/rsyslog.conf
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
There are 3 files in rsyslog.d:
$ cd /etc/rsyslog.d
$ ls -l
-rw-r--r-- 1 root root 314 Aug 15 2017 20-ufw.conf
-rw-r--r-- 1 root root 255 Apr 27 2018 21-cloudinit.conf
-rw-r--r-- 1 root root 1124 Jan 30 2018 50-default.conf
My impression is that 20-ufw.conf and 21-cloudinit.conf are for some other specific purposes. Here is 50-default.conf:
$ cat 50-default.conf
# Default rules for rsyslog.
#
# For more information see rsyslog.conf(5) and /etc/rsyslog.conf
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info -/var/log/mail.info
#mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Some "catch-all" log files.
#
#*.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
#*.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
As far as I know, these files are stock from the Ubuntu 18.04 server install.
My questions now are:
1) Should I edit one of the files above, or create another file in /etc/rsyslog.d, e.g. 20-visionapp.conf or similar?
2) Is there a way to change the files above to conditionally exclude log messages for visionapp.service? I.e., if a log line contains pam_unix(sudo:session) or root : TTY=unknown, leave it out? If someone can suggest such a line, please state whether it applies to all systemd services or only to the specific visionapp.service, and whether it applies to all users or only to a specific user. If there are options available to choose between these, even better.
- Update -
After more Googling, I did the following:
cd /etc/rsyslog.d
sudo nano 20-visionapp.conf
In nano I entered:
:msg,contains,"pam_unix" /var/log/PAM.log
& stop
Then from the command line I ran:
service rsyslog restart
Then I started and stopped the vision application again. I expected that any message containing pam_unix would now go to the file /var/log/PAM.log, but when I run journalctl -u visionapp.service | less the pam_unix messages are still there.
I feel I am at least close. What am I doing wrong? Any suggestions?
-- Update 2 --
Following this documentation https://www.rsyslog.com/discarding-unwanted-messages/ I also tried, in /etc/rsyslog.d/20-visionapp.conf:
:msg,contains,"pam_unix" ~
and
:msg, contains, "pam_unix" ~
Neither of these works, i.e. journalctl -u visionapp.service | less still shows the pam_unix messages.
I should also mention that this post https://unix.stackexchange.com/questions/133898/why-does-rsyslogd-not-honor-the-following-lines-in-rsyslog-d describes a very similar problem, but it has no accepted answer so far.
-- Update 3 --
If I do:
sudo nano /etc/rsyslog.d/19-visionapp.conf
and then enter:
:msg, contains, "pam_unix" /var/log/visionapp-other.log
& stop
then all messages containing pam_unix are logged both to /var/log/visionapp-other.log and to journalctl -u visionapp.service | less. From this post https://unix.stackexchange.com/questions/8737/rsyslog-is-not-discarding-message-as-it-should it looks like this is a known bug. Does anyone have a workaround or more information about this?
-- Update 4 --
After more Googling, I am convinced that the steps I described in the last update are correct and that there is a bug in rsyslog, or in the rsyslog integration, in Ubuntu 18.04 server. The workaround I have settled on for now is to create a script in my home directory with the following contents:
journalctl -u visionapp.service | grep -v "pam_unix" | grep -v "TTY=unknown" | less
This masks out the messages with pam_unix and TTY=unknown that I do not want to see. This is obviously not a great solution, and I am disappointed in rsyslog and Ubuntu for not providing a better way to modify the systemd journal output.
Answer 1
You can achieve this by editing /etc/syslog.conf like this:
*.=info;*.=notice;*.=warning;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
You can change =warning to =notice, =info, etc. according to the logging level you want.