我在 CentOS 8(CentOS Linux 版本 8.1.1911)上使用 rsyslog(8.37.0-13),并且我的配置出现类型错误。
我的 rsyslog.conf 是:
module(load="imuxsock")
module(load="imjournal")
module(load="imtcp")
module(load="imudp")
global(workDirectory="/var/lib/rsyslog")
include(file="/etc/rsyslog.d/*.conf")
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
我的子配置是:
template(name="template1" type="string" string="/data/%HOSTNAME%-%FROMHOST-IP%.log")
ruleset(name="ruleset1"){
action(type="omfile" dynaFile="template1")
action(type="omfwd" protocol="tcp" target="10.10.10.1" port="2020")
}
input(type="imudp" port="2020" ruleset="ruleset1")
rsyslog 检查:
# rsyslogd -N1
rsyslogd: version 8.37.0-13.el8, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
我收到有关 UDP 2020 的日志:
02:56:22.363426 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 751
02:56:22.363434 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 878
02:56:22.363438 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 705
02:56:22.363443 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 695
02:56:22.363448 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 713
02:56:22.363454 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 627
02:56:22.363459 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 713
02:56:22.363466 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 626
02:56:22.363472 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 626
02:56:22.363509 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 861
02:56:22.363518 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 710
02:56:22.363523 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 622
02:56:22.363527 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 626
但是我没有在 /data 文件夹中写入任何日志,也没有转发到 10.10.10.1_TCP2020 :
# pwd
/data/
# ls -Ral
.:
total 0
drw-r--r--. 2 root adm 6 5 mai 10:03 .
drw-r--r--. 5 root adm 50 5 mai 10:03 ..
]# tcpdump -i any tcp -nn port 2020
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
> Nothing
如果有疑问,我已经禁用 SELinux,但问题依然存在。
有人有什么想法可以解决这个问题吗?
谢谢
编辑 :
全部禁用 SELinux、重新启动并重新启动服务后就可以了。
现在,我搜索以允许 Selinux。我这样做:
# chcon -R --reference /var/log /data/
# chcon -R --reference /etc/rsyslog.conf /etc/rsyslog.d/
# systemctl restart rsyslog
没有变化...我重新启动,但没有变化
编辑2:
我检查了审计日志:
# sealert -a /var/log/audit/audit.log
100% done
found 0 alerts in /var/log/audit/audit.log
编辑3:
这种行为是随机的。重启后,我想到是 SELinux 的问题。但是,再次停用 SELinux 并重新启动后,它不再起作用。这很有趣,我不明白是什么原因造成的......
编辑4:
这是防火墙的问题...
# firewall-offline-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# nft list table filter
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
}
chain FORWARD {
type filter hook forward priority 0; policy accept;
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
# nft list table security
table ip security {
chain INPUT {
type filter hook input priority 150; policy accept;
}
chain FORWARD {
type filter hook forward priority 150; policy accept;
}
chain OUTPUT {
type filter hook output priority 150; policy accept;
}
}
# nft list table raw
table ip raw {
chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
}
chain OUTPUT {
type filter hook output priority -300; policy accept;
}
}
# nft list table mangle
table ip mangle {
chain PREROUTING {
type filter hook prerouting priority -150; policy accept;
}
chain INPUT {
type filter hook input priority -150; policy accept;
}
chain FORWARD {
type filter hook forward priority -150; policy accept;
}
chain OUTPUT {
type route hook output priority -150; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority -150; policy accept;
}
}
# nft list table nat
table ip nat {
chain PREROUTING {
type nat hook prerouting priority -100; policy accept;
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
}
}
# nft list table bridge nat
table bridge nat {
chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
}
chain OUTPUT {
type filter hook output priority 100; policy accept;
}
chain POSTROUTING {
type filter hook postrouting priority 300; policy accept;
}
}
我很惊讶。对我来说,firewalld 是 nftables 或 iptables 的覆盖。但是,如前面的命令所示,它们每个上都没有配置任何内容。
编辑5:
在允许firewalld(但由于nft和iptables为空所以无法理解)并允许SELinux之后,我遇到了另一个问题:
rsyslog 创建的新文件具有 system_u:object_r:default_t:s0,而不是 system_u:object_r:var_log_t:s0。如何使创建的每个文件都具有此上下文?
你有什么想法?
答案1
您需要加载“omfwd”模块。也许整个规则集因为无法执行的操作而被丢弃?