Rsyslog / CentOS 8 / 没有写日志|没有捕获?

Rsyslog / CentOS 8 / 没有写日志|没有捕获?

我在 CentOS 8(CentOS Linux 版本 8.1.1911)上使用 rsyslog(8.37.0-13),并且我的配置出现类型错误。

我的 rsyslog.conf 是:

module(load="imuxsock")
module(load="imjournal")
module(load="imtcp")
module(load="imudp")
global(workDirectory="/var/lib/rsyslog")
include(file="/etc/rsyslog.d/*.conf")
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

我的子配置是:

template(name="template1" type="string" string="/data/%HOSTNAME%-%FROMHOST-IP%.log")
ruleset(name="ruleset1"){
                action(type="omfile" dynaFile="template1")
                action(type="omfwd" protocol="tcp" target="10.10.10.1" port="2020")
}
input(type="imudp" port="2020" ruleset="ruleset1")

rsyslog 检查:

# rsyslogd -N1
rsyslogd: version 8.37.0-13.el8, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

我收到有关 UDP 2020 的日志:

02:56:22.363426 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 751
02:56:22.363434 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 878
02:56:22.363438 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 705
02:56:22.363443 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 695
02:56:22.363448 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 713
02:56:22.363454 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 627
02:56:22.363459 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 713
02:56:22.363466 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 626
02:56:22.363472 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 626
02:56:22.363509 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 861
02:56:22.363518 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 710
02:56:22.363523 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 622
02:56:22.363527 IP 10.10.10.15.40291 > 10.10.10.200.2020: UDP, length 626

但是我没有在 /data 文件夹中写入任何日志,也没有转发到 10.10.10.1_TCP2020 :

# pwd
/data/
# ls -Ral
.:
total 0
drw-r--r--. 2 root adm  6  5 mai   10:03 .
drw-r--r--. 5 root adm 50  5 mai   10:03 ..

]# tcpdump -i any tcp -nn port 2020
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
> Nothing

如果有疑问,我已经禁用 SELinux,但问题依然存在。

有人有什么想法可以解决这个问题吗?

谢谢

编辑 :

全部禁用 SELinux、重新启动并重新启动服务后就可以了。

现在,我搜索以允许 Selinux。我这样做:

# chcon -R --reference /var/log /data/
# chcon -R --reference /etc/rsyslog.conf /etc/rsyslog.d/
# systemctl restart rsyslog

没有变化...我重新启动,但没有变化

编辑2:

我检查了审计日志:

# sealert -a /var/log/audit/audit.log
100% done
found 0 alerts in /var/log/audit/audit.log

编辑3:

这种行为是随机的。重启后,我想到是 SELinux 的问题。但是,再次停用 SELinux 并重新启动后,它不再起作用。这很有趣,我不明白是什么原因造成的......

编辑4:

这是防火墙的问题...

# firewall-offline-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# nft list table filter
table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 0; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 0; policy accept;
        }
}
# nft list table security
table ip security {
        chain INPUT {
                type filter hook input priority 150; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority 150; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 150; policy accept;
        }
}
# nft list table raw
table ip raw {
        chain PREROUTING {
                type filter hook prerouting priority -300; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority -300; policy accept;
        }
}
# nft list table mangle
table ip mangle {
        chain PREROUTING {
                type filter hook prerouting priority -150; policy accept;
        }

        chain INPUT {
                type filter hook input priority -150; policy accept;
        }

        chain FORWARD {
                type filter hook forward priority -150; policy accept;
        }

        chain OUTPUT {
                type route hook output priority -150; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority -150; policy accept;
        }
}
# nft list table nat
table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority -100; policy accept;
        }

        chain INPUT {
                type nat hook input priority 100; policy accept;
        }

        chain POSTROUTING {
                type nat hook postrouting priority 100; policy accept;
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
        }
}
# nft list table bridge nat
table bridge nat {
        chain PREROUTING {
                type filter hook prerouting priority -300; policy accept;
        }

        chain OUTPUT {
                type filter hook output priority 100; policy accept;
        }

        chain POSTROUTING {
                type filter hook postrouting priority 300; policy accept;
        }
}

我很惊讶。对我来说,firewalld 是 nftables 或 iptables 的覆盖。但是,如前面的命令所示,它们每个上都没有配置任何内容。

编辑5:

在允许firewalld(但由于nft和iptables为空所以无法理解)并允许SELinux之后,我遇到了另一个问题:

rsyslog 创建的新文件具有 system_u:object_r:default_t:s0,而不是 system_u:object_r:var_log_t:s0。如何使创建的每个文件都具有此上下文?

你有什么想法?

答案1

您需要加载“omfwd”模块。也许整个规则集因为无法执行的操作而被丢弃?

相关内容