用于加密日志记录的 rsyslog 规则集

用于加密日志记录的 rsyslog 规则集

我已经成功设置了 rsyslog 以接受来自客户端服务器的 TLS 流量。当我最初配置证书和端口时,一切正常。问题是它将日志转储到与其他日志相同的日志文件 /var/log/messages 中。使用规则集我正在尝试将我的客户日志分离到他们自己的文件中。

# cat /etc/rsyslog.d/remote_client.conf

#### MODULES ####
$ModLoad imtcp

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$DefaultNetstreamDriver gtls


ruleset(name="alltcp"){
$AllowedSender TCP, 128.x.x.x, client-hosted.client-server.com

$DefaultNetstreamDriverCAFile /etc/pki/tls/private/client-ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/client.crt.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/client.key.pem

$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode

$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer 128.x.x.x
$ActionSendStreamDriverPermittedPeer *.client-server.com
$ActionSendStreamDriverMode 1 # run driver in TLS-only modei
    *.* /var/log/all_client_logs.log # permissions are 755 on this file.
}
input(type="imtcp" port="6514" ruleset="alltcp")

我的 /etc/rsyslog.conf 文件是现成的:

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
              # local messages are retrieved through imjournal now.
module(load="imjournal"         # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### sample forwarding rule ###
#action(type="omfwd"
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1"       # unique name prefix for spool files
#queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on"       # save messages to disk on shutdown
#queue.type="LinkedList"         # run asynchronously
#action.resumeRetryCount="-1"    # infinite retries if host is down
# Remote Logging (we use TCP for reliable delivery)
# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
#Target="remote_host" Port="XXX" Protocol="tcp")

这里的问题是,没有将任何内容写入文件。如果我删除规则集并将 TCP/TLS 规则放在 rsyslong.conf 中(并为端口 6514 设置 TCP 绑定),它将打印到 /var/log/messages。我在这个配置中缺少什么?

答案1

type如果不建立服务器来测试您的特定配置,最明显的区别就是您的操作中没有设置。

使用 RHEL 8.6,我有一个非常小的测试配置,可以完成您所要求的操作。8.6 上的 rsyslog 版本是8.2102。较新版本的 rsyslog 处理 TLS 的方式有所变化8.2106+,因此如果您正在运行其中一个版本,我可以查看较新版本的 rsyslog:

[root@syslog opt]# cat /etc/rsyslog.conf
global(
  DefaultNetstreamDriverCAFile="/etc/ipa/ca.crt"
  DefaultNetstreamDriverCertFile="/etc/pki/tls/certs/syslog-server.crt"
  DefaultNetstreamDriverKeyFile="/etc/pki/tls/private/syslog-server.key"
)

module(
  load="imtcp"
  PermittedPeer=["*.nix.turnerfarms.net"]
  StreamDriver.AuthMode="x509/name"
  StreamDriver.Mode="1"
  StreamDriver.Name="gtls"
)
input(
  type="imtcp"
  port="6514"
  ruleset="remote"
)
template(
  name="rhel-hosts"
  type="string"
  string="/opt/%hostname%/syslog"
)
ruleset(name="remote") {
  action(
    type="omfile"
    dynaFile="rhel-hosts"
  )
}

相关内容