我已经成功设置了 rsyslog 以接受来自客户端服务器的 TLS 流量。当我最初配置证书和端口时,一切正常。问题是它将日志转储到与其他日志相同的日志文件 /var/log/messages 中。使用规则集我正在尝试将我的客户日志分离到他们自己的文件中。
# cat /etc/rsyslog.d/remote_client.conf
#### MODULES ####
$ModLoad imtcp
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$DefaultNetstreamDriver gtls
ruleset(name="alltcp"){
$AllowedSender TCP, 128.x.x.x, client-hosted.client-server.com
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/client-ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/client.crt.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/client.key.pem
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer 128.x.x.x
$ActionSendStreamDriverPermittedPeer *.client-server.com
$ActionSendStreamDriverMode 1 # run driver in TLS-only modei
*.* /var/log/all_client_logs.log # permissions are 755 on this file.
}
input(type="imtcp" port="6514" ruleset="alltcp")
我的 /etc/rsyslog.conf 文件是现成的:
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
SysSock.Use="off") # Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
module(load="imjournal" # provides access to the systemd journal
StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")
# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### sample forwarding rule ###
#action(type="omfwd"
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1" # unique name prefix for spool files
#queue.maxdiskspace="1g" # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on" # save messages to disk on shutdown
#queue.type="LinkedList" # run asynchronously
#action.resumeRetryCount="-1" # infinite retries if host is down
# Remote Logging (we use TCP for reliable delivery)
# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
#Target="remote_host" Port="XXX" Protocol="tcp")
这里的问题是,没有将任何内容写入文件。如果我删除规则集并将 TCP/TLS 规则放在 rsyslong.conf 中(并为端口 6514 设置 TCP 绑定),它将打印到 /var/log/messages。我在这个配置中缺少什么?
答案1
type
如果不建立服务器来测试您的特定配置,最明显的区别就是您的操作中没有设置。
使用 RHEL 8.6,我有一个非常小的测试配置,可以完成您所要求的操作。8.6 上的 rsyslog 版本是8.2102
。较新版本的 rsyslog 处理 TLS 的方式有所变化8.2106+
,因此如果您正在运行其中一个版本,我可以查看较新版本的 rsyslog:
[root@syslog opt]# cat /etc/rsyslog.conf
global(
DefaultNetstreamDriverCAFile="/etc/ipa/ca.crt"
DefaultNetstreamDriverCertFile="/etc/pki/tls/certs/syslog-server.crt"
DefaultNetstreamDriverKeyFile="/etc/pki/tls/private/syslog-server.key"
)
module(
load="imtcp"
PermittedPeer=["*.nix.turnerfarms.net"]
StreamDriver.AuthMode="x509/name"
StreamDriver.Mode="1"
StreamDriver.Name="gtls"
)
input(
type="imtcp"
port="6514"
ruleset="remote"
)
template(
name="rhel-hosts"
type="string"
string="/opt/%hostname%/syslog"
)
ruleset(name="remote") {
action(
type="omfile"
dynaFile="rhel-hosts"
)
}