Centos 7 rsyslog 不记录远程消息
Centos 7 rsyslog not logging remote messages
我已经设置了一个远程 rsyslog 服务器用于测试,但我似乎无法让它从远程系统登录。我的桌面上有一个名为 "Syslog Test Message Utility 1.0" 的应用程序 (windows),它在 UDP 514 上发送测试系统日志消息。我看到该消息出现在我的 Centos 盒子上的端口 514 上(使用 Wireshark 接口)但没有对应的行如我所料出现在 /var/log/messages 中。
我已验证日志记录确实有效(例如记录器测试),但不是来自远程系统。这是我的 etc/rsyslog.conf 文件..
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
#$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
# ### end of the forwarding rule ###
并且我已验证主机正在按预期侦听端口 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 15273/rsyslogd
tcp6 0 0 :::514 :::* LISTEN 15273/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 15273/rsyslogd
udp6 0 0 :::514 :::* 15273/rsyslogd
我什至不确定接下来要查找什么。我似乎无法弄清楚为什么来自 Syslog 应用程序的消息没有在我的消息文件中创建日志条目。
事实证明,CentOS 7(我假设是 RHEL 7)除了 iptables 之外还有一个名为 firewalld 的防火墙。在我的开发环境中禁用此防火墙后,我能够成功地将系统日志记录到 514。
systemctl 禁用防火墙
systemctl 停止防火墙
systemctl 状态 firewalld
禁用防火墙确实有点矫枉过正,因为我确定您可以为 514 创建规则,但由于我的服务器在实验室中...在我的情况下这是可以接受的。
我已经设置了一个远程 rsyslog 服务器用于测试,但我似乎无法让它从远程系统登录。我的桌面上有一个名为 "Syslog Test Message Utility 1.0" 的应用程序 (windows),它在 UDP 514 上发送测试系统日志消息。我看到该消息出现在我的 Centos 盒子上的端口 514 上(使用 Wireshark 接口)但没有对应的行如我所料出现在 /var/log/messages 中。
我已验证日志记录确实有效(例如记录器测试),但不是来自远程系统。这是我的 etc/rsyslog.conf 文件..
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imklog # reads kernel messages (the same are read from journald)
$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
#$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
# ### end of the forwarding rule ###
并且我已验证主机正在按预期侦听端口 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 15273/rsyslogd
tcp6 0 0 :::514 :::* LISTEN 15273/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 15273/rsyslogd
udp6 0 0 :::514 :::* 15273/rsyslogd
我什至不确定接下来要查找什么。我似乎无法弄清楚为什么来自 Syslog 应用程序的消息没有在我的消息文件中创建日志条目。
事实证明,CentOS 7(我假设是 RHEL 7)除了 iptables 之外还有一个名为 firewalld 的防火墙。在我的开发环境中禁用此防火墙后,我能够成功地将系统日志记录到 514。
systemctl 禁用防火墙 systemctl 停止防火墙 systemctl 状态 firewalld
禁用防火墙确实有点矫枉过正,因为我确定您可以为 514 创建规则,但由于我的服务器在实验室中...在我的情况下这是可以接受的。