rsyslog - qual host está enviando esses arquivos?

2

Estou trabalhando em uma instalação pré-existente do rsyslog. Não tenho certeza de quais hosts remotos estão enviando arquivos de log para o servidor. Algumas das pastas têm nomes inúteis como 'last', 'Server', 'syslogd' e 'exiting'. Como faço para rastrear de onde eles vêm (por exemplo, arquivos de log úteis, etc.)?

/etc/rsyslog.conf:

#  Default rules for rsyslog.
#
#           For more information see rsyslog.conf(5) and /etc/rsyslog.conf

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none      -/var/log/syslog
#cron.*             /var/log/cron.log
#daemon.*           -/var/log/daemon.log
kern.*              -/var/log/kern.log
#lpr.*              -/var/log/lpr.log
mail.*              -/var/log/mail.log
#user.*             -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info          -/var/log/mail.info
#mail.warn          -/var/log/mail.warn
mail.err            /var/log/mail.err

#
# Logging for INN news system.
#
news.crit           /var/log/news/news.crit
news.err            /var/log/news/news.err
news.notice         -/var/log/news/news.notice

#
# Some "catch-all" log files.
#
#*.=debug;\
#   auth,authpriv.none;\
#   news.none;mail.none -/var/log/debug
#*.=info;*.=notice;*.=warn;\
#   auth,authpriv.none;\
#   cron,daemon.none;\
#   mail,news.none      -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                                :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#   news.=crit;news.=err;news.=notice;\
#   *.=debug;*.=info;\
#   *.=notice;*.=warn   /dev/tty8

# The named pipe /dev/xconsole is for the 'xconsole' utility.  To use it,
# you must invoke 'xconsole' with the '-file' option:
# 
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
#daemon.*;mail.*;\
#   news.err;\
#   *.=debug;*.=info;\
#   *.=notice;*.=warn   |/dev/xconsole
ubuntu@rsyslog:/mnt/data/rsyslog/hosts/last/2013/12/31$ cat /etc/rsyslog.conf 
#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#           For more information see
#           /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

# Enable non-kernel facility klog messages
$KLogPermitNonKernelFacility on

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

/etc/rsyslog.d/60-remote.conf:

$WorkDirectory /mnt/data/rsyslog/queue # default location for work (spool) files
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ssl/XXXXX.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/ssl/XXXXXX.crt
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/ssl/XXXXXX.key
$ModLoad imudp
$ModLoad imtcp
$template syslog,"/var/rsyslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog
$template apacheError,"/var/rsyslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/apache-error.log
$template apacheAccess,"/var/rsyslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/apache-access.log
$template auth,"/var/rsyslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/auth.log
$template kern,"/var/rsyslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/kern.log
$template mail,"/var/rsyslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/mail.log
$template daemon,"/var/rsyslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/daemon.log
$RuleSet remote
$ActionQueueType LinkedList   # use asynchronous processing
$ActionQueueFileName logstash # set file name, also enables disk mode
$ActionResumeRetryCount -1    # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
$ActionQueueMaxFileSize 100m
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueDequeueSlowdown 0
$ActionQueueWorkerThreads 4
*.* @@logstash.anotherdomain.com
local7.* ?apacheError
& ~
local6.notice ?apacheAccess
& ~
auth,authpriv.* ?auth
& ~
kern.* ?kern
& ~
mail.* ?mail
& ~
daemon.* ?daemon
& ~
*.* ?syslog
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerBindRuleset remote
$InputTCPServerRun 1514
$InputUDPServerBindRuleset remote
$UDPServerRun 514
    
por David Welch 02.05.2016 / 17:16

2 respostas

0

Todo o encaminhamento em rsyslog.conf , o material que se parece com isso:

auth,authpriv.*         /var/log/auth.log

vai registrar arquivos sem um nome de host. O material em 60-remote.conf , que se parece com isso:

'auth,authpriv.* ?auth

está indo para os arquivos de log definidos pelos modelos como este:

$template auth,"/var/rsyslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/auth.log

Portanto, parece que existem dois sistemas diferentes, com muita sobreposição. O material em rsyslog.conf é o padrão, e o material em 60-remote.conf é outro sistema quase completo.

Pelo que entendi, os hosts enviam eventos, não arquivos. Cada evento de log nos arquivos pode ou não ter um nome de host logo após o registro de data e hora (na maioria das configurações padrão). Os eventos são colocados nos arquivos pelo daemon syslog local.

    
por 26.04.2017 / 21:08
0

Como o pacote syslog contém apenas o endereço IP, você pode usar host :

for h in  last Server syslogd exiting ; do
    host $h
done
    
por 03.05.2016 / 04:53

Tags