rsyslog server 配置
1.环境约定
系统版本 | 软件版本 | ip |
---|---|---|
ubuntu 16.04 LTS | 8.16.0-1ubuntu3 | 192.168.56.101 |
2.rsyslog_server 配置接收到的 log 的存放位置
/etc/rsyslog.d/50-default.conf
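# add: define logfiles
# Dynamic file per sender: <fromhost>_<ip>/log_<app-name>_<date>.log under
# /var/log/remote_log. %app-name% comes from the received message and
# %fromhost% from name resolution, i.e. both are sender-influenced; the
# secpath-replace option rewrites any "/" in them to "_" so a crafted value
# cannot steer the file outside remote_log. Legacy template syntax needs the
# leading "$" (missing on the original line).
$template Remote,"/var/log/remote_log/%fromhost:::secpath-replace%_%fromhost-ip%/log_%app-name:::secpath-replace%_%$YEAR%-%$MONTH%-%$DAY%.log"
# Log all messages to the dynamically formed file.
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
# "~" (discard) is deprecated in rsyslog 8; "stop" ends processing of the
# message matched above so it is not also written to the local log files.
& stop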
3.rsyslog_server 配置监听端口和协议，以及允许哪些 ip 来传送 log
/etc/rsyslog.conf
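# Sender allow-list: legacy $AllowedSender directive, one per transport,
# entries comma-separated (the original line had no "$", no transport keyword
# and mixed comma/space separators, so rsyslog would not apply it as written).
# Kept ahead of the input() lines so it covers the listeners started below —
# NOTE(review): confirm placement rules against the rsyslog 8.16 docs.
# NOTE(review): the server on this page is 192.168.56.101; a client in
# 192.168.56.0/24 is not covered by these networks — confirm the intended list.
# This is an in-process filter; messages from other hosts are dropped silently,
# so pair it with host firewall rules on 514/udp and 514/tcp.
$AllowedSender UDP, 127.0.0.1, 10.0.16.0/21, 192.168.0.0/24
$AllowedSender TCP, 127.0.0.1, 10.0.16.0/21, 192.168.0.0/24
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
# Enable non-kernel facility klog messages (legacy directive, needs the "$";
# it belongs to imklog, which is not loaded in this snippet — presumably
# loaded elsewhere in rsyslog.conf, verify).
$KLogPermitNonKernelFacility on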
# rsyslog 客户端配置
配置logserver
vim /etc/rsyslog.d/log_server.conf # new file; "@@" forwards over TCP, "@" over UDP
# Forward every facility and severity to the log server over plain TCP (no TLS
# is configured on this page); the server listens on port 514, the default.
*.* @@192.168.56.101
审计
一、编辑/etc/profile
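# Per-session bash history audit trail, sourced from /etc/profile.
# Each command is appended via PROMPT_COMMAND to a per-user, per-source-IP,
# per-login file under $HISTDIR; every line carries a timestamp, the
# originating user (through sudo) and the shell PID.
# NOTE(review): the imfile input on this page reads
# /var/log/.bash_history/*history*, while HISTDIR below is /usr/share/.history —
# confirm the two paths agree, otherwise nothing is shipped.
# Limitation: a user can unset PROMPT_COMMAND or edit their own history file,
# so treat this as a convenience log rather than a tamper-proof audit source.
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
HISTDIR=/usr/share/.history
# Local (non-remote) logins have no "(ip)" column; fall back to the hostname.
if [ -z "$USER_IP" ]; then
    USER_IP=$(hostname)
fi
if [ ! -d "$HISTDIR" ]; then
    mkdir -p "$HISTDIR"
    # 1777 (sticky bit) instead of 777: every user may create files here, but
    # only the file owner (or root) can delete or rename another user's file.
    chmod 1777 "$HISTDIR"
fi
export HISTSIZE=9999
DT=$(date +%Y%m%d_%H%M%S)
export HISTFILE="$HISTDIR/${LOGNAME}.${USER_IP}.history.$DT"
# Original login user: SUDO_USER under sudo, otherwise the user shown in
# parentheses before the current user in the pstree output of this shell.
# BRE groups need \( \) and the back-reference \1; those backslashes were
# missing on the original line, so the expression never matched.
original_user=${SUDO_USER:-$(pstree -Alsu "$$" | sed -n "s/.*(\([^)]*\)).*($USER)[^(]*$/\1/p")}
export HISTTIMEFORMAT="|normal|%F %T|${original_user:-$USER}|$$|"
# Typos fixed: %HISTDIR -> $HISTDIR, histroy -> history. Files stay 644, i.e.
# world-readable; tighten if other users must not read each other's history.
chmod 644 "$HISTDIR"/"${LOGNAME}".*.history* 2>/dev/null
# Append the most recent command to HISTFILE after every prompt.
export PROMPT_COMMAND='builtin history 1 >> $HISTFILE'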
二、编辑/etc/rsyslog.d/bash_log.conf
# Ship the bash history audit files via imfile so the client's "*.*" forwarding
# rule sends them to the log server.
# NOTE(review): PollingInterval only applies in polling mode, and wildcard File
# patterns in rsyslog 8 rely on inotify mode — confirm the mode used by 8.16.
module(load="imfile" PollingInterval="1")
# NOTE(review): the /etc/profile snippet on this page writes history files to
# /usr/share/.history, not /var/log/.bash_history — confirm the intended path.
# Tag presumably ends up as the message's app-name, which the server template
# on this page embeds in the destination file name — verify.
# deleteStateOnFileDelete drops imfile's per-file state when a watched file
# is removed; history files on this page are created per login.
input(type="imfile" File="/var/log/.bash_history/*history*"
Tag="bash-log"
Facility="local7"
Severity="debug"
deleteStateOnFileDelete="on"
)