rsyslog and operation auditing

Posted by ZhangShun Blog on December 24, 2018

rsyslog server configuration

1. Environment

| OS version | rsyslog version | IP |
| --- | --- | --- |
| Ubuntu 16.04 LTS | 8.16.0-1ubuntu3 | 192.168.56.101 |

2. rsyslog server: where received logs are stored

/etc/rsyslog.d/50-default.conf

```
# add: define logfiles
# One file per sending host and application; the date in the name gives daily rotation.
$template Remote,"/var/log/remote_log/%fromhost%_%fromhost-ip%/log_%app-name%_%$YEAR%-%$MONTH%-%$DAY%.log"

# Log all messages that did not originate locally to the dynamically formed file,
# then discard them ("& ~" is the legacy form of "& stop") so they do not also
# land in the server's own /var/log files.
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
& ~
```

3. rsyslog server: listening ports and protocols, and which IPs may send logs

/etc/rsyslog.conf

```
# provides UDP syslog reception
module(load="imudp")
# provides TCP syslog reception
module(load="imtcp")
# Only accept messages from these senders (one list per transport). The legacy
# $AllowedSender directive has to be set before the listener is started, so it
# goes above the input() lines; messages from networks not listed here are refused.
$AllowedSender UDP, 127.0.0.1, 10.0.16.0/21, 192.168.0.0/24
$AllowedSender TCP, 127.0.0.1, 10.0.16.0/21, 192.168.0.0/24
input(type="imudp" port="514")
input(type="imtcp" port="514")
# Enable non-kernel facility klog messages
$KLogPermitNonKernelFacility on
```
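The sender list above is the one control that decides whether a client's messages are accepted at all, and a mismatch is easy to miss from the client side. The following POSIX-shell checker is an added example (not part of the original post) that tests candidate client addresses against the list exactly as rsyslog interprets it: bare addresses are single hosts, `NET/BITS` entries are networks. The client addresses in it are constructed; note that the list as written on this page (127.0.0.1, 10.0.16.0/21, 192.168.0.0/24) does not include the 192.168.56.0/24 lab network from the environment table, so a client on that network would be refused until its network is added.

```shell
#!/bin/sh
# Added example: check client IPs against rsyslog's $AllowedSender list
# before rollout. Not part of the original post.

# The allowed-sender list from the rsyslog.conf above (bare address = /32)
ALLOWED="127.0.0.1 10.0.16.0/21 192.168.0.0/24"

# ip_to_int A.B.C.D -> unsigned 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP NET[/BITS] -> exit 0 if IP lies inside the network
ip_in_cidr() {
    _net=${2%/*}
    _bits=${2#*/}
    [ "$_bits" = "$2" ] && _bits=32        # no "/": a single host
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# allowed_sender IP [LIST] -> exit 0 if any entry of LIST (default: ALLOWED) matches
allowed_sender() {
    _ip=$1
    for _entry in ${2:-$ALLOWED}; do
        ip_in_cidr "$_ip" "$_entry" && return 0
    done
    return 1
}

# Report each constructed client address against the list
main() {
    for _client in 10.0.20.5 192.168.0.9 192.168.56.102; do
        if allowed_sender "$_client"; then
            echo "$_client: accepted"
        else
            echo "$_client: REFUSED - add its network to \$AllowedSender"
        fi
    done
}
main
```

Run it on the server with the list copied from the live rsyslog.conf; every client that should be forwarding must print `accepted`, otherwise its messages will never reach the remote_log directory.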

rsyslog client configuration

Configure the log server

Create a new file /etc/rsyslog.d/log_server.conf; `@@` forwards over TCP, `@` over UDP:

```
# /etc/rsyslog.d/log_server.conf (new file): forward everything to the server over TCP
*.* @@192.168.56.101
```

Auditing

1. Edit /etc/profile

```bash
# Client address of the interactive session (empty on a local console)
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
# Must be the directory that the File= glob in /etc/rsyslog.d/bash_log.conf reads
HISTDIR=/var/log/.bash_history
if [ -z "$USER_IP" ]
then
    USER_IP=`hostname`
fi
if [ ! -d "$HISTDIR" ]
then
    mkdir -p "$HISTDIR"
    # World-writable so every login can create its own file; mode 1777 (sticky bit)
    # would additionally stop users from removing each other's history files.
    chmod 777 "$HISTDIR"
fi
export HISTSIZE=9999
DT=`date +%Y%m%d_%H%M%S`
# One history file per login: <user>.<client ip>.history.<timestamp>
export HISTFILE="$HISTDIR/${LOGNAME}.${USER_IP}.history.$DT"
# Who su'd to this user: SUDO_USER covers sudo, otherwise walk the process tree
# and take the last uid transition before the one that produced $USER.
original_user=${SUDO_USER:-$(pstree -Alsu "$$" | sed -n "s/.*(\([^)]*\)).*($USER)[^(]*$/\1/p")}
# Every history entry carries: |normal|date time|original user|shell pid|
export HISTTIMEFORMAT="|normal|%F %T|${original_user:-$USER}|$$|"
chmod 644 "$HISTDIR"/${LOGNAME}.*.history* 2>/dev/null
# Append the last command to HISTFILE after every prompt
export PROMPT_COMMAND='builtin history 1 >> $HISTFILE'
```

2. Edit /etc/rsyslog.d/bash_log.conf

```
# Tail every per-login history file and forward it as local7.debug with tag "bash-log".
# The wildcard in File= needs imfile's inotify mode (the default on Linux);
# PollingInterval only applies when imfile runs in polling mode.
module(load="imfile" PollingInterval="1")
input(type="imfile" File="/var/log/.bash_history/*history*"
      Tag="bash-log"
      Facility="local7"
      Severity="debug"
      deleteStateOnFileDelete="on"
      )
```
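What arrives at the server is one record per command, in the shape fixed by the HISTTIMEFORMAT above: a history index, then `|normal|date time|original user|shell pid|` and the command itself. Because the recording relies on the shell cooperating, the commands a reviewer most wants to spot are the ones that turn it off. The POSIX-shell script below is an added example (not from the original post) that parses such records and flags those commands; it accepts both the raw HISTFILE lines and the copies stored on the server, since it ignores everything before the first `|`. The sample records are constructed, and the syslog prefix on the last one assumes the server's default file template, which the page does not show.

```shell
#!/bin/sh
# Added example: parse bash audit records written with
# HISTTIMEFORMAT="|normal|%F %T|<original user>|<shell pid>|" and flag commands
# that disable or clear history recording. Not part of the original post.

# Constructed sample records (not captured from a real host). Records 1-3 are raw
# HISTFILE lines; record 4 is the same kind of line after rsyslog stored it on the
# server (prefix format assumed, it depends on the server's template).
SAMPLE='  501  |normal|2018-12-24 10:00:00|alice|4321|ls -la /etc
  502  |normal|2018-12-24 10:00:07|alice|4321|sudo tail /var/log/auth.log | grep Failed
  503  |normal|2018-12-24 10:01:30|alice|4321|unset HISTFILE
Dec 24 10:02:00 client1 bash-log  504  |normal|2018-12-24 10:02:00|bob|5100|history -c'

# parse_record LINE -> "timestamp<TAB>user<TAB>pid<TAB>command"
# The command is everything after the fifth "|", so pipes inside it are kept.
parse_record() {
    printf '%s\n' "$1" | awk -F'|' '{
        cmd = $6
        for (i = 7; i <= NF; i++) cmd = cmd "|" $i
        printf "%s\t%s\t%s\t%s\n", $3, $4, $5, cmd
    }'
}

# is_history_evasion COMMAND -> exit 0 if the command disables or clears recording
is_history_evasion() {
    printf '%s\n' "$1" | grep -Eq \
        '(^|[;&| ])(unset[[:space:]]+HIST|HISTFILE=|HISTSIZE=0|history[[:space:]]+-c|set[[:space:]]+[+]o[[:space:]]+history)'
}

# flag_evasion < records -> prints the parsed record for each flagged command
flag_evasion() {
    while IFS= read -r _line; do
        _rec=$(parse_record "$_line")
        _cmd=$(printf '%s\n' "$_rec" | cut -f4-)
        if is_history_evasion "$_cmd"; then
            printf '%s\n' "$_rec"
        fi
    done
}

# count_evasion -> number of flagged records in SAMPLE
count_evasion() {
    printf '%s\n' "$SAMPLE" | flag_evasion | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE" | flag_evasion
```

In production, feed `flag_evasion` the server's `log_bash-log_*.log` files instead of `SAMPLE`; a flagged record is the point after which that session's history can no longer be trusted, so the matching session (user, pid, client host) is the one to correlate against the sshd entries in the same remote_log directory.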