03-Log 日志常见配置

03-Log 日志常见配置

自定义日志输出位置

如何重新配置sshd的配置文件？

1、 在A(192.168.200.137)中修改/etc/ssh/sshd_config文件

[root@husa ssh]# pwd
/etc/ssh
[root@husa ssh]# vim sshd_config
#SyslogFacility AUTHPRIV
SyslogFacility local5

这里的local*是rsyslog没有定义的facility，因此可以作为自由配置的一个方法

2、 A(192.168.200.137)的/etc/rsyslog.conf文件中添加一个RULES

[root@husa etc]# pwd
/etc
[root@husa etc]# vim rsyslog.conf
# Save sshd logs in /root/sshdlog
local5.*                                                /root/sshdlog

3、 重载sshd和rsyslog服务

[root@husa ssh]# systemctl reload sshd
[root@husa ssh]# systemctl restart rsyslog.service

4、 B(192.168.200.143)ssh远程连接A主机

[root@husa ~]# ssh root@192.168.200.137
root@192.168.200.137's password:
Last login: Mon Jan 18 19:06:32 2016 from 192.168.200.1
[root@husa ~]# ifconfig
eno33554984: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 192.168.200.137  netmask 255.255.255.0  broadcast 192.168.200.255
inet6 fe80::20c:29ff:fe4d:a05a  prefixlen 64  scopeid 0x20<link>
ether 00:0c:29:4d:a0:5a  txqueuelen 1000  (Ethernet)
RX packets 186607  bytes 71005052 (67.7 MiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 159813  bytes 140751238 (134.2 MiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

5、 查看A的/root/sshdlog内容

[root@husa ~]# ls
99.sh            grub.bak              php-5.4.40.tar.bz2                  service.sh  wordpress-4.4.1.tar.gz
anaconda-ks.cfg  latest.tar.gz         phpMyAdmin-4.0.5-all-languages      show.sh
a.sh             linux-3.10.67.tar.xz  phpMyAdmin-4.0.5-all-languages.zip  sshdlog
[root@husa ~]# less sshdlog
Jan 19 09:07:51 husa sshd[125986]: Accepted password for root from 192.168.200.143 port 45141 ssh2

配置rsyslog网络服务器

1、 在A(192.168.200.137)修改配置文件/etc/rsyslog.conf

表示把原有的messages转发到B(192.168.200.143)

*.info;mail.none;authpriv.none;cron.none                @192.168.200.143

2、 在B(192.168.200.143)修改配置文件/etc/rsyslog.conf

表示打开UDP接收服务

[root@husa etc]# vim rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

3、 A、B都重启rsyslog服务

B

[root@husa etc]# systemctl restart rsyslog.service

A

[root@husa etc]# systemctl restart rsyslog.service

4、 A主机使用yum命令安装一个程序zsh

[root@husa etc]# yum remove zsh
--> 正在检查事务
---> 软件包 zsh.x86_64.0.5.0.2-7.el7 将被 删除
--> 解决依赖关系完成
依赖关系解决
========================================================================================================================
Package                架构                      版本                              源                             大小
========================================================================================================================
正在删除:
zsh                    x86_64                    5.0.2-7.el7                       @classRoom                    5.6 M

事务概要
========================================================================================================================

删除:
zsh.x86_64 0:5.0.2-7.el7

5、 B主机查看/var/log/messages文件

[root@husa etc]# tail /var/log/messages
Jan 19 09:20:01 husa systemd: Started Session 254 of user root.
Jan 19 09:20:49 husa systemd: Stopping System Logging Service...
Jan 19 09:20:49 husa systemd: Starting System Logging Service...
Jan 19 09:20:50 husa systemd: Started System Logging Service.
Jan 19 09:21:00 husa rsyslogd: [origin software="
abc3
rsyslogd" swVersion="7.4.7" x-pid="126178" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jan 19 09:21:00 husa rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="126186" x-info="http://www.rsyslog.com"] start
Jan 19 09:21:00 husa systemd: Stopping System Logging Service...
Jan 19 09:21:00 husa systemd: Starting System Logging Service...
Jan 19 09:21:00 husa systemd: Started System Logging Service.
Jan 19 09:22:16 husa yum[126192]: Erased: zsh-5.0.2-7.el7.x86_64

可以发现B主机出现了一条删除zsh包的记录