14、配置系统日志
环境:
1、RHEL6.4Server
2、RHEL6.4client
1、配置基于TLS的日志加密
1)查看日志服务状态
1
2[root@lz ~]# service rsyslog status rsyslogd (pid 2684) is running...
2)查看/etc/rsyslog.conf配置文件
2、关于日志
系统日志由syslogd提供
日志文件示例
/var/log/dmesg---内核引导信息和硬件信息
/var/log/messages---标准系统出错信息
/var/log/maillog---邮件系统信息
/var/log/secure---安全、认证和xinetd信息
应用程序日志文件和目录也保存在/var/log/messages
3、解析rsyslog.conf配置文件
1
2
3
4
5
6[root@lz ~]# sed -e '/^#/d' /etc/rsyslog.conf $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imklog # provides kernel logging support (previously done by rklogd) $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $IncludeConfig /etc/rsyslog.d/*.conf *.info;mail.none;authpriv.none;cron.none /var/log/messages
1
2
3
4
5
6
7---以上第一个*代表日志的分门别类,将系统级别最低的写入日志、邮件相关除外、安全相关除外、计划任务相关除外 authpriv.* /var/log/secure ---安全相关内容的所有等级记录到secure日志中 mail.* -/var/log/maillog ---邮件相关内容的所有等级都记录到maillog日志中 cron.* /var/log/cron ---计划任务相关内容的所有等级都记录到cron日志中
4、日志等级
信息等级符号
"." 表示后面还要高的等级(包括该等级)都记录
".="所需要的等级就是等号后面的等级,其他不要
".!"除了该等级,其他等级都记录下来
信息记录的文件名或配置或主机
/var/log
/var/lp0
@abc.com
"*"(当前在线的所有人)
*.*@@remote-host:514两个@@代表tcp,一个@代表udp
5、安装rsyslog加密包(SERVER和CLIENT都需要安装)
1
2[root@lz ~]# yum install rsyslog-gnutls [root@lznode1 ~]# yum install rsyslog-gnutls
6、查询包是否加载模块
1
2[root@lz ~]# rpm -ql rsyslog-gnutls /lib64/rsyslog/lmnsd_gtls.so
7、查询加密方式的端口号
1
2
3[root@lz ~]# semanage port -l | grep syslog syslogd_port_t tcp 6514 syslogd_port_t udp 514, 6514
8、添加加密方式的端口号
1[root@lz ~]# semanage port -a -t syslogd_port_t -p tcp 6514
9、安装CA签名证书包
1[root@lz ~]# yum -y install gnutls-utils
10、配置日志加密服务
1
2cd /usr/share/doc/rsyslog/ firefoxrsyslog_tls.html&
1)配置CA目录
1
2[root@lz ~]# mkdir -p /etc/sys-key [root@lz ~]# cd /etc/sys-key
2)创建CA私钥
1
2[root@lz sys-key]# certtool?--generate-privkey?--outfile?ca-key.pem Generating?a?2048?bit?RSA?private?key...
3)配置自签发证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46[root@lz sys-key]# certtool?--generate-self-signed?--load-privkey?ca-key.pem?--outfile?ca.pem Generating?a?self?signed?certificate... Please enter the details of the certificate's distinguished name. Just press enter to ignore a field. Country name (2 chars): CN Organization name: RT Organizational unit name: ES Locality name: BJ State or province name: HD Common name: UID: This field should not be used in new certificates. E-mail: Enter the certificate's serial number in decimal (default: 1453816763): Activation/Expiration?time. The certificate will expire in (days): 365 Extensions. Does the certificate belong to an authority? (y/N): Y Path length constraint (decimal, -1 for no constraint): Is this a TLS web client certificate? (y/N): Is this also a TLS web server certificate? (y/N): Enter the e-mail of the subject of the certificate: Will the certificate be used to sign other certificates? (y/N): Will the certificate be used to sign CRLs? (y/N): Will the certificate be used to sign code? (y/N): Will the certificate be used to sign OCSP requests? (y/N): Will the certificate be used for time stamping? (y/N): Enter the URI of the CRL distribution point: X.509 Certificate Information: Version: 3 Serial Number (hex): 56a77bbb Validity: Not?Before:?Tue?Jan?26?13:59:24?UTC?2016 Not?After:?Wed?Jan?25?13:59:34?UTC?2017 Subject:?C=CN,O=RT,OU=ES,L=BJ,ST=HD Subject?Public?Key?Algorithm:?RSA Modulus?(bits?2048): e9:be:2a:bd:dd:4c:79:ef:4d:97:2d:b3:1e:e7:fb:96 a4:ee:19:61:e2:62:68:5b:b0:53:03:4c:48:7a:ee:fe 。。。。。。。 。。。。。。。 。。。。。。。 。。。。。 。。。。。。 Is?the?above?information?ok??(Y/N):?y
4)创建SERVER端私钥---申请证书文件
1
2[root@lz sys-key]# certtool?--generate-privkey?--outfile?teacherskey.pem Generating a 2048 bit RSA private key...
5)创建待签名CA证书---公钥
1
2
3
4
5[root@lz sys-key]# certtool --generate-request --load-privkey teacherskey.pem --outfile teachers-csr.pem Generating?a?PKCS?#10?certificate?request... ..... .... ...
6)删除没用的证书申请文件
1[root@lz sys-key]# rm -rf request-csr.pem
7)创建服务器的配置文件
1
2
3
4
5
6
7
8
9
10
11
12[root@lz sys-key]# vim /etc/rsyslog.d/server.conf #?make?gtls?driver?the?default $DefaultNetstreamDriver?gtls # certificate files $DefaultNetstreamDriverCAFile /etc/syskey/ca.pem $DefaultNetstreamDriverCertFile /etc/sys-key/teachers-crt.pem $DefaultNetstreamDriverKeyFile /etc/sys-key/teacherskey.pem $ModLoad?imtcp?#?load?TCP?listener $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode $InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated $InputTCPServerRun 6514 # start up listener at port 10514
8)重启SERVER端服务
1
2
3[root@lz sys-key]# service rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ]
9)查看配置是否有监听
1[root@lz sys-key]# netstat?-tupl|grep?rsyslog
11、配置CLIENT端
1)配置客户端CA
1
2
3
4
5
6
7
8[root@lznode1 ~]# vim /etc/rsyslog.d/client.conf # certificate files - just CA for a client $DefaultNetstreamDriverCAFile /etc/sys-key/ca.pem # set up the action $DefaultNetstreamDriver gtls # use gtls netstream driver $ActionSendStreamDriverMode 1 # require TLS for the connection $ActionSendStreamDriverAuthMode anon # server is NOT authenticated *.* @@(o)teachers.example.com:6514 # send (all) messages
2)创建CA公钥的目录和文件
1
2
3
4
5[root@lznode1 ~]# mkdir -p /etc/sys-key [root@lznode1 ~]#scp -p root@192.168.100.131:/etc/sys-key/ca.pem /etc/sys-key/ root@192.168.100.131 's password: [root@lznode1 ~]#ls /etc/sys-key/
3)重启客户端日志服务
1[root@lznode1 ~]#service rsyslog restart
4)发送日志到远程服务器 --测试
1
2[root@lznode1 ~]#logger test tls log [root@lz ~]# tail -f /var/log/messages
5)如果将客户端上的日志丢弃配置/etc/rsyslog.conf
关闭防火墙!!
配置不加密的日志服务器
客户端:vim /etc/rsyslog.conf
添加如下:
*.* @@192.168.200.128:514
重启服务:service rsyslog restart
服务器端:vim /etc/rsyslog.conf
启用TCP
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
添加:
:fromhost,isequal,"192.168.200.129" /var/log/node1
:fromhost,isequal,"192.168.200.129" ~ 此举使得来自远端的日志信息仅记录的指定文件,并不记录在本地原装目录
重启服务:service rsyslog restart
转载于:https://blog.51cto.com/lz001/1825972
最后
以上就是怡然黑夜最近收集整理的关于RH413日志服务器篇的全部内容,更多相关RH413日志服务器篇内容请搜索靠谱客的其他文章。
发表评论 取消回复