
Building a container that receives syslog

Posted at 2023-07-05

Purpose

I needed to exchange syslog messages, and wanted a setup that can be stood up quickly in a container.

Environment

Ubuntu 22.04

Setup

Sender side

rsyslog.conf

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#$PrivDropToUser syslog
#$PrivDropToGroup syslog

$PrivDropToUser root
$PrivDropToGroup root


#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


*.* @@172.24.20.17:514

Starting rsyslog

systemctl start rsyslog
systemctl status rsyslog

On the sender side, only the last line of rsyslog.conf (the forwarding rule) needs to be added.

Receiver side

docker-compose.yml

version: '3'
services:
  rsyslog-rx:
    build: .
    container_name: rsyslog-rx
    ports:
      - 514:514
    volumes:
      - ./syslog/log/:/var/log/
    privileged: true

Dockerfile

FROM shomaigu/ubuntu-base:latest
RUN apt -y install rsyslog
ADD ./rsyslog.conf /etc/rsyslog.conf

RUN touch /var/log/syslog
RUN chmod 777 /var/log/syslog

ENTRYPOINT ["/usr/sbin/rsyslogd", "-n", "-iNONE"]

rsyslog.conf

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#$PrivDropToUser syslog
#$PrivDropToGroup syslog

$PrivDropToUser root
$PrivDropToGroup root



#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

As shown above, to listen on TCP the receiver needs the following two lines (the UDP equivalents are left commented out):

module(load="imtcp")
input(type="imtcp" port="514")
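To make the sender and receiver roles above concrete, here is an added example (not code from the article): a loopback RFC 3164 syslog exchange over TCP. The sender side plays the part of the `*.* @@172.24.20.17:514` rule (`@@` means TCP, one LF-terminated record per message); the receiver side plays the part of `imtcp` and writes lines in the `RSYSLOG_TraditionalFileFormat` shape that the collected output below has. It binds 127.0.0.1 on an ephemeral port instead of 514 so it runs offline without root; the message contents, host name and tags are constructed, and the facility and severity tables are the standard RFC 3164 codes.

```python
"""
Added example: RFC 3164 syslog over TCP, sender and receiver on loopback.
The sender mimics rsyslog's '*.* @@host:514' forwarding (LF framing), the
receiver mimics imtcp writing RSYSLOG_TraditionalFileFormat lines.
All sample messages are constructed.
"""
import re
import socket
import threading

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

# <PRI>TIMESTAMP HOST CONTENT, where TIMESTAMP is "Mmm dd hh:mm:ss" with a space-padded day
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def build_message(facility, severity, timestamp, host, tag, msg):
    """Sender side: PRI = facility*8 + severity, record terminated by LF for TCP."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility/severity out of range")
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {host} {tag}: {msg}\n".encode()


def parse_message(line):
    """Receiver side: split one raw record into fields; reject a malformed PRI."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 record: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # 23*8 + 7 is the largest legal PRI value
        raise ValueError(f"invalid PRI {pri}")
    return {
        "facility": FACILITIES.get(pri // 8, f"facility{pri // 8}"),
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group(2),
        "host": m.group(3),
        "content": m.group(4),
    }


def to_traditional(rec):
    """Format like RSYSLOG_TraditionalFileFormat: 'TIMESTAMP HOST CONTENT'."""
    return f"{rec['timestamp']} {rec['host']} {rec['content']}"


def run_exchange(messages):
    """Start a loopback receiver, forward the messages over one TCP connection,
    and return the lines the receiver would have appended to /var/log/syslog."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # ephemeral port instead of 514, so no root needed
    server.listen(1)
    port = server.getsockname()[1]
    written = []

    def receiver():
        conn, _peer = server.accept()
        with conn:
            buf = b""
            while chunk := conn.recv(4096):  # a record may be split across TCP segments
                buf += chunk
        for raw in buf.split(b"\n"):  # LF framing, the default omfwd uses for @@
            if raw:
                written.append(to_traditional(parse_message(raw.decode("utf-8", "replace"))))

    worker = threading.Thread(target=receiver)
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        for m in messages:
            client.sendall(m)
    worker.join()
    server.close()
    return written


if __name__ == "__main__":
    # Constructed records shaped like the lines the article collected.
    sample = [
        build_message(3, 6, "Jul  5 05:56:31", "ubuntu-16", "unbound",
                      "[370068:0] info: 127.0.0.1 node-expoter. AAAA IN"),
        build_message(16, 4, "Jul  5 05:57:03", "ubuntu-16", "myapp[1234]",
                      "constructed test message"),
    ]
    for line in run_exchange(sample):
        print(line)
```

Two points the exchange makes visible: the traditional file format drops the PRI, the year and the timezone, so a receiver that aggregates from several hosts should prefer the high-precision template (comment out `$ActionFileDefaultTemplate`) if timestamps need to be correlated; and plain TCP syslog carries no authentication, so the receiver's port 514 should be reachable only from the expected senders.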

Collected results

$ cat /var/log/syslog

Jul  5 05:56:31 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 node-expoter. AAAA IN
Jul  5 05:56:46 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 node-expoter. AAAA IN
Jul  5 05:56:46 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 node-expoter. A IN
Jul  5 05:57:01 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 node-expoter. AAAA IN
Jul  5 05:57:01 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 node-expoter. A IN
Jul  5 05:57:03 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 derp7b.tailscale.com. A IN
Jul  5 05:57:03 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 derp7b.tailscale.com. AAAA IN
Jul  5 05:57:16 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 node-expoter. A IN
Jul  5 05:57:16 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 node-expoter. AAAA IN
Jul  5 05:57:31 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 node-expoter. AAAA IN
Jul  5 05:57:31 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 node-expoter. A IN
Jul  5 05:57:46 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 node-expoter. AAAA IN
Jul  5 05:57:46 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 node-expoter. A IN
Jul  5 05:58:01 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 node-expoter. AAAA IN
Jul  5 05:58:01 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 node-expoter. A IN
Jul  5 05:58:16 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 node-expoter. A IN
Jul  5 05:58:16 ubuntu-16 unbound: [370068:0] info: 127.0.0.1 node-expoter. AAAA IN