Goal
- Configure an rsyslog server so that it accepts logs from external servers
Prerequisites
- For verification, use an Ubuntu Server 22.04 LTS instance started with Vagrant
- rsyslog was already running via systemd in the initial state, so no installation is performed
Check the process
$ ps aux | grep syslog
message+ 606 0.0 0.4 8868 4724 ? Ss 04:27 0:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
syslog 617 0.0 0.4 222400 4936 ? Ssl 04:27 0:00 /usr/sbin/rsyslogd -n -iNONE
vagrant 2568 0.0 0.2 6608 2268 pts/0 R+ 06:01 0:00 grep --color=auto syslog
$ systemctl status syslog
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-12-07 04:27:33 UTC; 1h 33min ago
TriggeredBy: ● syslog.socket
Docs: man:rsyslogd(8)
man:rsyslog.conf(5)
https://www.rsyslog.com/doc/
Main PID: 617 (rsyslogd)
Tasks: 4 (limit: 1029)
Memory: 2.9M
CPU: 158ms
CGroup: /system.slice/rsyslog.service
└─617 /usr/sbin/rsyslogd -n -iNONE
Dec 07 04:27:33 vagrant systemd[1]: Starting System Logging Service...
Dec 07 04:27:33 vagrant systemd[1]: Started System Logging Service.
Dec 07 04:27:33 vagrant rsyslogd[617]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2112.0]
Dec 07 04:27:33 vagrant rsyslogd[617]: rsyslogd's groupid changed to 113
Dec 07 04:27:33 vagrant rsyslogd[617]: rsyslogd's userid changed to 107
Dec 07 04:27:33 vagrant rsyslogd[617]: [origin software="rsyslogd" swVersion="8.2112.0" x-pid="617" x-info="https://www.rsyslog.com"] start
Check the configuration
$ cat /lib/systemd/system/rsyslog.service
[Unit]
Description=System Logging Service
Requires=syslog.socket
Documentation=man:rsyslogd(8)
Documentation=man:rsyslog.conf(5)
Documentation=https://www.rsyslog.com/doc/
[Service]
Type=notify
ExecStart=/usr/sbin/rsyslogd -n -iNONE
StandardOutput=null
Restart=on-failure
# Increase the default a bit in order to allow many simultaneous
# files to be monitored, we might need a lot of fds.
LimitNOFILE=16384
[Install]
WantedBy=multi-user.target
Alias=syslog.service
$ cat /etc/rsyslog.conf
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
$ cd /etc/rsyslog.d/
$ ls
20-ufw.conf 21-cloudinit.conf 50-default.conf
Other configuration files
$ cat 20-ufw.conf
# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " /var/log/ufw.log
# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
#& stop
$ cat 21-cloudinit.conf
# Log cloudinit generated log messages to file
:syslogtag, isequal, "[CLOUDINIT]" /var/log/cloud-init.log
# comment out the following line to allow CLOUDINIT messages through.
# Doing so means you'll also get CLOUDINIT messages in /var/log/syslog
& stop
$ cat 50-default.conf
# Default rules for rsyslog.
#
# For more information see rsyslog.conf(5) and /etc/rsyslog.conf
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info -/var/log/mail.info
#mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Some "catch-all" log files.
#
#*.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
#*.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
Check the logs
$ head /var/log/syslog
Dec 11 08:07:57 vagrant systemd[1]: Stopping Session 1 of User vagrant...
Dec 11 08:07:57 vagrant systemd[1]: Removed slice Slice /system/modprobe.
Dec 11 08:07:57 vagrant systemd[1]: Stopped target Cloud-init target.
Dec 11 08:07:57 vagrant systemd[1]: Stopped target Graphical Interface.
Dec 11 08:07:57 vagrant systemd[1]: Stopped target Host and Network Name Lookups.
Dec 11 08:07:57 vagrant systemd[1]: Stopped target Timer Units.
Dec 11 08:07:57 vagrant systemd[1]: dpkg-db-backup.timer: Deactivated successfully.
Dec 11 08:07:57 vagrant systemd[1]: Stopped Daily dpkg database backup timer.
Dec 11 08:07:57 vagrant systemd[1]: e2scrub_all.timer: Deactivated successfully.
Dec 11 08:07:57 vagrant systemd[1]: Stopped Periodic ext4 Online Metadata Check for All Filesystems.
Check the network
- Nothing is listening on UDP port 514, so the server is currently configured not to receive logs from outside
$ ss -nulp | grep 514
- The firewall (UFW) is also disabled
$ sudo ufw status
Status: inactive
Configure
- Listen on UDP port 514 and accept logs from external hosts
- Save logs that arrive from outside to /var/log/remote
$ cd /etc/rsyslog.d/
$ sudo vim 99-remote.conf
module(load="imudp")
input(type="imudp" port="514")
if $fromhost-ip != '127.0.0.1' and $fromhost-ip != 'localhost' then {
action(type="omfile" file="/var/log/remote")
stop
}
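The 99-remote.conf above writes every remote host's messages into a single file and tells local and remote traffic apart by testing $fromhost-ip. As an added example (not the configuration from the original post), the following variant binds the UDP input to its own ruleset, so only datagrams that arrived via imudp are processed by it, and splits the output into one file per sending address with a dynaFile template. The directory /var/log/remote/, the file suffix and the names RemoteByIP and remote are assumptions made for this example. %FROMHOST-IP% is filled from the UDP source address seen by the socket, not from the hostname field inside the message, which the sender writes itself.

```rsyslog
# Added example, not the configuration from the original post.
# Intended as a replacement for /etc/rsyslog.d/99-remote.conf (path as in the post).

module(load="imudp")

# Bind the UDP listener to a dedicated ruleset. Messages that arrive on this
# input are handled only by the "remote" ruleset, so no $fromhost-ip test is
# needed to keep local messages out and remote ones in, and remote messages
# never reach /var/log/syslog through the default ruleset.
input(type="imudp" port="514" ruleset="remote")

# One file per sender. FROMHOST-IP is the source address of the datagram as
# seen by the socket; the directory /var/log/remote/ is an assumption for
# this example and is created by omfile on first write.
template(name="RemoteByIP" type="string"
         string="/var/log/remote/%FROMHOST-IP%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteByIP")
}
```

After `sudo systemctl restart rsyslog`, a message sent from 192.168.56.20 (an address constructed for this note) lands in /var/log/remote/192.168.56.20.log. Because UDP syslog carries no sender authentication, the firewall rule used later in the post (`ufw allow 514/udp`, which permits any source) is better narrowed to the network the clients actually live on, for example `sudo ufw allow from 192.168.56.0/24 to any port 514 proto udp`; the subnet is an assumption about the lab network.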
- Enable UFW
- Allow external access to UDP port 514
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
$ sudo ufw allow 514/udp
Rules updated
Rules updated (v6)
Verify operation
- Restart the rsyslog server to apply the settings
$ sudo systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-12-07 20:11:45 UTC; 7s ago
TriggeredBy: ● syslog.socket
Docs: man:rsyslogd(8)
man:rsyslog.conf(5)
https://www.rsyslog.com/doc/
Main PID: 2929 (rsyslogd)
Tasks: 5 (limit: 1029)
Memory: 1.2M
CPU: 23ms
CGroup: /system.slice/rsyslog.service
└─2929 /usr/sbin/rsyslogd -n -iNONE
Dec 07 20:11:45 vagrant systemd[1]: Starting System Logging Service...
Dec 07 20:11:45 vagrant rsyslogd[2929]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2112.0]
- Confirm that the rsyslog server is listening on UDP port 514
$ ss -nulp | grep 514
UNCONN 0 0 0.0.0.0:514 0.0.0.0:*
UNCONN 0 0 [::]:514 [::]:*
- Confirm that UFW is configured to allow external access to UDP port 514
$ sudo ufw status
Status: active
To Action From
-- ------ ----
514/udp ALLOW Anywhere
514/udp (v6) ALLOW Anywhere (v6)
- Send a test log message from another machine
$ logger -p local0.notice -t test -n 192.168.56.10 "Test log message"
- Confirm that the message has been written to the log file specified earlier
$ head /var/log/remote
Dec 7 22:43:34 vagrant test Test log message