These are the settings for sending syslog from a Cisco Catalyst to a syslog server built on an ECS instance (CentOS) in Alibaba Cloud.

# 1. Environment

Server: Alibaba Cloud, Guangzhou region, ECS ecs.s6-c1m1.small (CentOS 8.3 64bit)
Syslog middleware: rsyslogd 8.1911.0-7.el8_4.2 (aka 2019.11)
Cisco device: Catalyst 2960

rsyslogd comes installed by default on CentOS 8, so it is used as is.
# 2. Catalyst configuration

Excerpt of the syslog-server-related settings

```
(config)#                                                    / switch to global configuration mode
service timestamps log datetime msec localtime show-timezone / add timestamps to syslog messages
service sequence-numbers                                     / add sequence numbers to syslog messages
clock timezone JST 9                                         / time zone setting
ntp server x.x.x.x                                           / NTP server setting
logging host x.x.x.x                                         / syslog server setting
logging buffered 512000                                      / change the buffer size from 4096 bytes to 512000 bytes
logging trap informational                                   / of levels 0-7, send emergencies (0) through informational (6); 7 is debug
logging facility local5                                      / facility (choose among local0-local7 according to your own environment's rules)
(config-if)#interface range xx -xx                           / switch to interface mode
logging event link-status                                    / send interface link-state changes to syslog
(config-line)#line vty 0 4                                   / switch to line mode
logging synchronous                                          / reprint the prompt after a log message so log output does not break the line you are typing
```
# 3. Syslog server configuration

Excerpt of the syslog-server-related settings

Check the rsyslog version
```
[root@~]# rsyslogd -v
rsyslogd 8.1911.0-7.el8_4.2 (aka 2019.11) compiled with:
        PLATFORM:                               x86_64-redhat-linux-gnu
        PLATFORM (lsb_release -d):
        FEATURE_REGEXP:                         Yes
        GSSAPI Kerberos 5 support:              Yes
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:      Yes
        64bit Atomic operations supported:      Yes
        memory allocator:                       system default
        Runtime Instrumentation (slow code):    No
        uuid support:                           Yes
        systemd support:                        Yes
        Config file:                            /etc/rsyslog.conf
        PID file:                               /var/run/rsyslogd.pid
        Number of Bits in RainerScript integers: 64
```
Check that rsyslog is running
```
[root@ ~]# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2021-07-19 18:11:46 CST; 2 days ago
     Docs: man:rsyslogd(8)
           https://www.rsyslog.com/doc/
 Main PID: 52188 (rsyslogd)
    Tasks: 9 (limit: 4647)
   Memory: 2.9M
   CGroup: /system.slice/rsyslog.service
           └─52188 /usr/sbin/rsyslogd -n
```
Edit /etc/rsyslog.conf
```
[root@ ~]# more /etc/rsyslog.conf
# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"             # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once   (uncommented)
input(type="imudp" port="514")                       # uncommented: enable UDP 514

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once   (uncommented)
input(type="imtcp" port="514")                       # uncommented: enable TCP 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;local5.none    /var/log/messages
# "local5.none" appended so that facility local5, the one chosen in the switch's
# syslog settings, is not also written to /var/log/messages
local5.*                                                /var/log/hosts/test.log
# syslog from facility local5 (the one chosen in the switch's syslog settings)
# is saved to /var/log/hosts/test.log

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# AllowedSender
#AllowedSender TCP,
#AllowedSender UDP,

# ### sample forwarding rule ###
```
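Added example (Python, not part of the original post): the arithmetic behind `logging facility local5` and `logging trap informational` on the Catalyst, and the selector logic of the RULES section above, to show why `local5.none` has to be appended to the `*.info` line. It implements only the classic `facility.level` and `facility.none` selector forms used on this page; the `=` and `!` modifiers are left out. The `RULES` table is a transcription of the rsyslog.conf rules shown above.

```python
# Added example (not from the original post): the numbers behind
# "logging facility local5" / "logging trap informational" on the Catalyst
# and the selector lines in the RULES section of /etc/rsyslog.conf.
# Only the classic "facility.level" and "facility.none" selector forms used
# on this page are implemented; the "=" and "!" modifiers are not.
from typing import Dict, List, Optional, Tuple

# Facility codes (RFC 3164 / rsyslog). Codes 12-15 are rarely used and omitted.
FACILITY_NAMES: Dict[int, str] = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
FACILITY_CODES = {name: code for code, name in FACILITY_NAMES.items()}

# Severity numbers are identical on IOS (emergencies=0 ... debugging=7)
# and in rsyslog selectors (emerg=0 ... debug=7).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_CODES = {name: code for code, name in enumerate(SEVERITY_NAMES)}
SEVERITY_CODES.update({"panic": 0, "error": 3, "warn": 4})  # spellings rsyslog also accepts


def pri(facility: str, severity: str) -> int:
    """PRI value sent in the <NNN> prefix of a syslog packet: facility*8 + severity."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def decode_pri(value: int) -> Tuple[str, str]:
    """Inverse of pri(): the <NNN> prefix back to (facility, severity)."""
    return FACILITY_NAMES[value // 8], SEVERITY_NAMES[value % 8]


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Evaluate a sysklogd-style selector such as
    "*.info;mail.none;authpriv.none;cron.none;local5.none".
    The ';'-separated parts are applied left to right and a later part
    overrides earlier ones for the facilities it names, which is why
    appending local5.none removes local5 from the *.info catch-all."""
    # facility code -> highest severity number still logged (None = nothing)
    table: Dict[int, Optional[int]] = {}
    for part in selector.split(";"):
        fac_list, level = part.strip().rsplit(".", 1)
        if fac_list == "*":
            codes = list(FACILITY_NAMES)
        else:
            codes = [FACILITY_CODES[f.strip()] for f in fac_list.split(",")]
        if level == "none":
            threshold: Optional[int] = None
        elif level == "*":
            threshold = 7                         # every severity, debug included
        else:
            threshold = SEVERITY_CODES[level]     # this severity and anything more urgent
        for code in codes:
            table[code] = threshold
    threshold = table.get(FACILITY_CODES[facility])
    return threshold is not None and SEVERITY_CODES[severity] <= threshold


# The RULES lines from the /etc/rsyslog.conf shown on this page.
RULES: List[Tuple[str, str]] = [
    ("*.info;mail.none;authpriv.none;cron.none;local5.none", "/var/log/messages"),
    ("local5.*", "/var/log/hosts/test.log"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", ":omusrmsg:*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
]


def route(facility: str, severity: str, rules=RULES) -> List[str]:
    """Every target a message is written to; rsyslog evaluates all rules,
    not just the first match."""
    return [target for selector, target in rules
            if selector_matches(selector, facility, severity)]


if __name__ == "__main__":
    # %LINK-3-UPDOWN from the switch arrives as local5.err, i.e. PRI 171
    print(pri("local5", "err"), route("local5", "err"))
    # without the appended local5.none the same message would also land in /var/log/messages
    no_exclusion = [(s.replace(";local5.none", ""), t) for s, t in RULES]
    print(route("local5", "err", no_exclusion))
```

The selectors only decide where rsyslog writes a message once it has arrived; the packets still have to reach UDP/TCP 514 on the ECS instance, so the security group and the host firewall must allow them from the switch's address first.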
Validate the config and confirm that no errors are reported
```
[root@ ~]# rsyslogd -N 1
rsyslogd: version 8.1911.0-7.el8_4.2, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
```
Restart rsyslog so that the config is loaded
```
[root@ ~]# systemctl restart rsyslog
[root@ ~]#
```
Confirm that the syslog received from the switch is being saved to the text file in the specified directory
```
[root@ ~]# cat /var/log/hosts/test.log
Jul 19 22:30:54 xxx.xxx.xxx.xxx 4213: 004209: Jul 19 22:30:53.861 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
Jul 19 22:30:55 xxx.xxx.xxx.xxx 4214: 004210: Jul 19 22:30:54.859 CST: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down
Jul 19 22:30:59 xxx.xxx.xxx.xxx 4215: 004211: Jul 19 22:30:58.181 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
Jul 19 22:31:00 xxx.xxx.xxx.xxx 4216: 004212: Jul 19 22:30:59.330 CST: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
Jul 19 22:31:01 xxx.xxx.xxx.xxx 4217: 004213: Jul 19 22:31:00.186 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up
Jul 19 22:31:01 xxx.xxx.xxx.xxx 4218: 004214: Jul 19 22:31:00.337 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
Jul 19 22:35:39 xxx.xxx.xxx.xxx 4219: 004215: Jul 19 22:35:38.263 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
Jul 19 22:35:40 xxx.xxx.xxx.xxx 4220: 004216: Jul 19 22:35:39.261 CST: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down
```
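Added example (Python, not from the original post): a parser for the lines as they land in /var/log/hosts/test.log, built from the RSYSLOG_TraditionalFileFormat timestamp and the fields the Catalyst settings above produce (the zero-padded counter from `service sequence-numbers`, the millisecond timestamp with time zone from `service timestamps log datetime msec localtime show-timezone`, and the `%FACILITY-SEVERITY-MNEMONIC` header). On top of it, two checks a log reviewer wants: gaps in the sequence numbers (messages lost in transit over UDP, a reboot, or a reset counter) and interfaces flapping within a time window. The sample log is the page's own output plus one constructed `%SYS-5-CONFIG_I` line with a deliberately skipped sequence number; the gap and flap thresholds are assumptions.

```python
# Added example (not from the original post): parse the lines exactly as
# they are written to /var/log/hosts/test.log and run two checks over them.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<received>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "  # rsyslog TraditionalFileFormat timestamp
    r"(?P<host>\S+) "                                         # sender address as rsyslog recorded it
    r"(?P<count>\d+): "                                       # IOS message counter
    r"(?P<seq>\d+): "                                         # zero-padded counter from "service sequence-numbers"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}) (?P<tz>\S+): "  # "service timestamps ... msec ... show-timezone"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
INTERFACE_RE = re.compile(r"Interface (\S+), changed state to (up|down)")

# Sample input: the eight lines shown on the page, plus one constructed line
# whose sequence number deliberately skips 004217.
SAMPLE_LOG = """\
Jul 19 22:30:54 xxx.xxx.xxx.xxx 4213: 004209: Jul 19 22:30:53.861 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
Jul 19 22:30:55 xxx.xxx.xxx.xxx 4214: 004210: Jul 19 22:30:54.859 CST: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down
Jul 19 22:30:59 xxx.xxx.xxx.xxx 4215: 004211: Jul 19 22:30:58.181 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
Jul 19 22:31:00 xxx.xxx.xxx.xxx 4216: 004212: Jul 19 22:30:59.330 CST: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
Jul 19 22:31:01 xxx.xxx.xxx.xxx 4217: 004213: Jul 19 22:31:00.186 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up
Jul 19 22:31:01 xxx.xxx.xxx.xxx 4218: 004214: Jul 19 22:31:00.337 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
Jul 19 22:35:39 xxx.xxx.xxx.xxx 4219: 004215: Jul 19 22:35:38.263 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
Jul 19 22:35:40 xxx.xxx.xxx.xxx 4220: 004216: Jul 19 22:35:39.261 CST: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down
Jul 19 22:40:01 xxx.xxx.xxx.xxx 4222: 004218: Jul 19 22:40:00.101 CST: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_line(line: str) -> Optional[dict]:
    """One log line -> dict of fields, or None if it is not a Catalyst message."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["seq"] = int(rec["seq"])
    rec["severity"] = int(rec["severity"])
    # the traditional format carries no year; good enough for ordering within one file
    rec["received_at"] = datetime.strptime(rec["received"], "%b %d %H:%M:%S")
    return rec


def parse_all(text: str) -> List[dict]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def sequence_gaps(records: List[dict]) -> List[Tuple[str, int, int]]:
    """(host, last_seq, next_seq) wherever a host's sequence number does not
    advance by exactly one: messages dropped on the way (UDP gives no
    delivery guarantee), a reboot, or a reset counter, each worth a look."""
    last: Dict[str, int] = {}
    gaps: List[Tuple[str, int, int]] = []
    for r in records:
        host, seq = r["host"], r["seq"]
        if host in last and seq != last[host] + 1:
            gaps.append((host, last[host], seq))
        last[host] = seq
    return gaps


def link_flaps(records: List[dict], threshold: int = 4, window_seconds: int = 300) -> Dict[str, int]:
    """Interfaces with at least `threshold` LINK/LINEPROTO UPDOWN events
    inside any `window_seconds` span, as {"host interface": max events}."""
    events: Dict[str, List[datetime]] = defaultdict(list)
    for r in records:
        if r["mnemonic"] != "UPDOWN":
            continue
        m = INTERFACE_RE.search(r["text"])
        if m:
            events[f"{r['host']} {m.group(1)}"].append(r["received_at"])
    flapping: Dict[str, int] = {}
    for key, times in events.items():
        times.sort()
        for i in range(len(times)):        # sliding window starting at each event
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                flapping[key] = max(j - i + 1, flapping.get(key, 0))
    return flapping


if __name__ == "__main__":
    recs = parse_all(SAMPLE_LOG)
    print(f"{len(recs)} messages parsed")
    print("sequence gaps:", sequence_gaps(recs))
    print("flapping interfaces:", link_flaps(recs))
```

The sequence-number check is the reason `service sequence-numbers` earns its place in the switch config: without it there is no way to tell from the server side whether a quiet period means nothing happened or that messages never arrived.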
For now these are just the steps to get the switch's syslog to the server; since there are several switches, next I want to try splitting the log files per host.