本文档192.168.2.110为rsyslog服务器,192.168.2.100和120为rsyslog客户端
1、查看audit状态
root@uatdb ~]# service auditd status
Redirecting to /bin/systemctl status auditd.service
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2023-02-17 06:21:05 CST; 1min 3s ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 7648 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
Process: 7454 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Main PID: 7500 (auditd)
CGroup: /system.slice/auditd.service
└─7500 /sbin/auditd
Feb 17 06:21:05 uatdb augenrules[7648]: lost 0
Feb 17 06:21:05 uatdb augenrules[7648]: backlog 1
Feb 17 06:21:05 uatdb augenrules[7648]: enabled 1
Feb 17 06:21:05 uatdb augenrules[7648]: failure 1
Feb 17 06:21:05 uatdb augenrules[7648]: pid 7500
Feb 17 06:21:05 uatdb augenrules[7648]: rate_limit 0
Feb 17 06:21:05 uatdb augenrules[7648]: backlog_limit 8192
Feb 17 06:21:05 uatdb augenrules[7648]: lost 0
Feb 17 06:21:05 uatdb augenrules[7648]: backlog 1
Feb 17 06:21:05 uatdb systemd[1]: Started Security Auditing Service.
2、编辑审计ruler文件,注意该rules文件根据需要编写,本文提供只能作为参考
root@uatdb ~]# cd /etc/audit/rules.d/
[root@uatdb rules.d]# ll
total 4
-rw-------. 1 root root 163 Aug 17 2021 audit.rules
[root@uatdb rules.d]# vi audit.rules
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to syslog
-f 1
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to syslog
-f 1
-c
# log messages rate limit,100 messages per second at most.
-r 100
## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable
# This prevents chrony from overwhelming the logs
-a never,exit -F arch=x86_64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
## If you are on a 64 bit platform, everything _should_ be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
-a always,exit -F arch=b32 -S all -F key=32bit-abi
## This rule suppresses the time-change event when chrony does time updates
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -Fuid=chrony -F subj_type=chronyd_t
# This rule supresses events that originate on the below file systems.
# Typically you would use this in conjunction with rules to monitor
# kernel modules. The filesystem listed are known to cause hundreds of
# path records during kernel module load. As an aside, if you do see the
# tracefs or debugfs module load and this is a production system, you really
# should look into why its getting loaded and prevent it if possible.
-a never,filesystem -F fstype=tracefs
-a never,filesystem -F fstype=debugfs
## Things that could affect time
-w /etc/localtime -p wa -k time-change
## Things that could affect system locale
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/hostname -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale
## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
## This is covered by patches to login, gdm, and openssh
## Might also want to watch these files if needing extra information
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/btmp -p wa -k logins
-w /var/run/utmp -p wa -k logins
## unsuccessful creation
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=creation
## unsuccessful open
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open
## unsuccessful close
-a always,exit -F arch=b64 -S close -F exit=-EIO -F key=close
## unsuccessful modifications
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -F key=mods
-a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -F key=mods
## unsuccessful deletion
-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EACCES -F key=delete
-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EPERM -F key=delete
## Unsuccessful ownership change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
## Audit 1, 1(d) Changes in user authenticators.
## Covered by patches to libpam, passwd, and shadow-utils
## Might also want to watch these files for changes
-w /etc/group -p wa -k auth
-w /etc/passwd -p wa -k auth
-w /etc/gshadow -p wa -k auth
-w /etc/shadow -p wa -k auth
-w /etc/security/opasswd -p wa -k auth
## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify
## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/mtr -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/lsof -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/tcpdump -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
## Things that could affect MAC policy
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy
## Cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/ -p wa -k cron
## Look for pam_tty_audit and add it to your login entry point's pam configs.
## If that is not found, use sudo which should be patched to record its
## commands to the audit system. Do not allow unrestricted root shells or
## sudo cannot record the action.
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
## The purpose of this rule is to detect when an admin may be abusing power
## by looking in user's home dir.
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=unset -C auid!=obj_uid -F key=power-abuse
## These rules watch for code injection by the ptrace facility.
## This could indicate someone trying to do something bad or
## just debugging
-a always,exit -F arch=b64 -S ptrace -F key=tracing
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
## SSH configuration
-w /etc/ssh/sshd_config -p wa -k sshd
## root ssh key tampering
-w /root/.ssh -p wa -k rootkey
# Systemd
-w /bin/systemctl -p x -k systemd
-w /etc/systemd/ -p wa -k systemd
## Shell/profile configurations
-w /etc/profile.d/ -p wa -k shell_profiles
-w /etc/profile -p wa -k shell_profiles
-w /etc/shells -p wa -k shell_profiles
-w /etc/bashrc -p wa -k shell_profiles
-w /etc/csh.cshrc -p wa -k shell_profiles
-w /etc/csh.login -p wa -k shell_profiles
-w /etc/fish/ -p wa -k shell_profiles
-w /etc/zsh/ -p wa -k shell_profiles
## 监控rm命令
-w /bin/rm -p x -k removefile
## 排除一些干扰性过强的消息
-a always,exclude -F msgtype=USER_START
-a always,exclude -F msgtype=CRED_REFR
-a always,exclude -F msgtype=CRED_ACQ
-a always,exclude -F msgtype=USER_ACCT
-a always,exclude -F msgtype=USER_END
-a always,exclude -F msgtype=CRED_DISP
-a always,exclude -F msgtype=LOGIN
-a always,exclude -F msgtype=PROCTITLE
## Ignore current working directory records
-a always,exclude -F msgtype=CWD
## Cron jobs fill the logs with stuff we normally don't want (works with SELinux)
-a never,user -F subj_type=crond_t
-a never,exit -F subj_type=crond_t
## This is not very interesting and wastes a lot of space if the server is public facing
-a always,exclude -F msgtype=CRYPTO_KEY_USER
## FileBeat
#-a never,exit -F arch=b64 -F path=/opt/filebeat -k filebeat
## This is to check if the system is making or recieving connections
## externally
#-a always,exit -F arch=b64 -S accept,connect -F key=external-access
## Make the configuration immutable - reboot is required to change audit rules
#-e 2
## 在audit.log文件中保存的时间格式是自1970年以来的秒数,可以用下面方法转成容易理解的日期时间,audit(1364481363.243:24287)
## date --date=@1364481363.243
3、重启auditd服务
root@uatdb rules.d]# service auditd stop
Stopping logging: [ OK ]
[root@uatdb rules.d]# service auditd start
Redirecting to /bin/systemctl start auditd.service
4、显示audit规则
[root@uatdb rules.d]# auditctl -l
-a never,user -F subj_type=crond_t
-a always,exit -F arch=b32 -S all -F key=32bit-abi
-w /etc/localtime -p wa -k time-change
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/hostname -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/NetworkManager/ -p wa -k system-locale
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/btmp -p wa -k logins
-w /var/run/utmp -p wa -k logins
-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=creation
-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=creation
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open
-a always,exit -F arch=b64 -S close -F exit=-EIO -F key=close
-a always,exit -F arch=b64 -S truncate,rename,chmod,setxattr,lsetxattr,removexattr,lremovexattr,renameat -F exit=-EACCES -F key=mods
-a always,exit -F arch=b64 -S truncate,rename,chmod,setxattr,lsetxattr,removexattr,lremovexattr,renameat -F exit=-EPERM -F key=mods
-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EACCES -F key=delete
-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EPERM -F key=delete
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=unsuccesful-perm-change
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=unsuccesful-perm-change
-w /etc/group -p wa -k auth
-w /etc/passwd -p wa -k auth
-w /etc/gshadow -p wa -k auth
-w /etc/shadow -p wa -k auth
-w /etc/security/opasswd -p wa -k auth
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0x3 -F path=/etc/group -F auid>=1000 -F auid!=-1 -F key=group-modify
-a always,exit -F arch=b64 -S open -F a1&0x3 -F path=/etc/group -F auid>=1000 -F auid!=-1 -F key=group-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0x3 -F path=/etc/gshadow -F auid>=1000 -F auid!=-1 -F key=group-modify
-a always,exit -F arch=b64 -S open -F a1&0x3 -F path=/etc/gshadow -F auid>=1000 -F auid!=-1 -F key=group-modify
-a always,exit -S all -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/sbin/mtr -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/sbin/lsof -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a always,exit -S all -F path=/usr/sbin/tcpdump -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-w /etc/selinux/ -p wa -k MAC-policy
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d -p wa -k cron
-w /etc/cron.daily -p wa -k cron
-w /etc/cron.hourly -p wa -k cron
-w /etc/cron.monthly -p wa -k cron
-w /etc/cron.weekly -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron -p wa -k cron
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d -p wa -k actions
-a always,exit -S all -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -F key=power-abuse
-a always,exit -F arch=b64 -S ptrace -F key=tracing
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
-w /etc/ssh/sshd_config -p wa -k sshd
-w /root/.ssh -p wa -k rootkey
-w /bin/systemctl -p x -k systemd
-w /etc/systemd -p wa -k systemd
-w /etc/profile.d -p wa -k shell_profiles
-w /etc/profile -p wa -k shell_profiles
-w /etc/shells -p wa -k shell_profiles
-w /etc/bashrc -p wa -k shell_profiles
-w /etc/csh.cshrc -p wa -k shell_profiles
-w /etc/csh.login -p wa -k shell_profiles
-w /etc/fish -p wa -k shell_profiles
-w /etc/zsh -p wa -k shell_profiles
-w /bin/rm -p x -k removefile
-a never,exit -S all -F subj_type=crond_t
-a always,exclude -F msgtype=USER_START
-a always,exclude -F msgtype=CRED_REFR
-a always,exclude -F msgtype=CRED_ACQ
-a always,exclude -F msgtype=USER_ACCT
-a always,exclude -F msgtype=USER_END
-a always,exclude -F msgtype=CRED_DISP
-a always,exclude -F msgtype=LOGIN
-a always,exclude -F msgtype=PROCTITLE
-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=CRYPTO_KEY_USER
5、配置rsyslog客户端配置文件
查看公共配置
[root@uatdb rsyslog.d]# cat /etc/rsyslog.conf
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
[root@uatdb rsyslog.d]#
配置上传audit日志配置
[root@uatdb rules.d]# cd /etc/rsyslog.d/
[root@uatdb rsyslog.d]# ll
total 4
-rw-r--r--. 1 root root 49 Oct 31 2018 listen.conf
[root@uatdb rsyslog.d]# vi audit.conf
#audit log
$ModLoad imfile
$InputFilePollInterval 5
$WorkDirectory /var/spool/rsyslog
$PrivDropToGroup root
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
*.* @192.168.2.110
6、重启rsyslog服务关闭selinux(否则报imfile warning: directory '/var/log/audit': Permission denied)
[root@uatdb rsyslog.d]# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2023-02-17 06:21:06 CST; 11min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 8908 (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─8908 /usr/sbin/rsyslogd -n
Feb 17 06:21:06 uatdb systemd[1]: Starting System Logging Service...
Feb 17 06:21:06 uatdb rsyslogd[8908]: [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="8908" x-info="http://www.rsyslog.com"] start
Feb 17 06:21:06 uatdb systemd[1]: Started System Logging Service.
[root@uatdb rsyslog.d]# systemctl restart rsyslog
[root@uatdb rsyslog.d]# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2023-02-17 06:33:03 CST; 2s ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 10065 (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─10065 /usr/sbin/rsyslogd -n
Feb 17 06:33:03 uatdb systemd[1]: Stopped System Logging Service.
Feb 17 06:33:03 uatdb systemd[1]: Starting System Logging Service...
Feb 17 06:33:03 uatdb rsyslogd[10065]: [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="10065" x-info="http://www.rsyslog.com"] start
Feb 17 06:33:03 uatdb systemd[1]: Started System Logging Service.
[root@uatdb rsyslog.d]#
7、rsyslog服务器配置
vi /etc/rsyslog.conf
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
8、配置每个客户端audit单独放置
[root@mysql rsyslog]# cd /etc/rsyslog.d/
[root@mysql rsyslog.d]# ll
total 8
-rw-r--r-- 1 root root 645 Jan 7 00:39 default.conf
-rw-r--r--. 1 root root 49 Oct 31 2018 listen.conf
[root@mysql rsyslog.d]# vi default.conf
[root@mysql rsyslog.d]# cat default.conf
#### GLOBAL DIRECTIVES ####
# Use default timestamp format # 使用自定义的格式
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template myFormat,"%timestamp% %fromhost-ip% %syslogtag% %msg%\n"
$ActionFileDefaultTemplate myFormat
# 根据客户端的IP单独存放主机日志在不同目录,rsyslog需要手动创建
$template RemoteLogs,"/var/log/rsyslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
# 排除本地主机IP日志记录,只记录远程主机日志
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
# 忽略之前所有的日志,远程主机日志记录完之后不再继续往下记录
& ~
[root@mysql rsyslog.d]#
9、重启服务端rsyslog服务
systemctl restart rsyslog
10、查看客户端上传日志
root@mysql rsyslog]# cd /var/log/rsyslog/
[root@mysql rsyslog]# ll
total 0
drwx------ 2 root root 42 Feb 17 07:08 192.168.2.100
drwx------ 2 root root 42 Feb 17 06:57 192.168.2.120
[root@mysql rsyslog]#
11、可以从客户端进程rm操作,然后再rsyslog服务器查看日志
[root@mysql 192.168.2.100]# ll
total 4064
-rw------- 1 root root 4158166 Feb 17 07:10 192.168.2.100_2023-02-17.log
[root@mysql 192.168.2.100]# pwd
/var/log/rsyslog/192.168.2.100
[root@mysql 192.168.2.100]#
12、需要注意rsyslog服务器/var/log目录空间大小
