
🧱 Linux Rsyslog Centralized Log Management and Analysis Tutorial


    ๅœจไผๆฅญ็’ฐๅขƒไธญ,้›†ไธญๅผๆ—ฅ่ชŒ็ฎก็†(Centralized Logging)่ƒฝๅ”ๅŠฉ็ณป็ตฑ็ฎก็†ๅ“กๅณๆ™‚็›ฃๆŽงๅคšๅฐไผบๆœๅ™จ็‹€ๆ…‹。Rsyslog ๆ˜ฏ Linux ไธŠๆœ€ๅธธ็”จ็š„ๆ—ฅ่ชŒ็ณป็ตฑไน‹ไธ€,ๅ…ทๅ‚™้ซ˜้€Ÿ、ๆจก็ต„ๅŒ–่ˆ‡ๅฎ‰ๅ…จๅ‚ณ่ผธ็‰นๆ€ง,ๆœฌๆ–‡ๅฐ‡่ชชๆ˜Žๅฆ‚ไฝ•ๆžถ่จญ่ˆ‡ๆ•ดๅˆ Rsyslog ไผบๆœๅ™จ。

    📘 1. Rsyslog Roles and How It Works

    Rsyslog is a modern implementation of syslog that supports TCP and UDP transport as well as TLS encryption. A typical deployment has two roles:

    • Client (sender): forwards the local system log over the network to the central server.
    • Server (receiver): accepts the logs of many hosts and stores them sorted by host and program.

    Basic structure of a syslog message (the traditional RFC 3164 layout, which is what rsyslog forwards by default; RFC 5424 adds a version number and structured data):

    <PRI>Timestamp Hostname Process[PID]: Message

    PRI is the priority, computed as facility × 8 + severity: <34> is facility 4 (auth) with severity 2 (critical). Note that Hostname and Process are written by the sender, so on the server they are untrusted input; this matters once they are used to build file names.
    ---

    ⚙️ 2. Installing and Enabling Rsyslog

    # Rocky / CentOS / RHEL
    sudo dnf install rsyslog -y
    sudo systemctl enable --now rsyslog
    
    # Ubuntu / Debian
    sudo apt install rsyslog -y
    sudo systemctl enable --now rsyslog
    

    ็ขบ่ชๆœๅ‹™็‹€ๆ…‹:

    sudo systemctl status rsyslog
    
    ---

    ๐Ÿ— ไธ‰、่จญๅฎš Rsyslog ็‚บ้›†ไธญๆŽฅๆ”ถ็ซฏ(Server)

    ็ทจ่ผฏไธป่จญๅฎšๆช”:

    sudo nano /etc/rsyslog.conf
    

    ๅ–ๆถˆ่จป่งฃไธฆ้–‹ๅ•Ÿ UDP / TCP ๆŽฅๆ”ถๅŠŸ่ƒฝ:

    # ๆŽฅๆ”ถ UDP ๆ—ฅ่ชŒ
    module(load="imudp")
    input(type="imudp" port="514")
    
    # ๆŽฅๆ”ถ TCP ๆ—ฅ่ชŒ
    module(load="imtcp")
    input(type="imtcp" port="514")
    
    # ่จญๅฎšๅ„ฒๅญ˜่ทฏๅพ‘
    $template RemoteLogs,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
    *.* ?RemoteLogs
    & ~
    

    Save and restart the service:

    sudo systemctl restart rsyslog
    

    Open the ports on the firewall (firewalld, as used on Rocky / RHEL; Ubuntu uses ufw instead). Where possible restrict the source to the client subnet instead of opening the ports to everyone:

    sudo firewall-cmd --permanent --add-port=514/tcp
    sudo firewall-cmd --permanent --add-port=514/udp
    sudo firewall-cmd --reload
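    As an added example (not from the original post), here is the receiver configuration of this section rewritten in RainerScript as /etc/rsyslog.d/10-remote.conf, with the three changes a practitioner would want: the network inputs are bound to their own ruleset so local messages keep reaching /var/log/messages instead of being swallowed by the stop rule; the hostname and program name taken from the (untrusted) client pass through secpath-replace before being used as path components; and files and directories are created with restrictive modes. The path /var/log/remote and the file name are assumptions, and the legacy "*.* ?RemoteLogs" / "& ~" lines in rsyslog.conf are assumed to have been removed.

```conf
# Added example, not from the original post: /etc/rsyslog.d/10-remote.conf
# Assumes rsyslog 8.x (RainerScript syntax) and that the legacy
# "*.* ?RemoteLogs" / "& ~" lines have been removed from rsyslog.conf.

module(load="imudp")
module(load="imtcp")

# One file per host and per program. HOSTNAME and PROGRAMNAME are sent by the
# client and are attacker-controlled; secpath-replace turns every "/" in the
# value into "_", so a value containing a slash cannot create or reach a
# subdirectory outside the per-host directory.
template(name="RemoteLogs" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

# Everything received over the network is processed by this ruleset only.
# "stop" ends processing for those messages; local messages never enter this
# ruleset, so they still reach /var/log/messages as before.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# Bind both listeners to the ruleset. UDP cannot be authenticated or made
# reliable; keep it only for devices that cannot speak TCP.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
```

    Validate with sudo rsyslogd -N1 before restarting. After a client sends a test message, /var/log/remote/ should contain a directory named after the client, and the server's own messages should still appear in /var/log/messages (or /var/log/syslog).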
    
    ---

    💻 4. Configuring Clients to Forward Logs

    On each remote host, edit /etc/rsyslog.conf (or add a file under /etc/rsyslog.d/) and append one of the following rules; 192.168.1.10 is the log server in this example, and the comments are kept on their own lines:

    # TCP (reliable; preferred)
    *.* @@192.168.1.10:514
    # or UDP (no delivery guarantee)
    *.* @192.168.1.10:514
    

    Restart the service:

    sudo systemctl restart rsyslog
    

    The server should now show a directory for each client under /var/log/remote/. Note that with this plain forwarding rule, messages produced while the server is unreachable are only buffered in memory; if they have to survive an outage or a client reboot, use the action() form with a disk-assisted queue (queue.filename).

    ---

    🔒 5. Security Hardening and TLS Encryption

    If logs cross network segments or contain sensitive data, enable TLS. This requires the rsyslog-gnutls package on both ends. The "anon" authentication mode below only encrypts the connection: the server accepts any client and the client does not verify the server, so a host on the path can still inject or capture logs. For production use x509/name with a private CA and permitted peer names. Port 6514 is the IANA port for syslog over TLS, so open 6514/tcp on the firewall and close 514 once the clients have moved.

    # listen for TLS on 6514 (Mode 1 = TLS only; anon = no peer authentication)
    module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.AuthMode="anon")
    input(type="imtcp" port="6514")
    

    Then declare the certificate files, for example in /etc/rsyslog.d/ssl.conf. These directives must be processed before imtcp is loaded, so make sure this file is included ahead of the module(load="imtcp") line, and keep server.key readable only by the account rsyslog runs as:

    # private CA that issued the server and client certificates
    $DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt
    # this server's certificate and private key
    $DefaultNetstreamDriverCertFile /etc/rsyslog.d/server.crt
    $DefaultNetstreamDriverKeyFile /etc/rsyslog.d/server.key
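    The client rule of section 4 and the TLS server of this section, as one added example that is not the original post's configuration: it closes the gap that anon mode leaves. The server requires client certificates issued by the private CA and checks their names (x509/name with PermittedPeer), and the client verifies the server the same way and keeps a disk-assisted queue so nothing is lost while the server is unreachable. The host names (logs.example.internal, *.example.internal), certificate paths and queue size are assumptions; rsyslog-gnutls must be installed on both sides.

```conf
# Added example, not from the original post. Two files: one on the log server,
# one on each client. Host names, paths and sizes are assumptions.

# ---------- log server: /etc/rsyslog.d/10-remote-tls.conf ----------
# Certificate settings must be processed before imtcp is loaded.
# server.key must be readable only by the account rsyslogd runs as.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.crt"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/server.crt"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/server.key"
)

# Mode 1 = TLS only (plaintext connections are refused).
# x509/name = the client must present a certificate issued by ca.crt whose
# name matches PermittedPeer. "anon" would encrypt but accept any client,
# letting a rogue host inject forged log lines.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.example.internal"])

# Same per-host layout as the plaintext receiver, with slashes in the
# client-supplied names neutralised by secpath-replace.
template(name="RemoteLogs" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}
input(type="imtcp" port="6514" ruleset="remote")

# ---------- client: /etc/rsyslog.d/90-forward.conf ----------
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.crt"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/client.crt"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/client.key"
)

# The action() form of "*.* @@server:port". The client checks that the server
# certificate is issued by ca.crt and carries the expected name, so logs cannot
# be redirected to an impostor. The disk-assisted queue spools to the work
# directory (global workDirectory, set by the distribution's rsyslog.conf)
# while the server is down and is saved across a client restart.
action(type="omfwd"
       target="logs.example.internal" port="6514" protocol="tcp"
       StreamDriver="gtls"
       StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="logs.example.internal"
       queue.type="LinkedList"
       queue.filename="fwd_tls"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

    On each machine run sudo rsyslogd -N1 to validate, restart rsyslog, and confirm on the server that only port 6514 is listening (ss -lntp). Because the certificate name is what identifies a client, issue each host its own certificate from the private CA rather than sharing one; a shared certificate lets any holder impersonate any client.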
    
    ---

    📊 6. Integrating GoAccess / Fail2Ban for Analysis

    • GoAccess visualises nginx / squid access logs in real time. It parses web access-log formats, so point it at the access-log files collected under /var/log/remote/ rather than at the generic syslog stream.
    • Fail2Ban can read the SSH / proxy logs that Rsyslog collects (its logpath accepts globs such as /var/log/remote/*/sshd.log) and ban the offending source addresses. Be aware that the ban action runs on the host where Fail2Ban runs, that is on the log server, not on the host that was attacked; to protect the clients the ban has to be pushed to a shared firewall or to the clients with a custom action.
    • systemd's journal-gatewayd exposes the local journal over HTTP as a web log viewer. It serves journald data, not the files rsyslog writes, and it should only be reachable by trusted users (it can require client certificates, or sit behind an authenticating proxy).
    ---

    📈 7. Troubleshooting

    • Confirm SELinux is not blocking the listener. Look for an AVC denial for rsyslogd in the audit log first; the workaround used here on RHEL-family systems is:

      sudo setsebool -P nis_enabled on

      This boolean loosens network access for many domains, not only rsyslog. When the denial is about the listening port, the narrower fix is to label just that port with the syslog port type using semanage port.
    • Send a test message from a client:

      logger "Test message from $(hostname)"

      It goes to the local syslog socket and is forwarded by the rule from section 4; on the server it should appear under the client's directory in /var/log/remote/, in a file named after the tag (logger uses the user name as tag unless -t is given).
    • Check rsyslog's own messages in /var/log/messages (RHEL) or /var/log/syslog (Debian / Ubuntu), and validate the configuration with rsyslogd -N1 before restarting.
    ---

    ๐Ÿ“˜ ็ต่ชž

    Rsyslog ็‚บ Linux ไธ–็•Œไธญไธๅฏๆˆ–็ผบ็š„ๆ—ฅ่ชŒ้ชจๅนน。้€้Ž้›†ไธญๅผๆžถๆง‹,ๆˆ‘ๅ€‘่ƒฝๅœจๅคšๅฐไผบๆœๅ™จ้–“็ตฑไธ€็›ฃๆŽง่ˆ‡ๅˆ†ๆžไบ‹ไปถ,้€ฒ่€Œๅฟซ้€Ÿ็™ผ็พ็•ฐๅธธ、่ฟฝ่นคๆ”ปๆ“Šไพ†ๆบ,ไธฆ่ˆ‡่‡ชๅ‹•ๅŒ–้˜ฒ่ญท็ณป็ตฑ(ๅฆ‚ Fail2Ban)ๅ”ๅŒ้‹ไฝœ,้”ๆˆ้ซ˜ๆ•ˆ็އ็š„ๅฎ‰ๅ…จ็ถญ้‹。



    — WWFandy・System Operations Notes
