Create a log server and FTP server on a Linux server

Reference addresses:

      http://www.111cn.net/sys/CentOS/81133.htm

      https://www.cnblogs.com/laoxiajiadeyun/p/9943742.html

      https://blog.51cto.com/liqingbiao/2119953

      https://www.cnblogs.com/hasayaki/archive/2013/01/24/2874889.html

Configure a syslog server on Linux

A syslog server can act as the log monitoring center of a network: every device that is able to send logs over the network (Linux or Windows servers, routers, switches and other hosts) can send its logs to it. By setting up a syslog server, you can filter the logs sent by different facilities/hosts and merge them into a single location, which makes it easier to view and access important log messages.

rsyslog is the standard syslog daemon and comes pre-installed on most Linux distributions. In a client/server configuration, rsyslog can play two roles: (1) as a syslog server, rsyslog collects log information from other devices; (2) as a syslog client, rsyslog transmits internal log information to a remote syslog server.

Here we demonstrate how to configure a centralized syslog server with rsyslog on Linux. Before going into the details, let's brush up on the syslog standard.

Syslog standard basics

When collecting logs through the syslog mechanism, three important things must be taken into account:

  Facility level: what type of process to monitor

  Severity (priority) level: which level of log messages to collect

  Destination: where to send or record the log messages

Now let's take a more in-depth look at how this configuration is defined.

The facility level defines a way to classify internal system processes. Some common facilities on Linux include:

  auth: authentication-related messages (login)

  cron: messages related to process or application scheduling

  daemon: daemon-related messages (internal servers)

  kernel: kernel-related messages

  mail: internal mail server-related messages

  syslog: messages related to the syslog daemon itself

  lpr: print service-related messages

  local0 - local7: user-defined messages (local7 is commonly used by Cisco and Windows Server)

Severity (priority) levels have fixed standard abbreviations and assigned numeric values, with 7 being the highest number. These levels include:

  emerg: Emergency - 0

  alert: Alerts - 1

  crit: Critical - 2

  err: Errors - 3

  warn: Warnings - 4

  notice: Notification - 5

  info: Information - 6

  debug: Debugging - 7

Finally, the destination statement makes the syslog client perform one of the following three tasks:

  Save log messages to a local file;

  Route messages to a remote syslog server over TCP/UDP;

  Send them to a standard output, such as the console.

In rsyslog, syslog configuration is structured on the following model.

[facility-level].[severity-level] [destination]

 

Now that we understand syslog, a Linux server can be configured as a central syslog server using rsyslog.

Step 1: Initialize System Requirements

  To turn a Linux host into a central log server, we need to create a separate /var partition and allocate sufficient disk space, or create a dedicated LVM volume group. This lets the syslog server absorb the potential growth that cumulative log collection brings.

Step 2: Enable the rsyslog daemon

    $ModLoad imuxsock    # provides support for local system logging (e.g. via logger command)
    $ModLoad imjournal   # provides access to the systemd journal

    ##### Enable log reception over UDP
    $ModLoad imudp
    $UDPServerRun 514

    ## RemoteHost is a user-defined template name; the log path follows it.
    ## The names between % signs are variable (property) parameters.
    $template RemoteHost,"/data/syslog/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log"

    ## Apply the custom template. *.* can be replaced by a different
    ## facility and level selector, for example:
    ##   *.info;mail.none;authpriv.none;cron.none ?RemoteHost
    ## Separate templates let you customize the handling of different log types.
    *.* ?RemoteHost

    ## "& ~" is a redirection rule: it tells the rsyslog daemon to stop further
    ## processing of the log message and not write it locally. Without this rule,
    ## every remote message is written to the local log files as well as to the
    ## file described above, so each log message is actually written twice.
    ## Another result of using this rule is that the syslog server's own log
    ## messages go to a dedicated file named after the machine itself.
    & ~

    #### Enable log reception over TCP
    $ModLoad imtcp
    $InputTCPServerRun 514

    $WorkDirectory /var/lib/rsyslog
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

    ####### Load every file ending in .conf in the /etc/rsyslog.d/ directory.
    ## Here you can define per-host files for just the machines whose system
    ## logs you want to monitor, rather than collecting everything, for example
    ## /etc/rsyslog.d/192.168.0.31.conf. These files are loaded every time
    ## rsyslog starts; if none exists, nothing extra is applied.
    $IncludeConfig /etc/rsyslog.d/*.conf

    $OmitLocalLogging on
    $IMJournalStateFile imjournal.state
    *.info;mail.none;authpriv.none;cron.none    /var/log/messages
    authpriv.*                                  /var/log/secure
    mail.*                                      -/var/log/maillog
    cron.*                                      /var/log/cron
    *.emerg                                     :omusrmsg:*
    uucp,news.crit                              /var/log/spooler
    local7.*                                    /var/log/boot.log
    local0.*                                    /etc/keepalived/keepalived.log

A property-based filter has the following format:

    :property, compare-operator, "value" destination

Properties include the following:

  fromhost: the name of the host the message was sent from

  fromhost-ip: the IP address the message was sent from

  msg: matches on the content of the log message

  hostname: matches on the host name in the log

Compare operators include the following:

  contains: contains the value

  isequal: equals the value

  startswith: starts with the value

isequal means "equals". To match everything except one machine, negate it: using !isequal, "127.0.0.1" excludes the logs of the local machine.

 

  The rsyslog daemon ships pre-installed with current Linux distributions, but it is not started by default. To make the rsyslog daemon accept external messages, you need to edit its configuration file, /etc/rsyslog.conf.

Open the file for editing, find the following two lines, and uncomment them by deleting the leading # character.

  $ModLoad imudp

  $UDPServerRun 514

This lets the rsyslog daemon receive log messages on UDP port 514. UDP is faster than TCP, but does not have the reliability of a TCP data stream. So if you need a reliable delivery mechanism, uncomment the following lines instead.

  $ModLoad imtcp

  $InputTCPServerRun 514

  Note: TCP and UDP can both be enabled at the same time, so that the daemon listens for TCP and UDP connections simultaneously.

Step 3: Create a log-receiving template

The next step defines the format in which rsyslogd records log information received from external clients on disk; templates give users a customizable interface for this.

Open /etc/rsyslog.conf, and then append the following template before the GLOBAL DIRECTIVES block.

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

*.* ?RemoteLogs

& ~

A brief explanation of this template: the $template RemoteLogs directive (the string "RemoteLogs" can be any other descriptive name) tells the rsyslog daemon to write log messages to separate local log files under /var/log, where each log file name is built from the host name of the remote device that sent the log and the name of the application that generated it. The second line applies the RemoteLogs template to all received logs.

The symbol "& ~" is a redirection rule that tells the rsyslog daemon to stop further processing of the log message and not write it locally. Without this redirection rule, every remote message is written to the local log files in addition to the log files described above, which means each log message is actually written twice.

Without this rule, log information is written to the files described above and also to the local log files, prefixed with the machine name, which wastes disk space and confuses people who are unfamiliar with the configuration.

If you want, you can also use the following pattern to apply the new template only to log messages of a particular facility or severity level.

[facility-level].[severity-level] ?RemoteLogs

For example:

Apply the RemoteLogs template to internal user authentication messages of all priority levels:

authpriv.* ?RemoteLogs

Apply the RemoteLogs template to info-level logs from all system processes except mail, user authentication and cron messages:

*.info;mail.none;authpriv.none;cron.none ?RemoteLogs

If we want to write all messages received from a remote client into a single file named after its IP address, we can use the following template. Here we name the template "IpTemplate".

$template IpTemplate,"/var/log/%FROMHOST-IP%.log"

*.* ?IpTemplate

& ~

After enabling the rsyslog daemon and editing its configuration file, you need to restart the daemon.
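
The same receiver in rsyslog's newer RainerScript syntax, as an added example that is not part of the original article: binding the network inputs to their own ruleset keeps remote messages away from the local rules without "& ~", and the server's own logs still reach /var/log/messages. The file name, the ruleset name "remote" and the template name "PerHostFile" are assumptions; this takes the place of the $ModLoad, $UDPServerRun, $InputTCPServerRun and $template lines above and needs an rsyslog version with input()/ruleset() support (v7 or later).

```conf
# /etc/rsyslog.d/remote.conf  (file name is an assumption)
# Added example: receive remote logs in a dedicated ruleset.

module(load="imudp")
module(load="imtcp")

# One file per sending IP address and day. %fromhost-ip% comes from the
# network connection, not from text inside the message.
template(name="PerHostFile" type="string"
         string="/data/syslog/%$year%-%$month%-%$day%/%fromhost-ip%.log")

# Messages that enter through the inputs below are processed only by
# this ruleset, so they never reach the local rules
# (/var/log/messages, /var/log/secure, ...) and no "& ~" is needed.
ruleset(name="remote") {
    action(type="omfile"
           dynaFile="PerHostFile"
           dirCreateMode="0750"
           fileCreateMode="0640")
}

input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
```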

 

Sending Windows logs to a remote rsyslog server

To forward a Windows client's log messages to our rsyslog server, you need to install a Windows syslog agent. There are many syslog agents that run on Windows; one that we can use is the free software program Datagram SyslogAgent.

After downloading and installing the syslog agent, configure it to run as a service. Specify the protocol used to send data, the IP address and port of the remote rsyslog server, and finally the event log types to be transmitted.


After completing all these configurations, we can start the service and use the command-line tool tail -f on the central rsyslog server to view the log files.

Summary

By creating a central rsyslog server that collects logs from local and remote hosts, we can better understand what is happening inside these systems and debug their problems more easily, whether there are any delays or crashes among them.

Configuring an rsyslog client on CentOS for remote logging

rsyslog is an open source tool widely used on Linux systems to forward or receive log messages over TCP/UDP. The rsyslog daemon can be configured for two scenarios. Configured as a log collection server, the rsyslog process collects log data from other hosts on the network, which are configured to send their logs to the remote server. Configured as a client, rsyslog can filter log messages and send them to a local folder (e.g. /var/log), or route them to a remote rsyslog server.

Assuming you already have an rsyslog server configured and running on your network, this guide shows how to set up a CentOS system to route its internal log messages to a remote rsyslog server. This will greatly improve disk space usage on your system, especially if you do not have a separate large partition for the /var directory.


Step one: Install the rsyslog daemon

On CentOS 6 and 7, the rsyslog daemon is already pre-installed. To verify that rsyslog has been installed on your CentOS system, use the following commands:

# rpm -qa | grep rsyslog

# rsyslogd -v

If for some reason the rsyslog daemon is not present on your system, install it with the following command:

# yum install rsyslog

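Step two: Configure the rsyslog daemon as a client

The next step is to turn your CentOS machine into an rsyslog client that sends all of its internal log messages to the remote central log server.

To do this, open the main rsyslog configuration file, located under /etc, with your favorite text editor:

# nano /etc/rsyslog.conf

With the file open for editing, add the following statement to the bottom of the file. Replace the IP address with the IP address of your remote rsyslog server.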

*.* @192.168.1.25:514

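The statement above tells the rsyslog daemon to route all log messages from every facility on the system to UDP port 514 of the remote rsyslog server (192.168.1.25).

If for some reason you need a more reliable protocol such as TCP, and the rsyslog server is also configured to listen for TCP connections, you must add an extra @ character in front of the remote host's IP address, like this: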

*.* @@192.168.1.25:514

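Note that you can also replace the rsyslog server's IP address with its host name (FQDN).

If you only want to forward log messages from a specific facility on the server, for example the kernel facility, you can use the following statement in the rsyslog configuration file.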

kern.* @192.168.1.25:514

After modifying the configuration file, you need to restart the process to activate the changes:

CentOS 7:

# systemctl restart rsyslog.service

CentOS 6:

# service rsyslog restart

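Forwarding non-syslog logs

In another scenario, let's assume you have installed an application named "foobar" on the machine, and it generates the log file foobar.log under /var/log. Now you want to direct its logs to the rsyslog server. This can be done by loading the imfile module in the rsyslog configuration file, as follows.

First, load the imfile module. This only needs to be done once.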

module(load="imfile" PollingInterval="5")

Then, specify the path of the log file so that the imfile module can monitor it:

input(type="imfile"

File="/var/log/foobar.log"

Tag="foobar"

Severity="error"

Facility="local7")

Finally, direct the local7 facility to the remote rsyslog server:

local7.* @192.168.1.25:514

Do not forget to restart the rsyslog process!

Step three: Start rsyslog automatically

To have the rsyslog client start automatically after every system restart, run the following command:

CentOS 7:

# systemctl enable rsyslog.service

CentOS 6:

# chkconfig rsyslog on

Summary

In this tutorial, I demonstrated how to turn a CentOS system into an rsyslog client that sends its log messages to a remote rsyslog server. Here I assume the connection between the rsyslog client and the server is secure (for example, inside a corporate network protected by a firewall). In any case, do not configure an rsyslog client to forward log messages over an insecure network, and especially not over the Internet, because syslog is a plaintext protocol. For secure transmission, consider encrypting the log messages with TLS/SSL.
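
A TLS-protected version of the forwarding rule with both sides shown, as an added example rather than configuration from the original tutorial. It assumes the rsyslog-gnutls package is installed on both hosts, an rsyslog version with RainerScript support, port 6514, and certificate paths and host names (logserver.example.com, client1.example.com) that are placeholders.

```conf
# ---- Client (file name, paths and host names are assumptions) ----
# /etc/rsyslog.d/forward-tls.conf
# Takes the place of the plaintext rule:  *.* @@192.168.1.25:514
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/pki/rsyslog/client-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/pki/rsyslog/client-key.pem"
)
# StreamDriverMode="1" forces TLS; x509/name checks that the server's
# certificate chains to the CA and carries the permitted name.
action(type="omfwd"
       target="logserver.example.com" port="6514" protocol="tcp"
       StreamDriver="gtls"
       StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="logserver.example.com")

# ---- Server ----
# /etc/rsyslog.d/receive-tls.conf
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/pki/rsyslog/server-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/pki/rsyslog/server-key.pem"
)
# Only clients presenting a certificate with a permitted name are accepted.
module(load="imtcp"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["client1.example.com"])
input(type="imtcp" port="6514")
```

imtcp is loaded once per configuration, so on the server this module() line takes the place of the plaintext $ModLoad imtcp and $InputTCPServerRun 514 pair.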


Origin www.cnblogs.com/markcoven/p/11201549.html