我已经使用 monit 一段时间了。我所做的检查之一是确保我的邮件服务器没有被滥用。我使用 milter-limit 来限制发送速率 - 它会记录到 syslog 中。在使用 bookworm 之前,我可以让它扫描 syslog 文件以查找特定内容。我还没有看到任何允许我使用 systemd 日志执行此操作的东西 - 有办法吗?
经过调查,似乎可以使用 logcheck 或journalcheck来创建一个脚本供 monit 运行并检查输出,但也许我错过了一个更简单的选项?
我有一个鱿鱼代理将访问日志记录到文件中,syslog-ng 读取这些日志,并根据鱿鱼的操作设置严重性(信息或通知)并将其作为系统日志消息转发到 NetXMS 服务器。问题是 NetXMS 服务器收到如下消息:
1 2024-04-17T11:13:11+02:00 vvsrv-proxy1 1713345191.357 - - [meta sequenceId="5336"] 69 10.30.108.14 TCP_TUNNEL/200 3530 CONNECT api.github.com:443 - HIER_DIRECT/140.82.121.5 -
(空行不是格式错误。)我想将文件中的行按原样转发到 NetXMS,如下所示:
1713345191.357 69 10.30.108.14 TCP_TUNNEL/200 3530 CONNECT api.github.com:443 - HIER_DIRECT/140.82.121.5 -
当前 syslog-ng 配置(不包括默认部分):
source s_squid {
file ("/var/log/squid/access.log");
};
filter f_squid_denied {
message ("TCP_DENIED");
};
destination d_squid {
syslog ("10.0.0.254" transport("udp") port(514) template("${MSG}"));
};
log {
source (s_squid);
filter (f_squid_denied);
rewrite { set_severity("notice"); };
destination (d_squid);
};
log {
source (s_squid);
rewrite { set_severity("info"); };
destination (d_squid);
};
版本信息:
syslog-ng 4 (4.1.1)
Config version: 4.0
当我尝试自己解决这个问题时,我发现源中不正确的 syslog 标头可能会导致中继 syslog-ng 服务器添加它自己的标头,但在我的情况下,源是本地文件。我还尝试切换到旧的网络驱动程序 - 而不是系统日志 - 但它仍然是一样的。
当我使用 rsyslog 将系统日志转发到 NetXMS 时,它没有任何额外的数据,因此 NetXMS 会按其应有的方式解析和处理系统日志消息。
更新#1
在深入研究 NetXMS 源代码后,我从日期解析方法中发现它只能解析RFC 3164系统日志消息。在阅读有关使用旧协议的syslog-ng 文档后,我尝试了以下操作:
destination d_squid {
network ("10.0.0.254" transport(udp) port(514));
};
但它仍然使用新的RFC 5424格式。
更新#2
我正在使用service syslog-ng reload这还不够,重新启动服务后它开始使用 BSD syslog 格式。经过一些调整后,我的目的地现在看起来像这样:
destination d_squid {
network ("10.0.0.254" transport(udp) port(514) flags(no-multi-line) template(": ${MSG}"));
};
我没有更改配置的任何其他部分,但现在所有日志条目都具有“通知”严重性,而不是包含TCP_DENIED子字符串的条目。
我正在使用 Graylog 服务器来集中来自网络设备和服务器的日志,我想知道交换机、Windows 机器和其他设备上的 Syslog 服务是否仍会在本地保存日志,或者只是远程发送它们并停止本地日志记录过程?
在系统日志(Raspbian rsyslog swVersion="8.1901.0")中,
我正在尝试将包含特定字符串的系统消息匹配/过滤到/var/log/syslog(默认)和自定义单独的日志文件,即:/var/log/nut.log.
我已经能够通过将以下过滤器行放入来实现/etc/rsyslog.conf:
# NUT logging: Include USB msgs since montoring UPS via only USB
:msg,contains,"USB" /var/log/nut.log
& stop
:msg,contains,"nut-" /var/log/nut.log
& stop
& stop一旦进行匹配,就需要停止过滤器。我相信首选方法是将其放在专用文件中,即:/etc/rsyslog.d/0-nut.conf
但是,当我这样做时,过滤器会停止记录到/var/log/syslog,并专门记录到/var/log/nut.log... ?
有不同的方法可以做到这一点吗?
谢谢!
我的/etc/logrotate.d/rsyslog文件有以下配置。在其中,我明确声明它将轮换的天数为 4,轮换存档文件的大小为 100k,用于/var/log/syslog.
我想知道的是当档案达到 100k 时,它应该自行旋转。如果需要,它是否在一天内总共旋转 4 次?如果它需要旋转 4 次,因为它连续达到 100k,它会这样做并且只保存 4 个文件?也许我无法完全解释我的问题,但我正在寻找的目标是一旦旋转的存档文件达到 100k,它应该自行旋转,并且旋转的总数不应该通过 4 个文件所以,如果它需要 8一个小时内的轮换,应该只有最后 4 个轮换的档案。I do see a daily configuration, not sure if that is complemented with the rotate configuration?
如果我需要设置存档文件的最大数量,而日轮换配置没有这样做,我需要做什么?
/var/log/syslog
{
rotate 4
size 100k
daily
missingok
notifempty
delaycompress
compress
postrotate
invoke-rc.d rsyslog rotate >/dev/null
endscript
}
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/rsyslog.log
/var/log/debug
/var/log/messages
{
rotate 4
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
invoke-rc.d rsyslog rotate >/dev/null
endscript
}
我也有这个syslog configuration将系统日志文件大小限制为 1MB。因此,当 syslog 达到 1MB 时,它应该自行旋转(尚未测试)
auth,authpriv.* -/var/log/auth.log
$outchannel mysyslog,/var/log/syslog,1048576
*.*;auth,authpriv.none :omfile:$mysyslog
我在 systemd 服务中有以下配置:
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=udocit
而这个 rsyslog conf 文件:
if $programname == 'udocit' and $syslogseverity > 5 then {
action(
type="omfile"
FileCreateMode="0640"
File="/var/log/udocit.log"
)
& stop
}
if $programname == 'udocit' and $syslogseverity <= 5 then {
action(
type="omfile"
FileCreateMode="0640"
File="/var/log/udocit.err"
)
& stop
}
该服务启动一个 nodejs 应用程序。
我希望来自该console.error()函数的消息(输出到 stderr)将使用此配置进入 udocit.err 文件,但所有消息都会写入 udocit.log 文件。
我在这里做错了什么?
背景:
我有一个运行最新的 Raspbian 操作系统的 lil Raspberry Pi 服务器,运行许多网络设备来帮助管理客户端的复杂 IOT LAN。
我一直在使用 rsyslog 将日志从网络硬件和服务器写入外部驱动器,安装到 /media/syslog。这工作正常。不,我不能将它们写入 /var/log,因为我每天要生成数百兆字节的日志文件,并且我需要将它们未压缩存档。同样,这是完美无缺的。
问题:
写入 /media/syslog 中日志的每个事件也会写入 /var/log/syslog。
我真的不能夸大这是多么令人讨厌,特别是因为来自客户端设备的日志量如此之大,以至于即使是极其慷慨的 logrotate 设置也意味着我在服务器上最多有大约 24 小时的 syslog 历史记录。当发现问题并报告给我时(通常在一两天内),日志已经完全轮换出来了。
如何防止这些远程客户端的日志出现在 /var/log/syslog 中?
我看到一堆帖子说我需要做点什么,*.*;auth,authpriv.none -/var/log/syslog但我不知道如何弄乱 syslog 设施,或者在这种特殊情况下它会是什么样子,所以如果你要告诉我对于类似的事情,我需要你详细解释到底要在哪里剪切和粘贴。
附件是我对 rsyslog.conf 的设置...
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="4565")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="4565")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
###############
#### RULES ####
###############
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Some "catch-all" log files.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
...和 rsyslog.d/00-remotes.conf
$template NetworkLog1, "/media/syslog/%FROMHOST-IP%.log"
:fromhost-ip, isequal, "192.168.2.1" -?NetworkLog1
:fromhost-ip, isequal, "192.168.2.124" -?NetworkLog1
:fromhost-ip, isequal, "192.168.2.160" -?NetworkLog1
& stop
在下面的日志记录中,我将我的 eth MAC 地址替换ETH_MAC_ADDRESS为我的服务器的 IP,MY_SERVER_IP并将其他 IP 替换为STRANGE_IP加号以区分。
Jan 29 15:11:48 cld kernel: [140229.731612] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_1 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=53 ID=46005 PROTO=ICMP TYPE=3 CODE=3 [SRC=MY_SERVER_IP DST=STRANGE_IP_1 LEN=79 TOS=0x00 PREC=0x00 TTL=233 ID=55136 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.790143] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47474 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=43802 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.803157] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47475 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=36766 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.816160] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47476 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=26493 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.831386] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47477 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=3269 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.844130] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47478 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=20707 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.856986] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_4 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0x00 TTL=52 ID=29529 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_4 LEN=79 TOS=0x00 PREC=0x00 TTL=242 ID=33191 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.844130] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_2 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0xC0 TTL=57 ID=47478 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_3 LEN=79 TOS=0x00 PREC=0x00 TTL=247 ID=20707 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
Jan 29 15:11:48 cld kernel: [140229.856986] [UFW BLOCK] IN=eth0 OUT= MAC=ETH_MAC_ADDRESS SRC=STRANGE_IP_4 DST=MY_SERVER_IP LEN=107 TOS=0x00 PREC=0x00 TTL=52 ID=29529 PROTO=ICMP TYPE=3 CODE=1 [SRC=MY_SERVER_IP DST=STRANGE_IP_4 LEN=79 TOS=0x00 PREC=0x00 TTL=242 ID=33191 PROTO=UDP SPT=30910 DPT=389 LEN=59 ]
如您所见,目标 IP 在记录的第一部分始终是我的服务器 IP,而源 IP 是第二部分。所有其他IP都不相同。
这持续了大约4个小时。在那段时间里,服务器的 CPU 负载非常低,甚至 SSH 连接都断开了。
ping 被 ufw 防火墙的前规则阻止。
这是DDos攻击吗?值得一提的是,几天前我们遇到了 DDos 攻击,而前一天我们尝试了 DDos 攻击,我们在 Cloudflare 仪表板中添加了防火墙规则来阻止该攻击。
有人可以解释如何识别日志中每条记录的括号 [] 中的第二部分吗?
猫 /etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
UFW的规则。
ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
20/tcp ALLOW IN Anywhere
21/tcp ALLOW IN Anywhere
22/tcp ALLOW IN Anywhere
25/tcp ALLOW IN Anywhere
53/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
110/tcp ALLOW IN Anywhere
143/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
587/tcp ALLOW IN Anywhere
993/tcp ALLOW IN Anywhere
995/tcp ALLOW IN Anywhere
3306/tcp ALLOW IN Anywhere
8080/tcp ALLOW IN Anywhere
8081/tcp ALLOW IN Anywhere
10000/tcp ALLOW IN Anywhere
53/udp ALLOW IN Anywhere
3306/udp ALLOW IN Anywhere
2408/tcp ALLOW IN 173.245.48.0/20
2408/tcp ALLOW IN 103.21.244.0/22
2408/tcp ALLOW IN 103.22.200.0/22
2408/tcp ALLOW IN 103.31.4.0/22
2408/tcp ALLOW IN 141.101.64.0/18
2408/tcp ALLOW IN 108.162.192.0/18
2408/tcp ALLOW IN 190.93.240.0/20
2408/tcp ALLOW IN 188.114.96.0/20
2408/tcp ALLOW IN 197.234.240.0/22
2408/tcp ALLOW IN 198.41.128.0/17
2408/tcp ALLOW IN 162.158.0.0/15
2408/tcp ALLOW IN 104.16.0.0/12
2408/tcp ALLOW IN 172.64.0.0/13
2408/tcp ALLOW IN 131.0.72.0/22
22/tcp (OpenSSH) ALLOW IN Anywhere
143/tcp (Dovecot IMAP) ALLOW IN Anywhere
993/tcp (Dovecot Secure IMAP) ALLOW IN Anywhere
25/tcp (Postfix) ALLOW IN Anywhere
465/tcp (Postfix SMTPS) ALLOW IN Anywhere
587/tcp (Postfix Submission) ALLOW IN Anywhere
20/tcp (v6) ALLOW IN Anywhere (v6)
21/tcp (v6) ALLOW IN Anywhere (v6)
22/tcp (v6) ALLOW IN Anywhere (v6)
25/tcp (v6) ALLOW IN Anywhere (v6)
53/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
110/tcp (v6) ALLOW IN Anywhere (v6)
143/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
587/tcp (v6) ALLOW IN Anywhere (v6)
993/tcp (v6) ALLOW IN Anywhere (v6)
995/tcp (v6) ALLOW IN Anywhere (v6)
3306/tcp (v6) ALLOW IN Anywhere (v6)
8080/tcp (v6) ALLOW IN Anywhere (v6)
8081/tcp (v6) ALLOW IN Anywhere (v6)
10000/tcp (v6) ALLOW IN Anywhere (v6)
53/udp (v6) ALLOW IN Anywhere (v6)
3306/udp (v6) ALLOW IN Anywhere (v6)
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
143/tcp (Dovecot IMAP (v6)) ALLOW IN Anywhere (v6)
993/tcp (Dovecot Secure IMAP (v6)) ALLOW IN Anywhere (v6)
25/tcp (Postfix (v6)) ALLOW IN Anywhere (v6)
465/tcp (Postfix SMTPS (v6)) ALLOW IN Anywhere (v6)
587/tcp (Postfix Submission (v6)) ALLOW IN Anywhere (v6)
2408/tcp ALLOW IN 2400:cb00::/32
2408/tcp ALLOW IN 2606:4700::/32
2408/tcp ALLOW IN 2803:f800::/32
2408/tcp ALLOW IN 2405:b500::/32
2408/tcp ALLOW IN 2405:8100::/32
2408/tcp ALLOW IN 2a06:98c0::/29
2408/tcp ALLOW IN 2c0f:f248::/32
更新:
还有一些奇怪的 SSH(?) 连接:
网络统计-nt | grep:22
tcp 0 69 MYSERVERIP:22 STRANGEIP_1:44930 FIN_WAIT1
tcp 0 68 MYSERVERIP:22 STRANGEIP_2:37007 ESTABLISHED
tcp 0 1 MYSERVERIP:22 STRANGEIP_3:40132 LAST_ACK
tcp 0 68 MYSERVERIP:22 STRANGEIP_4:50132 ESTABLISHED
tcp 0 68 MYSERVERIP:22 STRANGEIP_5:38939 ESTABLISHED
tcp 0 0 MYSERVERIP:22 MYIP:52118 ESTABLISHED
tcp 0 68 MYSERVERIP:22 STRANGEIP_6:43152 ESTABLISHED
tcp 0 68 MYSERVERIP:22 STRANGEIP_7:39321 ESTABLISHED
tcp 0 64 MYSERVERIP:22 MYIP:52001 ESTABLISHED
tcp 0 68 MYSERVERIP:22 STRANGEIP_8:39732 ESTABLISHED
网络统计-nputw | grep 'sshd'
tcp 0 68 MYSERVERIP:22 STRANGEIP_2:37007 ESTABLISHED 2525/sshd: unknown
tcp 0 68 MYSERVERIP:22 STRANGEIP_5:38939 ESTABLISHED 2558/sshd: unknown
tcp 0 0 MYSERVERIP:22 MYIP:52118 ESTABLISHED 15911/sshd: root@no
tcp 0 68 MYSERVERIP:22 STRANGEIP_7:39321 ESTABLISHED 2466/sshd: root [pr
tcp 0 64 MYSERVERIP:22 MYIP:52001 ESTABLISHED 15554/sshd: root@pt
tcp 0 68 MYSERVERIP:22 STRANGEIP_8:39732 ESTABLISHED 2596/sshd: unknown
以上是现在,但服务器似乎没有问题,并且 UFW 没有记录初始请求。
签入 /var/log/auth.log 后,上面的内容只是authentication failure. 我不知道他们出现在 netstat 中。
此致
EDIT1: syslog-ng 启动命令:
/usr/sbin/syslog-ng -u syslog -g syslog -R /tmp/syslog-ng.persist -F
使用的命令:
syslog-ng-ctl verbose --set=on和syslog-ng-ctl verbose
我正在尝试以syslog-ng详细模式运行,但出现错误:
连接控制socket时出错,socket='/var/lib/syslog-ng/syslog-ng.ctl',error='没有那个文件或目录'
root@CHB:~# syslog-ng-ctl verbose
Error connecting control socket, socket='/var/lib/syslog-ng/syslog-ng.ctl', error='No such file or directory'
因此创建了 ctl 文件并根据需要更改了权限,但随后又出现错误:
连接控制套接字时出错,socket='/var/lib/syslog-ng/syslog-ng.ctl',error='连接被拒绝'
root@CHB:~# touch /var/lib/syslog-ng/syslog-ng.ctl
root@CHB:~# ls -l /var/lib/syslog-ng/syslog-ng.ctl
-rw-r--r-- 1 root root 0 Oct 21 19:11 /var/lib/syslog-ng/syslog-ng.ctl
root@CHB:~# chown syslog /var/lib/syslog-ng/syslog-ng.ctl
root@CHB:~# ls -l /var/lib/syslog-ng/syslog-ng.ctl
-rw-r--r-- 1 syslog root 0 Oct 21 19:11 /var/lib/syslog-ng/syslog-ng.ctl
root@CHB:~# chgrp syslog /var/lib/syslog-ng/syslog-ng.ctl
root@CHB:~# ls -l /var/lib/syslog-ng/syslog-ng.ctl
-rw-r--r-- 1 syslog syslog 0 Oct 21 19:11 /var/lib/syslog-ng/syslog-ng.ctl
root@CHB:~# chmod +x /var/lib/syslog-ng/syslog-ng.ctl
root@CHB:~# ls -l /var/lib/syslog-ng/syslog-ng.ctl
-rwxr-xr-x 1 syslog syslog 0 Oct 21 19:11 /var/lib/syslog-ng/syslog-ng.ctl
root@CHB:~# syslog-ng-ctl verbose
Error connecting control socket, socket='/var/lib/syslog-ng/syslog-ng.ctl', error='Connection refused'
root@CHB:~# syslog-ng-ctl verbose --set=on
Error connecting control socket, socket='/var/lib/syslog-ng/syslog-ng.ctl', error='Connection refused'
如果有帮助,我的系统信息
root@CHB:~# cat /etc/issue
Poky (Yocto Project Reference Distro) 2.0 \n \l
root@CHB:~# uname -a
Linux CHB 3.2.48 #1 SMP Tue Mar 14 15:52:38 CET 2017 i686 GNU/Linux
如果需要任何其他信息,请告诉我。
感谢解决问题的任何帮助。
编辑2:
配置文件
#syslog settings
CS_SYSLOG_DAEMON="/usr/sbin/syslog-ng"
CS_SYSLOG_NAME="syslog-ng"
# user/group
CS_SYSLOG_USER="syslog"
CS_SYSLOG_GROUP="syslog"
# syslog port/interface to be used in syslog-ng.conf in case of remote logging
CS_SYSLOG_PORT="2020"
CS_SYSLOG_INTERFACE="eth1"
# syslog specific parameters: user, group, persist file in /tmp, in the foreground (start-stop-daemon will take care of the spawn)
CS_SYSLOG_ARGS="-u $CS_SYSLOG_USER -g $CS_SYSLOG_GROUP -R /tmp/syslog-ng.persist -F"
CS_SYSLOG_EXTRA_ARGS=
在 init.d 脚本启动命令中,以上变量均来源于之前
startdaemon $CS_SYSLOG_DAEMON $CS_SYSLOG_NAME $CS_SYSLOG_ARGS $CS_SYSLOG_EXTRA_ARGS
;;
当我有默认设置时,我的日志是这样的:
2020-12-01T18:34:06+02:00 10.132.90.194 {"wfd_successful_hits_sec": "0", "sql_hits_sec_max": "0", "timestamp": "2020/12/01 18:34:01", "connection_sec_max": "1922", "http_hits_sec_max": "1106", "http_hits_sec": "106", "wfd_successful_hits_sec_max": "0", "sql_hits_sec": "0", "sql_audit_phase2_events_sec_max": "0", "hdfs_hits_sec": "0", "connection_sec": "26"}
但是一旦我尝试让它只写味精,它就会失败。
并给我剪掉开头的味精。
"0", "timestamp": "2020/12/01 18:34:01", "connection_sec_max": "1922", "http_hits_sec_max": "1106", "http_hits_sec": "106", "wfd_successful_hits_sec_max": "0", "sql_hits_sec": "0", "sql_audit_phase2_events_sec_max": "0", "hdfs_hits_sec": "0", "connection_sec": "26"}
我的 Rsyslog 配置:
$template OnlyMsg,"%msg:2:2048%\n"
$template CustomLog,"/logs/host-%fromhost%-%$year%-%$month%.log"
local5.* ?CustomLog;OnlyMsg