環境
管理対象
Rsyslogサーバ(CentOS8)の構築
Rsyslogのインストール
[root@rsyslog ~]# dnf install -y rsyslog
設定ファイルの編集
[root@rsyslog ~]# vi /etc/rsyslog.conf
↓のコメントアウト(#)を外す
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")
[root@rsyslog ~]# cat /etc/rsyslog.conf
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
SysSock.Use="off") # Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
module(load="imjournal" # provides access to the systemd journal
StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")
# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### sample forwarding rule ###
#action(type="omfwd"
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1" # unique name prefix for spool files
#queue.maxdiskspace="1g" # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on" # save messages to disk on shutdown
#queue.type="LinkedList" # run asynchronously
#action.resumeRetryCount="-1" # infinite retries if host is down
# Remote Logging (we use TCP for reliable delivery)
# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
#Target="remote_host" Port="XXX" Protocol="tcp")
ファイアウォールの設定
[root@rsyslog ~]# firewall-cmd --add-port=514/tcp --permanent
success
[root@rsyslog ~]# firewall-cmd --reload
success
サービス再起動
[root@rsyslog ~]# systemctl restart rsyslog
[root@rsyslog ~]# systemctl enable rsyslog
管理対象サーバの構築 (CentOS7)
Rsyslogのインストール
[root@rsyslog ~]# dnf install -y rsyslog
設定ファイルの編集
[root@rsyslog ~]# vi /etc/rsyslog.conf
↓を追加
action(type="omfwd" Target="192.168.1.104" Port="514" Protocol="tcp")
サービス再起動
[root@rsyslog ~]# systemctl restart rsyslog
[root@rsyslog ~]# systemctl enable rsyslog
ログ転送テスト
Rsyslogサーバでログを確認する
/var/log/messagesを継続的に確認する
[root@rsyslog ~]# tail -f /var/log/messages
管理対象サーバでログを生成
[root@postgress ~]# logger hogehoge
Rsyslogサーバでログが確認できることを確認
・・・
Apr 25 22:02:52 postgress root: hogehoge
iDRACでのRsyslogテスト
iDRACはRsyslogをUDPで送信するため、Rsyslogサーバの設定を変更する。
設定ファイルの編集
[root@rsyslog ~]# vi /etc/rsyslog.conf
↓のコメントアウト(#)を外す
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
ファイアウォールの設定
[root@rsyslog ~]# firewall-cmd --add-port=514/udp --permanent
success
[root@rsyslog ~]# firewall-cmd --reload
Success
iDRACで送信テスト
iDRAC GUI > Configuration > System Settings > Alert Configuration > Test Event
"MEM0001"
Rsyslogサーバでログが確認できることを確認
[root@rsyslog ~]# tail /var/log/messages
...
Apr 25 22:29:52 idrac-XXXXXX Severity: Critical, Category: System Health, MessageID: MEM0001, Message: Multi-bit memory errors are detected on the memory device at location(s) DIMM1. Immediately replace the DIMM.
Apr 25 22:29:52 idrac-BH6GPS3 Severity: Informational, Category: Audit, MessageID: LOG006, Message: Test event generated for message ID MEM0001.
