Background: a customer needs logs uploaded in TLS-encrypted mode, so Tiger rolls up his sleeves and gets it working.
Recommended reading is the technical document below; it is handier than the official manual:
https://rsyslog.readthedocs.io/en/latest/tutorials/tls_cert_summary.html
You can also clone the official documentation from GitHub, build it, and browse the manual locally:
git clone https://github.com/rsyslog/rsyslog-doc.git
cd rsyslog-doc
git tag # list the tags and pick the version you want
git checkout v8.1901.0
pip3 install sphinx
sphinx-build -b html source build
Then configure nginx to serve the built HTML:
server {
    listen 8090;
    listen [::]:8090;
    server_name example2.com;
    root /home/tiger/rsyslog-doc/build;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
sudo systemctl restart nginx # after the service restarts the manual is reachable on port 8090
Our rsyslog runs inside a Docker service, and the host machine also has its own rsyslog, so there are four places to configure: the host, Docker, the server side and the client side.
Host rsyslog.conf; the server and the client can both use this same file:
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.
#
# Ported from debian's sysklogd.conf
$ModLoad immark # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # kernel logging (formerly provided by rklogd)
$ModLoad imfile # text file input (used below for intf-stats.log)
$ModLoad omkafka # Kafka output module (used by /etc/kafka.conf)
#
# Set the default permissions
#
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# :msg, contains, "event_remote" ~
# Template for ISO8601/rfc3339 timestamp format with millisec resolution
$template rfc3339msecFmt,"%timegenerated:1:23:date-rfc3339%%timegenerated:27:33:date-rfc3339% %syslogtag:1:32%%msg%\n"
auth,authpriv.* /var/log/auth.log;rfc3339msecFmt
# disabled ptpd log
:syslogtag, contains, "ptpd2" stop
:syslogtag, contains, "ptploop" stop
# *.*;auth,authpriv.none;local2.none;local6.none -/var/log/messages;rfc3339msecFmt
# *.*;auth,authpriv.none;local2.none @remote-host1:514;rfc3339msecFmt
# *.*;auth,authpriv.none;local2.none @remote-host2:514;rfc3339msecFmt
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# Save OpenSwitch Event logs to event.log
#:msg, contains, "ops-evt|" /var/log/event.log
if ($msg contains "ops-evt|")then{
/var/log/event.log
stop
}
# Send OpenSwitch Interface Statistics to Remote hosts
$InputFileName /var/log/intf-stats.log
$InputFileTag Interface_Statistics
$InputFileSeverity notice
$InputFileFacility local2
$InputFileStateFile /tmp/stat-intf-stats
$InputFilePollInterval 30
$InputFilePersistStateInterval 30
$InputRunFileMonitor
#local2.* @@remote-host:514
# webui.log
local6.* -/var/log/webui.log
# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$WorkDirectory /var/spool/rsyslog # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
$ActionQueueMaxDiskSpace 10m # 10 MB space limit for the on-disk queue
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# Include Remote Logging ( Syslog ) Configuration
$IncludeConfig /etc/kafka.conf
$IncludeConfig /etc/rsyslog.remote.conf
# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
#$ModLoad imtcp.so # load module
#$InputTCPServerRun 514 # start up TCP listener at port 514
# UDP Syslog Server:
#$ModLoad imudp.so # provides UDP syslog reception
#$UDPServerRun 514 # start a UDP syslog server at standard port 514
Docker rsyslog configuration:
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
###############
#### RULES ####
###############
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Some "catch-all" log files.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
Server-side configuration, /etc/rsyslog.d/tls_server.conf:
$ModLoad imuxsock # local messages
$ModLoad imtcp # TCP listener
# make gtls driver the default
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/server-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/tls/server-key.pem
$InputTCPServerStreamDriverAuthMode x509/name # verify the client certificate and check its name
$InputTCPServerStreamDriverPermittedPeer *.example.net # name pattern the client certificate must match
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode (1 = TLS only, 0 = plain TCP)
$InputTCPServerRun 594 # start up listener at port 594
Client-side configuration, /etc/rsyslog.d/tls_client.conf:
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/server-cert.pem # the client's own certificate; with x509/name the server checks its name against *.example.net
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/tls/server-key.pem # and the matching private key
$ActionSendStreamDriverAuthMode x509/name # verify the server certificate and check its name
$ActionSendStreamDriverPermittedPeer central.example.net # must match the name in the server's certificate
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode (1 = TLS only, 0 = plain TCP)
*.* @@192.168.3.20:594 # forward everything to remote server
#$ActionSendStreamDriverAuthMode anon
#$template myFormat,"unique %syslogpriority% %timestamp% %hostname% %syslogtag% %msg%"
#*.* @@192.168.3.20:594;myFormat
For generating the actual certificates, see my other article, or follow the official site.
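As an added check (my own script, not part of this post or of rsyslog), the Python lint below parses legacy-format directives like the ones in the two files above and flags the settings that matter for the TLS setup: the stream driver mode must be 1 for TLS-only, x509/name needs a PermittedPeer, anon leaves the peer unauthenticated, and the client's forward port must match the listener. The sample fragments are constructed and deliberately keep the invalid mode value "anon" that the server file originally carried.

```python
import re

# Constructed samples, not the post's files verbatim; the server fragment keeps
# the StreamDriverMode value the post originally used.
SERVER_CONF = """\
$DefaultNetstreamDriver gtls
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.net
$InputTCPServerStreamDriverMode anon  # run driver in TLS-only mode
$InputTCPServerRun 594
"""
CLIENT_CONF = """\
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer central.example.net
$ActionSendStreamDriverMode 1
*.* @@192.168.3.20:594
"""

def parse_legacy(text):
    """Map '$Directive value' lines to {directive: value}, comments stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("$"):
            parts = line[1:].split(None, 1)
            conf[parts[0]] = parts[1] if len(parts) > 1 else ""
    return conf

def lint_tls(text, side):
    """side is 'InputTCPServer' for the listener, 'ActionSend' for the forwarder."""
    c, problems = parse_legacy(text), []
    if c.get("DefaultNetstreamDriver") != "gtls":
        problems.append("DefaultNetstreamDriver must be gtls for TLS")
    mode = c.get(side + "StreamDriverMode")
    if mode != "1":  # 1 = TLS only, 0 = plain TCP; anything else is invalid
        problems.append(f"{side}StreamDriverMode must be 1 (TLS only), got {mode!r}")
    auth = c.get(side + "StreamDriverAuthMode", "anon")
    if auth != "anon" and not c.get(side + "StreamDriverPermittedPeer"):
        problems.append(f"{auth} needs {side}StreamDriverPermittedPeer")
    if auth == "anon":  # encrypted, but the peer is never authenticated
        problems.append("anon auth mode: peer certificate is not verified")
    return problems

def ports_match(server_text, client_text):
    """True when every client '@@host:port' target uses the server's listen port."""
    listen = parse_legacy(server_text).get("InputTCPServerRun")
    targets = re.findall(r"@@[^\s:;]+:(\d+)", client_text)
    return bool(targets) and all(p == listen for p in targets)
```

Run `lint_tls(open("/etc/rsyslog.d/tls_server.conf").read(), "InputTCPServer")` on the real file before restarting rsyslog; an empty list means the TLS-relevant directives are consistent.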