Remote Log Management:
s:192.168.10.115
c:192.168.10.43
1.s,c End Mount Rsyslog
Yum-y Install Rsyslog
2. Modify the S-side configuration to monitor 514 ports and provide remote log storage.
vi/etc/rsyslog.conf # #去掉13, 14,17,18 's Notes
# provides UDP syslog reception
$ModLoad IMUDP
$UDPServerRun 514
15
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
: Wq
[Email protected] ~]# vi/etc/rsyslog.d/remote.conf # #新建
: Fromhost,isequal, "192.168.10.43"/var/log/remote_10.43.log # #指定客户端日志存放位置
: Fromhost,isequal, "192.168.10.43" # #指定客户端ip
: Wq
/etc/init.d/rsyslog restart
Netstat-uptln |grep 514
Tail-f/var/log/remote_10.43.log # #跟踪变化
/etc/init.d/iptables Stop # #关闭iptables
3. Modify the C-Terminal log storage location
Vi/etc/rsyslog.conf
*. * @@192.168.10.115:514 # #在最后一行添加, store all logs on this machine to the S-end
: 34,63 s/^/#/g # #在末行模式中给34-63 lines Add comment, cancel the original log storage rules
: Wq
/etc/init.d/rsyslog restart
4. Verification
C-Terminal:
Logger "Test log remote"
S-end observe/var/log/remote_10.43.log changes, whether recorded
5. Extensions:
LASTB Viewing login failure logs
Last View Login Success log
/var/log/secure # #登录日志
A unified log can use Awstats analysis.
Audit log does not return to Rsyslog management, the above configuration can not implement audit log Remote Storage, Audit audit log, package SELinux, permissions modification and so on.
This article is from the "Lp-linux" blog, make sure to keep this source http://linuxlp.blog.51cto.com/11463376/1773690
Linux Security---Remote log management