Author Topic: syslog on Centos 5.6 xen  (Read 3057 times)


viphone

  • Cute Elementary Student
  • *
  • Posts: 7
syslog on Centos 5.6 xen
« on: 2011-11-04 13:14 »
I recently set up syslog to receive logs from a remote network switch,
but no matter what I try it doesn't work.
The remote device is on the Internet.
I added it to /etc/hosts.allow and gave it a name;
pinging either the IP or the name gets a reply.

I added the -r option in /etc/sysconfig/syslog
and added *.*    /var/log/switchlogs to /etc/syslog.conf,
but I still receive nothing from it.


Nov  3 10:11:34 centos syslogd 1.4.1: restart (remote reception).
Nov  3 10:11:34 centos kernel: klogd 1.4.1, log source = /proc/kmsg started.
Nov  3 10:13:52 centos crontab[11110]: (root) BEGIN EDIT (root)
Nov  3 10:15:16 centos crontab[11110]: (root) REPLACE (root)
Nov  3 10:15:16 centos crontab[11110]: (root) END EDIT (root)
Nov  3 10:16:01 centos crond[3199]: (root) RELOAD (cron/root)
Nov  3 10:20:32 centos kernel: Kernel logging (proc) stopped.
Nov  3 10:20:32 centos kernel: Kernel log daemon terminating.
Nov  3 10:20:33 centos exiting on signal 15
Nov  3 10:20:33 centos syslogd 1.4.1: restart (remote reception).
Nov  3 10:20:33 centos kernel: klogd 1.4.1, log source = /proc/kmsg started.
Nov  3 10:23:02 centos kernel: device eth0 entered promiscuous mode
Nov  3 10:24:44 centos kernel: device eth0 left promiscuous mode
Nov  3 10:59:01 centos crond[11237]: (root) CMD (/usr/sbin/hourly/logswitch.sh sgi-2404logs)
Nov  3 10:59:01 centos sendmail[11238]: My unqualified host name (centos) unknown; sleeping for retry
Nov  3 10:59:02 centos dhclient: DHCPREQUEST on eth0 to 192.168.1.1 port 67 (xid=0x40f8a0ca)
Nov  3 10:59:02 centos dhclient: DHCPACK from 192.168.1.1 (xid=0x40f8a0ca)
Nov  3 10:59:02 centos dhclient: bound to 192.168.1.100 -- renewal in 33149 seconds.
Nov  3 11:00:01 centos sendmail[11238]: unable to qualify my own domain name (centos) -- using short name
Nov  3 11:00:01 centos sendmail[11238]: pA3301jA011238: from=root, size=380, class=0, nrcpts=1, msgid=<201111030300.pA3301jA011238@centos>, relay=root@localhost
Nov  3 11:00:01 centos sendmail[11272]: pA3301WA011272: from=<root@centos>, size=597, class=0, nrcpts=1, msgid=<201111030300.pA3301jA011238@centos>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov  3 11:00:01 centos sendmail[11238]: pA3301jA011238: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30380, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (pA3301WA011272 Message accepted for delivery)
Nov  3 11:00:01 centos sendmail[11273]: pA3301WA011272: to=<root@centos>, ctladdr=<root@centos> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30781, dsn=2.0.0, stat=Sent
Nov  3 11:01:01 centos crond[11278]: (root) CMD (run-parts /etc/cron.hourly)
Nov  3 11:07:25 centos kernel: Kernel logging (proc) stopped.
Nov  3 11:07:25 centos kernel: Kernel log daemon terminating.
Nov  3 11:07:26 centos exiting on signal 15
Nov  3 11:07:26 centos syslogd 1.4.1: restart (remote reception).
Nov  3 11:07:26 centos kernel: klogd 1.4.1, log source = /proc/kmsg started.
Nov  3 11:11:03 centos crontab[11352]: (root) BEGIN EDIT (root)
Nov  3 11:11:11 centos crontab[11352]: (root) REPLACE (root)
Nov  3 11:11:11 centos crontab[11352]: (root) END EDIT (root)
Nov  3 11:12:01 centos crond[3199]: (root) RELOAD (cron/root)
Nov  3 11:12:32 centos crontab[11356]: (root) BEGIN EDIT (root)
Nov  3 11:12:36 centos crontab[11356]: (root) END EDIT (root)
Nov  3 12:01:01 centos crond[11453]: (root) CMD (run-parts /etc/cron.hourly)
Nov  3 12:02:10 centos sshd[10926]: pam_unix(sshd:session): session closed for user root
Nov  3 13:01:01 centos crond[11580]: (root) CMD (run-parts /etc/cron.hourly)
Nov  3 13:06:11 centos sshd[11602]: Accepted password for root from 192.168.1.109 port 4024 ssh2
Nov  3 13:06:11 centos sshd[11602]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov  3 13:06:52 centos sshd[11602]: pam_unix(sshd:session): session closed for user root
Nov  3 14:01:01 centos crond[11740]: (root) CMD (run-parts /etc/cron.hourly)
Nov  3 15:01:01 centos crond[11868]: (root) CMD (run-parts /etc/cron.hourly)
Nov  3 16:01:01 centos crond[11993]: (root) CMD (run-parts /etc/cron.hourly)
Nov  3 17:01:01 centos crond[12118]: (root) CMD (run-parts /etc/cron.hourly)
Nov  3 17:06:58 centos sshd[12141]: Accepted password for root from 192.168.1.109 port 4367 ssh2
Nov  3 17:06:59 centos sshd[12141]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov  3 17:08:11 centos shutdown[12178]: shutting down for system reboot


I read several articles by more experienced people online before doing this setup.
Is there anything I'm still missing?
Or is it simply not possible to receive logs sent by a device on the Internet?

rainday

  • Diligent Graduate Student
  • *****
  • Posts: 738
  • Gender: Male
  • enhancing and optimizing
Re: syslog on Centos 5.6 xen
« Reply #1 on: 2011-11-04 14:37 »
1. Confirm that your syslog has opened its receiving socket:
run netstat -tnlpu and check whether the port is open.
2. Use tcpdump to check whether packets are coming in.
<0  =_=  Don't learn to hack , hack to learn.

viphone

  • Cute Elementary Student
  • *
  • Posts: 7
Re: syslog on Centos 5.6 xen
« Reply #2 on: 2011-11-04 15:53 »
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2988/sshd
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      3004/cupsd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      3170/sendmail: acce
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      3246/httpd
tcp        0      0 0.0.0.0:700                 0.0.0.0:*                   LISTEN      2638/rpc.statd
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      2952/python
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               5684/syslogd
That counts as open, right? But it's not in the LISTEN state.

I connect to the host over ssh, so the only traffic is between me and the host; nobody else is talking.

15:51:52.085111 IP 192.168.1.100.ssh > 192.168.1.109.4305: P 6473488:6473636(148) ack 30369 win 12864
15:51:52.085190 IP 192.168.1.100.ssh > 192.168.1.109.4305: P 6473636:6473784(148) ack 30369 win 12864
15:51:52.085268 IP 192.168.1.100.ssh > 192.168.1.109.4305: P 6473784:6473932(148) ack 30369 win 12864
15:51:52.085347 IP 192.168.1.100.ssh > 192.168.1.109.4305: P 6473932:6474080(148) ack 30369 win 12864
15:51:52.085425 IP 192.168.1.100.ssh > 192.168.1.109.4305: P 6474080:6474228(148) ack 30369 win 12864
15:51:52.085503 IP 192.168.1.100.ssh > 192.168.1.109.4305: P 6474228:6474376(148) ack 30369 win 12864
15:51:52.085581 IP 192.168.1.100.ssh > 192.168.1.109.4305: P 6474376:6474524(148) ack 30369 win 12864
15:51:52.085659 IP 192.168.1.100.ssh > 192.168.1.109.4305: P 6474524:6474672(148) ack 30369 win 12864
15:51:52.085737 IP 192.168.1.100.ssh > 192.168.1.109.4305: P 6474672:6474820(148) ack 30369 win 12864
15:51:52.085815 IP 192.168.1.100.ssh > 192.168.1.109.4305: P 6474820:6474968(148) ack 30369 win 12864
15:51:52.085893 IP 192.168.1.100.ssh > 192.168.1.109.4305: P 6474968:6475116(148) ack 30369 win 12864

rainday

  • Diligent Graduate Student
  • *****
  • Posts: 738
  • Gender: Male
  • enhancing and optimizing
Re: syslog on Centos 5.6 xen
« Reply #3 on: 2011-11-07 03:20 »
You can run tcpdump -n port 514
or
tcpdump -n host <remote-switch-ip>
so that packets on other ports don't clutter the output until you can't see anything. If no packets come in, it has nothing to do with the syslog server configuration.
1. First confirm which port the remote network switch sends its logs to.
2. Confirm that the path from the remote device to this syslog server on that port is open.
3. To verify that the syslog service can receive properly, set up an internal server to send syslog to it and test with that.
<0  =_=  Don't learn to hack , hack to learn.
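As an added example for step 3 above (not code from this thread), a small Python probe for the collector: it builds an RFC 3164 line with the <PRI> byte that syslogd decodes to match selectors such as *.*, parses such a line back the way the collector does, and sends it as one UDP datagram to port 514. The function names, the sample host switch01 and the timestamp SAMPLE_TIME are assumptions; if tcpdump on the collector shows the datagram but nothing lands in /var/log/switchlogs, the fault is in the syslog configuration, and if the datagram never arrives, it is the network path.

```python
import re
import socket
import sys
from datetime import datetime

# RFC 3164 facility and severity codes (subset); PRI = facility * 8 + severity
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "local0": 16}
SEVERITY = {"emerg": 0, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}
SAMPLE_TIME = datetime(2011, 11, 7, 14, 29, 0)  # constructed sample timestamp


def encode_pri(facility, severity):
    """The <PRI> value syslogd decodes to match selectors such as '*.*' or 'local0.info'."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_message(facility, severity, hostname, tag, text, when=None):
    """Build one RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG (day is space-padded)."""
    when = when or datetime.now()
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{encode_pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"


_LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")


def parse_message(line):
    """Decode a line as the collector would; None for malformed input or a PRI above 191."""
    m = _LINE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}


def send_test_message(collector, line, port=514):
    """Send the line as a single UDP datagram to the collector's 0.0.0.0:514 socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("ascii", "replace"), (collector, port))


if __name__ == "__main__":
    # usage: python3 syslog_probe.py <collector-ip>; then check /var/log/switchlogs on the collector
    probe = build_message("local0", "info", socket.gethostname(), "syslogprobe", "remote reception test")
    print("sent", send_test_message(sys.argv[1], probe), "bytes:", probe)
```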

viphone

  • Cute Elementary Student
  • *
  • Posts: 7
Re: syslog on Centos 5.6 xen
« Reply #4 on: 2011-11-07 14:29 »
[root@centos log]# tcpdump -n port 514
tcpdump: WARNING: peth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on peth0, link-type EN10MB (Ethernet), capture size 96 bytes

What is this peth0 interface? It's the first time I've seen it.

rainday

  • Diligent Graduate Student
  • *****
  • Posts: 738
  • Gender: Male
  • enhancing and optimizing
Re: syslog on Centos 5.6 xen
« Reply #5 on: 2011-11-09 18:58 »
peth0 should be the Xen NIC.
Use -i ethx to specify your NIC.
<0  =_=  Don't learn to hack , hack to learn.