Building a Centralized Secure Log Server with syslog-ng and Stunnel

Posted by cnbird on 2009-09-22

UNIX system administrators know the syslog daemon well, but the information it collects usually goes unprocessed unless somebody reports a problem. At any site with more than a few machines, nobody takes the time to collect and read multiple log files every day, or even every month. Writing automated scripts that correlate data across those machines is hard, because each script has to reach every machine separately. To lighten the load of both automated and manual processing, many sites set up a central log server that collects data from every machine on the network (ideally with NTP running everywhere, so that time and date correlation is easier), including UNIX servers, Windows and Mac desktops, and even network devices such as routers and switches. With most ordinary UNIX syslog daemons, centralized logging is trivial to set up, but syslogd has changed very little since its early versions and so brings a number of drawbacks with it.

The standard UNIX syslog daemon transmits messages over UDP in cleartext, so anyone on the path can see potentially sensitive data. The facility.level model is also quite limiting, and the default /etc/syslog.conf shipped with most operating systems neglects to record many messages an administrator would care about. Parsing logs so that people can read them, or so that they can feed automated data mining, matters; for example, the UNIX syslog daemon does not easily allow splitting log files per host or matching log messages by regular expression. As a result, most centralized log servers built on the ordinary syslog daemon end up with huge log files that are only processed after the syslogd process has closed them.

Consequently, most sites that centralize their logging also end up replacing the ordinary syslog daemon with a more secure and flexible one, such as Metalog, msyslog, or similar. One very popular syslog replacement is the open source program syslog-ng. An organization can run syslog-ng on every UNIX host or only on the syslog server. If syslog-ng runs only on the log host, the clients keep sending data to UDP port 514 as usual, but the logs can be organized and processed much better on the server.

The advantage of running syslog-ng on every UNIX host is that the logging channel can then be encrypted with IPSec or with the Stunnel utility, so that a casual sniffer cannot read the data. With Stunnel as the transport, an organization can securely gather log messages from all the UNIX hosts that matter onto one machine for further processing. For syslog-ng, Stunnel works like this: it accepts log connections on a local port, wraps them in an SSL session, and redirects them to a secure port on the remote log host. The stunnel process on the remote log host then decrypts the SSL session and passes the messages on to the syslog server on the standard port. Once the messages reach the log server, syslog-ng's flexibility is used to organize and parse the log files.

Below I describe the process of installing and configuring syslog-ng and Stunnel on a machine running the Solaris 8 Operating System (SPARC Platform Edition), but the process generally applies to earlier and later versions of the Solaris OS on both SPARC and x86 platforms as well. Each reference machine discussed below has OpenSSL, tcp wrappers, the Solaris 8 /dev/urandom patch, the GNU development environment (gcc and friends), and several other free software packages installed. The machine acting as log server has also been fully hardened, because it will store sensitive and security-related information from every machine on the network. These reference machines all live on subnet 192.168.1, and the log server's IP address is 192.168.1.10.

Installing Stunnel

The first step in building the secure log server is to install Stunnel on the server and on every client. Stunnel can also be used with the ordinary syslog daemon (instead of replacing syslog with syslog-ng), but that does not give us the flexibility we are after. In the instructions below I configure and build stunnel so that it runs under its own user and group and chroots into its own directory. To do this, first create the stunnel group and user (the UID and GID are chosen arbitrarily):

/usr/sbin/groupadd -g 122 stunnel
/usr/sbin/useradd -c stunnel -d /nonexistent -m -g 122 -u 122 stunnel

Now fetch the Stunnel source, unpack it, and configure it. On these particular hosts the OpenSSL certificates are kept in /usr/local/etc/openssl/certs, and I want the doc directory installed in /usr/local alongside the other locally installed docs. I also set localstatedir to /var/run/stunnel, because it does not need to survive a reboot and I want it inside the chroot directory.

wget http://www.stunnel.org/download/stunnel/src/stunnel-4.05.tar.gz
tar zxf stunnel-4.05.tar.gz
cd stunnel-4.05

./configure --localstatedir=/var/run/stunnel \
    --with-pem-dir=/usr/local/etc/openssl/certs --datadir=/usr/local

make
make install

Creating the certificate files for syslog-ng over Stunnel

The Stunnel installation creates a self-signed certificate that you may choose to use. Since I run my own private certificate authority and run Stunnel only for syslog-ng, I generate and sign my own syslog-ng-specific certificates instead. For details on setting up your own CA and signing certificates, see the SSL certificates HOWTO.

Assuming you have set up your own CA, or will send certificate requests to a recognized CA, create the pem file for the server:

openssl req -new -days 3650 -nodes -config stunnel.cnf -out serverreq.pem \
    -keyout syslog-ng-server.pem

Also create a corresponding pem file for each client:

openssl req -new -days 3650 -nodes -config stunnel.cnf -out clientreq.pem \
    -keyout syslog-ng-client.pem

Sign each pem file with the local CA, or have a public CA sign them. I use the sign.sh script that ships with the apache mod_ssl distribution:

sign.sh /tmp/serverreq.pem
sign.sh /tmp/client1req.pem
sign.sh /tmp/client2req.pem
sign.sh /tmp/client3req.pem

The resulting crt files contain the certificate for each corresponding pem file. The server needs the server pem file syslog-ng-server.pem, which contains the server's private key and its certificate (copied from the /tmp/serverreq.pem.crt file):

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

It also needs the client pem file syslog-ng-client.pem, which contains only certificates (taken from the crt files): the signing CA's certificate and one certificate per client (this example assumes three syslog-ng clients):

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Each client needs its own certificate and private key in the pem file syslog-ng-client.pem:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Each client also needs the pem file syslog-ng-server.pem, which contains only the certificates of the server and of the signing CA:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

On every machine, make sure that only the superuser can read the certificate files (the client files hold private keys):

chmod 400 /usr/local/etc/openssl/certs/syslog-ng-*
chown root:other /usr/local/etc/openssl/certs/syslog-ng-*
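
The four bundles above are easy to get wrong by hand (a private key pasted into the certificate-only CAfile, a client certificate missing from the server's list, or a file left world-readable). The following Python script is an added example, not code from the article or from stunnel: it parses the PEM blocks in a bundle, compares the count of private keys and certificates against what each role needs, and checks that the file mode is 0400 as set by the chmod above. The PEM bodies it uses are constructed placeholders, not real keys; the role and file names follow the article.

```python
import os
import re
import stat
import tempfile

# One PEM block: BEGIN label, body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)

# Expected (private keys, certificates) per role and file, as laid out in the article.
EXPECTED = {
    ("server", "syslog-ng-server.pem"): (1, 1),   # server key + server cert
    ("server", "syslog-ng-client.pem"): (0, 4),   # CA cert + three client certs
    ("client", "syslog-ng-client.pem"): (1, 1),   # this client's key + cert
    ("client", "syslog-ng-server.pem"): (0, 2),   # server cert + CA cert
}


def fake_block(label):
    """Constructed placeholder PEM block; the body is not real key material."""
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"


KEY = fake_block("RSA PRIVATE KEY")
CERT = fake_block("CERTIFICATE")


def count_blocks(pem_text):
    """Return (private_keys, certificates) found in a PEM bundle."""
    keys = certs = 0
    for m in PEM_BLOCK.finditer(pem_text):
        label = m.group(1)
        if label.endswith("PRIVATE KEY"):
            keys += 1
        elif label == "CERTIFICATE":
            certs += 1
    return keys, certs


def check_bundle(role, name, pem_text):
    """Return a list of problems with a bundle; an empty list means it matches the role."""
    problems = []
    want = EXPECTED[(role, name)]
    got = count_blocks(pem_text)
    if got != want:
        problems.append(f"{role}/{name}: expected {want} (keys, certs), got {got}")
    # A certificate-only file is copied to the peers, so a key inside it is a leak.
    if want[0] == 0 and got[0] > 0:
        problems.append(f"{role}/{name}: private key inside a certificate-only file")
    return problems


def owner_read_only(path):
    """True when the mode is exactly 0400, i.e. what 'chmod 400' produces."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o400


def demo_mode():
    """Write a constructed bundle to a temp file; report the mode check before and after chmod 400."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "w") as f:
            f.write(KEY + CERT)
        os.chmod(path, 0o644)
        before = owner_read_only(path)
        os.chmod(path, 0o400)
        after = owner_read_only(path)
    finally:
        os.unlink(path)
    return before, after
```

Run check_bundle() against each of the four real files with the role of the machine it sits on; any non-empty result means the bundle was assembled wrongly and stunnel's peer verification will either fail or trust the wrong certificates.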

Configuring Stunnel for syslog-ng

On the server, create the syslog-ng-specific Stunnel configuration file /usr/local/etc/stunnel/stunnel.conf with the following contents. This example file specifies the local certificate/key file and the certificate file used to verify peers, the stunnel user and group, and the chroot directory. A verify value of 3 makes stunnel verify the peer against the locally installed certificates. Stunnel leaves verification off by default, so turning it on here is important. The last part of the file specifies the port number of the SSL-wrapped session and the IP:port pairs on which connections are accepted and to which they are redirected. Port 514 is the standard syslog port; 5140 is an arbitrarily chosen unused port. Be sure to read the stunnel man page for further information and configuration options.

cert = /usr/local/etc/openssl/certs/syslog-ng-server.pem
CAfile = /usr/local/etc/openssl/certs/syslog-ng-client.pem
chroot = /var/run/stunnel
pid = /run/stunnel.pid
setuid = stunnel
setgid = stunnel
verify = 3
[5140]
accept = 192.168.1.10:5140
connect = 127.0.0.1:514

On each client, the syslog-ng-specific /usr/local/etc/stunnel/stunnel.conf contains directives much like the server's stunnel.conf. The cert and CAfile values and the accept and connect values are swapped, and the client directive is added:

client = yes
cert = /usr/local/etc/openssl/certs/syslog-ng-client.pem
CAfile = /usr/local/etc/openssl/certs/syslog-ng-server.pem
chroot = /var/run/stunnel
pid = /run/stunnel.pid
setuid = stunnel
setgid = stunnel
verify = 3
[5140]
accept = 127.0.0.1:514
connect = 192.168.1.10:5140
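
Because the two files are mirror images of each other, a mistake in one of them (verify left at its default, cert and CAfile not swapped, a connect address that does not match the server's accept) silently produces either a failing tunnel or one that accepts any certificate. The following Python script is an added example of my own, not part of the article or of stunnel: it parses the two configurations with a small hand-written parser that understands only the key = value and [service] syntax shown above, and checks the invariants the text describes. Both configurations are embedded as constructed samples copied from the listings.

```python
SERVER_CONF = """\
cert = /usr/local/etc/openssl/certs/syslog-ng-server.pem
CAfile = /usr/local/etc/openssl/certs/syslog-ng-client.pem
chroot = /var/run/stunnel
pid = /run/stunnel.pid
setuid = stunnel
setgid = stunnel
verify = 3
[5140]
accept = 192.168.1.10:5140
connect = 127.0.0.1:514
"""

CLIENT_CONF = """\
client = yes
cert = /usr/local/etc/openssl/certs/syslog-ng-client.pem
CAfile = /usr/local/etc/openssl/certs/syslog-ng-server.pem
chroot = /var/run/stunnel
pid = /run/stunnel.pid
setuid = stunnel
setgid = stunnel
verify = 3
[5140]
accept = 127.0.0.1:514
connect = 192.168.1.10:5140
"""


def parse_stunnel_conf(text):
    """Return (global_options, {service_name: options}); comments and blanks are skipped."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return global_opts, services


def check_pair(server_text, client_text, service="5140"):
    """Return the list of invariant violations between a server and a client stunnel.conf."""
    sg, ss = parse_stunnel_conf(server_text)
    cg, cs = parse_stunnel_conf(client_text)
    problems = []
    for side, g in (("server", sg), ("client", cg)):
        # verify is off by default; 3 means "verify peer against local certificates".
        if g.get("verify") != "3":
            problems.append(f"{side}: verify is {g.get('verify')!r}, expected '3'")
        if not g.get("chroot") or not g.get("setuid"):
            problems.append(f"{side}: chroot or setuid missing")
    if sg.get("client", "no") == "yes":
        problems.append("server: client = yes must not be set")
    if cg.get("client") != "yes":
        problems.append("client: client = yes missing")
    # Each side's CAfile must be the other side's cert, or peer verification cannot succeed.
    if sg.get("cert") != cg.get("CAfile") or cg.get("cert") != sg.get("CAfile"):
        problems.append("cert and CAfile are not swapped between server and client")
    s_svc, c_svc = ss.get(service, {}), cs.get(service, {})
    if c_svc.get("connect") != s_svc.get("accept"):
        problems.append("client connect does not match server accept")
    # The plaintext syslog leg must stay on the loopback interface on both ends.
    if not s_svc.get("connect", "").startswith("127.0.0.1:") or \
            not c_svc.get("accept", "").startswith("127.0.0.1:"):
        problems.append("plaintext syslog leg is not bound to 127.0.0.1")
    return problems
```

check_pair(SERVER_CONF, CLIENT_CONF) returns an empty list for the two files as printed above; dropping verify = 3 or the client line, or pointing connect at the wrong address, each produces a named violation.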

Stunnel is now configured, and syslog-ng can be installed and configured. If you want to test Stunnel at this point, configure it for another TCP port or service (such as IMAP or telnet) as described on the stunnel examples page.

Installing syslog-ng

The stable version of syslog-ng first requires the libol library to be installed (or at least built). Download, unpack, and install it as follows:

wget http://www.balabit.com/downloads/libol/0.3/libol-0.3.14.tar.gz
tar zxf libol-0.3.14.tar.gz
cd libol-0.3.14

./configure
make
make install

Now retrieve the syslog-ng source and unpack, configure, and install it. At configure time I also add tcp wrapper support, because I have it installed and use it for other daemons already:

wget http://www.balabit.com/downloads/syslog-ng/1.6/src/syslog-ng-1.6.5.tar.gz
tar zxf syslog-ng-1.6.5.tar.gz
cd ../syslog-ng-1.6.5

./configure --enable-tcp-wrapper
make
make install

Be sure to open the appropriate ports in any packet filters and/or tcp wrappers. The server needs to accept connections from clients on TCP port 5140, and on UDP port 514 as well if the log host also accepts unencrypted syslog messages. To support the extended tcp wrapper syntax, add the following to /etc/hosts.deny on the server:

syslog-ng : LOCAL 127.0.0.1 192.168.1. : ALLOW

Also, on the clients add the following to /etc/hosts.deny:

syslog-ng : LOCAL 127.0.0.1 : ALLOW

Now create the stunnel/syslog-ng startup script /etc/init.d/syslog-ng, which runs on every machine at boot. The following script is based on the Solaris 8 OS syslog startup script; in addition it runs savecore and then starts stunnel and syslog-ng:

#!/sbin/sh
#
# Start/stop stunnel and syslog-ng; based on the Solaris 8 syslog script.

case "$1" in
'start')
    if [ -f /usr/local/etc/syslog-ng/syslog-ng.conf -a -x \
        /usr/local/sbin/syslog-ng ]; then
        #
        # Before syslogd starts, save any messages from previous
        # crash dumps so that messages appear in chronological order.
        #
        /usr/bin/savecore -m
        if [ -r /etc/dumpadm.conf ]; then
            . /etc/dumpadm.conf
            [ "x$DUMPADM_DEVICE" != xswap ] && \
                /usr/bin/savecore -m -f $DUMPADM_DEVICE
        fi
        #
        # Start stunnel so logs are sent encrypted
        #
        if [ -f /usr/local/etc/stunnel/stunnel.conf \
            -a -x /usr/local/sbin/stunnel ]; then
            echo "Starting stunnel"
            # pid = /run/stunnel.pid in stunnel.conf is relative to chroot = /var/run/stunnel
            mkdir -p /var/run/stunnel/run
            chown stunnel:stunnel /var/run/stunnel/run
            /usr/local/sbin/stunnel
            echo "Starting syslog-ng"
            /usr/local/sbin/syslog-ng
        fi
    fi
    ;;

'stop')
    if [ -f /var/run/syslog-ng.pid ]; then
        syspid=`/usr/bin/cat /var/run/syslog-ng.pid`
        [ "$syspid" -gt 0 ] && kill -15 $syspid && \
            echo "Killed syslog-ng"
    fi
    if [ -f /var/run/stunnel/run/stunnel.pid ]; then
        syspid=`/usr/bin/cat /var/run/stunnel/run/stunnel.pid`
        [ "$syspid" -gt 0 ] && kill -15 $syspid && \
            echo "Killed stunnel"
    fi
    ;;

*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac

Remove the links to the native Solaris syslog start and stop scripts and replace them with links to the new syslog-ng script:

rm /etc/rc*.d/???syslog
ln -s /etc/init.d/syslog-ng /etc/rc0.d/K40syslog-ng
ln -s /etc/init.d/syslog-ng /etc/rc1.d/K40syslog-ng
ln -s /etc/init.d/syslog-ng /etc/rc2.d/S74syslog-ng
ln -s /etc/init.d/syslog-ng /etc/rcS.d/K40syslog-ng

Configuring syslog-ng

syslog-ng's flexibility comes from its configuration file. The configuration directives source, filter, destination, and log are the important ones for log processing. A source directive says where local and remote log messages come from. filter directives separate log messages by facility, level/priority, program name, hostname, or regular expression match. A destination can be a file, a pipe, streams and datagrams, a UDP or TCP connection, a tty, or a program. A log directive combines source, filter, and destination directives and defines how the matching log messages are handled. All available directives are discussed in the syslog-ng reference manual, and the syslog-ng FAQ lists a variety of examples.

The following examples keep log files in /var/log on each local host and in /var/log/clients/$YEAR/$MONTH/$HOST on the central log server. The /usr/local/etc/syslog-ng/syslog-ng.conf below, for the log host, handles messages from the local host, from stunnel-encrypted hosts, and from plain UDP hosts (such as routers and switches that cannot run stunnel). The filters are based on facility and level, on program name match, and on some combinations of these.

# Options
options {
use_fqdn(yes);
sync(0);
keep_hostname(yes);
chain_hostnames(no);
create_dirs(yes);
};

# Sources of syslog messages (both local and remote messages on the server)
source s_local {
sun-streams("/dev/log" door("/etc/.syslog_door"));
internal();
};
# Messages handed over by the local stunnel process. Each stunnel client becomes
# one TCP connection here, so max-connections must cover all clients (three in this example).
source s_stunnel {
tcp(ip("127.0.0.1")
port(514)
max-connections(3));
};

# Plain UDP syslog from devices that cannot run stunnel
source s_udp { udp(); };

# Level Filters
filter f_emerg { level (emerg); };
filter f_alert { level (alert .. emerg); };
filter f_crit { level (crit .. emerg); };
filter f_err { level (err .. emerg); };
filter f_warning { level (warning .. emerg); };
filter f_notice { level (notice .. emerg); };
filter f_info { level (info .. emerg); };
filter f_debug { level (debug .. emerg); };

# Facility Filters
filter f_kern { facility (kern); };
filter f_user { facility (user); };
filter f_mail { facility (mail); };
filter f_daemon { facility (daemon); };
filter f_auth { facility (auth); };
filter f_syslog { facility (syslog); };
filter f_lpr { facility (lpr); };
filter f_news { facility (news); };
filter f_uucp { facility (uucp); };
filter f_cron { facility (cron); };
filter f_local0 { facility (local0); };
filter f_local1 { facility (local1); };
filter f_local2 { facility (local2); };
filter f_local3 { facility (local3); };
filter f_local4 { facility (local4); };
filter f_local5 { facility (local5); };
filter f_local6 { facility (local6); };
filter f_local7 { facility (local7); };

# Custom Filters
filter f_user_none { not facility (user); };
filter f_kern_debug { filter (f_kern) and filter (f_debug); };
filter f_daemon_notice { filter (f_daemon) and filter (f_notice); };
filter f_mail_crit { filter (f_mail) and filter (f_crit); };
filter f_mesg { filter (f_kern_debug) or
filter (f_daemon_notice) or
filter (f_mail_crit); };
filter f_authinfo { filter (f_auth) or program (sudo); };

# Destinations: local files, the console, and the client files
destination l_authlog { file ("/var/log/authlog"); };
destination l_messages { file ("/var/log/messages"); };
destination l_maillog { file ("/var/log/maillog"); };
destination l_ipflog { file ("/var/log/ipflog"); };
destination l_imaplog { file ("/var/log/imaplog"); };
destination l_syslog { file ("/var/log/syslog"); };

destination l_console { file ("/dev/console"); };

destination r_authlog { file
("/var/log/clients/$YEAR/$MONTH/$HOST/authlog"); };
destination r_messages { file
("/var/log/clients/$YEAR/$MONTH/$HOST/messages"); };
destination r_maillog { file
("/var/log/clients/$YEAR/$MONTH/$HOST/maillog"); };
destination r_ipflog { file
("/var/log/clients/$YEAR/$MONTH/$HOST/ipflog"); };
destination r_imaplog { file
("/var/log/clients/$YEAR/$MONTH/$HOST/imaplog"); };
destination r_console { file
("/var/log/clients/$YEAR/$MONTH/$HOST/consolelog"); };
destination r_syslog { file
("/var/log/clients/$YEAR/$MONTH/$HOST/syslog"); };
destination r_fallback { file
("/var/log/clients/$YEAR/$MONTH/$HOST/$FACILITY-$LEVEL"); };

# Log statements
# Local sources
log { source (s_local); filter (f_authinfo); destination (l_authlog); };
log { source (s_local); filter (f_mail); destination (l_maillog); };
log { source (s_local); filter (f_local0); destination (l_ipflog); };
log { source (s_local); filter (f_local1); destination (l_imaplog); };
log { source (s_local); filter (f_syslog); destination (l_syslog); };
log { source (s_local); filter (f_emerg); filter (f_user_none);
destination (l_console); };
log { source (s_local); filter (f_mesg); filter (f_user_none);
destination (l_messages); };

# All sources, since we want to archive local and remote logs
# (s_udp is included so that plain UDP senders such as routers are archived too)
log { source (s_local); source (s_stunnel); source (s_udp); filter (f_authinfo);
destination (r_authlog); };
log { source (s_local); source (s_stunnel); source (s_udp); filter (f_mail);
destination (r_maillog); };
log { source (s_local); source (s_stunnel); source (s_udp); filter (f_local0);
destination (r_ipflog); };
log { source (s_local); source (s_stunnel); source (s_udp); filter (f_local1);
destination (r_imaplog); };
log { source (s_local); source (s_stunnel); source (s_udp); filter (f_syslog);
destination (r_syslog); };
log { source (s_local); source (s_stunnel); source (s_udp); filter (f_emerg);
filter (f_user_none);
destination (l_console); };
log { source (s_local); source (s_stunnel); source (s_udp); filter (f_mesg);
filter (f_user_none);
destination (l_messages); };

In this example client syslog-ng.conf, the filters stay the same, but most other parts of the configuration have either been changed to reflect the client's role or removed:

# Options
options {
sync(0);
use_fqdn(yes);
};

# Sources of syslog messages (only local on clients)
source s_local {
sun-streams("/dev/log" door("/etc/.syslog_door"));
internal();
};

# Destinations: local files, the console, and the remote syslog server
destination l_authlog { file ("/var/log/authlog"); };
destination l_messages { file ("/var/log/messages"); };
destination l_maillog { file ("/var/log/maillog"); };
destination l_ipflog { file ("/var/log/ipflog"); };
destination l_imaplog { file ("/var/log/imaplog"); };
destination l_console { file ("/dev/console"); };
destination l_syslog { file ("/var/log/syslog"); };
# Hand everything to the local stunnel listener, which forwards it over SSL to the log server
destination stunnel { tcp ("127.0.0.1" port(514)); };

# Level Filters
filter f_emerg { level (emerg); };
filter f_alert { level (alert .. emerg); };
filter f_crit { level (crit .. emerg); };
filter f_err { level (err .. emerg); };
filter f_warning { level (warning .. emerg); };
filter f_notice { level (notice .. emerg); };
filter f_info { level (info .. emerg); };
filter f_debug { level (debug .. emerg); };

# Facility Filters
filter f_kern { facility (kern); };
filter f_user { facility (user); };
filter f_mail { facility (mail); };
filter f_daemon { facility (daemon); };
filter f_auth { facility (auth); };
filter f_syslog { facility (syslog); };
filter f_lpr { facility (lpr); };
filter f_news { facility (news); };
filter f_uucp { facility (uucp); };
filter f_cron { facility (cron); };
filter f_local0 { facility (local0); };
filter f_local1 { facility (local1); };
filter f_local2 { facility (local2); };
filter f_local3 { facility (local3); };
filter f_local4 { facility (local4); };
filter f_local5 { facility (local5); };
filter f_local6 { facility (local6); };
filter f_local7 { facility (local7); };

# Custom Filters
filter f_user_none { not facility (user); };
filter f_kern_debug { filter (f_kern) and filter (f_debug); };
filter f_daemon_notice { filter (f_daemon) and filter (f_notice); };
filter f_mail_crit { filter (f_mail) and filter (f_crit); };
filter f_mesg { filter (f_kern_debug) or
filter (f_daemon_notice) or
filter (f_mail_crit); };
filter f_authinfo { filter (f_auth) or program (sudo); };

# Log statements
# Log things locally
log { source (s_local); filter (f_authinfo); destination (l_authlog); };
log { source (s_local); filter (f_mail); destination (l_maillog); };
log { source (s_local); filter (f_local0); destination (l_ipflog); };
log { source (s_local); filter (f_local1); destination (l_imaplog); };
log { source (s_local); filter (f_syslog); destination (l_syslog); };
log { source (s_local); filter (f_emerg); filter (f_user_none);
destination (l_console); };
log { source (s_local); filter (f_mesg); filter (f_user_none);
destination (l_messages); };

# Log everything remotely via stunnel
log { source (s_local); destination (stunnel); };

More advanced uses of syslog-ng include sending log messages straight to data-mining software, databases, e-mail, or printers according to their importance. Another useful tip is to send high-priority log messages to a file watched by a real-time log analyzer such as swatch, logsurfer, Log Tool, or Logwatch. The possibilities for automated data mining and monitoring are considerable, because log entries can be organized and processed in so many ways.

