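Forwards messages from the journal to other hosts over the network using the Syslog protocol (RFC 5424 and RFC 3339). It can be configured to send messages to both unicast and multicast addresses. systemd-netlogd runs as its own user, systemd-journal-netlog. It starts sending logs when the network is up and stops sending as soon as the network goes down (uses sd-network). It reads from the journal and forwards entries to the network one by one. It uses no additional disk space. systemd-netlogd supports UDP, TCP, TLS and DTLS (Datagram Transport Layer Security, RFC 6012).
Install the build dependencies: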
# On Debian/Ubuntu
sudo apt install build-essential gperf libcap-dev libsystemd-dev pkg-config meson python3-sphinx
# On CentOS/RHEL/Fedora
sudo dnf group install 'Development Tools'
sudo dnf install gperf libcap-devel pkg-config systemd-devel meson python3-sphinx
Build and install:
make
sudo make install
Create the user:
sudo useradd -r -d / -s /usr/sbin/nologin -g systemd-journal systemd-journal-netlog
Or via sysusers:
/usr/lib/sysusers.d/systemd-netlogd.conf
# Type Name ID GECOS Home directory Shell
u systemd-journal-netlog -:systemd-journal - / /bin/nologin
systemd-netlogd reads the configuration files /etc/systemd/netlogd.conf and /etc/systemd/netlogd.conf.d/*.conf.
[Network] section options
The "[Network]" section only applies to the UDP multicast address and port:
Address=
Controls whether log messages received by the systemd-netlogd daemon shall be forwarded to a unicast UDP address or multicast UDP network group in syslog RFC 5424 format. The address string format is similar to socket units. See systemd.socket(1).
Protocol=
Specifies whether to use udp, tcp, tls or dtls (Datagram Transport Layer Security) protocol. Defaults to udp.
LogFormat=
Specifies whether to use RFC 5424 format or RFC 3339 format. Takes one of rfc5424 or rfc3339. Defaults to rfc5424.
Directory=
Takes a directory path. Specifies whether to operate on the specified journal directory DIR instead of the default runtime and system journal paths.
Namespace=
Takes a journal namespace identifier string as argument. If not specified the data collected by the default namespace is shown. If specified shows the log data of the specified namespace instead. If the namespace is specified as "*" data from all namespaces is shown, interleaved. If the namespace identifier is prefixed with "+" data from the specified namespace and the default namespace is shown, interleaved, but no other.
ConnectionRetrySec=
Specifies the minimum delay before subsequent attempts to contact a Log server are made. Takes a time span value. The default unit is seconds, but other units may be specified, see systemd.time(5). Defaults to 30 seconds and must not be smaller than 1 second.
TLSCertificateAuthMode=
Specifies whether to validate the certificate. Takes one of no, allow, deny, warn. Defaults to 'deny', which rejects certificates that fail to validate.
TLSServerCertificate=
Specify a custom certificate to validate the server against. Takes a path to a certificate file in PEM format.
KeepAlive=
Takes a boolean argument. If true, the TCP/IP stack will send a keep alive message after 2h (depending on the configuration of /proc/sys/net/ipv4/tcp_keepalive_time) for all TCP streams accepted on this socket. This controls the SO_KEEPALIVE socket option (see socket(7) and the TCP Keepalive HOWTO for details.) Defaults to false.
KeepAliveTimeSec=
Takes time (in seconds) as argument. The connection needs to remain idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE socket option (see socket(7) and the TCP Keepalive HOWTO for details.) Default value is 7200 seconds (2 hours).
KeepAliveIntervalSec=
Takes time (in seconds) as argument between individual keepalive probes, if the socket option SO_KEEPALIVE has been set on this socket. This controls the TCP_KEEPINTVL socket option (see socket(7) and the TCP Keepalive HOWTO for details.) Default value is 75 seconds.
KeepAliveProbes=
Takes an integer as argument. It is the number of unacknowledged probes to send before considering the connection dead and notifying the application layer. This controls the TCP_KEEPCNT socket option (see socket(7) and the TCP Keepalive HOWTO for details.) Default value is 9.
SendBuffer=
Takes an integer argument controlling the send buffer size of this socket. This controls the SO_SNDBUF socket option (see socket(7) for details). The usual suffixes K, M, G are supported and are understood to the base of 1024.
NoDelay=
Takes a boolean argument. TCP Nagle's algorithm works by combining a number of small outgoing messages, and sending them all at once. This controls the TCP_NODELAY socket option (see tcp(7)). Defaults to false.
Optional settings
StructuredData=
Meta information about the syslog message, which can be used for cloud-based syslog servers such as Loggly.
UseSysLogStructuredData=
A boolean. Specifies whether to extract SYSLOG_STRUCTURED_DATA= from journal. Defaults to false.
UseSysLogMsgId=
A boolean. Specifies whether to extract SYSLOG_MSGID= from journal. Defaults to false.
ExcludeSyslogFacility=
A list of strings. Specifies the syslog facilities to skip forwarding. Possible values are: "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron", "local0", "local1", "local2", "local3", "local4", "local5", "local6" and "local7".
ExcludeSyslogLevel=
A list of strings. Specifies the syslog levels to skip forwarding. Possible values are: "emerg", "alert", "crit", "err", "warning", "notice", "info" and "debug".
Examples
Example 1. UDP multicast
[Network]
Address=239.0.0.1:6000
#Protocol=udp
#LogFormat=rfc5424
Example 2. UDP
[Network]
Address=192.168.8.101:514
#Protocol=udp
LogFormat=rfc3339
Example 3. Structured data
[Network]
Address=192.168.8.101:514
#Protocol=udp
LogFormat=rfc5424
StructuredData=[1ab456b6-90bb-6578-abcd-5b734584aaaa@41058]
Example 4. Custom syslog structured data and message ID
[Network]
Address=192.168.8.101:514
#Protocol=udp
LogFormat=rfc5424
UseSysLogStructuredData=yes
UseSysLogMsgId=yes
Example 5. Skipping messages with facility AUTH or AUTHPRIV and messages with level DEBUG
[Network]
Address=192.168.8.101:514
#Protocol=udp
LogFormat=rfc3339
ExcludeSyslogFacility=auth authpriv
ExcludeSyslogLevel=debug
Example 6. TLS with certificate authentication mode
[Network]
Address=192.168.8.101:4433
Protocol=tls
#LogFormat=rfc5424
TLSCertificateAuthMode=warn
Example 7. DTLS with certificate authentication mode
[Network]
Address=192.168.8.101:4433
Protocol=dtls
#LogFormat=rfc5424
TLSCertificateAuthMode=allow
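A small audit of the [Network] options documented above, as an added example that is not part of systemd-netlogd: it flags cleartext transports, a TLSCertificateAuthMode other than deny, and ExcludeSyslogFacility values that stop authentication logs from being forwarded. The function name, the choice of "security-relevant" facilities and the certificate path in the hardened sample are assumptions made for this illustration.

```python
import configparser

CLEARTEXT = {"udp", "tcp"}                               # no transport encryption
SECURITY_FACILITIES = {"auth", "authpriv", "security"}   # assumption: audit-relevant

# Constructed inputs: Examples 5 and 6 from this page, plus a hardened variant.
EXAMPLE_5 = """[Network]
Address=192.168.8.101:514
#Protocol=udp
LogFormat=rfc3339
ExcludeSyslogFacility=auth authpriv
ExcludeSyslogLevel=debug
"""
EXAMPLE_6 = """[Network]
Address=192.168.8.101:4433
Protocol=tls
TLSCertificateAuthMode=warn
"""
HARDENED = """[Network]
Address=192.168.8.101:4433
Protocol=tls
TLSCertificateAuthMode=deny
TLSServerCertificate=/path/to/collector-ca.pem
"""

def audit_netlogd(conf_text):
    """Return findings for the [Network] section of a netlogd.conf."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str                  # keep option names as written
    cp.read_string(conf_text)
    if not cp.has_section("Network"):
        return ["no [Network] section"]
    net, findings = cp["Network"], []
    proto = net.get("Protocol", "udp").strip().lower()        # documented default
    if proto in CLEARTEXT:
        findings.append(f"Protocol={proto}: log content is sent unencrypted")
    else:
        mode = net.get("TLSCertificateAuthMode", "deny").strip().lower()
        if mode != "deny":
            findings.append(f"TLSCertificateAuthMode={mode}: only deny is "
                            "documented as rejecting invalid certificates")
    dropped = set(net.get("ExcludeSyslogFacility", "").lower().split()) & SECURITY_FACILITIES
    if dropped:
        findings.append("ExcludeSyslogFacility drops " + ", ".join(sorted(dropped)))
    return findings

if __name__ == "__main__":
    for text in (EXAMPLE_5, EXAMPLE_6, HARDENED):
        print(audit_netlogd(text) or "ok")
```

Commented-out options are treated as unset, so Example 5 is audited with the documented default Protocol=udp.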
Use case of UseSysLogStructuredData= and UseSysLogMsgId=
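#include <systemd/sd-journal.h>

int main() {
        /* C++ (raw string literal); link with -lsystemd.
           Writes one journal entry carrying a syslog message ID and structured data. */
        return sd_journal_send(
                "MESSAGE=%s", "Message to process",
                "PRIORITY=%s", "4",
                "SYSLOG_FACILITY=%s", "1",
                "SYSLOG_MSGID=%s", "1011",
                "SYSLOG_STRUCTURED_DATA=%s", R"([exampleSDID@32473 iut="3" eventSource="Application"])",
                NULL) < 0;
}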