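I am trying to create an rsyslog.conf with multiple listeners, e.g. with and without TLS (using streamdriver). It is possible to create multiple inputs, but from what I read in the rsyslog documentation, it does not seem possible to move the streamdriver parameters, e.g. streamdriver.mode="1", from module() to input() or action() when using omfile. Does anybody know whether it is possible to create multiple listeners using imtcp, with omfile as the output method?
My working script with a single listener: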
# Prints every message, even if repeated 1001 times in a second. Strongly recommend for use with Splunk
$RepeatedMsgReduction off
module(load="imtcp"
streamdriver.name="gtls" # use gtls netstream driver
streamdriver.mode="1" # require TLS for the connection
streamdriver.authmode="x509/name" # peer certificate is validated and its name is checked
)
global(
defaultNetstreamDriverCAFile="/opt/splunk/etc/auth/sslCerts/CACertificate.pem"
defaultNetstreamDriverCertFile="/opt/splunk/etc/auth/sslCerts/ServerCertificate.pem"
defaultNetstreamDriverKeyFile="/opt/splunk/etc/auth/sslCerts/ServerPrivatKeyDec.key"
)
# Create as many inputs as you like. This listens on TCP 514.
input(type="imtcp" port="514" ruleset="SplunkNetwork")
# Template for directory + filename structure. Use %FROMHOST-IP% for IP without hostname resolution
template(name="filename-by-host" type="string" string="/opt/logfiles/%FROMHOST%/%$YEAR%-%$MONTH%-%$DAY%.log")
ruleset(name="SplunkNetwork") {
action(type="omfile" DynaFile="filename-by-host" DirCreateMode="0755" FileCreateMode="0644" DirOwner="splunk" DirGroup="splunk" FileOwner="splunk" FileGroup="splunk")
}
What I would like to do (not working), passing the streamdriver parameters to input() or action():
# Prints every message, even if repeated 1001 times in a second. Strongly recommend for use with Splunk
$RepeatedMsgReduction off
module(load="imtcp")
global(
defaultNetstreamDriverCAFile="/opt/splunk/etc/auth/sslCerts/CACertificate.pem"
defaultNetstreamDriverCertFile="/opt/splunk/etc/auth/sslCerts/ServerCertificate.pem"
defaultNetstreamDriverKeyFile="/opt/splunk/etc/auth/sslCerts/ServerPrivatKeyDec.key"
)
# Create as many inputs as you like. This listens on TCP 514 and TCP 1514.
input(type="imtcp" port="514" ruleset="SplunkNetwork-anon-no-tsl")
input(type="imtcp" port="1514" ruleset="SplunkNetwork-anon-tsl")
# Template for directory + filename structure. Use %FROMHOST-IP% for IP without hostname resolution
template(name="filename-by-host" type="string" string="/opt/logfiles/%FROMHOST%/%$YEAR%-%$MONTH%-%$DAY%.log")
ruleset(name="SplunkNetwork-anon-no-tsl") {
action(type="omfile" DynaFile="filename-by-host" DirCreateMode="0755" FileCreateMode="0644" DirOwner="splunk" DirGroup="splunk" FileOwner="splunk" FileGroup="splunk" StreamDriverMode="0" StreamDriver="gtls" StreamDriverAuthMode="anon")
}
ruleset(name="SplunkNetwork-anon-tsl") {
action(type="omfile" DynaFile="filename-by-host" DirCreateMode="0755" FileCreateMode="0644" DirOwner="splunk" DirGroup="splunk" FileOwner="splunk" FileGroup="splunk" StreamDriverMode="1" StreamDriver="gtls" StreamDriverAuthMode="anon")
}
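Answer 0 (score: 0)
You use both the imptcp and imtcp modules to allow plain TCP and TLS connections. The example below shows the rsyslog configuration needed to set up logging inputs for plain TCP on port 514 and TLS on port 1514.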
global(
defaultNetstreamDriverCAFile="/opt/splunk/etc/auth/sslCerts/CACertificate.pem"
defaultNetstreamDriverCertFile="/opt/splunk/etc/auth/sslCerts/ServerCertificate.pem"
defaultNetstreamDriverKeyFile="/opt/splunk/etc/auth/sslCerts/ServerPrivatKeyDec.key"
)
# Load the imptcp module to provide the ability to receive messages over plain TCP
module(load="imptcp")
# Load the imtcp module to provide the ability to receive messages over TLS
module(
load="imtcp"
streamdriver.name="gtls" # use gtls netstream driver
streamdriver.mode="1" # require TLS for the connection
streamdriver.authmode="x509/name" # peer certificate is validated and its name is checked
)
# Listen on port 514 (imptcp driver)
input(
type="imptcp"
port="514"
)
# Listen on port 1514 (imtcp driver)
input(
type="imtcp"
port="1514"
)
Answer 1 (score: -1)
You can use imtcp for TLS and imptcp for TCP.