Sending Google Cloud Container-Optimized OS host logs to Stackdriver

Time: 2018-06-24 21:53:32

Tags: google-cloud-platform stackdriver

TL;DR
What is the best practice for sending Container-Optimized OS host logs (ssh and executed shell commands) to Stackdriver?

Background
I am using Google Container-Optimized OS, and it works very well. Sending container logs to Stackdriver is very easy, but how do I send the host logs to Stackdriver?

This is for audit purposes: I need to log all SSH connections (accepted or rejected) and all commands executed through the shell. Previously I just sent rsyslogd (auth, authpriv) to Stackdriver via the Stackdriver host logging package.

This is for Container-Optimized OS VMs running in a managed instance group (MIG), not in Google Kubernetes Engine.

This is probably very obvious, but I can't seem to find any documentation.

3 answers:

Answer 0 (score: 1)

In general, this is what any GCP COS instance needs to do to send OS audit logs to Google Stackdriver:

First, you need to enable audit logging on COS with the following command: systemctl start cloud-audit-setup. This generates the audit logs and captures them in the compute instance's logs; you can view the result with the journalctl command.

Second, you need to install the Google Stackdriver agent on the instance and configure it to send the audit logs from the instance logs to Stackdriver. This can be done by having a docker container run the fluentd-gcp Google container image.

I am sharing the cloud-init below that does the whole job for you. All you need is an instance metadata entry with the key "user-data" and the following script as the value:

#cloud-config
users:
- name: logger
  uid: 2001
  groups: docker

write_files:

- path: /etc/google-fluentd/fluentd.conf
  permissions: 0644
  owner: root
  content: |
    # This config comes from a heavily trimmed version of the
    # container-engine-customize-fluentd project. The upstream config is here:
    # https://github.com/GoogleCloudPlatform/container-engine-customize-fluentd/blob/6a46d72b29f3d8e8e495713bc3382ce28caf744e/kubernetes/fluentd-configmap.yaml
    <source>
        type systemd
        path /var/log/journal
        pos_file /var/log/gcp-journald.pos
        filters [{ "SYSLOG_IDENTIFIER": "audit" }]
        tag node-journal
        read_from_head true
    </source>
    <match **>
      @type copy
      <store>
        @type google_cloud
        # Set the buffer type to file to improve the reliability
        # and reduce the memory consumption
        buffer_type file
        buffer_path /var/log/google-fluentd/cos-system.buffer
        # Set queue_full action to block because we want to pause gracefully
        # in case of the off-the-limits load instead of throwing an exception
        buffer_queue_full_action block
        # Set the chunk limit conservatively to avoid exceeding the GCL limit
        # of 10MiB per write request.
        buffer_chunk_limit 2M
        # Cap the combined memory usage of this buffer and the one below to
        # 2MiB/chunk * (6 + 2) chunks = 16 MiB
        buffer_queue_limit 6
        # Never wait more than 5 seconds before flushing logs in the non-error
        # case.
        flush_interval 5s
        # Never wait longer than 30 seconds between retries.
        max_retry_wait 30
        # Disable the limit on the number of retries (retry forever).
        disable_retry_limit
        # Use multiple threads for processing.
        num_threads 2
      </store>
    </match>
- path: /etc/systemd/system/logger.service
  permissions: 0644
  owner: root
  content: |
    [Unit]
    Description=logging docker container
    Requires=network-online.target
    After=network-online.target

    [Service]
    Environment="HOME=/home/logger"
    ExecStartPre=/usr/share/google/dockercfg_update.sh
    ExecStartPre=/bin/mkdir -p /var/log/google-fluentd/
    ExecStartPre=-/usr/bin/docker rm -fv logger
    ExecStart=/usr/bin/docker run --rm -u 0 \
       --name=logger \
       -v /var/log/:/var/log/ \
       -v /var/lib/docker/containers:/var/lib/docker/containers \
       -v /etc/google-fluentd/:/etc/fluent/config.d/ \
       --env='FLUENTD_ARGS=-q' \
       gcr.io/google-containers/fluentd-gcp:2.0.17
    Restart=always
    RestartSec=1
runcmd:
- systemctl daemon-reload
- systemctl start logger.service
- systemctl start cloud-audit-setup
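As an added example (not code from the answer above or from the fluentd-gcp project), a small Python parser for the audit records this pipeline ships to Stackdriver: it reports sshd login outcomes and executed commands attributed to the login uid (auid), which is exactly what the question wants to audit. It assumes the records use the standard Linux audit key=value format under SYSLOG_IDENTIFIER=audit; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the page) in the standard Linux audit
# key=value format; assumption: cloud-audit-setup on COS writes records of
# this shape to journald under SYSLOG_IDENTIFIER=audit.
SAMPLE_RECORDS = [
    "type=USER_LOGIN msg=audit(1529877212.101:301): pid=1201 uid=0 auid=2001 ses=4 "
    "msg='op=login id=2001 exe=\"/usr/sbin/sshd\" hostname=? addr=203.0.113.5 terminal=/dev/pts/0 res=success'",
    "type=USER_LOGIN msg=audit(1529877250.412:302): pid=1233 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? addr=198.51.100.7 terminal=ssh res=failed'",
    "type=SYSCALL msg=audit(1529877260.555:303): arch=c000003e syscall=59 success=yes exit=0 "
    'uid=2001 auid=2001 ses=4 comm="journalctl" exe="/usr/bin/journalctl"',
    'type=EXECVE msg=audit(1529877260.555:303): argc=3 a0="journalctl" a1="-u" a2="logger.service"',
]

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

def parse_record(line):
    """Return (type, serial, fields) for one audit record; None if it does not parse."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    fields = {}
    for key, value in KV_RE.findall(body):
        if value.startswith("'"):  # USER_* records nest key=value pairs inside msg='...'
            fields.update((k, v.strip('"')) for k, v in KV_RE.findall(value[1:-1]))
        else:
            fields[key] = value.strip('"')
    return rtype, int(serial), fields

def audit_events(lines):
    """Group records by audit serial; return sshd login outcomes and commands with their auid."""
    by_serial = defaultdict(dict)
    for parsed in filter(None, map(parse_record, lines)):
        rtype, serial, fields = parsed
        by_serial[serial][rtype] = fields
    logins, commands = [], []
    for serial in sorted(by_serial):
        recs = by_serial[serial]
        login = recs.get("USER_LOGIN")
        if login and login.get("exe") == "/usr/sbin/sshd":
            logins.append((login.get("addr"), login.get("res")))
        execve = recs.get("EXECVE")
        if execve:  # the SYSCALL record with the same serial carries the login uid
            argv = [execve.get(f"a{i}", "") for i in range(int(execve.get("argc", 0)))]
            commands.append((recs.get("SYSCALL", {}).get("auid"), " ".join(argv)))
    return logins, commands
```

Feed it the output of journalctl -t audit (or the same lines as they arrive in Stackdriver) to check that both the failed login and the executed command actually made it through the pipeline.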

Answer 1 (score: 0)

The Google team answered:

To get logs into Stackdriver you need to configure fluentd to do so. See these lines of the fluentd configmap for some examples. Note that the "node-journal" filter in the configmap is not enabled on GKE by default.

Also, to audit the COS nodes, you will need to enable the COS audit logging system service. On the COS node, run "systemctl start cloud-audit-setup". You will then get audit logs such as SSH login logs.

Answer 2 (score: 0)

How do I send the host logs to Stackdriver?

Here is some code for how COS packages the Stackdriver Logging agent. You can start it with sudo systemctl start stackdriver-logging.