■Debugging, on the receiving rsyslog side, arbitrary log lines sent over TCP with socat.
Record arbitrary log entries in rsyslog using socat.
http://labunix.hateblo.jp/entry/20180429/1525006357
■Change the rsyslogd configuration to use "RSYSLOG_DebugFormat"
$ w3m -dump "https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/system_administrators_guide/s1-basic_configuration_of_rsyslog" | grep -A 1 RSYSLOG_DebugFormat
RSYSLOG_DebugFormat
プロパティー問題のトラブルシューティングに使われる特別なフォーマット。
$ sudo sed -i -e 's/^\$Action.*Traditional.*/#&\n\$ActionFileDefaultTemplate RSYSLOG_DebugFormat/' /etc/rsyslog.conf
$ sudo grep Action /etc/rsyslog.conf
$ActionFileDefaultTemplate RSYSLOG_DebugFormat
$ sudo systemctl restart rsyslog.service
$ sudo systemctl status rsyslog.service | cat
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2018-05-13 01:00:09 JST; 6s ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 20592 (rsyslogd)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/rsyslog.service
└─20592 /usr/sbin/rsyslogd -n
5月 13 01:00:09 kvm-stretch systemd[1]: Starting System Logging Service...
5月 13 01:00:09 kvm-stretch liblogging-stdlog[20592]: [origin software="rsyslogd" swVersion="8.24.0" x-pid="20592" x-info="http://www.rsyslog.com"] start
5月 13 01:00:09 kvm-stretch systemd[1]: Started System Logging Service.
■A real log entry
$ sudo tail -f /var/log/syslog | tee a.log
Debug line with all properties:
FROMHOST: 'kvm-stretch', fromhost-ip: '127.0.0.1', HOSTNAME: 'kvm-stretch', PRI: 78,
syslogtag 'CRON[20404]:', programname: 'CRON', APP-NAME: 'CRON', PROCID: '20404', MSGID: '-',
TIMESTAMP: 'May 13 00:25:01', STRUCTURED-DATA: '-',
msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
escaped msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
inputname: imuxsock rawmsg: '<78>May 13 00:25:01 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
$!:
$.:
$/:
■The log entry generated with socat
$ echo "<78>$(env LANG=C date '+%b %d %H:%M:%S') 10.0.0.1 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)" | socat - tcp4:127.0.0.1:514
$ sudo tail -11 /var/log/syslog | tee b.log
Debug line with all properties:
FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: '10.0.0.1', PRI: 78,
syslogtag 'CRON[20404]:', programname: 'CRON', APP-NAME: 'CRON', PROCID: '20404', MSGID: '-',
TIMESTAMP: 'May 13 01:08:17', STRUCTURED-DATA: '-',
msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
escaped msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
inputname: imtcp rawmsg: '<78>May 13 01:08:17 10.0.0.1 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
$!:
$.:
$/:
■Comparison
FROMHOST cannot be changed.
HOSTNAME can be changed, but with the restriction that the original message must itself contain a hostname.
To get "inputname: imuxsock rawmsg:", send to "unix-sendto:/dev/log" instead. Note that changing HOSTNAME changes the property values considerably.
$ tr ',' '\n' < a.log >c.log
$ tr ',' '\n' < b.log >d.log
$ diff c.log d.log
2c2
< FROMHOST: 'kvm-stretch'
---
> FROMHOST: 'localhost'
4c4
< HOSTNAME: 'kvm-stretch'
---
> HOSTNAME: '10.0.0.1'
13c13
< TIMESTAMP: 'May 13 00:25:01'
---
> TIMESTAMP: 'May 13 01:08:17'
18c18
< inputname: imuxsock rawmsg: '<78>May 13 00:25:01 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
---
> inputname: imtcp rawmsg: '<78>May 13 01:08:17 10.0.0.1 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
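The comparison above shows the two properties a receiver can actually trust: FROMHOST and fromhost-ip come from the connection, while HOSTNAME and TIMESTAMP are whatever the sender wrote into the message. The following Python script, an added example that is not part of the original post, parses RSYSLOG_DebugFormat records of the shape shown above and flags network-received messages whose HOSTNAME disagrees with FROMHOST, or whose fromhost-ip is a loopback address even though the message came in over a network input. The sample records, the field names `fromhost`, `hostname`, `inputname` and so on, and the helper names `parse_records`, `audit` and `decode_pri` are all assumptions made for this example.

```python
"""Parse rsyslog RSYSLOG_DebugFormat records and flag sender-controlled fields
that disagree with connection-derived ones (added example, not the post's code)."""
import ipaddress
import re

# Constructed sample in the shape of the page's debug output: the first record
# arrived via /dev/log (imuxsock), the second over TCP (imtcp) with a HOSTNAME
# of '10.0.0.1' chosen by the sender.
SAMPLE = """\
Debug line with all properties:
FROMHOST: 'kvm-stretch', fromhost-ip: '127.0.0.1', HOSTNAME: 'kvm-stretch', PRI: 78,
syslogtag 'CRON[20404]:', programname: 'CRON', APP-NAME: 'CRON', PROCID: '20404', MSGID: '-',
TIMESTAMP: 'May 13 00:25:01', STRUCTURED-DATA: '-',
msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
escaped msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
inputname: imuxsock rawmsg: '<78>May 13 00:25:01 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
$!:
$.:
$/:
Debug line with all properties:
FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: '10.0.0.1', PRI: 78,
syslogtag 'CRON[20404]:', programname: 'CRON', APP-NAME: 'CRON', PROCID: '20404', MSGID: '-',
TIMESTAMP: 'May 13 01:08:17', STRUCTURED-DATA: '-',
msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
escaped msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
inputname: imtcp rawmsg: '<78>May 13 01:08:17 10.0.0.1 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
$!:
$.:
$/:
"""

# One regex per property we care about; keys are case-sensitive in the format.
FIELDS = {
    "fromhost": re.compile(r"FROMHOST: '([^']*)'"),
    "fromhost_ip": re.compile(r"fromhost-ip: '([^']*)'"),
    "hostname": re.compile(r"HOSTNAME: '([^']*)'"),
    "pri": re.compile(r"PRI: (\d+)"),
    "programname": re.compile(r"programname: '([^']*)'"),
    "timestamp": re.compile(r"TIMESTAMP: '([^']*)'"),
    "inputname": re.compile(r"inputname: (\S+)"),
    "rawmsg": re.compile(r"rawmsg: '(.*)'"),
}

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog",
              "lpr", "news", "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Inputs that take messages from the network; everything in them except
# FROMHOST/fromhost-ip is sender-supplied.
NETWORK_INPUTS = {"imtcp", "imptcp", "imudp", "imrelp"}


def decode_pri(pri):
    """Split the <PRI> value into (facility name, severity name); 78 -> cron.info."""
    fac, sev = divmod(pri, 8)
    if fac < len(FACILITIES):
        name = FACILITIES[fac]
    elif 16 <= fac <= 23:
        name = f"local{fac - 16}"
    else:
        name = f"facility{fac}"
    return name, SEVERITIES[sev]


def parse_records(text):
    """Return one dict per 'Debug line with all properties:' record."""
    records = []
    for chunk in text.split("Debug line with all properties:"):
        if not chunk.strip():
            continue
        rec = {}
        for key, rx in FIELDS.items():
            m = rx.search(chunk)
            rec[key] = m.group(1) if m else None
        rec["pri"] = int(rec["pri"]) if rec["pri"] is not None else None
        records.append(rec)
    return records


def audit(rec):
    """Heuristic findings for a record; empty list means nothing suspicious."""
    findings = []
    network = rec["inputname"] in NETWORK_INPUTS
    if network and rec["hostname"] != rec["fromhost"]:
        # Sender wrote a HOSTNAME that is not the host the connection came from.
        findings.append("hostname-mismatch")
    if network and rec["fromhost_ip"] and ipaddress.ip_address(rec["fromhost_ip"]).is_loopback:
        # A local process used the network listener instead of /dev/log.
        findings.append("loopback-via-network")
    return findings


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        fac, sev = decode_pri(rec["pri"])
        print(f"{rec['inputname']:8} {fac}.{sev} from={rec['fromhost']} "
              f"host={rec['hostname']} findings={audit(rec) or 'none'}")
```

A HOSTNAME/FROMHOST mismatch is normal when a relay forwards logs for other hosts, so treat the finding as a prompt to check whether the sending host is a known relay rather than as proof of injection; the loopback check, on the other hand, rarely has a benign explanation on a host that is not itself a relay.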
■Using the above as a reference, change to a log entry in which only the date and time differ.
$ echo "<78>$(env LANG=C date '+%b %d %H:%M:%S') CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)" | socat - unix-sendto:/dev/log
$ sudo tail -11 /var/log/syslog | tee e.log
Debug line with all properties:
FROMHOST: 'kvm-stretch', fromhost-ip: '127.0.0.1', HOSTNAME: 'kvm-stretch', PRI: 78,
syslogtag 'CRON[20404]:', programname: 'CRON', APP-NAME: 'CRON', PROCID: '20404', MSGID: '-',
TIMESTAMP: 'May 13 01:26:57', STRUCTURED-DATA: '-',
msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
escaped msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
inputname: imuxsock rawmsg: '<78>May 13 01:26:57 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
$!:
$.:
$/:
$ tr ',' '\n' < e.log > f.log
$ diff c.log f.log
13c13
< TIMESTAMP: 'May 13 00:25:01'
---
> TIMESTAMP: 'May 13 01:26:57'
18c18
< inputname: imuxsock rawmsg: '<78>May 13 00:25:01 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
---
> inputname: imuxsock rawmsg: '<78>May 13 01:26:57 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'