labunix's blog

labunix's Lab Unix

Debugging arbitrary log messages sent over TCP with socat on the receiving rsyslog side.

■Debugging arbitrary log messages sent over TCP with socat on the receiving rsyslog side.

 Recording arbitrary log messages in rsyslog using socat:
 http://labunix.hateblo.jp/entry/20180429/1525006357

■Change the rsyslogd configuration to use "RSYSLOG_DebugFormat"

$ w3m -dump "https://access.redhat.com/documentation/ja-jp/red_hat_enterprise_linux/7/html/system_administrators_guide/s1-basic_configuration_of_rsyslog" | grep -A 1 RSYSLOG_DebugFormat
RSYSLOG_DebugFormat
    プロパティー問題のトラブルシューティングに使われる特別なフォーマット。

$ sudo sed -i -e 's/^\$Action.*Traditional.*/#&\n\$ActionFileDefaultTemplate RSYSLOG_DebugFormat/' /etc/rsyslog.conf

$ sudo grep Action /etc/rsyslog.conf 
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionFileDefaultTemplate RSYSLOG_DebugFormat

$ sudo systemctl restart rsyslog.service 
$ sudo systemctl status rsyslog.service | cat
● rsyslog.service - System Logging Service
   Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2018-05-13 01:00:09 JST; 6s ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 20592 (rsyslogd)
    Tasks: 9 (limit: 4915)
   CGroup: /system.slice/rsyslog.service
           └─20592 /usr/sbin/rsyslogd -n

 5月 13 01:00:09 kvm-stretch systemd[1]: Starting System Logging Service...
 5月 13 01:00:09 kvm-stretch liblogging-stdlog[20592]:  [origin software="rsyslogd" swVersion="8.24.0" x-pid="20592" x-info="http://www.rsyslog.com"] start
 5月 13 01:00:09 kvm-stretch systemd[1]: Started System Logging Service.

■A real log record

$ sudo tail -f /var/log/syslog | tee a.log
Debug line with all properties:
FROMHOST: 'kvm-stretch', fromhost-ip: '127.0.0.1', HOSTNAME: 'kvm-stretch', PRI: 78,
syslogtag 'CRON[20404]:', programname: 'CRON', APP-NAME: 'CRON', PROCID: '20404', MSGID: '-',
TIMESTAMP: 'May 13 00:25:01', STRUCTURED-DATA: '-',
msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
escaped msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
inputname: imuxsock rawmsg: '<78>May 13 00:25:01 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
$!:
$.:
$/:

■A log record generated with socat

$ echo "<78>$(env LANG=C date '+%b %d %H:%M:%S') 10.0.0.1 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)" | socat - tcp4:127.0.0.1:514

$ sudo tail -11 /var/log/syslog | tee b.log
Debug line with all properties:
FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: '10.0.0.1', PRI: 78,
syslogtag 'CRON[20404]:', programname: 'CRON', APP-NAME: 'CRON', PROCID: '20404', MSGID: '-',
TIMESTAMP: 'May 13 01:08:17', STRUCTURED-DATA: '-',
msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
escaped msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
inputname: imtcp rawmsg: '<78>May 13 01:08:17 10.0.0.1 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
$!:
$.:
$/:

■Comparison
 FROMHOST cannot be changed: rsyslog fills it in from the connection, not from the message.
 HOSTNAME can be changed, but only with the restriction that the original message must itself carry a hostname field.
 To get "inputname: imuxsock rawmsg:" instead of imtcp, send to "unix-sendto:/dev/log" rather than TCP. Note that changing HOSTNAME changes the property values considerably.

$ tr ',' '\n' < a.log >c.log
$ tr ',' '\n' < b.log >d.log
$ diff c.log d.log 
2c2
< FROMHOST: 'kvm-stretch'
---
> FROMHOST: 'localhost'
4c4
<  HOSTNAME: 'kvm-stretch'
---
>  HOSTNAME: '10.0.0.1'
13c13
< TIMESTAMP: 'May 13 00:25:01'
---
> TIMESTAMP: 'May 13 01:08:17'
18c18
< inputname: imuxsock rawmsg: '<78>May 13 00:25:01 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
---
> inputname: imtcp rawmsg: '<78>May 13 01:08:17 10.0.0.1 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
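As an added example (not part of the original post), the following shell script turns the comparison above into a check that can be run over RSYSLOG_DebugFormat records. FROMHOST and fromhost-ip are filled in by rsyslog from the socket it accepted the message on, whereas HOSTNAME is parsed out of the sender-supplied message text, so a record whose HOSTNAME matches neither the peer name nor the peer address is worth a second look. The sample records are constructed copies of the a.log and b.log output above; check_record, prop and input_module are hypothetical helper names, not rsyslog tooling.

```bash
#!/bin/sh
# Added example: flag RSYSLOG_DebugFormat records whose message-supplied HOSTNAME
# does not agree with the connection-derived FROMHOST / fromhost-ip.

# Constructed sample records (copied from the a.log / b.log output above, plus one
# extra network record whose HOSTNAME equals the peer address).
REC_LOCAL="FROMHOST: 'kvm-stretch', fromhost-ip: '127.0.0.1', HOSTNAME: 'kvm-stretch', PRI: 78,
inputname: imuxsock rawmsg: '<78>May 13 00:25:01 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'"

REC_SPOOFED="FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: '10.0.0.1', PRI: 78,
inputname: imtcp rawmsg: '<78>May 13 01:08:17 10.0.0.1 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'"

REC_NET_OK="FROMHOST: 'localhost', fromhost-ip: '127.0.0.1', HOSTNAME: '127.0.0.1', PRI: 78,
inputname: imtcp rawmsg: '<78>May 13 01:09:00 127.0.0.1 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'"

# prop NAME: print the quoted value of property NAME from the record on stdin.
# Matches "NAME: 'value'" as the debug format writes it.
prop() {
  sed -n "s/.*$1: '\([^']*\)'.*/\1/p" | head -n 1
}

# input_module: print the input module name (imuxsock, imtcp, ...) from stdin.
input_module() {
  sed -n 's/.*inputname: \([^ ]*\).*/\1/p' | head -n 1
}

# check_record RECORD: print "ok" or "suspect: <reason>".
# Returns 0 for ok, 1 for suspect.
check_record() {
  rec=$1
  fromhost=$(printf '%s\n' "$rec" | prop FROMHOST)
  fromip=$(printf '%s\n' "$rec" | prop fromhost-ip)
  claimed=$(printf '%s\n' "$rec" | prop HOSTNAME)
  input=$(printf '%s\n' "$rec" | input_module)

  case "$input" in
    imuxsock)
      # Local /dev/log: the sender is on this host, so HOSTNAME should be the
      # receiver's own name (rsyslog sets FROMHOST to it for local messages).
      if [ "$claimed" != "$fromhost" ]; then
        echo "suspect: local-socket message claims HOSTNAME '$claimed', receiver is '$fromhost'"
        return 1
      fi
      ;;
    imtcp|imudp)
      # Network input: HOSTNAME is whatever the sender wrote; accept it only if it
      # agrees with the peer name or the peer address rsyslog recorded.
      if [ "$claimed" != "$fromhost" ] && [ "$claimed" != "$fromip" ]; then
        echo "suspect: $input peer '$fromhost' ($fromip) sent HOSTNAME '$claimed'"
        return 1
      fi
      ;;
  esac
  echo ok
  return 0
}

# Demonstration over the three constructed records.
for r in "$REC_LOCAL" "$REC_NET_OK" "$REC_SPOOFED"; do
  check_record "$r" || :
done
```

A mismatch is a triage signal rather than proof of forgery: a host that legitimately logs its short name while reverse DNS returns a fully qualified name will also trip the network check, so whitelist those pairs before alerting on the rest. The point the comparison above makes still holds, though: only FROMHOST and fromhost-ip are set by the receiver, so those are the fields to trust when a message's own hostname looks wrong.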

■Using the above as a reference, send a log record that differs only in the timestamp.

$ echo "<78>$(env LANG=C date '+%b %d %H:%M:%S') CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)" | socat - unix-sendto:/dev/log

$ sudo tail -11 /var/log/syslog | tee e.log
Debug line with all properties:
FROMHOST: 'kvm-stretch', fromhost-ip: '127.0.0.1', HOSTNAME: 'kvm-stretch', PRI: 78,
syslogtag 'CRON[20404]:', programname: 'CRON', APP-NAME: 'CRON', PROCID: '20404', MSGID: '-',
TIMESTAMP: 'May 13 01:26:57', STRUCTURED-DATA: '-',
msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
escaped msg: ' (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
inputname: imuxsock rawmsg: '<78>May 13 01:26:57 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
$!:
$.:
$/:

$ tr ',' '\n' < e.log > f.log

$ diff c.log f.log 
13c13
< TIMESTAMP: 'May 13 00:25:01'
---
> TIMESTAMP: 'May 13 01:26:57'
18c18
< inputname: imuxsock rawmsg: '<78>May 13 00:25:01 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'
---
> inputname: imuxsock rawmsg: '<78>May 13 01:26:57 CRON[20404]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)'