Log collection system using systemd-journal-remote on Debian 12


What is systemd-journal-remote?

systemd-journal-remote is the systemd service that receives journal entries from other hosts over HTTP or HTTPS, normally pushed by systemd-journal-upload running on each client, and writes them into local journal files, so one machine can collect the logs of several.

Requirements

  • An up-to-date Debian 12 system.
  • Root or sudo privileges.
  • Internet access.

Installation

Install the systemd-journal-remote package on every machine involved (the collecting server as well as the clients):

root@syslog:~# apt install systemd-journal-remote -y

On the server, enable and start the socket and service that receive the clients' logs:

root@syslog:~# systemctl enable --now systemd-journal-remote.socket systemd-journal-remote.service

On the clients, which in this case are an Apache2 web server and a MariaDB database server, enable systemd-journal-upload so they can send their logs to the syslog server:

root@syslog-apache:~# systemctl enable systemd-journal-upload.service
root@syslog-mariadb:~# systemctl enable systemd-journal-upload.service

Configuration

Since this is a test and no TLS certificates are available, the service is configured so that certificates are not required. Keep in mind what that means: entries travel in clear text over TCP/19532, and the collector will accept a POST from any host that can reach that port, so this setup belongs on a trusted lab network only; for production, use the certificate settings shown commented out further down.

On the syslog server, copy the systemd-journal-remote.service unit to /etc/systemd/system/ (a unit there shadows the packaged one in /lib/systemd/system/) and edit it:

root@syslog:~# cp /lib/systemd/system/systemd-journal-remote.service /etc/systemd/system/
root@syslog:~# nano /etc/systemd/system/systemd-journal-remote.service

[Unit]
Description=Journal Remote Sink Service
Documentation=man:systemd-journal-remote(8) man:journal-remote.conf(5)
Requires=systemd-journal-remote.socket

[Service]
ExecStart=/lib/systemd/systemd-journal-remote --listen-http=-3 --output=/var/log/journal/remote/
User=systemd-journal-remote
Group=systemd-journal-remote
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
WatchdogSec=3min

[Install]
Also=systemd-journal-remote.socket

The only change against the packaged unit is in ExecStart=, where --listen-https=-3 becomes --listen-http=-3. The -3 is not a port: it is file descriptor 3, the listening socket handed over by systemd-journal-remote.socket. That is why PrivateNetwork=yes can stay on and why the service must be started through its socket unit rather than on its own. If the --output=/var/log/journal/remote/ directory does not exist, create it and give it to the service user:

root@syslog:~# mkdir /var/log/journal/remote/
root@syslog:~# chown systemd-journal-remote /var/log/journal/remote/

Reload the daemon configuration so systemd picks up the new unit:

root@syslog:~# systemctl daemon-reload

With the syslog server configured, set up the clients so they send their logs to it.

systemd-journal-upload.service runs as the systemd-journal-upload user. If that user does not exist on the client yet (check with getent passwd systemd-journal-upload), create it as a system user:

root@syslog-apache:~# adduser --system --home /run/systemd --no-create-home --disabled-login --group systemd-journal-upload
root@syslog-mariadb:~# adduser --system --home /run/systemd --no-create-home --disabled-login --group systemd-journal-upload

Now edit journal-upload.conf on the clients and set URL= to the IP address or hostname of the syslog server and port 19532, the default port systemd-journal-remote.socket listens on. The scheme must match the server side: http:// here because the service was configured with --listen-http:

root@syslog-apache:~# nano /etc/systemd/journal-upload.conf
root@syslog-mariadb:~# nano /etc/systemd/journal-upload.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it under the
#  terms of the GNU Lesser General Public License as published by the Free
#  Software Foundation; either version 2.1 of the License, or (at your option)
#  any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the journal-upload.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# See journal-upload.conf(5) for details.

[Upload]
URL=http://192.168.50.25:19532
# ServerKeyFile=/etc/ssl/private/journal-upload.pem
# ServerCertificateFile=/etc/ssl/certs/journal-upload.pem
# TrustedCertificateFile=/etc/ssl/ca/trusted.pem

Restart the systemd-journal-upload service on the clients (enable alone did not start it, so this also brings it up):

root@syslog-apache:~# systemctl restart systemd-journal-upload.service
root@syslog-mariadb:~# systemctl restart systemd-journal-upload.service
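Because the collector accepts plain HTTP without client certificates, anything that can reach TCP/19532 can push entries to it, so a useful end-to-end check (and a concrete look at what you are trusting) is to speak the upload protocol yourself. The script below is an added example for this article, not part of systemd or of the original page: it encodes entries in systemd's Journal Export Format, the body that systemd-journal-upload POSTs to /upload with Content-Type application/vnd.fdo.journal, and can send one to the collector. The collector URL http://192.168.50.25:19532/upload reuses the address from this article and is an assumption; the function names and the SYSLOG_IDENTIFIER value are mine.

```python
"""Build and (optionally) send journal entries in systemd's Journal Export
Format, the wire format systemd-journal-upload POSTs to systemd-journal-remote.
Added example for this article; not systemd code. The collector URL is the
address used in the article and is an assumption."""
import struct
import sys
import time
import urllib.request

UPLOAD_URL = "http://192.168.50.25:19532/upload"  # assumed: the collector from the article
CONTENT_TYPE = "application/vnd.fdo.journal"      # what systemd-journal-upload sends


def serialize_entry(fields: dict) -> bytes:
    """Encode one entry. Text values use KEY=VALUE\\n; bytes values (or text
    containing a newline) use the binary form KEY\\n<u64 LE size><data>\\n.
    An empty line terminates the entry."""
    out = bytearray()
    for key, value in fields.items():
        if isinstance(value, str) and "\n" not in value:
            out += f"{key}={value}\n".encode()
        else:
            data = value if isinstance(value, bytes) else value.encode()
            out += key.encode() + b"\n" + struct.pack("<Q", len(data)) + data + b"\n"
    out += b"\n"
    return bytes(out)


def parse_export(blob: bytes) -> list:
    """Inverse of serialize_entry for a stream of entries. Text fields come
    back as str, binary fields as bytes."""
    entries, cur, i = [], {}, 0
    while i < len(blob):
        nl = blob.index(b"\n", i)
        line = blob[i:nl]
        if not line:                      # empty line: end of entry
            if cur:
                entries.append(cur)
                cur = {}
            i = nl + 1
        elif b"=" in line:                # KEY=VALUE text field
            key, value = line.split(b"=", 1)
            cur[key.decode()] = value.decode()
            i = nl + 1
        else:                             # KEY\n<size><data>\n binary field
            size = struct.unpack("<Q", blob[nl + 1:nl + 9])[0]
            start = nl + 9
            cur[line.decode()] = blob[start:start + size]
            i = start + size + 1          # skip data and its trailing newline
    if cur:
        entries.append(cur)
    return entries


def make_check_entry(hostname: str, message: str) -> dict:
    """A minimal entry. Note that _HOSTNAME is simply asserted by the sender;
    the collector has no way to verify it without client certificates."""
    return {
        "__REALTIME_TIMESTAMP": str(int(time.time() * 1_000_000)),
        "_HOSTNAME": hostname,
        "PRIORITY": "6",
        "SYSLOG_IDENTIFIER": "journal-upload-check",  # assumed identifier, mine
        "MESSAGE": message,
    }


def send_entries(entries: list, url: str = UPLOAD_URL, timeout: float = 5.0) -> int:
    """POST the entries to the collector; returns the HTTP status code."""
    body = b"".join(serialize_entry(e) for e in entries)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": CONTENT_TYPE})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    entry = make_check_entry("journal-upload-check", "test entry from the upload check script")
    print(serialize_entry(entry).decode(errors="replace"))
    if "--send" in sys.argv[1:]:
        print("HTTP", send_entries([entry]))
```

Run it with --send from any host that can reach the collector and then search /var/log/journal/remote/ for the new file and the SYSLOG_IDENTIFIER used. The point to take away is that the _HOSTNAME the entry arrives with is whatever the sender wrote; over plain HTTP the collector cannot distinguish that from a genuine client, which is the argument for the ServerKeyFile, ServerCertificateFile and TrustedCertificateFile settings left commented out in journal-upload.conf and their counterparts in journal-remote.conf.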

Verification

With what we have done so far, the syslog server should already be receiving the clients' logs.

To confirm it, list the /var/log/journal/remote/ directory on the syslog server.

If everything went well, there is one journal file per client, named after the address the entries arrived from:

root@syslog:~# ls /var/log/journal/remote/
remote-192.168.50.14.journal  remote-192.168.50.38.journal

To read a client's logs, point journalctl at that file:

root@syslog:~# journalctl --file=path/to/file
root@syslog:~# journalctl --file=/var/log/journal/remote/remote-192.168.50.14.journal

syslog-apache

root@syslog:~# journalctl -f --file=/var/log/journal/remote/remote-192.168.50.14.journal

Sep 27 16:25:34 syslog-apache systemd[1]: Started systemd-tmpfiles-clean.timer - Daily Cleanup of Temporary Directories.
Sep 27 16:25:34 syslog-apache systemd[1]: Reached target paths.target - Path Units.
Sep 27 16:25:34 syslog-apache systemd[1]: Reached target timers.target - Timer Units.
Sep 27 16:25:34 syslog-apache systemd[1]: Listening on dbus.socket - D-Bus System Message Bus Socket.
Sep 27 16:25:34 syslog-apache systemd[1]: Listening on ssh.socket - OpenBSD Secure Shell server socket.
Sep 27 16:25:34 syslog-apache systemd[1]: Reached target sockets.target - Socket Units.
Sep 27 16:25:34 syslog-apache systemd[1]: systemd-pcrphase-sysinit.service - TPM2 PCR Barrier (Initialization) was skipped because of a>
Sep 27 16:25:34 syslog-apache systemd[1]: Reached target basic.target - Basic System.
Sep 27 16:25:34 syslog-apache systemd[1]: Started cron.service - Regular background program processing daemon.
Sep 27 16:25:34 syslog-apache systemd[1]: Starting dbus.service - D-Bus System Message Bus...
Sep 27 16:25:34 syslog-apache systemd[1]: Starting e2scrub_reap.service - Remove Stale Online ext4 Metadata Check Snapshots...
Sep 27 16:25:34 syslog-apache systemd[1]: getty-static.service - getty on tty2-tty6 if dbus and logind are not available was skipped be>
Sep 27 16:25:34 syslog-apache systemd[1]: Started postfix-resolvconf.service - Copies updated resolv.conf to postfix chroot and restart>
Sep 27 16:25:34 syslog-apache systemd[1]: Starting systemd-logind.service - User Login Management...
Sep 27 16:25:34 syslog-apache systemd[1]: systemd-pcrphase.service - TPM2 PCR Barrier (User) was skipped because of an unmet condition >
Sep 27 16:25:34 syslog-apache systemd[1]: Finished systemd-machine-id-commit.service - Commit a transient machine-id on disk.
Sep 27 16:25:34 syslog-apache cron[83]: (CRON) INFO (pidfile fd = 3)
Sep 27 16:25:34 syslog-apache cron[83]: (CRON) INFO (Running @reboot jobs)
Sep 27 16:25:34 syslog-apache systemd[1]: Started dbus.service - D-Bus System Message Bus.
Sep 27 16:25:34 syslog-apache systemd[1]: postfix-resolvconf.service: Deactivated successfully.
Sep 27 16:25:34 syslog-apache systemd-logind[87]: New seat seat0.
Sep 27 16:25:34 syslog-apache systemd[1]: Started systemd-logind.service - User Login Management.
Sep 27 16:25:34 syslog-apache dhclient[101]: Internet Systems Consortium DHCP Client 4.4.3-P1
Sep 27 16:25:34 syslog-apache ifup[101]: Internet Systems Consortium DHCP Client 4.4.3-P1
Sep 27 16:25:34 syslog-apache dhclient[101]: Copyright 2004-2022 Internet Systems Consortium.
Sep 27 16:25:34 syslog-apache ifup[101]: Copyright 2004-2022 Internet Systems Consortium.
Sep 27 16:25:34 syslog-apache dhclient[101]: All rights reserved.
Sep 27 16:25:34 syslog-apache ifup[101]: All rights reserved.
Sep 27 16:25:34 syslog-apache dhclient[101]: For info, please visit https://www.isc.org/software/dhcp/
Sep 27 16:25:34 syslog-apache ifup[101]: For info, please visit https://www.isc.org/software/dhcp/
Sep 27 16:25:34 syslog-apache dhclient[101]:
Sep 27 16:25:34 syslog-apache systemd[1]: Starting systemd-networkd.service - Network Configuration...
Sep 27 16:25:34 syslog-apache dhclient[101]: Listening on LPF/eth0/7a:a6:c4:69:a1:82

syslog-mariadb

root@syslog:~# journalctl --file=/var/log/journal/remote/remote-192.168.50.38.journal

Sep 27 16:26:27 syslog-mariadb systemd[1]: Reached target sysinit.target - System Initialization.
Sep 27 16:26:27 syslog-mariadb systemd[1]: Started postfix-resolvconf.path - Watch for resolv.conf updates and restart postfix.
Sep 27 16:26:27 syslog-mariadb systemd[1]: Started apt-daily.timer - Daily apt download activities.
Sep 27 16:26:27 syslog-mariadb systemd[1]: Started apt-daily-upgrade.timer - Daily apt upgrade and clean activities.
Sep 27 16:26:27 syslog-mariadb systemd[1]: Started dpkg-db-backup.timer - Daily dpkg database backup timer.
Sep 27 16:26:27 syslog-mariadb systemd[1]: Started e2scrub_all.timer - Periodic ext4 Online Metadata Check for All Filesystems.
Sep 27 16:26:27 syslog-mariadb systemd[1]: fstrim.timer - Discard unused blocks once a week was skipped because of an unmet condition c>
Sep 27 16:26:27 syslog-mariadb systemd[1]: Started logrotate.timer - Daily rotation of log files.
Sep 27 16:26:27 syslog-mariadb systemd[1]: Started man-db.timer - Daily man-db regeneration.
Sep 27 16:26:27 syslog-mariadb systemd[1]: Started systemd-tmpfiles-clean.timer - Daily Cleanup of Temporary Directories.
Sep 27 16:26:27 syslog-mariadb systemd[1]: Reached target paths.target - Path Units.
Sep 27 16:26:27 syslog-mariadb systemd[1]: Reached target timers.target - Timer Units.
Sep 27 16:26:27 syslog-mariadb systemd[1]: Listening on dbus.socket - D-Bus System Message Bus Socket.
Sep 27 16:26:27 syslog-mariadb systemd[1]: Listening on ssh.socket - OpenBSD Secure Shell server socket.
Sep 27 16:26:27 syslog-mariadb systemd[1]: Reached target sockets.target - Socket Units.
Sep 27 16:26:27 syslog-mariadb systemd[1]: systemd-pcrphase-sysinit.service - TPM2 PCR Barrier (Initialization) was skipped because of >
Sep 27 16:26:27 syslog-mariadb systemd[1]: Reached target basic.target - Basic System.
Sep 27 16:26:27 syslog-mariadb systemd[1]: Started cron.service - Regular background program processing daemon.
Sep 27 16:26:27 syslog-mariadb systemd[1]: Starting dbus.service - D-Bus System Message Bus...
Sep 27 16:26:27 syslog-mariadb systemd[1]: Starting e2scrub_reap.service - Remove Stale Online ext4 Metadata Check Snapshots...
Sep 27 16:26:27 syslog-mariadb systemd[1]: getty-static.service - getty on tty2-tty6 if dbus and logind are not available was skipped b>
Sep 27 16:26:27 syslog-mariadb systemd[1]: Started postfix-resolvconf.service - Copies updated resolv.conf to postfix chroot and restar>
Sep 27 16:26:27 syslog-mariadb systemd[1]: Starting systemd-logind.service - User Login Management...
Sep 27 16:26:27 syslog-mariadb systemd[1]: systemd-pcrphase.service - TPM2 PCR Barrier (User) was skipped because of an unmet condition>
Sep 27 16:26:27 syslog-mariadb systemd[1]: Finished systemd-machine-id-commit.service - Commit a transient machine-id on disk.
Sep 27 16:26:27 syslog-mariadb cron[84]: (CRON) INFO (pidfile fd = 3)
Sep 27 16:26:27 syslog-mariadb cron[84]: (CRON) INFO (Running @reboot jobs)
Sep 27 16:26:27 syslog-mariadb systemd[1]: Started dbus.service - D-Bus System Message Bus.
Sep 27 16:26:27 syslog-mariadb systemd-logind[88]: New seat seat0.
Sep 27 16:26:27 syslog-mariadb systemd[1]: postfix-resolvconf.service: Deactivated successfully.
Sep 27 16:26:27 syslog-mariadb systemd[1]: Started systemd-logind.service - User Login Management.
Sep 27 16:26:27 syslog-mariadb dhclient[101]: Internet Systems Consortium DHCP Client 4.4.3-P1
Sep 27 16:26:27 syslog-mariadb ifup[101]: Internet Systems Consortium DHCP Client 4.4.3-P1
Sep 27 16:26:27 syslog-mariadb dhclient[101]: Copyright 2004-2022 Internet Systems Consortium.
Sep 27 16:26:27 syslog-mariadb ifup[101]: Copyright 2004-2022 Internet Systems Consortium.
Sep 27 16:26:27 syslog-mariadb dhclient[101]: All rights reserved.
Sep 27 16:26:27 syslog-mariadb ifup[101]: All rights reserved.
Sep 27 16:26:27 syslog-mariadb dhclient[101]: For info, please visit https://www.isc.org/software/dhcp/
Sep 27 16:26:27 syslog-mariadb ifup[101]: For info, please visit https://www.isc.org/software/dhcp/
Sep 27 16:26:27 syslog-mariadb dhclient[101]:
Sep 27 16:26:27 syslog-mariadb systemd[1]: Starting systemd-networkd.service - Network Configuration...
Sep 27 16:26:27 syslog-mariadb systemd[1]: e2scrub_reap.service: Deactivated successfully.

As the output shows, the clients' logs are reaching the syslog server.

This completes the setup of a log collection system using systemd-journal-remote on Debian 12.
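Once entries are flowing, the question that matters day to day is which client has gone quiet: a host whose systemd-journal-upload died, whose firewall changed, or whose logging was killed by an intruder looks exactly like a host with nothing to say. The script below is an added example, not from the original page or from systemd. It reads the JSON that journalctl -D /var/log/journal/remote -o json prints (one object per line, with __REALTIME_TIMESTAMP in microseconds and _HOSTNAME as the reporting host), counts entries per host and flags hosts silent for longer than a threshold. The sample lines embedded in it are constructed for the example, with timestamps in the same Sep 27 window as the outputs above; the function names and the default 15-minute threshold are mine.

```python
"""Staleness check over the collector's remote journals.
Added example for this article; not systemd code. Reads `journalctl -o json`
lines from stdin, or falls back to the constructed SAMPLE when run on a tty."""
import json
import sys
import time
from collections import defaultdict

# Constructed sample of `journalctl -o json` output: two hosts, three entries.
# journalctl prints __REALTIME_TIMESTAMP as a decimal string of microseconds.
SAMPLE = """\
{"_HOSTNAME":"syslog-apache","__REALTIME_TIMESTAMP":"1695831934000000","PRIORITY":"6","SYSLOG_IDENTIFIER":"systemd","MESSAGE":"Started cron.service - Regular background program processing daemon."}
{"_HOSTNAME":"syslog-mariadb","__REALTIME_TIMESTAMP":"1695831987000000","PRIORITY":"6","SYSLOG_IDENTIFIER":"systemd","MESSAGE":"Reached target basic.target - Basic System."}
{"_HOSTNAME":"syslog-apache","__REALTIME_TIMESTAMP":"1695835534000000","PRIORITY":"4","SYSLOG_IDENTIFIER":"sshd","MESSAGE":"Invalid user admin from 192.168.50.99 port 51234"}
"""


def summarize(json_lines, now_us: int, stale_after_s: int = 900) -> dict:
    """Per-host entry count, last-seen timestamp (microseconds) and a stale
    flag. Entries without _HOSTNAME are grouped under '<unknown>'. Remember
    that over plain HTTP _HOSTNAME is whatever the sender claimed."""
    stats = defaultdict(lambda: {"count": 0, "last_seen_us": 0})
    for raw in json_lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        host = entry.get("_HOSTNAME") or "<unknown>"
        ts = int(entry.get("__REALTIME_TIMESTAMP", "0"))
        s = stats[host]
        s["count"] += 1
        s["last_seen_us"] = max(s["last_seen_us"], ts)
    for s in stats.values():
        s["stale"] = (now_us - s["last_seen_us"]) > stale_after_s * 1_000_000
    return dict(stats)


def stale_hosts(json_lines, now_us: int, stale_after_s: int = 900) -> list:
    """Sorted names of hosts that have not reported within the threshold."""
    return sorted(h for h, s in summarize(json_lines, now_us, stale_after_s).items()
                  if s["stale"])


if __name__ == "__main__":
    # Usage: journalctl -D /var/log/journal/remote -o json | python3 remote_journal_health.py
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    now_us = int(time.time() * 1_000_000)
    for host, s in sorted(summarize(lines, now_us).items()):
        age_s = (now_us - s["last_seen_us"]) // 1_000_000
        state = "STALE" if s["stale"] else "ok"
        print(f"{host:20} entries={s['count']:6} last_seen={age_s}s ago  {state}")
```

Pipe the collector's merged view into it (journalctl -D takes the directory of journal files, so it covers every remote-*.journal at once) from a cron job or timer, and alert on any STALE line; the threshold should be shorter than the longest period a client can legitimately be silent, which on a busy web or database server is minutes, not hours.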