Collecting security syslog from firewalls, switches and similar devices

Overview

  Firewalls, switches and similar devices emit syslog, and the security team needs to monitor and analyze those logs, so log collection from these devices is required. Agents such as filebeat, logstash or fluentd cannot be installed on them, but by default they all provide a UDP port for sending syslog out. The logs can therefore be collected by a service that listens on a UDP port; since I am most familiar with rsyslog, I chose rsyslog as the collector. An rsyslog server provides both TCP and UDP listening ports by default, which is exactly what is needed. To make scaling easier, the service is deployed in a k8s cluster, with a persistent volume mounted for the rsyslog server.


1. First build your own rsyslog server image and push it to a private registry.

     

FROM ubuntu
RUN apt-get update && apt-get install -y --no-install-recommends rsyslog \
    && rm -rf /var/lib/apt/lists/*
# Replace the default config: listen on UDP and TCP 514, write every message
# whose source is not localhost into a per-hour file under /var/log/remote,
# then stop processing it. printf is used instead of echo so the newlines
# do not depend on which shell implements echo.
RUN printf '%s\n' \
    '$ModLoad imudp' \
    '$UDPServerRun 514' \
    '$ModLoad imtcp' \
    '$InputTCPServerRun 514' \
    '$template RemoteStore,"/var/log/remote/%$year%/%$month%/%$day%-%$hour%.log"' \
    ':source, !isequal, "localhost" -?RemoteStore' \
    '& stop' \
    > /etc/rsyslog.conf
ENTRYPOINT ["rsyslogd", "-n"]
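As an added example (not code from the original post), the Python below models what the rsyslog config above does with each datagram a device sends: it parses the RFC 3164 header into facility, severity, host and text, drops anything whose source is localhost, and computes the same /var/log/remote/year/month/day-hour.log path from the server's receive time, which is what rsyslog's $year/$month/$day/$hour refer to. The sample datagrams, hostnames and receive time are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample datagrams in the RFC 3164 shape firewalls and switches emit
# (hypothetical hostnames and text; PRI = facility * 8 + severity).
SAMPLE_DATAGRAMS = [
    b"<134>Feb 16 11:39:02 fw-edge-01 %ASA-6-302013: Built outbound TCP connection",
    b"<187>Feb 16 11:40:15 sw-core-02 AUTH: login failed for user admin from 10.0.0.9",
    b"<13>Feb 16 11:41:00 localhost rsyslogd: local message, should be discarded",
]
RECEIVED_AT = datetime(2023, 2, 16, 11, 41, 30)  # constructed receive time on the server

_SYSLOG_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>"
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

def parse_syslog(datagram: bytes, year: int):
    """Split one datagram into facility, severity, timestamp, host and text.
    Returns None for anything that is not a well-formed RFC 3164 message."""
    m = _SYSLOG_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # highest valid PRI: facility 23, severity 7
        return None
    # RFC 3164 timestamps carry no year; borrow it from the receive time.
    ts = datetime.strptime(f"{year} {m.group('ts').decode()}", "%Y %b %d %H:%M:%S")
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": ts,
        "host": m.group("host").decode(),
        "msg": m.group("msg").decode(errors="replace"),
    }

def storage_path(received_at: datetime, base: str = "/var/log/remote") -> str:
    """Same layout as the RemoteStore template, keyed on receive time."""
    return (f"{base}/{received_at.year}/{received_at.month:02d}/"
            f"{received_at.day:02d}-{received_at.hour:02d}.log")

def route(datagrams, received_at: datetime):
    """Apply the config's rule: discard localhost sources, file everything else."""
    routed = {}
    for d in datagrams:
        rec = parse_syslog(d, received_at.year)
        if rec is None or rec["host"] == "localhost":
            continue
        routed.setdefault(storage_path(received_at), []).append(rec)
    return routed
```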

 

2. Deploy to k8s, using hostPath by default

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: rsyslog
    workload.user.cattle.io/workloadselector: deployment-rsyslog-rsyslog
  name: rsyslog
  namespace: rsyslog
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: rsyslog
      workload.user.cattle.io/workloadselector: deployment-rsyslog-rsyslog
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: rsyslog
        workload.user.cattle.io/workloadselector: deployment-rsyslog-rsyslog
    spec:
      # Pin the pod to nodes labelled rsyslog=true (and tolerate their taint below),
      # so the hostPath volume always lands on the same node and the files persist.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: rsyslog
                operator: In
                values:
                - "true"
      containers:
      - image: registry.hub.com/docker-sre/rsyslog:v1.1
        imagePullPolicy: IfNotPresent
        name: rsyslog
        ports:
        - containerPort: 514
          name: udp
          protocol: UDP
        resources:
          requests:
            cpu: 250m
            memory: 524Mi
          limits:
            cpu: 2000m
            memory: 1024Mi
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          readOnlyRootFilesystem: false
          # rsyslogd binds port 514 (below 1024), so it runs as root here
          runAsNonRoot: false
        stdin: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        tty: true
        volumeMounts:
        - mountPath: /var/log/remote
          name: rsyslog
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: rsyslog
        operator: Equal
        value: "true"
      volumes:
      - hostPath:
          path: /logs/rsyslog
          type: DirectoryOrCreate
        name: rsyslog
---
# NodePort 32378/UDP on the cluster nodes is the address the devices send syslog to.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: rsyslog
  name: rsyslog-nodeport
  namespace: rsyslog
spec:
  externalTrafficPolicy: Cluster
  ports:
  - name: udp
    nodePort: 32378
    port: 514
    protocol: UDP
    targetPort: 514
  selector:
    app: rsyslog
  sessionAffinity: None
  type: NodePort

 

Test

docker run --log-driver syslog --log-opt syslog-address=udp://rsyslog-addr:port alpine echo hello world

 

posted @ 2023-02-16 11:39 诗码者