


[root@localhost ~]# rpm -qa | grep rsyslog


[root@localhost ~]# yum list rsyslog
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
appstream                                                                                                                                  3.1 MB/s | 3.2 kB     00:00    
baseos                                                                                                                                     2.7 MB/s | 2.8 kB     00:00    
Installed Packages
[root@localhost ~]# yum install -y rsyslog


  • Edit the configuration file (/etc/rsyslog.conf), remove the leading # from the following four lines, then restart the rsyslog service:
    • #module(load="imudp")
    • #input(type="imudp" port="514")
    • #module(load="imtcp")
    • #input(type="imtcp" port="514")
[root@localhost ~]# vim /etc/rsyslog.conf 
# Provides UDP syslog reception
# for parameters see
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")


[root@localhost ~]# systemctl restart rsyslog
[root@localhost ~]# netstat -tunlp | grep rsyslog
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1814/rsyslogd       
tcp6       0      0 :::514                  :::*                    LISTEN      1814/rsyslogd       
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1814/rsyslogd       
udp6       0      0 :::514                  :::*                                1814/rsyslogd     

[root@localhost ~]# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-08-23 00:57:37 CST; 31s ago
     Docs: man:rsyslogd(8)
 Main PID: 1814 (rsyslogd)
    Tasks: 9 (limit: 11340)
   Memory: 3.7M
   CGroup: /system.slice/rsyslog.service
           └─1814 /usr/sbin/rsyslogd -n

Aug 23 00:57:37 localhost.localdomain systemd[1]: Stopped System Logging Service.
Aug 23 00:57:37 localhost.localdomain systemd[1]: Starting System Logging Service...
Aug 23 00:57:37 localhost.localdomain rsyslogd[1814]: environment variable TZ is not set, auto correcting this to TZ=/etc/localtime  [v8.37.0-13.el8 try http://www.rsyslo>
Aug 23 00:57:37 localhost.localdomain rsyslogd[1814]:  [origin software="rsyslogd" swVersion="8.37.0-13.el8" x-pid="1814" x-info=""] start
Aug 23 00:57:37 localhost.localdomain systemd[1]: Started System Logging Service.
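The edit, restart and listener check above, collected into a script (an added example, not part of the original post). The function and variable names are mine, and the file the demo edits is a constructed copy of the relevant lines of the RHEL 8 /etc/rsyslog.conf, so running it does not touch the live configuration. It adds the one step a practitioner wants before the restart: rsyslogd -N1 parses the file and reports syntax errors without stopping the running logger.

```shell
#!/bin/sh
# Added example, not part of the original post: enable syslog reception in an
# rsyslog.conf the same way the post does by hand (uncomment the imudp/imtcp
# module and input lines), then check the result before restarting the daemon.
# Operates on whatever file you pass; the demo below uses a constructed copy
# so it never touches /etc/rsyslog.conf on its own.
set -eu

# enable_syslog_reception <conf>
# Strip the leading '#' from the four stock lines. Idempotent: lines that are
# already active do not match and are left alone. Trailing comments such as
# '# needs to be done just once' are preserved. The result is written back
# through the original inode, so owner, mode and SELinux label are kept.
enable_syslog_reception() {
    conf="$1"
    tmp="$conf.tmp.$$"
    sed \
        -e 's/^#\(module(load="imudp")\)/\1/' \
        -e 's/^#\(input(type="imudp" port="514")\)/\1/' \
        -e 's/^#\(module(load="imtcp")\)/\1/' \
        -e 's/^#\(input(type="imtcp" port="514")\)/\1/' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# count_active_inputs <conf>
# Number of uncommented imudp/imtcp input() lines on port 514: 0 on the stock
# file, 2 once both listeners are enabled.
count_active_inputs() {
    grep -cE '^input\(type="im(udp|tcp)" port="514"\)' "$1" || true
}

# check_config <conf>
# Syntax-check with 'rsyslogd -N1' when the binary is present (it is not on a
# build host), so a typo is caught before 'systemctl restart rsyslog' takes
# the logger down.
check_config() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    else
        echo "rsyslogd not installed here; skipping syntax check" >&2
    fi
}

# --- demo on a constructed copy of the relevant RHEL 8 rsyslog.conf lines ---
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
# Provides UDP syslog reception
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")
EOF

echo "active inputs before: $(count_active_inputs "$demo_conf")"   # 0
enable_syslog_reception "$demo_conf"
enable_syslog_reception "$demo_conf"    # second run is a no-op
echo "active inputs after:  $(count_active_inputs "$demo_conf")"   # 2
check_config "$demo_conf" || echo "syntax check reported a problem" >&2
rm -f "$demo_conf"
```

To apply it to the real file: enable_syslog_reception /etc/rsyslog.conf && check_config /etc/rsyslog.conf && systemctl restart rsyslog, after which ss -tunlp | grep rsyslogd should show the 514 listeners as in the netstat output above. Two caveats the post does not mention: the inputs bind every interface, so on a host running firewalld open the port only where senders actually live (firewall-cmd --permanent --add-port=514/udp --add-port=514/tcp, then firewall-cmd --reload), and imudp accepts an address="..." parameter if you want it bound to one interface only; and plain syslog over UDP or TCP is neither encrypted nor authenticated, so anything on the network path can read or forge entries that will end up in /var/log/secure.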


  • First, follow /var/log/secure so that new entries are shown as they are written:
[root@localhost ~]# tail -f /var/log/secure 
Aug 22 21:36:16 localhost sshd[1051]: Server listening on :: port 22.
Aug 22 21:36:16 localhost polkitd[1019]: Loading rules from directory /etc/polkit-1/rules.d
Aug 22 21:36:16 localhost polkitd[1019]: Loading rules from directory /usr/share/polkit-1/rules.d
Aug 22 21:36:16 localhost polkitd[1019]: Finished loading, compiling and executing 2 rules
Aug 22 21:36:16 localhost polkitd[1019]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Aug 22 21:36:37 localhost sshd[1519]: Accepted password for root from port 2335 ssh2
Aug 22 21:36:37 localhost systemd[1522]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Aug 22 21:36:38 localhost sshd[1519]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 23 01:01:41 localhost sshd[1843]: Accepted password for root from port 11157 ssh2
Aug 23 01:01:41 localhost sshd[1843]: pam_unix(sshd:session): session opened for user root by (uid=0)

  • Log in remotely and deliberately enter a wrong password, then check whether this file receives the failed-login message. sshd records a rejected password as a line of the form "Failed password for <user> from <address> port <port> ssh2".




  • Check whether /var/log/secure has received the failed-login message
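The check the post performs by eye on /var/log/secure, as a script (an added example, not part of the original post). The function names are mine; the log excerpt it runs on is constructed for the demo, with addresses from documentation ranges rather than real hosts. It goes one step beyond the post by grouping the failures by source address, which is what you actually want to know once the file is also collecting entries from remote hosts through the listeners configured above.

```shell
#!/bin/sh
# Added example, not part of the original post: find and count the failed SSH
# logins in a /var/log/secure-style file. sshd records a rejected password as
#   <date> <host> sshd[<pid>]: Failed password for <user> from <addr> port <port> ssh2
# (with "for invalid user <name>" when the account does not exist), so the
# functions below match those lines and group them by source address.
# The sample log further down is constructed for the demo.
set -eu

# failed_ssh_count <logfile>
# Total number of sshd "Failed password" lines in the file.
failed_ssh_count() {
    grep -cE 'sshd\[[0-9]+\]: Failed password for ' "$1" || true
}

# failed_ssh_by_source <logfile>
# One line per source address, "<count> <addr>", busiest first. The address is
# the token after "from", which works for both the plain and the
# "invalid user" form of the message.
failed_ssh_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' "$1" \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# --- demo on a constructed /var/log/secure excerpt ---
sample="$(mktemp)"
cat > "$sample" <<'EOF'
Aug 23 01:01:41 localhost sshd[1843]: Accepted password for root from 192.0.2.10 port 11157 ssh2
Aug 23 01:01:41 localhost sshd[1843]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 23 01:05:12 localhost sshd[1870]: Failed password for root from 198.51.100.7 port 51234 ssh2
Aug 23 01:05:15 localhost sshd[1870]: Failed password for root from 198.51.100.7 port 51234 ssh2
Aug 23 01:05:19 localhost sshd[1870]: Failed password for root from 198.51.100.7 port 51234 ssh2
Aug 23 01:06:02 localhost sshd[1881]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Aug 23 01:06:30 localhost sshd[1884]: Accepted password for root from 192.0.2.10 port 11160 ssh2
EOF

echo "failed password attempts: $(failed_ssh_count "$sample")"   # 4
failed_ssh_by_source "$sample"
#   3 198.51.100.7
#   1 203.0.113.5
rm -f "$sample"
```

For the live test in the post, tail -Fn0 /var/log/secure | grep --line-buffered 'Failed password' shows each rejected attempt as it lands, and failed_ssh_by_source /var/log/secure afterwards tells you where they came from. On a receiver configured as above, entries forwarded from other hosts pass through the same ruleset as local ones, so authpriv messages from remote sshd instances appear in this file too; the hostname field is then the only thing distinguishing them, and it is whatever the sender chose to put there.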
