The system log is being flooded with ssh messages

Background:

On a Huawei Cloud ECS instance (kernel 4.19.90-17.5.ky10.aarch64) the system log was found to be flooding with ssh messages:

[root@ecs-5614 ~]# tail -f /var/log/messages
Sep 26 16:18:51 ecs-5614 audit[251418]: CRYPTO_KEY_USER pid=251418 uid=0 auid=0 ses=62 msg='op=destroy kind=server fp=SHA256:48:60:24:c4:0c:4b:1c:e2:22:74:02:57:b9:40:a2:1e:2c:e4:50:e5:d6:d4:db:5b:bc:eb:b8:49:14:8f:86:8e direction=? spid=251804 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Sep 26 16:18:51 ecs-5614 sftp-server[251804]: session opened for local user root from [公网ip]
Sep 26 16:18:51 ecs-5614 sshd[251680]: Starting session: subsystem 'sftp' for root from 公网ip port 57995 id 4

CentOS 7 uses systemd-journald as the central log store, rsyslog to persist logs to files, and logrotate to rotate the log files.

Stop rsyslog:

systemctl stop rsyslog.service

After that, tail -f /var/log/messages produces no more output,

but journalctl -f is still flooding:

[root@ecs-5614 ~]# journalctl -f 
-- Logs begin at Tue 2021-09-21 09:38:22 CST. --
9月 26 16:22:53 node01 audit[1348124]: CRYPTO_KEY_USER pid=1348124 uid=0 auid=0 ses=1616 msg='op=destroy kind=server fp=SHA256:14:a3:ce:06:7a:d5:99:c9:a4:df:05:b5:12:b6:12:95:f0:83:8d:53:d0:43:e8:13:e5:82:0a:62:f9:d7:1b:37 direction=? spid=705038 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
9月 26 16:22:53 node01 audit[2191863]: USER_START pid=2191863 uid=0 auid=0 ses=1621 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=公网ip terminal=ssh res=success'
9月 26 16:22:53 node01 audit[2191863]: CRYPTO_KEY_USER pid=2191863 uid=0 auid=0 ses=1621 msg='op=destroy kind=server fp=SHA256:14:a3:ce:06:7a:d5:99:c9:a4:df:05:b5:12:b6:12:95:f0:83:8d:53:d0:43:e8:13:e5:82:0a:62:f9:d7:1b:37 direction=? spid=705086 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'

Change the journald configuration

The commented-out lines show the default values.

vim /etc/systemd/journald.conf

# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See journald.conf(5) for details.

[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#SystemMaxFiles=100
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
#MaxRetentionSec=
#MaxFileSec=1month
#ForwardToSyslog=no
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug

#MaxLevelStore= sets the highest log level that is recorded to the journal files; default "debug";
#MaxLevelSyslog= sets the highest log level forwarded to the traditional syslog daemon; default "debug";
#MaxLevelKMsg= sets the highest log level forwarded to the kernel log buffer (kmsg); default "notice";
#MaxLevelConsole= sets the highest log level forwarded to the system console; default "info";
#MaxLevelWall= sets the highest log level sent as a wall message to all logged-in users; default "emerg";
#These options accept either a log level name or the corresponding number:
#"emerg"(0), "alert"(1), "crit"(2), "err"(3), "warning"(4), "notice"(5), "info"(6), "debug"(7).

# With warning, journalctl -xe shows nothing any more: an nginx configuration error is no longer visible there, only nginx -t will reveal it
MaxLevelStore=warning

MaxLevelSyslog=warning


#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes

Restart journald:

systemctl restart systemd-journald.service

Now journalctl -f is no longer flooding.

rsyslog is still stopped at this point; its configuration file needs to be changed as well.

All-in-one procedure

cat > /etc/systemd/journald.conf <<EOF
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See journald.conf(5) for details.

[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
#SystemMaxUse=
#SystemKeepFree=
#SystemMaxFileSize=
#SystemMaxFiles=100
#RuntimeMaxUse=
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
#MaxRetentionSec=
#MaxFileSec=1month
#ForwardToSyslog=no
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
#TTYPath=/dev/console
#MaxLevelStore=debug
#MaxLevelSyslog=debug

#MaxLevelStore= sets the highest log level that is recorded to the journal files; default "debug";
#MaxLevelSyslog= sets the highest log level forwarded to the traditional syslog daemon; default "debug";
#MaxLevelKMsg= sets the highest log level forwarded to the kernel log buffer (kmsg); default "notice";
#MaxLevelConsole= sets the highest log level forwarded to the system console; default "info";
#MaxLevelWall= sets the highest log level sent as a wall message to all logged-in users; default "emerg";
#These options accept either a log level name or the corresponding number:
#"emerg"(0), "alert"(1), "crit"(2), "err"(3), "warning"(4), "notice"(5), "info"(6), "debug"(7).

MaxLevelStore=warning
MaxLevelSyslog=warning


#MaxLevelKMsg=notice
#MaxLevelConsole=info
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
EOF
systemctl restart systemd-journald.service

#cp /etc/rsyslog.conf{,.bak}

cat > /etc/rsyslog.conf <<EOF
global(workDirectory="/var/lib/rsyslog")
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
$imjournalRatelimitInterval 0
include(file="/etc/rsyslog.d/*.conf" mode="optional")
# changed from *.info
*.warning;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
EOF

systemctl restart rsyslog.service

Test

tail -f /var/log/messages

journalctl -f
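As an added illustration (not part of the original post), the Python model below applies both filters the post configures, journald's MaxLevelStore and then the rsyslog selector line, to constructed records modelled on the log lines above; the facility and severity assigned to each record are assumptions. It shows that MaxLevelStore=warning also discards the notice-level authentication records that authpriv.* would otherwise still have written to /var/log/secure.

```python
# Syslog severities, most to least severe (the numbering in the post's comments).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_rule(line):
    """Split 'fac.lvl;fac,fac.lvl <target>' into ([(facilities, level)], target)."""
    selectors, target = line.split(None, 1)
    rules = [(f.split(","), lvl) for f, lvl in
             (sel.rsplit(".", 1) for sel in selectors.split(";"))]
    return rules, target.strip().lstrip("-")  # leading '-' only means async writes

def selector_matches(rules, facility, level):
    """Last selector naming the facility wins; 'none' drops it; a level means that level or more severe."""
    matched = False
    for facilities, sel_level in rules:
        if "*" in facilities or facility in facilities:
            limit = -1 if sel_level == "none" else 7 if sel_level == "*" else LEVELS.index(sel_level)
            matched = LEVELS.index(level) <= limit
    return matched

def journald_stores(level, max_level_store):
    """MaxLevelStore is global: less severe records never reach the journal at all."""
    return LEVELS.index(level) <= LEVELS.index(max_level_store)

def route(messages, rule_lines, max_level_store):
    """Return {target file: [names]} for records that pass journald, then rsyslog."""
    parsed = [parse_rule(line) for line in rule_lines]
    out = {}
    for name, facility, level in messages:
        if journald_stores(level, max_level_store):
            for rules, target in parsed:
                if selector_matches(rules, facility, level):
                    out.setdefault(target, []).append(name)
    return out
# Constructed records modelled on the post's log lines; facility/severity are
# assumptions: sshd and sftp-server at auth.info, audit records arriving via
# imjournal at user.notice, pam_unix authentication failures at authpriv.notice.
SAMPLE = [
    ("sshd-session", "auth", "info"),    # Starting session: subsystem 'sftp'
    ("sftp-open", "auth", "info"),       # session opened for local user root
    ("audit-key", "user", "notice"),     # CRYPTO_KEY_USER op=destroy
    ("audit-login", "user", "notice"),   # USER_START op=login
    ("pam-fail", "authpriv", "notice"),  # pam_unix(sshd:auth): authentication failure
]
RULE_BEFORE = "*.info;mail.none;authpriv.none;cron.none  /var/log/messages"
RULE_AFTER = "*.warning;mail.none;authpriv.none;cron.none  /var/log/messages"
RULE_SECURE = "authpriv.*  /var/log/secure"

if __name__ == "__main__":
    print("defaults     :", route(SAMPLE, [RULE_BEFORE, RULE_SECURE], "debug"))
    print("post's config:", route(SAMPLE, [RULE_AFTER, RULE_SECURE], "warning"))
```

The third call shape worth trying is route(SAMPLE, [RULE_AFTER, RULE_SECURE], "debug"): with only the rsyslog change, /var/log/secure still receives the pam_unix record, so it is the journald threshold, not the rsyslog selector, that silences it.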
Posted @ 2021-09-26 17:02 by 1769987233