Univention Bugzilla – Bug 15728
Remote logging per UCR
Last modified: 2023-08-29 18:32:27 CEST
It should be possible to enable remote logging via UCR in syslog.conf, or SYSLOGD="-r" in /etc/default/syslogd.
(In reply to comment #0)
> It should be possible to enable remote logging via UCR in syslog.conf, or
> SYSLOGD="-r" in /etc/default/syslogd

The latter is unnecessary, though, since /etc/init.d/sysklogd is a UCR template in which the defaults file is not sourced.
The UCC clients now use logger. It would therefore be practical if remote logging could be enabled directly when ucc-pxe-boot is installed. rsyslogd is used by now.
This is how it can be enabled:

 echo -e '$ModLoad imudp\n$UDPServerRun 514\n' >>/etc/rsyslog.d/ucc.conf
 ucr set security/packetfilter/udp/514/all=ACCEPT
 /etc/init.d/univention-firewall restart
 /etc/init.d/rsyslog restart
The client side should also be controlled via UCR. This has already been done in UCC: https://forge.univention.org/websvn/filedetails.php?repname=dev&path=%2Fbranches%2Fucs-3.1%2Fucc%2Funivention-corporate-client%2Fconffiles%2Fetc%2Frsyslog.d%2F100-ucc.conf
(In reply to comment #3)
> This is how it can be enabled:
>
> echo -e '$ModLoad imudp\n$UDPServerRun 514\n' >>/etc/rsyslog.d/ucc.conf
> ucr set security/packetfilter/udp/514/all=ACCEPT
          ↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑
Please use security/packetfilter/package/PAKETNAME/udp/514/all=ACCEPT. The variant mentioned above is for customer-specific settings.
We will not ship a UCS 3.1-2 release; the next UCS release will be UCS 3.2. As such, this bug is moved to the new target milestone.
Asked again by a customer
We had numerous (kernel) bugs in the past, where the /-filesystem was no longer writable and valuable information was lost because UCS does no remote logging:
Ticket #2016042621000189
Ticket #2016041221000419
Ticket #2016040721000198
Ticket #2016041221000419

See <http://sdb.univention.de/1362>:
> 3. Configure a central syslog server to collect syslog messages from all/other hosts in your domain.
> Setup one server (master) to store the log files:
>  printf '$ModLoad imudp\n$UDPServerRun 514\n' >/etc/rsyslog.d/ucs-logserver.conf
>  ucr set security/packetfilter/package/rsyslog/udp/514/all{=ACCEPT,/en=syslog}
>  /etc/init.d/rsyslog restart
>  /etc/init.d/univention-firewall restart
>
> Configure all other servers to send their syslog data to that server:
>  printf '*.* @%s\n' "$(dig +short +search master)" >/etc/rsyslog.d/ucs-remotelog.conf
>  /etc/init.d/rsyslog restart

That should be configurable via UCR and policy.
Created attachment 7808
UCS template for remote logging /etc/rsyslog.d/remote-syslog.conf

A simple UCS template to enable a UCS system to send logs remotely (as for rsyslog 4.6.4 in UCS 3.X). It includes a failover host and a local buffer file, in case the remote servers are unreachable, as in http://wiki.rsyslog.com/index.php/FailoverSyslogServer

UCR variables:

[syslog/remote/destination]
Description[de]=Zielsystem für die Syslog-Umleitung. Z.B. 192.168.225.122:5514
Description[en]=Target server for the syslog redirection. E.g. 192.168.225.122:5514
Type=str
Categories=system-base

[syslog/remote/destination/failover]
Description[de]=Ersatzziele, sollte der erste Server nicht erreichbar sein. Server sind separiert durch Leerzeichen
Description[en]=Additional servers that are used as fail over in case of unavailability of the first one. Servers are separated by blanks
Type=str
Categories=system-base

[syslog/remote/channels]
Description[de]=Syslog Channels die an den entfernten Server weitergeleitet werden. Standard: *.*
Description[en]=Syslog channels that will be redirected to the receiving host. Default *.*
Type=str
Categories=system-base

---
Notice that syslog/destination and syslog/destination/failover "support" extra options like sending the port or the format template of rsyslog (and override the default in /etc/rsyslog.conf). So one can do

 ucr set syslog/remote/destination='192.168.24.10:1514;RSYSLOG_FileFormat'

to change the remote port to 1514 and the log format to RSYSLOG_FileFormat
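
What a forwarding file built from the three variables in the comment above could look like, as an added example (this is not the attached template): it follows the failover pattern from the linked rsyslog wiki page and refuses values that would smuggle extra directives into the file. The function names, the buffer path, the use of TCP (@@) and the second address in the demo call are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not the attachment from the bug report.
BUFFER_FILE=${BUFFER_FILE:-/var/log/remote-buffer.log}   # hypothetical local buffer path
NL='
'

# A target is host[:port][;TemplateName]; spaces, newlines, '$' and similar are
# refused so a variable value cannot add further directives to the file.
valid_target() {
    case $1 in ''|*"$NL"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eqx '[A-Za-z0-9._-]+(:[0-9]{1,5})?(;[A-Za-z0-9_]+)?'
}

# A selector such as *.* or auth,authpriv.*;kern.warn on a single line.
valid_selector() {
    case $1 in ''|*"$NL"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eqx '[A-Za-z0-9*.,;!=-]+'
}

# render_remote_syslog DESTINATION "FAILOVER1 FAILOVER2 ..." [CHANNELS]
# Prints the file on stdout; prints nothing and returns 1 on a bad value.
render_remote_syslog() (
    set -f                                    # no globbing while splitting the list
    dest=$1 failover=$2 channels=${3:-*.*}
    valid_selector "$channels" || { echo "bad channels" >&2; return 1; }
    for t in "$dest" $failover; do
        valid_target "$t" || { echo "bad target: $t" >&2; return 1; }
    done
    printf '%s @@%s\n' "$channels" "$dest"    # primary, TCP (assumption)
    echo '$ActionExecOnlyWhenPreviousIsSuspended on'
    for t in $failover; do printf '& @@%s\n' "$t"; done
    printf '& %s\n' "$BUFFER_FILE"            # last resort: local buffer file
    echo '$ActionExecOnlyWhenPreviousIsSuspended off'
)

# Demo with the destination value from the comment and a constructed failover host.
render_remote_syslog '192.168.24.10:1514;RSYSLOG_FileFormat' '192.168.24.11:1514'
```

Checking the rendered file with rsyslogd -N 1 before restarting the daemon catches syntax errors that this validation does not cover.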
and again the /-filesystem was no longer writable and valuable information was lost because UCS does no remote logging: Ticket#2016091621002544
See also Bug #41815.
4.1-4:
r74914 | Bug #15728 base: Enable remote syslog logging

4.2-0:
r74925 | Bug #15728 base: Fix minor issues
r74924 | Bug #15728 base: Enable remote syslog logging

Package: univention-base-files
Version: 5.0.1-3.217.201612011627
Version: 5.0.1-4.218.201612020906
Branch: ucs_4.1-0
Scope: errata4.1-4

r74921 | Bug #15728,Bug #41815,Bug #41816: base YAML univention-base-files.yaml

TEST:
@server:
 ucr set syslog/input/udp=514 syslog/input/tcp=10514 syslog/input/relp=2514
 rsyslogd -N 1 -d | grep NOT
 /etc/init.d/univention-firewall restart
 /etc/init.d/rsyslog restart
 tail -f /var/log/user.log

@client
 ucr set syslog/remote=@@10.200.17.28:10514 syslog/remote/fallback='@10.200.17.29:514 /var/log/failed'
 rsyslogd -N 1 -d | grep NOT
 logger Test3
 ssh 10.200.17.28 /etc/init.d/rsyslog stop
 logger Fallback
 univention-install rsyslog-relp
 ucr set syslog/remote=:omrelp:10.200.17.28:2514
 logger RELP
OK - univention-base-files.yaml
OK - remote logging
OK - merged to 4.2-0
<http://errata.software-univention.de/ucs/4.1/353.html>