Currently, rsyslog is listening on a UDP socket and a UNIX socket, as shown below:
[root@machine ~]# netstat -ap | grep rsyslog
udp 0 0 0.0.0.0:59018 0.0.0.0:* 268440/rsyslogd
unix 2 [ ] DGRAM 74163705 268440/rsyslogd
[root@machine ~]#
[root@machine ~]#
[root@machine ~]#
[root@machine ~]#
[root@machine ~]# uname -a
Linux machine.abc.com 3.10.0-693.17.1.el7.x86_64 #1 SMP Sun Jan 14 10:36:03 EST 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@machine ~]#
It is not clear whether a configuration change is needed for rsyslogd's UDP syslog reception. /etc/rsyslog.conf has no such change, as shown below:
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
authpriv.* @some_remote_machine.abc.com
where /etc/rsyslog.d/*.conf has the following entry:
$SystemLogSocketName /run/systemd/journal/syslog
For security reasons, the goal is to disable UDP syslog reception for rsyslogd.
strace shows that socket() is called only once when rsyslogd starts:
socket(AF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
Below are the UDP-related details:
[root@machine ~]# rsyslogd -d 2>&1|grep -i udp
4078.341962469:main thread : tplAddLine processing template 'RSYSLOG_omudpspoofDfltSourceTpl'
4078.350580740:main thread : Template: Name='RSYSLOG_omudpspoofDfltSourceTpl'
[root@machine ~]# rsyslogd -v
rsyslogd 8.24.0, compiled with:
PLATFORM: x86_64-redhat-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
Number of Bits in RainerScript integers: 64
See http://www.rsyslog.com for more information.
[root@machine ~]#
How do I configure rsyslog to disable UDP syslog reception, since we have syslog installed?
Posted on 2018-10-27 09:39:15
Disable loading of the imudp module. Example below.
# netstat -ap|grep rsyslog
udp 0 0 0.0.0.0:syslog 0.0.0.0:* 17076/rsyslogd
udp6 0 0 [::]:syslog [::]:* 17076/rsyslogd
unix 2 [ ] DGRAM 1074728 17076/rsyslogd
#
# grep -i udp /etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
#
# sed -i 's/\$ModLoad imudp/#\$ModLoad imudp/' /etc/rsyslog.conf
# systemctl restart rsyslog
# Confirm
# netstat -ap|grep rsyslog
unix 2 [ ] DGRAM 1073845 16982/rsyslogd
#
Posted on 2018-11-05 18:12:51
I ran into some problems running rsyslog and syslog-ng on RHEL 7.5; even trying to stop or kill the processes did not help. So I decided to remove rsyslog.
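Added example, not part of either answer or of rsyslog itself: a bash audit that follows the first answer's approach of disabling imudp. It lists every active directive that would make rsyslogd receive syslog over UDP, and separately lists single-`@` forwarding actions, which send over UDP rather than receive. The sample files are constructed from the configuration lines quoted on this page, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit rsyslog config for UDP use.

# Active (uncommented) directives that make rsyslogd RECEIVE syslog over UDP,
# in legacy ($ModLoad/$UDPServerRun) or RainerScript (module/input) syntax.
find_udp_reception() {
    grep -HnEi \
        -e '^[[:space:]]*\$ModLoad[[:space:]]+imudp' \
        -e '^[[:space:]]*\$UDPServerRun[[:space:]]' \
        -e '^[[:space:]]*(module|input)[[:space:]]*\(.*"imudp"' "$@"
}

# Forwarding actions with a single "@" SEND over UDP ("@@" is TCP); they are
# not reception, but they are a separate UDP use worth knowing about.
find_udp_forwarding() {
    grep -HnE '^[^#]*[[:space:]]@[^@[:space:]]' "$@"
}

# Runtime check to pair with the config audit (run as root to see process
# names). Defined for use on a real host; not called by the demo below.
udp_sockets() { ss -lunp | grep rsyslogd; }

# Constructed sample files modelled on the configs quoted on this page.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '$ModLoad imuxsock' '$ModLoad imjournal' \
        'authpriv.* @some_remote_machine.abc.com' > "$dir/question.conf"
    printf '%s\n' '# Provides UDP syslog reception' '$ModLoad imudp' \
        '$UDPServerRun 514' > "$dir/answer_before.conf"
    # Same sed expression as in the first answer, applied to the sample copy.
    sed 's/\$ModLoad imudp/#\$ModLoad imudp/' "$dir/answer_before.conf" \
        > "$dir/answer_after.conf"
    echo "$dir"
}

dir=$(make_samples)
for f in "$dir"/*.conf; do
    echo "== ${f##*/}"
    find_udp_reception "$f" || echo "no active UDP reception directive"
    find_udp_forwarding "$f" || echo "no UDP forwarding action"
done
```

On the sample modelled on the first answer's file after its sed command, `$UDPServerRun 514` is still reported as active, so it can be commented out together with `$ModLoad imudp`.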
https://unix.stackexchange.com/questions/478073