JumpServer V3 对接 Syslog 日志系统


Administrator
飞致云 发布于 2022-07-11 / 4787 阅读 / 0 评论 /
本文章主要介绍 JumpServer 如何对接 Syslog 日志系统,并将 JumpServer 的日志输出到 Syslog 服务器中。配置测试 Syslog 与 JumpServer 对接测试日志说明

一、概述

本文章主要介绍 JumpServer 如何对接 Syslog 日志系统,并将 JumpServer 的日志输出到 Syslog 服务器中。

二、配置 Syslog 服务器

1、服务器配置

服务器需求:UNIX 系统(示例服务器为 CentOS 7)。

服务器规格:2C4G 200G。

其他需求:开启服务器 TCP/UDP 的 514 端口或关闭防火墙。重启 Syslog 服务

2、修改配置文件

Syslog 的配置文件为 /etc/rsyslog.conf。

修改 Syslog 的配置文件设置日志输入位置以及端口等信息。修改如下:

#打开如下注释( UDP 方式)
$ModLoad imudp
$UDPServerRun 514
 
#打开如下注释( TCP 方式)
#$ModLoad imtcp
#$InputTCPServerRun 514
 
添加如下配置
local2.*         /tmp/messages

修改完成后 Syslog 配置文件如下所示:

3、重启 Syslog

修改完成后重启 Syslog 服务以加载新的配置文件。

systemctl restart rsyslog

4、测试 Syslog 服务

测试 Syslog 是否可以正常对接 JumpServer 服务器。判断网络是否连通,以及 Syslog 配置是否生效。

#在 JumpServer 服务器上执行以下命令(注:10.1.12.116 为 Syslog 服务器的 IP):
logger -n 10.1.12.116 -T -P 514 -p local2.info "message:rsyslog loggging From JumpServer"
logger -n 10.1.12.116 -T -P 514 -p local2.info "message:rsyslog loggging From JumpServer(UDP)"

查看 Syslog 服务器中是否已经存在输出的日志信息。

三、配置 JumpServer 侧

1、修改 JumpServer 的配置文件

JumpServer 的配置文件的默认存储位置位于:/opt/jumpserver/config/config.txt

JumpServer 中需要添加的配置项如下所示:

#配置 syslog
SYSLOG_ENABLE=true
SYSLOG_ADDR=10.1.12.116:514  # Syslog 服务器的IP以及端口
SYSLOG_FACILITY=local2  #根据 Syslog 配置文件的配置

2、重启 JumpServer

修改 JumpServer 配置文件后需要重启 JumpServer 以加载配置项。

jmsctl restart

3、验证配置

登录 JumpServer 服务生成一条登录日志,查看 Syslog 服务器中是否有输出。输出的登录日志如下所示:

四、Syslog日志信息解析

日志名称

Syslog输出样例

登录日志


Apr 19 15:25:11 10.1.14.125 jumpserver: login_log - {"backend": "Password", "backend_display": "密码", "city": "局域网", "datetime": "2023/04/19 15:18:36 +0800", "id": "cfc378e5-6337-4bf9-a8ac-15f33c2b0314", "ip": "10.1.10.35", "mfa": {"label": "禁用", "value": 0}, "reason": "", "reason_display": "", "status": {"label": "成功", "value": true}, "type": {"label": "Web", "value": "W"}, "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.48", "username": "admin"}

上传文件日志

Apr 19 15:27:26 10.1.14.125 jumpserver: ftp_log - {"account": "root(root)", "asset": "10.1.12.182-root(10.1.12.182)", "date_start": "2023/04/19 15:20:51 +0800", "filename": "/tmp/vmware-root/上传示例.pdf", "id": "6e7721c0-2091-49fb-8853-fc18e0a2e432", "is_success": true, "operate": {"label": "上传文件", "value": "upload"}, "org_id": "00000000-0000-0000-0000-000000000002", "remote_addr": "10.1.10.35", "user": "Administrator(admin)"}

下载文件日志

Apr 19 15:28:08 10.1.14.125 jumpserver: ftp_log - {"account": "root(root)", "asset": "10.1.12.182-root(10.1.12.182)", "date_start": "2023/04/19 15:21:33 +0800", "filename": "/tmp/vmware-root/下载示例.pdf", "id": "113c0601-80c1-47d1-a053-5038fd89698c", "is_success": true, "operate": {"label": "下载文件", "value": "download"}, "org_id": "00000000-0000-0000-0000-000000000002", "remote_addr": "10.1.10.35", "user": "Administrator(admin)"}

操作日志

Apr 19 15:28:44 10.1.14.125 jumpserver: operation_log - {"action": {"label": "Update", "value": "update"}, "datetime": "2023/04/19 15:22:09 +0800", "id": "f844f014-2ac5-459d-abd0-ec8f853fa09c", "org_id": "00000000-0000-0000-0000-000000000004", "org_name": "SYSTEM", "remote_addr": "10.1.10.35", "resource": "[基本] 全局组织名", "resource_type": "System setting", "user": "Administrator(admin)"}

改密日志

Apr 19 15:29:58 10.1.14.125 jumpserver: password_change_log - {"change_by": "Administrator(admin)", "datetime": "2023/04/19 15:23:23 +0800", "id": "0cd278ed-8335-49d5-a0c3-0211e9858441", "remote_addr": "10.1.10.35", "user": "MFA全局(MFA)"}

会话日志

Apr 19 15:31:29 10.1.14.125 jumpserver: host_session_log - {"account": "root(root)", "account_id": "49536b5e-bf06-4d16-bacd-7d628de3a3f2", "asset": "10.1.12.182-root(10.1.12.182)", "asset_id": "dfba9962-7988-4d29-9b04-6f82dd8e02c3", "can_join": true, "can_replay": false, "can_terminate": true, "comment": null, "date_end": null, "date_start": "2023/04/19 15:24:54 +0800", "has_command": false, "has_replay": false, "id": "4896b882-299a-4759-804e-32250f5b05b7", "is_finished": false, "is_success": true, "login_from": {"label": "Web Terminal", "value": "WT"}, "org_id": "00000000-0000-0000-0000-000000000002", "org_name": "Default", "protocol": "ssh", "remote_addr": "10.1.10.35", "terminal": {"id": "7076d4aa-4050-4a2f-855b-2af7a7bd6674", "name": "[KoKo]-jumpserver-v3-86c4b2fc7167"}, "type": {"label": "正常", "value": "normal"}, "user": "Administrator(admin)", "user_id": "cdeb8352-9f45-46d9-8873-b3c7c53022fd"}

Apr 19 15:31:29 10.1.14.125 jumpserver: host_session_log - {"account": "root(root)", "account_id": "49536b5e-bf06-4d16-bacd-7d628de3a3f2", "asset": "10.1.12.182-root(10.1.12.182)", "asset_id": "dfba9962-7988-4d29-9b04-6f82dd8e02c3", "can_join": true, "can_replay": false, "can_terminate": true, "comment": null, "date_end": null, "date_start": "2023/04/19 15:24:54 +0800", "has_command": false, "has_replay": false, "id": "4896b882-299a-4759-804e-32250f5b05b7", "is_finished": false, "is_success": true, "login_from": {"label": "Web Terminal", "value": "WT"}, "org_id": "00000000-0000-0000-0000-000000000002", "org_name": "Default", "protocol": "ssh", "remote_addr": "10.1.10.35", "terminal": {"id": "7076d4aa-4050-4a2f-855b-2af7a7bd6674", "name": "[KoKo]-jumpserver-v3-86c4b2fc7167"}, "type": {"label": "正常", "value": "normal"}, "user": "Administrator(admin)", "user_id": "cdeb8352-9f45-46d9-8873-b3c7c53022fd"}

命令日志

Apr 19 15:34:00 10.1.14.125 jumpserver: session_command_log - {"account": "root(root)", "asset": "10.1.12.182-root(10.1.12.182)", "id": "28400256-e9e2-4454-8127-4880fe5b9684", "input": "free -h", "org_id": "00000000-0000-0000-0000-000000000002", "output": "free -h\r\n              total        used        free      shared  buff/cache   available\r\nMem:           7.6G        4.3G        136M         28M        3.2G        3.0G", "remote_addr": "10.1.10.35", "risk_level": {"label": "普通", "value": 0}, "session": "4896b882-299a-4759-804e-32250f5b05b7", "timestamp": 1681889159, "timestamp_display": "2023/04/19 15:25:59 +0800", "user": "Administrator(admin)"}



是否对你有帮助?