<p class="shortdesc">本文介绍如何添加仅支持Syslog的设备为资产，并配置采集器采集资产上的日志数据。</p> <section class="section context"><div class="tasklabel"><h2 class="doc-tairway">背景信息</h2></div> <p class="p">本文以CentOS设备为例，介绍安全日志审计如何通过syslog收集日志。其中，CentOS设备IP地址为192.168.31.111，日志审计的IP地址为192.168.31.75。</p> </section> <section class="section limitation" id="syslogDevice__mqk_vxc_hsb"><div class="tasklabel"><h2 class="doc-tairway">使用限制</h2></div> <ul class="ul" id="syslogDevice__ul_hbb_t1d_hsb"> <li class="li">您已创建安全日志审计实例。</li> <li class="li">您已创建组织。</li> <li class="li">安全日志审计与要添加的资产之间网络通讯正常。</li> </ul> </section> <section><div class="tasklabel"><h2 class="doc-tairway">操作步骤</h2></div><ol class="ol steps"><li class="li step stepexpand"> <span class="ph cmd">修改CentOS设备配置文件。</span> <ol type="a" class="ol substeps" id="syslogDevice__substeps_bck_y1d_hsb"> <li class="li substep substepexpand"> <span class="ph cmd">打开/etc/rsyslog.conf文件，添加“*.info @192.168.31.75”并保存文件。</span> <div class="itemgroup info"> <img class="image" id="syslogDevice__image_yn5_hjn_prb" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222803112057-11f319e69721.png" width="830"> </div> </li> <li class="li substep substepexpand"> <span class="ph cmd">修改完成后，执行service rsyslog restart或systemctl restart rsyslog.service命令重启服务。</span> </li> </ol> </li><li class="li step stepexpand"> <span class="ph cmd">登录<a class="xref" href="https://www.ocftcloud.com/console/vpc/nat/list" target="_blank" rel="external noopener">NAT网关控制台</a>，选择<span class="ph uicontrol">安全组</span>，单击日志审计服务器名称进入<span class="keyword wintitle">安全组详情</span>页面， 依次单击<span class="ph uicontrol">安全组规则</span>、<span class="ph uicontrol">添加安全组</span>进入<span class="keyword wintitle">添加规则</span>页面，放行需要发送日志的客户端IP与端口号，如下图所示。</span> <div class="itemgroup info"> <img class="image" id="syslogDevice__image_yn5_hjn_prg" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222803112056-15c0d63c90f8.png" width="600"> <div class="note important note_important" id="syslogDevice__note_c1q_nzy_ysb"><span class="note__title">重要：</span> Syslog发送日志默认端口号为514，若资产发送日志使用的端口不是514，此处需要修改为资产发送日志使用的端口号与协议；授权IP即资产所在网段。其他配置项与上图保持一致即可。</div> </div> </li><li class="li step stepexpand"> <span class="ph cmd">登录<a class="xref" href="https://www.ocftcloud.com/console/log-audit" target="_blank" rel="external noopener">安全日志审计SLA控制台</a>，进入<span class="keyword wintitle">实例列表</span>页面。</span> </li><li class="li step stepexpand"> <span class="ph cmd">单击目标实例<span class="ph uicontrol"> 操作</span>列的<span class="ph uicontrol">管理</span>，进入安全日志审计控制台。</span> <div class="itemgroup info"> <img class="image" id="syslogDevice__d80e53" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222803112057-1ecc508f988a.png" width="830"> </div> </li><li class="li step stepexpand"> <span class="ph cmd">在页面上边栏选择<span class="ph uicontrol">资产管理</span>，在左侧菜单栏选择<span class="ph menucascade"><span class="ph uicontrol">资产</span><abbr> > </abbr><span class="ph uicontrol">发现资产</span></span>，进入<span class="keyword wintitle">发现资产</span>页面。</span> </li><li class="li step stepexpand"> <span class="ph cmd">在资产列表中找到CentOS设备192.168.31.111（以syslog发送日志），资产类型选择“Nix”，编码选择“gbk ”（实际环境中，请根据选中真实的编码方式），选择资产所属的组织，单击<span class="ph uicontrol">确定</span>。</span> <div class="itemgroup info"> <img class="image" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222803112057-111d5b369fd8.png" width="830"> <div class="note important note_important" id="syslogDevice__note_db3_5hd_hsb"><span class="note__title">重要：</span> 只有当CentOS设备向本系统上报日志后，系统才能发现并展示其信息。</div> </div> </li><li class="li step stepexpand"> <span class="ph cmd">在<span class="keyword wintitle">全部资产</span>页面找到新添加的资产设备192.168.31.111。</span> <div class="itemgroup info"> <img class="image" id="syslogDevice__image_efn_33d_hsb" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222803112057-1997c7529b7b.png" width="830"> </div> </li><li class="li step stepexpand"> <span class="ph cmd">单击资产名称<strong class="ph b">192.168.31.111</strong>，根据需要修改资产属性。</span> <div class="itemgroup info"> <img class="image" id="syslogDevice__image_prm_m3d_hsb" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222803112057-1ca0a4da9db2.png" width="830"> </div> </li><li class="li step stepexpand"> <span class="ph cmd">单击<span class="ph uicontrol">保存</span>。</span> </li></ol></section> <section class="section result" id="syslogDevice__result_khb_s3d_hsb"><div class="tasklabel"><h2 class="doc-tairway">执行结果</h2></div> <div class="p">在CentOS设备192.168.31.111上重启Syslog服务以触发日志生成，然后在安全日志审计控制台，选择<span class="ph menucascade"><span class="ph uicontrol">事件管理</span><abbr> > </abbr><span class="ph uicontrol">事件</span><abbr> > </abbr><span class="ph uicontrol">自定义查询</span></span>，进入<span class="keyword wintitle">自定义查询</span>页面，查询条件中，<strong class="ph b">日志源</strong>选择刚添加的资产192.168.31.111，单击<span class="ph uicontrol">查询</span>按钮看到如下图所示日志，说明资产添加成功，并且收集日志成功。<img class="image" id="syslogDevice__image_iys_3jd_hsb" src="https://obs-cn-shanghai.ocftcloud.com/pacloud/20222803112057-14cfe2439037.png" width="830"></div> </section>