
Configure logrotate + access to collect logs via SFTP

I had a task: to configure the compression of the DNS logs of the Unbound server, with the possibility of conveniently collecting these backups to the collector. It was also required to restrict access rights so that from the collector it was possible to go only to the directory where backup logs are stored. These actions were carried out on CentOS 7 Minimal and CentOS 6.6 Minimal.

1) First we create a user group whose access will be limited to SFTP only:

groupadd sftpd 

2) Next, edit the ssh configuration:

 vi /etc/ssh/sshd_config 

Near the end of the file, comment out the existing line so that it reads #Subsystem sftp /usr/libexec/openssh/sftp-server, then restrict the sftpd user group to SFTP only and to the home directory only. To do this, add the following lines at the end:

 Subsystem sftp internal-sftp
 Match group sftpd
     ChrootDirectory %h
     X11Forwarding no
     AllowTcpForwarding no
     ForceCommand internal-sftp

Restart sshd:

 service sshd restart 

3) Create a dnslog user, assign him a home folder and rights to this folder. The owner must be root, no one else should have permission to write to this folder, otherwise it will not work:

 adduser -d /home/dnslog -s /sbin/nologin dnslog -g sftpd
 passwd dnslog

 chown root /home/dnslog
 chmod 750 /home/dnslog

4) Create a folder inside our user's home directory for which logrotate will have write permissions.

 mkdir /home/dnslog/logs
 chown dnslog /home/dnslog/logs
 chmod 775 /home/dnslog/logs

Access for the collector is now set up; you can connect via SFTP and check that everything works. Next, configure log rotation:

5) Create a file in the /etc/logrotate.d/ folder in which the rotation settings of our logs will be written.

 vi /etc/logrotate.d/unbound_logrotate 

Settings like this:

 /var/log/unbound/unbound.log {
     daily
     rotate 48
     missingok
     notifempty
     compress
     olddir /home/dnslog/logs
     size 1024M
     postrotate
         service rsyslog restart > /dev/null
         unbound-control log_reopen
     endscript
 }

Next, I set the rotation time through cron.

6) In the /etc/crontab file add the following line:

23 * * * * root run-parts /etc/cron.hourly


And restart cron:

 service crond restart

Rotation will be carried out every hour at 23 minutes.

7) In the /etc/cron.hourly/ folder, create a file with any name, where we write a script that will be executed when the rotation time comes, with the following contents:

/usr/sbin/logrotate /etc/logrotate.conf


That's all. Logs will automatically be added to the /home/dnslog/logs/ folder.

You can check the rotation settings with the command:

 logrotate -d /etc/logrotate.conf 


Also, it is worth noting that there are two ways of logging in Unbound: by means of Unbound and via syslog. Using syslog is the best way, since it doesn’t slow down Unbound. In this example, the rotation of logs by means of Unbound is described. To configure logging via syslog, you need to enable the parameter in the Unbound configuration:
 use-syslog: yes 

And also rewrite the file /etc/logrotate.d/unbound_logrotate:

 /var/log/messages {
     daily
     rotate 48
     missingok
     notifempty
     compress
     size 1024M
     olddir /home/dnslog/logs
     create
     postrotate
         /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
         chown dnslog /home/dnslog/logs/messages*
         chmod 775 /home/dnslog/logs/messages*
     endscript
 }

Source: https://habr.com/ru/post/274539/

