12.8.4 Auditing and log management for high-availability failover

A high-availability failover is made up of critical events: master/backup state changes, VIP migration and health-check decisions. Each of them needs a traceable, verifiable audit trail. This section covers how the log chain works, the configuration that puts it in place, troubleshooting, and exercises, so that every failover can be replayed and audited.


Log chain and time synchronisation (example)

1) Check time synchronisation and the log sources

# Check clock synchronisation status (chrony)
chronyc tracking

# Check the Keepalived service state and its most recent log lines
systemctl status keepalived
journalctl -u keepalived -n 50 --no-pager
  • chronyc tracking: confirm the NTP offset and sync state, so that timestamps are consistent across nodes and events from both sides can be ordered reliably
  • journalctl -u keepalived: quick look at the log lines immediately before and after a failover

2) A dedicated Keepalived log file and log detail

# /etc/rsyslog.d/30-keepalived.conf
# Keepalived logs under several program names (Keepalived, Keepalived_vrrp,
# Keepalived_healthcheckers), so match on the prefix rather than one exact name.
if ($programname startswith 'Keepalived') then /var/log/keepalived/keepalived.log
& stop
# Create the directory and set permissions
mkdir -p /var/log/keepalived
chmod 750 /var/log/keepalived
# Where rsyslog drops privileges (Debian/Ubuntu run it as user "syslog"), give that
# user write access to the directory, e.g. chown syslog:adm /var/log/keepalived
systemctl restart rsyslog
# For more detailed messages, start keepalived with -D (--log-detail).
# /etc/keepalived/keepalived.conf, key fragments (example)
global_defs {
  router_id KA_NODE_A
  vrrp_mcast_group4 224.0.0.18
  # If enable_script_security is set, the check script must be owned by root and
  # not writable by other users, otherwise keepalived refuses to run it
}
# Health-check script referenced by track_script below (the path is an example; keep
# it under the directory watched by the audit rules in the next section)
vrrp_script chk_haproxy {
  script "/etc/keepalived/scripts/chk_haproxy.sh"
  interval 2
  weight -20
}
vrrp_instance VI_1 {
  state BACKUP
  interface eth0
  virtual_router_id 51
  priority 100
  advert_int 1
  authentication {
    auth_type PASS
    auth_pass 123456   # placeholder, replace with your own value (VRRP uses at most 8 characters)
  }
  virtual_ipaddress {
    10.0.0.10/24 dev eth0
  }
  track_script {
    chk_haproxy
  }
}

Expected result: log lines land in /var/log/keepalived/keepalived.log and record the state transitions (entering MASTER/BACKUP state), the return code of the check script, and VIP add/remove operations.

Auditing and change logging (auditd example)

Installation and activation

# CentOS/RHEL
yum install -y audit
systemctl enable --now auditd

# Ubuntu/Debian
apt-get update && apt-get install -y auditd
systemctl enable --now auditd

Audit rules: watch the key paths and the binary

# /etc/audit/rules.d/keepalived.rules
-w /etc/keepalived/keepalived.conf -p wa -k keepalived_conf
-w /etc/keepalived/scripts/ -p wa -k keepalived_scripts
-w /usr/sbin/keepalived -p x -k keepalived_bin
-w /etc/sysctl.conf -p wa -k sysctl_change
# Load the rules and confirm they are active
augenrules --load
auditctl -l | grep keepalived

Querying the audit log

# Configuration changes
ausearch -k keepalived_conf --start today

# Changes under the script directory
ausearch -k keepalived_scripts --start today
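ausearch answers the question interactively; to put the same answer into a review or a ticket it helps to see how the raw records fit together. The following Python script is an added example (not from this page and not part of the auditd project) that parses raw audit.log records, groups them by event serial the way ausearch does, and reports who changed which file under a given audit key. The records are constructed with hypothetical values in the abridged audit.log format; the field names (auid, uid, comm, exe, key, nametype) are the real ones.

```python
import re
from datetime import datetime, timezone

# Constructed records in raw /var/log/audit/audit.log format (abridged field set, hypothetical
# values): an edit of keepalived.conf by a user who became root via sudo, then an execution of
# the keepalived binary, each tagged with the -k key from the rules above.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1704888000.123:456): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=100 pid=200 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="sed" exe="/usr/bin/sed" key="keepalived_conf"
type=CWD msg=audit(1704888000.123:456): cwd="/root"
type=PATH msg=audit(1704888000.123:456): item=0 name="/etc/keepalived/" inode=1001 mode=040750 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1704888000.123:456): item=1 name="/etc/keepalived/keepalived.conf" inode=1002 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1704888060.500:457): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=100 pid=201 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key="keepalived_bin"
type=PATH msg=audit(1704888060.500:457): item=0 name="/usr/sbin/keepalived" inode=2001 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
type=PATH msg=audit(1704888060.500:457): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=2002 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
"""

HDR_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line: str):
    """One raw audit record -> (type, epoch, serial, {field: value}); None for non-audit lines."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
    return m["type"], float(m["epoch"]), int(m["serial"]), fields

def group_events(text: str) -> dict:
    """Join the records of one event (same serial) as ausearch does: one SYSCALL, n PATH records."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, epoch, serial, fields = rec
        ev = events.setdefault(serial, {"ts": datetime.fromtimestamp(epoch, tz=timezone.utc), "PATH": []})
        if rtype == "PATH":
            ev["PATH"].append(fields)
        else:
            ev[rtype] = fields
    return events

def changes_for_key(text: str, key: str) -> list:
    """Who touched which files under an audit key: the question 'ausearch -k <key>' answers."""
    out = []
    for serial, ev in sorted(group_events(text).items()):
        sc = ev.get("SYSCALL", {})
        if sc.get("key") != key:
            continue
        out.append({
            "serial": serial,
            "time": ev["ts"].isoformat(),
            "auid": int(sc["auid"]),   # login uid: survives sudo/su, so this is the accountable person
            "uid": int(sc["uid"]),     # effective identity at the time of the call (0 after sudo)
            "comm": sc["comm"], "exe": sc["exe"], "tty": sc.get("tty"),
            "success": sc.get("success") == "yes",
            "files": [p["name"] for p in ev["PATH"] if p.get("nametype") != "PARENT"],
        })
    return out

def sudo_edits(text: str, key: str) -> list:
    """Changes made as root by a non-root login (auid != uid): the ones to look at first in review."""
    return [c for c in changes_for_key(text, key) if c["uid"] == 0 and c["auid"] not in (0, 4294967295)]
```

The distinction between auid and uid is the point of keeping auditd next to the Keepalived log: after sudo the file is modified as uid 0, but the login uid (auid) still names the person, which is what a post-mortem needs. An auid of 4294967295 (unset) usually means the action came from a daemon or from a session that bypassed PAM, and deserves its own explanation.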

Centralised logging and field conventions (rsyslog example)

# /etc/rsyslog.d/99-forward.conf
# "@@" forwards over TCP; a single "@" would use UDP
*.* @@log-server.example.com:514

Recommended fields: node identifier, instance name, state transition (MASTER/BACKUP/FAULT), priority, check-script return code, result of the VIP operation, interface, and the associated subnet.

Key troubleshooting flows (example)

1) The failover did not happen:

# Check VRRP state and priority
grep -E "STATE|Priority|VRRP" /var/log/keepalived/keepalived.log

# Check the return codes of the check script (logged as VRRP_Script(...) / "Script ...")
grep -i "script" -A2 /var/log/keepalived/keepalived.log

2) Frequent flapping:

# How long the health-check script runs and how often its result changes
journalctl -u keepalived --since "10 min ago" | grep -i "script"

# Interface error/drop counters and the neighbour (ARP) entry for the VIP
ip -s link show eth0
ip neigh show | grep 10.0.0.10    # or "arp -n | grep 10.0.0.10" where net-tools is installed

3) The VIP did not move:

# Is the VIP bound to the interface?
ip addr show dev eth0 | grep 10.0.0.10

# Is VRRP (IP protocol 112, multicast 224.0.0.18) blocked by the firewall or a policy?
iptables -S | grep -i vrrp

Exercises and drills

1) Failover drill
  • On the master node, run:

systemctl stop keepalived

  • On the backup node, confirm:

ip addr show dev eth0 | grep 10.0.0.10
grep "MASTER STATE" /var/log/keepalived/keepalived.log

2) Log integrity verification
  • After changing the configuration, check the audit trail:

sed -i 's/priority 100/priority 90/' /etc/keepalived/keepalived.conf
ausearch -k keepalived_conf --start recent

3) Replay and post-mortem
  • Export the log window around the failover:

grep -E "STATE|VIP|Script" /var/log/keepalived/keepalived.log > /tmp/ka_switch.log
  • Post-mortem metrics: time of occurrence, cause, duration, scope of impact, recovery actions.
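The exported window is still plain text; for the post-mortem metrics listed above it helps to turn it into a timeline. The following Python script is an added example (not part of this page) that parses keepalived log lines in the syslog form shown earlier, attaches the check-script and priority events logged shortly before each state change as its cause, computes how long each state lasted, and counts flaps. The sample lines are constructed and modelled on keepalived's message wording ("Entering MASTER STATE", "VRRP_Script(name) failed"), which varies slightly between versions; adjust the regular expressions to the wording in your own log.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample lines in keepalived's syslog message style (hypothetical host
# "ka-node-a", not a real capture): one clean failover, then a flap caused by the
# tracked health-check script failing and recovering within a few seconds.
SAMPLE_LOG = """\
Jan 10 12:00:00 ka-node-a Keepalived_vrrp[1234]: (VI_1) Entering BACKUP STATE
Jan 10 12:03:10 ka-node-a Keepalived_vrrp[1234]: (VI_1) Entering MASTER STATE
Jan 10 12:03:10 ka-node-a Keepalived_vrrp[1234]: (VI_1) setting VIPs.
Jan 10 12:09:42 ka-node-a Keepalived_vrrp[1234]: VRRP_Script(chk_haproxy) failed (exited with status 1)
Jan 10 12:09:42 ka-node-a Keepalived_vrrp[1234]: (VI_1) Changing effective priority from 100 to 80
Jan 10 12:09:44 ka-node-a Keepalived_vrrp[1234]: (VI_1) Entering BACKUP STATE
Jan 10 12:09:44 ka-node-a Keepalived_vrrp[1234]: (VI_1) removing VIPs.
Jan 10 12:09:50 ka-node-a Keepalived_vrrp[1234]: VRRP_Script(chk_haproxy) succeeded
Jan 10 12:09:50 ka-node-a Keepalived_vrrp[1234]: (VI_1) Changing effective priority from 80 to 100
Jan 10 12:09:51 ka-node-a Keepalived_vrrp[1234]: (VI_1) Entering MASTER STATE
Jan 10 12:09:51 ka-node-a Keepalived_vrrp[1234]: (VI_1) setting VIPs.
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<node>\S+) "
                       r"Keepalived\w*\[\d+\]: (?P<msg>.*)$")
STATE_RE = re.compile(r"\((?P<inst>\w+)\) (?:Entering|Transition to) (?P<state>MASTER|BACKUP|FAULT) STATE")
SCRIPT_RE = re.compile(r"VRRP_Script\((?P<script>\w+)\) (?P<result>failed|succeeded)"
                       r"(?: \(exited with status (?P<rc>\d+)\))?")
VIP_RE = re.compile(r"\((?P<inst>\w+)\) (?P<op>setting|removing) VIPs")
PRIO_RE = re.compile(r"\((?P<inst>\w+)\) Changing effective priority from (?P<old>\d+) to (?P<new>\d+)")

@dataclass
class Event:
    ts: datetime
    node: str
    kind: str     # state | script | vip | priority | other
    fields: dict  # structured fields as recommended in the text (instance, state, rc, ...)

@dataclass
class Transition:
    ts: datetime
    node: str
    instance: str
    old: Optional[str]
    new: str
    cause: str  # script/priority events logged shortly before the change, "; "-joined

def parse_line(line: str, year: int = 2024) -> Optional[Event]:
    """One syslog line -> Event, or None if it is not a keepalived line."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    node, msg = m["node"], m["msg"]
    if s := STATE_RE.search(msg):
        return Event(ts, node, "state", {"instance": s["inst"], "state": s["state"]})
    if s := SCRIPT_RE.search(msg):
        rc = int(s["rc"]) if s["rc"] else (0 if s["result"] == "succeeded" else None)
        return Event(ts, node, "script", {"script": s["script"], "result": s["result"], "rc": rc})
    if s := VIP_RE.search(msg):
        return Event(ts, node, "vip", {"instance": s["inst"], "op": s["op"]})
    if s := PRIO_RE.search(msg):
        return Event(ts, node, "priority", {"instance": s["inst"], "old": int(s["old"]), "new": int(s["new"])})
    return Event(ts, node, "other", {"msg": msg})

def parse_log(text: str, year: int = 2024) -> list:
    return [e for e in (parse_line(line, year) for line in text.splitlines()) if e]

def state_timeline(events, cause_window=timedelta(seconds=5)) -> list:
    """Rebuild state transitions and attach the script/priority events that preceded each."""
    last_state, recent, out = {}, {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "script":
            recent.setdefault(ev.node, []).append((ev.ts, f"{ev.fields['script']} {ev.fields['result']} rc={ev.fields['rc']}"))
        elif ev.kind == "priority":
            recent.setdefault(ev.node, []).append((ev.ts, f"priority {ev.fields['old']}->{ev.fields['new']}"))
        elif ev.kind == "state":
            key = (ev.node, ev.fields["instance"])
            causes = [txt for t, txt in recent.get(ev.node, []) if ev.ts - t <= cause_window]
            out.append(Transition(ev.ts, ev.node, key[1], last_state.get(key), ev.fields["state"], "; ".join(causes)))
            last_state[key] = ev.fields["state"]
    return out

def state_periods(transitions) -> list:
    """(node, instance, state, start, seconds) for each state tenure; seconds is None if still current."""
    open_, periods = {}, []
    for t in transitions:
        key = (t.node, t.instance)
        if key in open_:
            state, start = open_.pop(key)
            periods.append((t.node, t.instance, state, start, (t.ts - start).total_seconds()))
        open_[key] = (t.new, t.ts)
    return periods + [(n, i, st, s, None) for (n, i), (st, s) in open_.items()]

def flap_count(periods, max_seconds=60) -> int:
    """Tenures shorter than max_seconds indicate flapping, the usual sign of an unstable check script."""
    return sum(1 for p in periods if p[4] is not None and p[4] < max_seconds)
```

Run it over /tmp/ka_switch.log (parse_log(open(path).read())) and the four post-mortem metrics fall out directly: the Transition timestamps give the time of occurrence, the cause field names the failed script or priority change, state_periods gives the duration, and flap_count flags the "frequent flapping" case from the troubleshooting section. Because the parser works per node, merging the logs of both nodes from the central syslog server (where the time synchronisation checked at the start of this section matters) shows both sides of the same failover in one timeline.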

With the configuration and procedures above you obtain a complete chain, from VRRP events through script execution and system changes to centralised logs, so that every failover can be audited, traced and reviewed after the fact.