Agenda: exercises-log-management-syslog-ng.txt

Advanced Registry Operations Curriculum
Using syslog-ng

Notes:
------
* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>") 
  imply that you are executing commands on remote equipment, or within 
  another program.

Exercises
---------

1. Install syslog-ng

        # apt-get install syslog-ng

2. Edit /etc/syslog-ng/syslog-ng.conf

Find the lines:

        # (this is equivalent to the "-r" syslogd flag)
        # udp();

and change it to:

        # (this is equivalent to the "-r" syslogd flag)
        udp();

At the bottom of the file, add:

filter f_routers { facility(local5); };
log {
        source(s_all);
        filter(f_routers);
        destination(routers);
};
destination routers {
 file("/var/log/network/$YEAR/$MONTH/$DAY/$HOST-$YEAR-$MONTH-$DAY-$HOUR.log"
 owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
 template("$YEAR $DATE $HOST $MSG\n"));
};

3. Create the directory /var/log/network/

        # mkdir /var/log/network/

4. Restart syslog-ng:

        # /etc/init.d/syslog-ng restart

5. Configure your virtual routers to send syslog messages to your server:

        (Note: since you are working with 1 router / 2 PCs, you will need
        to configure your router send to 2 hosts:

        Hint: Use rancid clogin!

        rtrX# config terminal
        rtrX(config)# logging PC1
        rtrX(config)# logging PC2
        rtrX(config)# logging facility local5
        rtrX(config)# logging userinfo
        rtrX(config)# exit
        rtrX# write memory
        rtrX# exit

        logout from the router (exit)

6. On your PC, See if messages are starting to appear under

        /var/log/network/2010/02/26/...

7. If not, try to login back into the router, and run some "config" commands,
   then logout.