Agenda: exercises-log-management-swatch.txt

File exercises-log-management-swatch.txt, 2.6 KB (added by admin, 8 years ago)
Network Management & Monitoring
Using Swatch

Notes:
------
* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific prompts (e.g. "RTR-GW>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.

Exercises
---------

0. Log in to your PC or open a terminal window, then become root:

        $ sudo bash

1. Let's enable logging of everything to a single file:

        # vi /etc/syslog-ng/syslog-ng.conf

        - Add this at the end of the file:

destination everything {
  file("/var/log/everything"
    template("$DATE <$FACILITY.$PRIORITY> $HOST $MSG\n") template_escape(no)
  );
};
log { source(s_all); destination(everything); };

... this will enable logging of ALL messages to a single file, so that we
can run a monitoring script on the messages. The source name in the log
statement must match a source already defined in your syslog-ng.conf (s_all
here; stock Debian/Ubuntu configurations call it s_src), otherwise syslog-ng
will refuse to start. The existing log statements stay in place, so messages
still go to the usual log files as well.

        - Now re-initialize syslog-ng:

        # service syslog-ng restart

        - Check that messages are arriving: send yourself a test message
          with logger(1) and confirm that it shows up in /var/log/everything
          in the "date <facility.priority> host message" format above.
2. Enable a daily automated job to truncate the log file so it doesn't
grow too big:

        # vi /etc/logrotate.d/everything

        - In the file add the following:

/var/log/everything {
  daily
  copytruncate
  rotate 1
  postrotate
        /etc/init.d/swatch restart
  endscript
}

   copytruncate copies the file and then truncates the original in place,
   so the inode that swatch's tail is following does not change and GNU
   tail simply notices the truncation and keeps reading. The postrotate
   restart is a safety net: it only does anything if an init script for
   swatch exists on your system. In this exercise swatch is started by hand
   (see below), so after a rotation you may have to restart it yourself.

3. Install swatch

        # apt-get install swatch
4. Create the file /etc/swatch.conf and add the following rules in the file:

        # vi /etc/swatch.conf

watchfor /PRIV_AUTH_PASS/
        mail addresses=sysadm,subject=Enable mode entered
        threshold type=limit,count=1,seconds=3600

watchfor /CONFIG_I/
        mail addresses=sysadm,subject=Router configuration
        threshold type=limit,count=1,seconds=3600

watchfor /LINK-3-UPDOWN/
        mail addresses=sysadm,subject=Link state change
        threshold type=limit,count=1,seconds=3600

watchfor /SSH|ssh/
        mail addresses=sysadm,subject=SSH connection
        threshold type=limit,count=1,seconds=3600

   Each watchfor is a Perl regular expression that swatch tries against
   every new line of the log; it stops at the first watchfor that matches,
   so a line is never mailed twice. "mail addresses=..." is swatch's mail
   action, and "threshold type=limit,count=1,seconds=3600" means at most
   one mail per pattern per hour, however many matching lines arrive in
   between. The regex is case-sensitive: the router logs "SSH" in its
   message mnemonics while the sshd on your PC logs in lower case, hence
   /SSH|ssh/. PRIV_AUTH_PASS, CONFIG_I and LINK-3-UPDOWN are the Cisco IOS
   syslog mnemonics for entering enable mode, changing the configuration,
   and an interface changing state.


        Save the file and exit
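To see what these rules actually do before starting the daemon, here is an added worked example (not part of the original exercise and not swatch's own code): a short Python program that re-implements the watchfor / mail / "threshold type=limit" behaviour and runs it over a handful of constructed log lines written in the syslog-ng template format from step 1. The hostnames, addresses, timestamps and Cisco sequence numbers in the sample lines are made up for the example. Run it to see which lines would have produced a mail and which are suppressed by the one-per-hour limit; swatch's own window bookkeeping may differ slightly in detail.

```python
"""Model of the swatch rule set above: watchfor regex, mail action and
'threshold type=limit,count=1,seconds=3600'.  Added example; not swatch code.
Input lines follow the syslog-ng template '$DATE <$FACILITY.$PRIORITY> $HOST $MSG'."""
import re
from collections import namedtuple

# (pattern, mail subject) pairs mirroring the watchfor stanzas in /etc/swatch.conf.
RULES = [
    (re.compile(r"PRIV_AUTH_PASS"), "Enable mode entered"),
    (re.compile(r"CONFIG_I"), "Router configuration"),
    (re.compile(r"LINK-3-UPDOWN"), "Link state change"),
    (re.compile(r"SSH|ssh"), "SSH connection"),
]

# A rule set with only a case-sensitive /SSH/: shows why /ssh/ is needed as well.
CASE_SENSITIVE_SSH_ONLY = [(re.compile(r"SSH"), "SSH connection")]

# threshold type=limit,count=1,seconds=3600
LIMIT_COUNT = 1
LIMIT_SECONDS = 3600


class LimitThreshold:
    """Models swatch 'threshold type=limit': act on the first `count` matches
    inside a window of `seconds`, then stay silent until the window has elapsed;
    the next match after that opens a new window."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.window_start = None
        self.seen = 0

    def allow(self, now):
        if self.window_start is None or now - self.window_start >= self.seconds:
            self.window_start = now
            self.seen = 0
        self.seen += 1
        return self.seen <= self.count


Alert = namedtuple("Alert", "ts subject line")


def run_rules(lines, rules=RULES):
    """lines: iterable of (seconds, log_line) in arrival order.
    Returns the mails the rule set would have produced.  As in swatch, only
    the first matching watchfor is applied to a line (no 'continue' action)."""
    thresholds = [LimitThreshold(LIMIT_COUNT, LIMIT_SECONDS) for _ in rules]
    alerts = []
    for ts, line in lines:
        for (regex, subject), threshold in zip(rules, thresholds):
            if regex.search(line):
                if threshold.allow(ts):
                    alerts.append(Alert(ts, subject, line))
                break
    return alerts


def alert_subjects(lines, rules=RULES):
    """Just the mail subjects that would be sent, in order."""
    return [a.subject for a in run_rules(lines, rules)]


# Constructed sample input (made-up hosts, addresses, times and sequence numbers).
# The first element is the arrival time in seconds relative to the first line.
SAMPLE_LINES = [
    (0, "Mar 12 10:00:01 <local7.notice> rtr1 45: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by admin on vty0 (10.10.1.20)"),
    (40, "Mar 12 10:00:41 <local7.notice> rtr1 46: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.1.20)"),
    (50, "Mar 12 10:00:51 <local7.err> rtr1 47: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down"),
    (53, "Mar 12 10:00:54 <local7.err> rtr1 48: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up"),
    (60, "Mar 12 10:01:01 <auth.info> pc1 sshd[2031]: Accepted publickey for sysadm from 10.10.1.20 port 51022 ssh2"),
    (61, "Mar 12 10:01:02 <auth.info> pc1 sshd[2031]: pam_unix(sshd:session): session opened for user sysadm by (uid=0)"),
    (120, "Mar 12 10:02:01 <cron.info> pc1 CRON[2100]: (root) CMD (run-parts /etc/cron.hourly)"),
    (3700, "Mar 12 11:01:41 <local7.err> rtr1 49: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down"),
]

if __name__ == "__main__":
    # Expect 5 mails: the second UPDOWN (t+53) and second sshd line (t+61) are
    # suppressed by the hourly limit; the UPDOWN at t+3700 opens a new window.
    for a in run_rules(SAMPLE_LINES):
        print(f"t+{a.ts:>5}s  mail sysadm  subject={a.subject!r}")
        print(f"           {a.line}")
```

The suppression is per watchfor, not global: the link flap at t+53 is dropped because the UPDOWN rule already mailed at t+50, while the SSH login at t+60 still goes out. Running the same lines through CASE_SENSITIVE_SSH_ONLY produces no mail at all, because sshd logs in lower case.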


5. Start swatch, telling it which file to follow (without --tail-file it
   watches its default of /var/log/messages or /var/log/syslog, not the
   file we created in step 1):

        # swatch -c /etc/swatch.conf --tail-file=/var/log/everything --daemon

        Check that it is running (you should see the swatch process and the
        tail it spawned; the grep itself will also show up):

        # ps ax | grep swatch

6. Log in to your router, and run some "config" commands (example below).
   Your router must already be sending its syslog messages to your PC,
   otherwise nothing will reach /var/log/everything. Note that telnet sends
   the enable password in clear text; use ssh if your router supports it:

        # telnet 10.10.X.254            [where "X" is your router number]
        rtrX.ws.nsrc.org> enable
        Password: <password>
        rtrX.ws.nsrc.org# config terminal
        rtrX.ws.nsrc.org(config)# int FastEthernet0/0
        rtrX.ws.nsrc.org(config-if)# description Description Change for FastEthernet0/0 for Swatch
        rtrX.ws.nsrc.org(config-if)# <Ctrl-Z>
        rtrX.ws.nsrc.org# write memory
        rtrX.ws.nsrc.org# exit

   Entering enable mode produces a PRIV_AUTH_PASS message and leaving
   configuration mode with Ctrl-Z produces CONFIG_I, so you should receive
   at least two mails. Changing a description does not change the link
   state, so LINK-3-UPDOWN only fires if the interface actually goes down
   or up.

7. Verify that you are receiving emails to the sysadm user from Swatch
   (this needs a working local mail system on your PC, since swatch's mail
   action hands the message to the local mailer):

        $ su - sysadm
        $ mutt -f /var/mail/sysadm

114