1 | Network Management & Monitoring |
---|
2 | Using Swatch |
---|
3 | |
---|
4 | Notes: |
---|
5 | ------ |
---|
6 | * Commands preceded with "$" imply that you should execute the command as |
---|
7 | a general user - not as root. |
---|
8 | * Commands preceded with "#" imply that you should be working as root. |
---|
9 | * Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>") |
---|
10 | imply that you are executing commands on remote equipment, or within |
---|
11 | another program. |
---|
12 | |
---|
13 | Exercises |
---|
14 | --------- |
---|
15 | |
---|
16 | 0. Log in to your PC or open a terminal window as the root user: |
---|
17 | |
---|
18 | $ sudo bash |
---|
19 | |
---|
20 | 1. Let's enable logging of everything to a single file: |
---|
21 | |
---|
22 | # vi /etc/syslog-ng/syslog-ng.conf |
---|
23 | |
---|
24 | - Add this line at the end of the file: |
---|
25 | |
---|
26 | destination everything { |
---|
27 | file("/var/log/everything" |
---|
28 | template("$DATE <$FACILITY.$PRIORITY> $HOST $MSG\n") template_escape(no) |
---|
29 | ); |
---|
30 | }; |
---|
31 | log { source(s_all); destination(everything); }; |
---|
32 | |
---|
33 | ... this will enable logging of ALL messages to a single file, so that we |
---|
34 | can run a monitoring script on the messages. |
---|
35 | |
---|
36 | - Now re-initialize Syslog: |
---|
37 | |
---|
38 | # service syslog-ng restart |
---|
39 | |
---|
40 | 2. Enable a daily automated script to truncate the log file so it doesn't |
---|
41 | grow too big: |
---|
42 | |
---|
43 | # vi /etc/logrotate.d/everything |
---|
44 | |
---|
45 | - In the file add the following: |
---|
46 | |
---|
47 | /var/log/everything { |
---|
48 | daily |
---|
49 | copytruncate |
---|
50 | rotate 1 |
---|
51 | postrotate |
---|
52 | /etc/init.d/swatch restart |
---|
53 | endscript |
---|
54 | } |
---|
55 | |
---|
56 | |
---|
57 | 2. Install swatch |
---|
58 | |
---|
59 | # apt-get install swatch |
---|
60 | |
---|
61 | 3. Create the file /etc/swatch.conf and add the following rules in the file: |
---|
62 | |
---|
63 | # vi /etc/swatch.conf |
---|
64 | |
---|
65 | watchfor /PRIV_AUTH_PASS/ |
---|
66 | mail=sysadm,subject=Enable mode entered |
---|
67 | threshold type=limit,count=1,seconds=3600 |
---|
68 | |
---|
69 | watchfor /CONFIG_I/ |
---|
70 | mail=sysadm,subject=Router configuration |
---|
71 | threshold type=limit,count=1,seconds=3600 |
---|
72 | |
---|
73 | watchfor /LINK-3-UPDOWN/ |
---|
74 | mail=sysadm,subject=Link state change |
---|
75 | threshold type=limit,count=1,seconds=3600 |
---|
76 | |
---|
77 | watchfor /SSH/ |
---|
78 | mail=sysadm,subject=SSH connection |
---|
79 | threshold type=limit,count=1,seconds=3600 |
---|
80 | |
---|
81 | watchfor /ssh/ |
---|
82 | mail=sysadm,subject=SSH connection |
---|
83 | threshold type=limit,count=1,seconds=3600 |
---|
84 | |
---|
85 | |
---|
86 | Save the file and exit |
---|
87 | |
---|
88 | |
---|
89 | 4. Start swatch: |
---|
90 | |
---|
91 | # swatch -c /etc/swatch.conf --daemon |
---|
92 | |
---|
93 | Check that it is running: |
---|
94 | |
---|
95 | # ps ax | grep swatch |
---|
96 | |
---|
97 | 5. Log in to your router, and run some "config" commands (example below): |
---|
98 | |
---|
99 | # telnet 10.10.X.254 [where "X" is your router number] |
---|
100 | rtrX.ws.nsrc.org> enable |
---|
101 | Password: <password> |
---|
102 | rtrX.ws.nsrc.org# config terminal |
---|
103 | rtrX.ws.nsrc.org(config)# int FastEthernet0/0 |
---|
104 | rtrX.ws.nsrc.org(config-int)# description Description Change for FastEthernet0/0 for Swatch |
---|
105 | rtrX.ws.nsrc.org(config-int)# ctrl-z |
---|
106 | rtrX.ws.nsrc.org# write memory |
---|
107 | rtrX.ws.nsrc.org# exit |
---|
108 | |
---|
109 | 6. Verify that you are receiving emails to the sysadmin user from Swatch |
---|
110 | |
---|
111 | $ su - sysadmn |
---|
112 | $ mutt -f /var/mail/sysadm |
---|
113 | |
---|
114 | |
---|