Network Management & Monitoring
Using syslog-ng
---------------

Notes:
------
* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.

Exercises
---------

Please find your classmates who are using the same router as you. Get into
a group and do the following exercise together. That is, pick one person who will
log in to your group's router, but all of you should assist with the actual
configuration.

1. Configure your virtual routers to send syslog messages to your server:

You will telnet to your group's router and do the following:

    $ telnet 10.10.X.254
    rtrX.ws.nsrc.org> enable
    rtrX.ws.nsrc.org# config terminal

Repeat the next command "logging 10.10.X.X" for each PC in your group. That is,
if your group is on router6 and you are using PCs 18, 20, 22, 24 and 26 you would
repeat the command five times with the IP of each machine (10.10.6.18, 10.10.6.20,
and so forth).

    rtrX.ws.nsrc.org(config)# logging 10.10.X.X

    rtrX.ws.nsrc.org(config)# logging facility local5
    rtrX.ws.nsrc.org(config)# logging userinfo
    rtrX.ws.nsrc.org(config)# exit
    rtrX# write memory
    rtrX# exit

Log out from the router (exit).

That's it. The router should now be sending UDP syslog packets to your PC on port 514.
To verify this, log in on your PC and do the following:

    $ sudo bash
    # tcpdump -e -s0 -ni eth0 port 514

Then have one person in your group log back in on the router and do the following:

    $ telnet 10.10.X.254
    rtrX.ws.nsrc.org> enable
    rtrX.ws.nsrc.org# config terminal
    rtrX.ws.nsrc.org(config)# exit
    rtrX.ws.nsrc.org> exit

You should see some output on your PC's screen from tcpdump. It should look something like:

    02:20:24.942289 ca:02:0d:b3:00:08 > 52:54:4a:5e:68:77, ethertype IPv4 (0x0800), length 144: 10.10.0.6.63515 > 10.10.0.250.514: SYSLOG local5.notice, length: 102
    02:20:24.944376 ca:02:0d:b3:00:08 > c4:2c:03:0b:3d:3a, ethertype IPv4 (0x0800), length 144: 10.10.0.6.53407 > 10.10.0.241.514: SYSLOG local5.notice, length: 102

Now you can configure the logging software on your PC to receive this information and log
it to a new set of files:

2. Install syslog-ng

These exercises are done as root. If you are not root on your machine then become
root by typing:

    $ sudo bash

    # apt-get install syslog-ng

3. Edit /etc/syslog-ng/syslog-ng.conf

Find the lines:

    # (this is equivalent to the "-r" syslogd flag)
    # udp();

and change them to:

    # (this is equivalent to the "-r" syslogd flag)
    udp();

At the bottom of the file, add (copy and paste!):

    filter f_routers { facility(local5); };
    log {
        source(s_all);
        filter(f_routers);
        destination(routers);
    };
    destination routers {
        file("/var/log/network/$YEAR/$MONTH/$DAY/$HOST-$YEAR-$MONTH-$DAY-$HOUR.log"
             owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
             template("$YEAR $DATE $HOST $MSG\n"));
    };

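To make the filter and destination above concrete, here is an added example in Python (it is not part of this exercise, of syslog-ng, or of Cisco IOS) that does by hand what the configuration does: it decodes the <PRI> header of a UDP syslog datagram into facility and severity (PRI = facility * 8 + severity, so the "local5.notice" tcpdump printed is "<173>"), keeps only facility local5 like filter f_routers, and appends "$YEAR $DATE $HOST $MSG" to a file named with the same $YEAR/$MONTH/$DAY/$HOST-...-$HOUR.log template. It assumes the routers send RFC 3164-style datagrams with no hostname field, so the sender's IP address stands in for $HOST. It also adds one check the lab config does not have: since UDP syslog is unauthenticated, only datagrams from the addresses in ALLOWED_SOURCES (constructed values) are written. All addresses and messages are constructed.

```python
"""UDP syslog receiver that mirrors the syslog-ng rules used in this lab.

Added example for this handout; it is not part of the exercise, of syslog-ng
or of Cisco IOS.  Assumptions: routers send RFC 3164-style datagrams
("<PRI>message") with no hostname field, so the sender's IP address stands
in for $HOST.  All addresses and messages below are constructed.
"""
import re
import socket
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Optional

# RFC 3164 facility codes (local0-local7 are 16-23; the routers use local5 = 21)
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed: the only routers whose datagrams we accept.  UDP syslog carries no
# authentication, so anything not from these addresses is dropped (the lab's
# syslog-ng.conf does not do this; a host filter or firewall rule would).
ALLOWED_SOURCES = {"10.10.0.6", "10.10.6.254"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(datagram: bytes) -> Optional[dict]:
    """Decode the <PRI> header: PRI = facility * 8 + severity.

    "<173>" is 21 * 8 + 5, i.e. local5.notice, which is exactly what tcpdump
    printed for the router's packets.  Returns None for non-syslog input.
    """
    match = PRI_RE.match(datagram.decode("utf-8", errors="replace"))
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:          # 23 * 8 + 7 is the largest legal value
        return None
    return {"facility": FACILITIES.get(pri // 8, f"facility{pri // 8}"),
            "severity": SEVERITIES[pri % 8],
            "msg": match.group(2).strip()}


def log_path(base: Path, host: str, when: datetime) -> Path:
    """Expand the file() template from the syslog-ng destination."""
    return (base / f"{when:%Y}" / f"{when:%m}" / f"{when:%d}"
            / f"{host}-{when:%Y-%m-%d-%H}.log")


def handle(datagram: bytes, sender_ip: str, when: datetime, base: Path) -> Optional[Path]:
    """Apply the lab's rules to one datagram: known sender, facility local5,
    then append "$YEAR $DATE $HOST $MSG" to the per-host hourly file.
    Returns the path written, or None if the datagram was dropped."""
    if sender_ip not in ALLOWED_SOURCES:
        return None
    parsed = parse_pri(datagram)
    if parsed is None or parsed["facility"] != "local5":   # filter f_routers
        return None
    path = log_path(base, sender_ip, when)
    path.parent.mkdir(parents=True, exist_ok=True)          # create_dirs(yes)
    # $DATE in syslog-ng is the classic "Mar  1 02:20:24" form (day space-padded)
    date = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    with path.open("a") as fh:
        fh.write(f"{when:%Y} {date} {sender_ip} {parsed['msg']}\n")
    return path


def serve(base: Path = Path("/var/log/network"), bind: str = "0.0.0.0", port: int = 514) -> None:
    """Listen the way 'udp();' does.  Binding port 514 requires root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (ip, _port) = sock.recvfrom(8192)
        handle(data, ip, datetime.now(), base)


def demo() -> dict:
    """Run the rules over constructed datagrams in a temporary directory
    (no root, no network) and report what was kept and what was dropped."""
    when = datetime(2011, 3, 1, 2, 20, 24)
    router = b"<173>12: *Mar  1 02:20:24: %SYS-5-CONFIG_I: Configured from console by vty0 (10.10.0.250)"
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        kept = handle(router, "10.10.0.6", when, base)
        return {
            "kept_file": str(kept.relative_to(base)) if kept else None,
            "kept_line": kept.read_text() if kept else "",
            # <134> = local0.info: trusted sender, wrong facility -> dropped
            "wrong_facility": handle(b"<134>not from the routers", "10.10.0.6", when, base),
            # right facility but an address we do not trust -> dropped
            "unknown_sender": handle(router, "192.0.2.99", when, base),
        }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the result of demo(): the accepted message lands in 2011/03/01/10.10.0.6-2011-03-01-02.log in the template format, while the local0 message and the message from an unknown address are dropped. serve() is the equivalent of the udp() source and needs root for port 514, just as syslog-ng does.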
4. Create the directory /var/log/network/

    # mkdir /var/log/network/

5. Restart syslog-ng:

    # service syslog-ng restart

6. On your PC, see if messages are starting to appear under

    /var/log/network/2011/.../

7. If not, try to log back in to the router, run some "config" commands,
then log out, i.e.:

    # telnet 10.10.X.254
    rtrX.ws.nsrc.org> enable
    rtrX.ws.nsrc.org# config terminal
    rtrX.ws.nsrc.org(config)# exit
    rtrX.ws.nsrc.org> exit

Be sure you log out of the router. If too many people log in without logging out
then others cannot gain access to the router.