Agenda: exercises-log-management-syslog-ng.txt

Network Management & Monitoring
Using syslog-ng
---------------

Notes:
------
* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>") 
  imply that you are executing commands on remote equipment, or within 
  another program.

Exercises
---------

Please find your classmates that are using the same router as you. Get in to 
a group and do the following exercise together. That is, pick one person who will
log in to your group's router, but all of you should assist with the actual
configuration.

1. Configure your virtual routers to send syslog messages to your server:

You will telnet to your group's router and do the following:

        $ telnet 10.10.X.254
        rtrX.ws.nsrc.org> enable
        rtrX.ws.nsrc.org# config terminal

Repeat the next command "logging 10.10.X.X" for each PC in your group. That is, 
if your group is on router6 and you are using pcs 18, 20, 22, 24 and 26 you would 
repeat the command five times with the ip of each machine (10.10.6.18, 10.10.6, 20,
and so forth).

        rtrX.ws.nsrc.org(config)# logging 10.10.X.X             

        rtrX.ws.nsrc.org(config)# logging facility local5
        rtrX.ws.nsrc.org(config)# logging userinfo
        rtrX.ws.nsrc.org(config)# exit
        rtrX# write memory
        rtrX# exit

        logout from the router (exit)

That's it. The router should now be sending UDP SYSLOG packets to your PC on port 514. 
To verify this log in on your PC and do the following:

        $ sudo bash
        # tcpdump -e -s0 -ni eth0 port 514

Then have one person in your group log bck in on the router and do the following:

        $ telnet 10.10.X.254
        rtrX.ws.nsrc.org> enable
        rtrX.ws.nsrc.org# config terminal
        rtrX.ws.nsrc.org(config)# exit
        rtrX.ws.nsrc.org> exit

You should see some output on your PC's screen from TCPDUMP. It should look something like:

02:20:24.942289 ca:02:0d:b3:00:08 > 52:54:4a:5e:68:77, ethertype IPv4 (0x0800), length 144: 10.10.0.6.63515 > 10.10.0.250.514: SYSLOG local5.notice, length: 102
02:20:24.944376 ca:02:0d:b3:00:08 > c4:2c:03:0b:3d:3a, ethertype IPv4 (0x0800), length 144: 10.10.0.6.53407 > 10.10.0.241.514: SYSLOG local5.notice, length: 102

Now you can configure the logging softeware on your PC to receive this information and log
it to a new set of files:


2. Install syslog-ng

These exercises are done as root. If you are not root on your machine then become
root by typing:

        $ sudo bash

        # apt-get install syslog-ng

2. Edit /etc/syslog-ng/syslog-ng.conf

Find the lines:

        # (this is equivalent to the "-r" syslogd flag)
        # udp();

and change it to:

        # (this is equivalent to the "-r" syslogd flag)
        udp();

At the bottom of the file, add (copy and paste!):

filter f_routers { facility(local5); };
log {
        source(s_all);
        filter(f_routers);
        destination(routers);
};
destination routers {
 file("/var/log/network/$YEAR/$MONTH/$DAY/$HOST-$YEAR-$MONTH-$DAY-$HOUR.log"
 owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
 template("$YEAR $DATE $HOST $MSG\n"));
};

3. Create the directory /var/log/network/

        # mkdir /var/log/network/

4. Restart syslog-ng:

        # service syslog-ng restart
q
6. On your PC, See if messages are starting to appear under

        /var/log/network/2011/.../

7. If not, try to login back into the router, and run some "config" commands,
   then logout. I.E.

        # telnet 10.10.X.254
        rtrX.ws.nsrc.org> enable
        rtrX.ws.nsrc.org# config terminal
        rtrX.ws.nsrc.org(config)# exit
        rtrX.ws.nsrc.org> exit

Be sure you log out of the router. If too many people log in without logging out
then others cannot gain access to the router.