
File exercises-log-management-syslog-ng.txt, 3.6 KB (added by admin, 8 years ago)
Network Management & Monitoring
Using syslog-ng
---------------

Notes:
------
* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands preceded with a more specific prompt (e.g. "RTR-GW>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.

Exercises
---------

Please find the classmates that are using the same router as you. Get into
a group and do the following exercise together. That is, pick one person who will
log in to your group's router, but all of you should assist with the actual
configuration.
21
1. Configure your virtual routers to send syslog messages to your server:

You will telnet to your group's router and do the following:

        $ telnet 10.10.X.254
        rtrX.ws.nsrc.org> enable
        rtrX.ws.nsrc.org# config terminal

Repeat the next command "logging 10.10.X.X" for each PC in your group. That is,
if your group is on router6 and you are using PCs 18, 20, 22, 24 and 26 you would
repeat the command five times with the IP of each machine (10.10.6.18, 10.10.6.20,
and so forth).

        rtrX.ws.nsrc.org(config)# logging 10.10.X.X

        rtrX.ws.nsrc.org(config)# logging facility local5
        rtrX.ws.nsrc.org(config)# logging userinfo
        rtrX.ws.nsrc.org(config)# exit
        rtrX.ws.nsrc.org# write memory
        rtrX.ws.nsrc.org# exit

        logout from the router (exit)

That's it. The router should now be sending UDP syslog packets to your PC on port 514.
To verify this, log in on your PC and do the following:

        $ sudo bash
        # tcpdump -e -s0 -ni eth0 port 514

Then have one person in your group log back in on the router and do the following:

        $ telnet 10.10.X.254
        rtrX.ws.nsrc.org> enable
        rtrX.ws.nsrc.org# config terminal
        rtrX.ws.nsrc.org(config)# exit
        rtrX.ws.nsrc.org# exit

You should see some output on your PC's screen from tcpdump. It should look something like:

02:20:24.942289 ca:02:0d:b3:00:08 > 52:54:4a:5e:68:77, ethertype IPv4 (0x0800), length 144: 10.10.0.6.63515 > 10.10.0.250.514: SYSLOG local5.notice, length: 102
02:20:24.944376 ca:02:0d:b3:00:08 > c4:2c:03:0b:3d:3a, ethertype IPv4 (0x0800), length 144: 10.10.0.6.53407 > 10.10.0.241.514: SYSLOG local5.notice, length: 102

Now you can configure the logging software on your PC to receive this information and log
it to a new set of files:
66
67
2. Install syslog-ng

These exercises are done as root. If you are not root on your machine then become
root by typing:

        $ sudo bash

        # apt-get install syslog-ng

3. Edit /etc/syslog-ng/syslog-ng.conf

Find the lines:

        # (this is equivalent to the "-r" syslogd flag)
        # udp();

and change them to:

        # (this is equivalent to the "-r" syslogd flag)
        udp();

With no ip() or port() options, udp() listens on port 514 on all interfaces, so
any host that can reach your PC can send it messages.

At the bottom of the file, add (copy and paste!):

filter f_routers { facility(local5); };
destination routers {
        file("/var/log/network/$YEAR/$MONTH/$DAY/$HOST-$YEAR-$MONTH-$DAY-$HOUR.log"
             owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
             template("$YEAR $DATE $HOST $MSG\n"));
};
log {
        source(s_all);
        filter(f_routers);
        destination(routers);
};
102
4. Create the directory /var/log/network/

        # mkdir /var/log/network/

5. Restart syslog-ng:

        # service syslog-ng restart

6. On your PC, see if messages are starting to appear under

        /var/log/network/2011/.../

7. If not, log back in to the router, run some "config" commands and log out
   again, i.e.:

        $ telnet 10.10.X.254
        rtrX.ws.nsrc.org> enable
        rtrX.ws.nsrc.org# config terminal
        rtrX.ws.nsrc.org(config)# exit
        rtrX.ws.nsrc.org# exit

Be sure you log out of the router. If too many people log in without logging out
then others cannot gain access to the router.
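To see what the f_routers filter and the routers destination from step 3 do with the datagrams the router sends, here is an added Python example (not part of the original exercise, and not syslog-ng code): it decodes the RFC 3164 PRI field into facility and severity, keeps only local5 as the filter does, and builds the file path and log line the destination template would produce. The datagrams are constructed, and $HOST, $DATE and $MSG are approximated as noted in the comments.

```python
import re
from datetime import datetime

# RFC 3164 PRI field: PRI = facility * 8 + severity.  Facility names as syslog-ng spells them.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
                  "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample datagrams (not captured traffic).  The first two are what a router
# configured with "logging facility local5" sends when someone enters and leaves config
# mode: local5 = 21, notice = 5, so PRI = 21 * 8 + 5 = 173 (tcpdump shows "local5.notice").
SAMPLE_DATAGRAMS = [
    (b"<173>12: *Mar 14 02:20:24.942: %SYS-5-CONFIG_I: Configured from console by vty0 (10.10.6.18)", "10.10.6.254"),
    (b"<174>13: *Mar 14 02:21:01.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.10.6.18 started", "10.10.6.254"),
    (b"<38>Mar 14 02:22:00 pc18 sshd[1234]: Accepted publickey for admin", "10.10.6.18"),  # auth.info, from a PC
]

PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)

def parse_pri(datagram):
    """Return (facility_name, severity_name, text_after_pri) for a raw datagram."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:        # 191 = local7.debug, the largest legal PRI
        raise ValueError("malformed or out-of-range PRI field")
    facility, severity = divmod(int(m.group(1)), 8)
    return FACILITY_NAMES[facility], SEVERITY_NAMES[severity], m.group(2).decode(errors="replace")

def matches_f_routers(facility):
    """The page's filter:  filter f_routers { facility(local5); };"""
    return facility == "local5"

def destination_path(host, when):
    """File selected by the template $YEAR/$MONTH/$DAY/$HOST-$YEAR-$MONTH-$DAY-$HOUR.log"""
    return when.strftime(f"/var/log/network/%Y/%m/%d/{host}-%Y-%m-%d-%H.log")

def route(datagrams, when):
    """Apply filter and destination to (datagram, sender_ip) pairs; return {path: [lines]}.
    Simplifications: $HOST is the sender IP (syslog-ng's fallback when the message carries
    no hostname and the IP does not reverse-resolve), $DATE is the receive time `when`."""
    files = {}
    for raw, sender in datagrams:
        facility, _severity, msg = parse_pri(raw)
        if not matches_f_routers(facility):
            continue                              # dropped by f_routers, stays in the normal logs
        line = f"{when:%Y %b %d %H:%M:%S} {sender} {msg}"   # template("$YEAR $DATE $HOST $MSG\n")
        files.setdefault(destination_path(sender, when), []).append(line)
    return files

def route_sample():
    """Run the constructed datagrams through the filter at a fixed receive time."""
    return route(SAMPLE_DATAGRAMS, datetime(2011, 3, 14, 2, 20, 24))
```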