| 1 | Network Management & Monitoring |
|---|
| 2 | |
|---|
| 3 | Log management, part I : Using rsyslog |
|---|
| 4 | ---------------------------------------- |
|---|
| 5 | |
|---|
| 6 | Notes: |
|---|
| 7 | ------ |
|---|
| 8 | * Commands preceded with "$" imply that you should execute the command as |
|---|
| 9 | a general user - not as root. |
|---|
| 10 | * Commands preceded with "#" imply that you should be working as root. |
|---|
| 11 | * Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>") |
|---|
| 12 | imply that you are executing commands on remote equipment, or within |
|---|
| 13 | another program. |
|---|
| 14 | |
|---|
| 15 | Exercises |
|---|
| 16 | --------- |
|---|
| 17 | |
|---|
| 18 | The routers are able to send syslog messages to multiple destinations, |
|---|
| 19 | so that 1 router can send messages to 4 or even 5 destinations. |
|---|
| 20 | We therefore need to configure the router to send messages to each of |
|---|
| 21 | the PCs in the group. |
|---|
| 22 | |
|---|
| 23 | 1. Configure your virtual routers to send syslog messages to your server: |
|---|
| 24 | |
|---|
| 25 | You will log in to your group's router and do the following: |
|---|
| 26 | |
|---|
| 27 | $ ssh 10.10.X.254 |
|---|
| 28 | rtrX.ws.nsrc.org> enable |
|---|
| 29 | rtrX.ws.nsrc.org# config terminal |
|---|
| 30 | |
|---|
| 31 | rtrX.ws.nsrc.org(config)# logging 10.10.X.Y |
|---|
| 32 | |
|---|
| 33 | ... where X.X is the IP of your PC (group + number). |
|---|
| 34 | |
|---|
| 35 | rtrX.ws.nsrc.org(config)# logging facility local5 |
|---|
| 36 | rtrX.ws.nsrc.org(config)# logging userinfo |
|---|
| 37 | rtrX.ws.nsrc.org(config)# exit |
|---|
| 38 | rtrX# write memory |
|---|
| 39 | |
|---|
| 40 | Now run "show logging" to see the summary of the log configuration. |
|---|
| 41 | |
|---|
| 42 | The other participants in your group will be doing the same thing, |
|---|
| 43 | so you should not be surprised if you see other destinations as well |
|---|
| 44 | in the output of "show logging" |
|---|
| 45 | |
|---|
| 46 | logout from the router (exit) |
|---|
| 47 | |
|---|
| 48 | rtrX# exit |
|---|
| 49 | |
|---|
| 50 | That's it. The router should now be sending UDP SYSLOG packets to your PC |
|---|
| 51 | on port 514. |
|---|
| 52 | |
|---|
| 53 | To verify this log in on your PC and do the following: |
|---|
| 54 | |
|---|
| 55 | $ sudo bash |
|---|
| 56 | # tcpdump -e -s0 -ni eth0 port 514 |
|---|
| 57 | |
|---|
| 58 | Then have one person in your group log back in on the router and do the |
|---|
| 59 | following: |
|---|
| 60 | |
|---|
| 61 | $ ssh 10.10.X.254 |
|---|
| 62 | rtrX.ws.nsrc.org> enable |
|---|
| 63 | rtrX.ws.nsrc.org# config terminal |
|---|
| 64 | rtrX.ws.nsrc.org(config)# exit |
|---|
| 65 | rtrX.ws.nsrc.org> exit |
|---|
| 66 | |
|---|
| 67 | You should see some output on your PC's screen from TCPDUMP. It should look |
|---|
| 68 | something like: |
|---|
| 69 | |
|---|
| 70 | 02:20:24.942289 ca:02:0d:b3:00:08 > 52:54:4a:5e:68:77, ethertype IPv4 (0x0800), length 144: 10.10.0.6.63515 > 10.10.0.250.514: SYSLOG local5.notice, length: 102 |
|---|
| 71 | 02:20:24.944376 ca:02:0d:b3:00:08 > c4:2c:03:0b:3d:3a, ethertype IPv4 (0x0800), length 144: 10.10.0.6.53407 > 10.10.0.241.514: SYSLOG local5.notice, length: 102 |
|---|
| 72 | |
|---|
| 73 | Now you can configure the logging software on your PC to receive this |
|---|
| 74 | information and log it to a new set of files: |
|---|
| 75 | |
|---|
| 76 | |
|---|
| 77 | 2. Configure rsyslog |
|---|
| 78 | |
|---|
| 79 | Edit file /etc/rsyslog.conf and find and un-comment the following lines: |
|---|
| 80 | |
|---|
| 81 | #$ModLoad imudp |
|---|
| 82 | #$UDPServerRun 514 |
|---|
| 83 | |
|---|
| 84 | (remove #) |
|---|
| 85 | |
|---|
| 86 | Then comment-out the following change: |
|---|
| 87 | |
|---|
| 88 | $PrivDropToUser syslog |
|---|
| 89 | $PrivDropToGroup syslog |
|---|
| 90 | |
|---|
| 91 | (add #) |
|---|
| 92 | |
|---|
| 93 | Then save the file and exit. |
|---|
| 94 | |
|---|
| 95 | Now, create a file named "/etc/rsyslog.d/99-routerlogs.conf, with the following lines: |
|---|
| 96 | |
|---|
| 97 | $template RouterLogs,"/var/log/network/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%-%$HOUR%.log" |
|---|
| 98 | local5.* -?RouterLogs |
|---|
| 99 | |
|---|
| 100 | Save and exit, then: |
|---|
| 101 | |
|---|
| 102 | # mkdir /var/log/network |
|---|
| 103 | # chown syslog /var/log/network |
|---|
| 104 | |
|---|
| 105 | 4. Restart rsyslog |
|---|
| 106 | |
|---|
| 107 | # service rsyslog restart |
|---|
| 108 | |
|---|
| 109 | 6. On your PC, See if messages are starting to appear under |
|---|
| 110 | |
|---|
| 111 | /var/log/network/2011/.../ |
|---|
| 112 | |
|---|
| 113 | 7. If not, try to login back into the router, and run some "config" commands, |
|---|
| 114 | then logout. I.E. |
|---|
| 115 | |
|---|
| 116 | # ssh 10.10.X.254 |
|---|
| 117 | rtrX.ws.nsrc.org> enable |
|---|
| 118 | rtrX.ws.nsrc.org# config terminal |
|---|
| 119 | rtrX.ws.nsrc.org(config)# exit |
|---|
| 120 | rtrX.ws.nsrc.org> exit |
|---|
| 121 | |
|---|
| 122 | Be sure you log out of the router when you are finished. |
|---|
| 123 | If too many people log in without logging out then others cannot gain access |
|---|
| 124 | to the router. |
|---|
| 125 | |
|---|
| 126 | Other commands to try while you are logged into the router, in config mode: |
|---|
| 127 | |
|---|
| 128 | - shutdown / no shutdown the Loopback interfaces, for example: |
|---|
| 129 | |
|---|
| 130 | rtrX# conf t |
|---|
| 131 | rtrX(config)# interface Loopback 999 |
|---|
| 132 | rtrX(config-if) # shutdown |
|---|
| 133 | |
|---|
| 134 | wait a few seconds |
|---|
| 135 | |
|---|
| 136 | rtrX(config-if) # no shutdown |
|---|
| 137 | |
|---|
| 138 | Then exit, and save the config ("write") |
|---|
| 139 | |
|---|
| 140 | |
|---|
| 141 | Check the logs under /var/log/network |
|---|
| 142 | |
|---|
| 143 | Still no logs? |
|---|
| 144 | |
|---|
| 145 | Try the following command to send a test log message locally: |
|---|
| 146 | |
|---|
| 147 | # logger -p local5.info "Hello World!" |
|---|
| 148 | |
|---|
| 149 | If a file has not been created yet under /var/log/network, then check your configuration for typos. |
|---|
| 150 | Don't forget to restart the rsyslog service each time you change the configuration. |
|---|
| 151 | |
|---|
| 152 | What other commands can you think of that you can run on the |
|---|
| 153 | router (BE CAREFUL!) that will trigger syslog messages ? |
|---|
| 154 | |
|---|
| 155 | What about access lists ? |
|---|
| 156 | |
|---|
| 157 | Others ? |
|---|
| 158 | |
|---|