File exercises-log-management-rsyslog.txt, 4.2 KB (added by admin, 7 years ago)
Network Management & Monitoring

Log management, part I : Using rsyslog
----------------------------------------

Notes:
------
* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific prompts (e.g. "RTR-GW>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.

Exercises
---------

The routers can send syslog messages to multiple destinations, so one
router can send messages to four or even five destinations at once. Each
participant therefore configures the router to send messages to their own
PC, so that every PC in the group receives a copy of the router's logs.

1. Configure your group's virtual router to send syslog messages to your
   PC, which will act as the syslog server:

Log in to your group's router and do the following:

        $ ssh 10.10.X.254
        rtrX.ws.nsrc.org> enable
        rtrX.ws.nsrc.org# config terminal

        rtrX.ws.nsrc.org(config)# logging 10.10.X.Y

        ... where 10.10.X.Y is the IP address of your PC (X is your group
        number, Y is your PC number).

        rtrX.ws.nsrc.org(config)# logging facility local5
        rtrX.ws.nsrc.org(config)# logging userinfo
        rtrX.ws.nsrc.org(config)# exit
        rtrX.ws.nsrc.org# write memory

"logging facility local5" tags every message the router sends with the
syslog facility local5; the rsyslog rule you write later selects on that
facility, so the router logs end up in their own set of files.

Now run "show logging" to see a summary of the logging configuration,
including the list of hosts the router sends its messages to.

The other participants in your group will be doing the same thing,
so you should not be surprised if you see other destinations as well
in the output of "show logging".

Log out from the router:

        rtrX.ws.nsrc.org# exit

That's it. The router should now be sending syslog messages to your PC as
UDP packets to port 514. Keep in mind that classic UDP syslog is neither
authenticated nor encrypted, and delivery is best-effort: anything that
can reach port 514 on your PC can inject messages, so outside the
workshop you would restrict which sources your syslog server accepts.

To verify this, log in on your PC and capture the traffic to port 514
(replace eth0 with your PC's network interface if it is named differently):

        $ sudo bash
        # tcpdump -e -s0 -ni eth0 port 514

Then have one person in your group log back in on the router, enter and
leave configuration mode, and log out again; leaving configuration mode
makes the router emit a log message:

        $ ssh 10.10.X.254
        rtrX.ws.nsrc.org> enable
        rtrX.ws.nsrc.org# config terminal
        rtrX.ws.nsrc.org(config)# exit
        rtrX.ws.nsrc.org# exit

You should see some output on your PC's screen from tcpdump. It should look
something like:

02:20:24.942289 ca:02:0d:b3:00:08 > 52:54:4a:5e:68:77, ethertype IPv4 (0x0800), length 144: 10.10.0.6.63515 > 10.10.0.250.514: SYSLOG local5.notice, length: 102
02:20:24.944376 ca:02:0d:b3:00:08 > c4:2c:03:0b:3d:3a, ethertype IPv4 (0x0800), length 144: 10.10.0.6.53407 > 10.10.0.241.514: SYSLOG local5.notice, length: 102

tcpdump decodes the syslog priority for you: "local5.notice" means
facility local5 (as configured on the router) and severity notice. In the
capture above the same message went out once to each configured
destination (10.10.0.250 and 10.10.0.241). If you see nothing at all,
check the logging destination on the router and any firewall on your PC
before touching the rsyslog configuration.

Now you can configure the logging software on your PC to receive this
information and log it to a new set of files:


2. Configure rsyslog

Edit the file /etc/rsyslog.conf, find the following lines and un-comment
them (remove the leading "#") so that rsyslog loads the UDP input module
and listens on port 514:

        #$ModLoad imudp
        #$UDPServerRun 514

Then comment out the following lines (add a leading "#"):

        $PrivDropToUser syslog
        $PrivDropToGroup syslog

This keeps rsyslogd running as root instead of dropping to the
unprivileged syslog user. It is done in this exercise only to avoid
permission problems when rsyslog creates the per-day directories under
/var/log/network. Since that directory is handed to the syslog user
below, you can also try leaving these two lines in place; if the files
still appear, keep privilege dropping enabled.

Then save the file and exit.

Now create a file named "/etc/rsyslog.d/99-routerlogs.conf" with the
following lines:

        $template RouterLogs,"/var/log/network/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%-%$HOUR%.log"
        local5.*                -?RouterLogs

The template produces one directory per day and one file per sending
host and per hour; rsyslog creates the missing directories itself. In
the rule, "?" means that the name following it is a template rather than
a literal file name, and "-" tells rsyslog not to flush the file after
every message. %HOSTNAME% is the name rsyslog records for the sender: if
the router's messages carry no hostname and the router's address does
not resolve in DNS, this will be the router's IP address, so expect file
names such as 10.10.X.254-02.log. The messages will also keep matching
any catch-all rules in the default configuration (for example the one
writing /var/log/syslog), so they appear in both places.

Save and exit, then create the directory and make it writable by the
user rsyslog normally runs as:

        # mkdir /var/log/network
        # chown syslog /var/log/network

3. Restart rsyslog

        # service rsyslog restart

4. On your PC, see if messages are starting to appear under

        /var/log/network/2011/.../

   (the year, month and day directories are created from the date on
   which the messages arrive).

5. If not, log back in to the router, enter and leave configuration mode,
   then log out, i.e.

        $ ssh 10.10.X.254
        rtrX.ws.nsrc.org> enable
        rtrX.ws.nsrc.org# config terminal
        rtrX.ws.nsrc.org(config)# exit
        rtrX.ws.nsrc.org# exit

Be sure you log out of the router when you are finished.
If too many people log in without logging out, the router runs out of
login sessions and others cannot gain access to it.

Other commands to try while you are logged into the router, in config mode:

- shutdown / no shutdown the Loopback interfaces, for example:

        rtrX# conf t
        rtrX(config)# interface Loopback 999
        rtrX(config-if)# shutdown

        wait a few seconds

        rtrX(config-if)# no shutdown

        Then exit, and save the config ("write")


Check the logs under /var/log/network

Still no logs?

Try the following command to send a test log message locally:

# logger -p local5.info "Hello World!"

This exercises only the rsyslog rule and the template, not the network
path: the message is written to a file named after your PC's own
hostname. If "Hello World!" shows up under /var/log/network but the
router's messages do not, the problem is in the UDP input (the imudp
lines in /etc/rsyslog.conf), in a firewall on your PC, or on the router,
so go back to the tcpdump check.
If no file has been created under /var/log/network at all, check your
configuration for typos.
Don't forget to restart the rsyslog service each time you change the
configuration.

What other commands can you think of that you can run on the
router (BE CAREFUL!) that will trigger syslog messages?

What about access lists?

Others?
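The following is an added example and is not part of the original exercise, of
rsyslog or of Cisco IOS. It reproduces in Python the three things this exercise
relies on: decoding the <PRI> field that tcpdump showed as "local5.notice",
computing the file name the RouterLogs template produces for a message, and
scanning lines in the format rsyslog writes for the events these exercises
trigger (leaving configuration mode, loopback shutdown/no shutdown) together
with access-list log entries and failed logins, which relate to the questions
above. The datagram and the log lines in the block are constructed by hand in
the shape IOS and rsyslog normally produce; the sender address 10.10.0.6 is
taken from the tcpdump output above, and the sequence numbers, timestamps and
ACL number are assumptions.

```python
"""Added example (not from the NSRC exercise, rsyslog or IOS): decode what
arrives on UDP port 514, reproduce the RouterLogs template, and scan the
resulting log lines for the events this exercise triggers.
Assumption: the datagram and log lines below are constructed by hand."""
import re
from datetime import datetime

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock", "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)
# Cisco IOS message body: %FACILITY-SEVERITY-MNEMONIC: free text
IOS_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)")


def decode_pri(pri):
    """Split a <PRI> value into (facility, severity) names.
    PRI = facility * 8 + severity, so local5.notice is 21 * 8 + 5 = 173."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_datagram(data):
    """Parse one UDP syslog datagram as an IOS router sends it. Returns the
    facility, severity and raw text; when the text carries an IOS
    %FAC-SEV-MNEMONIC header those fields are added as well."""
    m = PRI_RE.match(data)
    if not m:
        raise ValueError("no <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    text = m.group(2).decode("ascii", "replace")
    out = {"facility": facility, "severity": severity, "msg": text}
    ios = IOS_RE.search(text)
    if ios:
        out.update(ios_facility=ios.group(1), ios_severity=int(ios.group(2)),
                   mnemonic=ios.group(3), text=ios.group(4))
    return out


def template_path(hostname, received, root="/var/log/network"):
    """Reproduce /var/log/network/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%-%$HOUR%.log.
    The %$...% properties come from the local time at which rsyslog received
    the message, not from any timestamp inside the message."""
    return "%s/%04d/%02d/%02d/%s-%02d.log" % (
        root, received.year, received.month, received.day, hostname,
        received.hour)


# IOS mnemonics worth flagging when reading the collected router logs.
WATCH = {
    "CONFIG_I": "configuration mode left (config may have changed)",
    "CHANGED": "interface administratively shut/unshut",
    "UPDOWN": "interface or line-protocol state change",
    "IPACCESSLOGP": "access-list match (tcp/udp) logged",
    "LOGIN_FAILED": "failed login attempt",
}

# Constructed sample in rsyslog's default file format: "MMM DD HH:MM:SS
# <sender> <IOS message>", with the sender shown as an IP address.
SAMPLE_LOG = """\
Mar  1 02:20:24 10.10.0.6 35: *Mar  1 02:20:24.942: %SYS-5-CONFIG_I: Configured from console by vty0 (10.10.0.250)
Mar  1 02:21:02 10.10.0.6 36: *Mar  1 02:21:02.113: %LINK-5-CHANGED: Interface Loopback999, changed state to administratively down
Mar  1 02:21:09 10.10.0.6 37: *Mar  1 02:21:09.301: %LINK-3-UPDOWN: Interface Loopback999, changed state to up
Mar  1 02:21:09 10.10.0.6 38: *Mar  1 02:21:09.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback999, changed state to up
Mar  1 02:23:41 10.10.0.6 39: *Mar  1 02:23:41.004: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.10.0.250(40123) -> 10.10.0.254(23), 1 packet
Mar  1 02:25:00 10.10.0.6 40: *Mar  1 02:25:00.500: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.10.0.99] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 02:26:10 10.10.0.6 41: *Mar  1 02:26:10.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.10.0.250 started - CLI initiated
"""


def find_events(lines):
    """Return (mnemonic, sender, text) for each line whose IOS mnemonic is in
    WATCH. Lines without an IOS header, or with an unwatched mnemonic (such
    as the LOGGINGHOST_STARTSTOP line above), are skipped."""
    events = []
    for line in lines:
        ios = IOS_RE.search(line)
        if not ios or ios.group(3) not in WATCH:
            continue
        fields = line.split()
        sender = fields[3] if len(fields) > 3 else "?"
        events.append((ios.group(3), sender, ios.group(4)))
    return events


if __name__ == "__main__":
    # Constructed datagram matching the tcpdump line "SYSLOG local5.notice".
    sample = (b"<173>35: *Mar  1 02:20:24.942: %SYS-5-CONFIG_I: "
              b"Configured from console by vty0 (10.10.0.250)")
    print(parse_datagram(sample))
    print(template_path("10.10.0.6", datetime(2011, 3, 1, 2, 20, 24)))
    for mnemonic, sender, text in find_events(SAMPLE_LOG.splitlines()):
        print("%-13s %s: %s (%s)" % (mnemonic, sender, text, WATCH[mnemonic]))
```

Run it directly to see the decoded sample datagram, the path the template
would produce for it, and the flagged events. To read real collected logs,
pass the lines of any file under /var/log/network to find_events(); the path
of that file is what template_path() computes for the sender and the receive
time.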
158