Agenda: exercises-log-management-tenshi.htm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta http-equiv="Content-Style-Type" content="text/css" />
  <meta name="generator" content="pandoc" />
  <title>Log Management Part 2: Using Tenshi</title>
  <link rel="stylesheet" href="../../style.css" type="text/css" />
</head>
<body>
<div id="header">
<h1 class="title">Log Management Part 2: Using Tenshi</h1>
<h3 class="date">Network Monitoring &amp; Management</h3>
</div>
<div id="TOC">
<ul>
<li><a href="#notes"><span class="toc-section-number">1</span> Notes</a></li>
<li><a href="#exercises"><span class="toc-section-number">2</span> Exercises</a><ul>
<li><a href="#update-syslog-ng-configuration"><span class="toc-section-number">2.1</span> Update syslog-ng configuration</a></li>
<li><a href="#log-rotation"><span class="toc-section-number">2.2</span> Log rotation</a></li>
<li><a href="#install-tenshi"><span class="toc-section-number">2.3</span> Install tenshi</a></li>
<li><a href="#configure-tenshi"><span class="toc-section-number">2.4</span> Configure tenshi</a></li>
<li><a href="#testing-tenshi"><span class="toc-section-number">2.5</span> Testing Tenshi</a></li>
<li><a href="#optional-add-a-new-tenshi-rule"><span class="toc-section-number">2.6</span> Optional: Add a new Tenshi rule</a></li>
</ul></li>
</ul>
</div>
<h1 id="notes"><a href="#TOC"><span class="header-section-number">1</span> Notes</a></h1>
<ul>
<li>Commands preceded with &quot;$&quot; imply that you should execute the command as a general user - not as root.</li>
<li>Commands preceded with &quot;#&quot; imply that you should be working as root.</li>
<li>Commands with more specific command lines (e.g. &quot;rtrX&gt;&quot; or &quot;mysql&gt;&quot;) imply that you are executing commands on remote equipment, or within another program.</li>
</ul>
<h1 id="exercises"><a href="#TOC"><span class="header-section-number">2</span> Exercises</a></h1>
<p>First make sure that your routers are configured to send logs to your PC (this should have been done in the previous exercise).</p>
<h2 id="update-syslog-ng-configuration"><a href="#TOC"><span class="header-section-number">2.1</span> Update syslog-ng configuration</a></h2>
<p>If you have not already done so, log in to your virtual machine and become the root user:</p>
<pre><code>$ sudo -s
#</code></pre>
<p>Configure syslog-ng to save all router logs in one file for monitoring purposes.</p>
<p>Edit <code>/etc/syslog-ng/conf.d/10-network.conf</code>,</p>
<pre><code># cd /etc/syslog-ng/conf.d/
# editor 10-network.conf</code></pre>
<p>... and add this before the last closing brace ( }; ):</p>
<pre><code>file(&quot;/var/log/network/everything&quot;, owner(root) group(root) perm(0644));</code></pre>
<p>In the end, the contents of the file should look like:</p>
<pre><code>filter f_routers { facility(local0); };

log {
    source(s_src);
    filter(f_routers);
    destination(routers);
};

destination routers {
  file(&quot;/var/log/network/$YEAR/$MONTH/$DAY/$HOST-$YEAR-$MONTH-$DAY-$HOUR.log&quot;
  owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
  template(&quot;$YEAR $DATE $HOST $MSG\n&quot;));

  file(&quot;/var/log/network/everything&quot;, owner(root) group(root) perm(0644));

};</code></pre>
<p>This will enable logging of ALL messages matching the local0 facility to a single file, so that we can run a monitoring script on the messages.</p>
<p>Be sure to save and exit from the file.</p>
<p>Now restart syslog-ng so that is sees the new configuration:</p>
<pre><code># service syslog-ng restart</code></pre>
<h2 id="log-rotation"><a href="#TOC"><span class="header-section-number">2.2</span> Log rotation</a></h2>
<p>Create a daily automated script to truncate the log file so it doesn't grow too big (COPY and PASTE):</p>
<pre><code># editor /etc/logrotate.d/everything

/var/log/network/everything {
  daily
  copytruncate
  rotate 1
  postrotate
    /etc/init.d/tenshi restart
  endscript
}</code></pre>
<p>Then save and exit from the file.</p>
<h2 id="install-tenshi"><a href="#TOC"><span class="header-section-number">2.3</span> Install tenshi</a></h2>
<pre><code># apt-get install tenshi</code></pre>
<h2 id="configure-tenshi"><a href="#TOC"><span class="header-section-number">2.4</span> Configure tenshi</a></h2>
<p>Configure Tenshi to send you alarms when the routers are configured (COPY and PASTE):</p>
<pre><code># editor /etc/tenshi/includes-available/network

set logfile /var/log/network/everything
set queue network_alarms tenshi@localhost sysadm@localhost [*/1 * * * *] Log check

group_host 10.10
network_alarms SYS-5-CONFIG_I
network_alarms PRIV_AUTH_PASS
network_alarms LINK
group_end</code></pre>
<p>Then save and exit from the file.</p>
<p>Create a symlink so that Tenshi loads your new file (COPY and PASTE):</p>
<pre><code># ln -s /etc/tenshi/includes-available/network /etc/tenshi/includes-active</code></pre>
<p>Finally restart Tenshi:</p>
<pre><code># service tenshi restart</code></pre>
<h2 id="testing-tenshi"><a href="#TOC"><span class="header-section-number">2.5</span> Testing Tenshi</a></h2>
<p>Log in to your router, and run some &quot;config&quot; commands (example below):</p>
<pre><code>$ ssh cisco@rtrX        [where &quot;X&quot; is your router number]
rtrX&gt; enable
Password: &lt;password&gt;
rtrX# config terminal
rtrX(config)# int FastEthernet0/0
rtrX(config-if)# description Description Change for FastEthernet0/0 for Tenshi
rtrX(config-if)# ctrl-z
rtrX# write memory</code></pre>
<p>Don't exit from the router yet. Just as in the previous syslog-ng exercises, attempt to shutdown / no shutdown loopback interface:</p>
<pre><code>rtrX# conf t
rtrX(config)# interface Loopback 999
rtrX(config-if)# shutdown</code></pre>
<p>wait a few seconds</p>
<pre><code>rtrX(config-if)# no shutdown</code></pre>
<p>Then exit, and save the config (&quot;write mem&quot;):</p>
<pre><code>rtrX(config-if)# ctrl-z                 (same as exit, exit twice)
rtrX# write memory
rtrX# exit</code></pre>
<p>Verify that you are receiving emails to the sysadm user from Tenshi. A quick check is to look in the mail directory:</p>
<pre><code>$ ls -l /var/mail</code></pre>
<ul>
<li>Note: Tenshi checks /var/log/network/everything once a minute, so you may have to wait up to a minute for the email to arrive to the sysadm user.</li>
</ul>
<p>Make sure you are logged in as sysadm (not root). Either open a new session to your virtual machine, or exit from the root user (exit). Then do:</p>
<pre><code>$ mutt</code></pre>
<p>Scroll <code>up/down</code> to select a message from &quot;tenshi@localhost&quot;, then press <code>ENTER</code> to view it, and <code>q</code> to quit and 'q' again to quit mutt.</p>
<p>If mails are not arriving, then check the following:</p>
<ul>
<li><p>Are logs arriving in the file <code>/var/log/network/everything</code>?</p>
<pre><code>$ tail /var/log/network/everything</code></pre></li>
<li><p>Do these logs show a hostname like 'rtr5', or possibly an IP like 10.10.5.254 ? Remember that the way we have configured tenshi, it only looks at hostnames or IP addresses matching the pattern 'rtr' or '10.10' (depending on how you configured tenshi).</p></li>
<li><p>Check your tenshi configuration file. Restart tenshi if you change it.</p></li>
<li><p>If you are still stuck ask an instructor or a neighbor for help.</p></li>
</ul>
<h2 id="optional-add-a-new-tenshi-rule"><a href="#TOC"><span class="header-section-number">2.6</span> Optional: Add a new Tenshi rule</a></h2>
<p>See if you can figure out how to add a rule to Tenshi so that an email is sent if someone enters an incorrect enable password on your router.</p>
<p>Hints:</p>
<ul>
<li>&quot;PRIV_AUTH_FAIL&quot; is the Cisco IOS log message in such cases.</li>
<li>To test your new rule log in to your router, type &quot;enable&quot; and then enter an incorrect enable password.</li>
</ul>
</body>
</html>