
File exercises-log-management-rsyslog.page, 9.0 KB (added by andy, 6 years ago)
% Log Management Part 1: Using rsyslog
%
% Network Monitoring & Management

# Notes

* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.

# Exercise

The routers are able to send syslog messages to multiple destinations,
so that one router can send messages to 4 or even 5 destinations.
We therefore need to configure the router to send messages to each of
the PCs in the group.

## Configure sending of syslog messages from your group's router

Configure your virtual router to send syslog messages to every server
in your group.

Everyone in your group should log into your group's router and do the
following (assuming you are already logged in on your virtual machine):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ssh cisco@rtrX
rtrX> enable
rtrX# config terminal

rtrX(config)# logging 10.10.X.Y

... where X.Y is the IP of your PC (group + number, example pc2 = 10.10.1.2).

rtrX(config)# logging facility local0
rtrX(config)# logging userinfo
rtrX(config)# exit
rtrX# write memory
rtrX# exit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now run `show logging` to see the summary of the log configuration.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtrX# show logging
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The other participants in your group will be doing the same thing, so you
should not be surprised if you see other destinations as well in the output
of "show logging". Press SPACE to page through the output.

Logout from the router (exit):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtrX# exit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

That's it. The router should now be sending UDP SYSLOG packets to your PC
on port 514.

To verify this, log in on your PC as user sysadm (if you have not already done so)
and do the following:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo bash
# apt-get install tcpdump                               (if already installed, don't worry)
# tcpdump -s0 -n -i eth0 udp port 514
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Then have one person in your group log back in on the router and do the
following:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ssh cisco@rtrX
rtrX> enable
rtrX# config terminal
rtrX(config)# exit
rtrX# exit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You should see some output on your PC's screen from `tcpdump`. It should look
something like:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
11:20:24.942289 10.10.1.254.63515 > 10.10.1.1.514: SYSLOG local0.notice, length: 110
11:20:24.944376 10.10.1.254.53407 > 10.10.1.1.514: SYSLOG local0.notice, length: 102
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When you have seen this, hit Ctrl-C to exit tcpdump.

Aside: tcpdump would also show you the *content* of the syslog messages if you
add `-v` to the command line. To learn more about tcpdump, type `man tcpdump` at
the command line.

Now you can configure the logging software on your PC to receive this
information and log it to a new set of files.


## Configure rsyslog

Be sure you are logged in to your virtual machine and that you are the
root user.

Edit the file /etc/rsyslog.conf:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# editor /etc/rsyslog.conf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

...and find and un-comment the following lines
(that is, remove the initial '#' only):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#$ModLoad imudp
#$UDPServerRun 514

change to:

$ModLoad imudp
$UDPServerRun 514
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Then change this line:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$PrivDropToGroup syslog

change to:

$PrivDropToGroup adm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Then save the file and exit.

Now, create a file named "/etc/rsyslog.d/30-routerlogs.conf":

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# editor /etc/rsyslog.d/30-routerlogs.conf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

... and add the following lines (carefully COPY and PASTE):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$template	RouterLogs,"/var/log/network/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%-%$HOUR%.log"
local0.*	-?RouterLogs
& ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PLEASE double check (verify) that what you have pasted is the SAME as what
is above. In particular, make sure that you are using TAB and not SPACE
between "template" and "RouterLogs", and also between "local0.*" and
"-?RouterLogs".

If the above is not pasted correctly, it will NOT work.
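To see what is actually inside the UDP packets tcpdump summarised earlier, and what the three lines above make rsyslog do with them, here is an added worked example in Python. It is not code from this page or from rsyslog: it decodes the syslog `<PRI>` header (which is where tcpdump's `local0.notice` comes from), applies the `local0.*` selector, fills in the `RouterLogs` template from the processing time and the sender's name, and shows `& ~` discarding the message so it does not also reach the default log files. The router message, the sshd message, the hosts table and the reception time are all constructed; the `%SYS-5-CONFIG_I` line only imitates the shape of an IOS config-change message. The selector parser handles one `facility.priority` per line, which is all this exercise needs.

```python
"""Decode a syslog/UDP datagram the way rsyslog does and run it through the
exercise's 30-routerlogs.conf rules.  Added example; not code from the page.
The datagrams and the hosts table below are constructed."""
import datetime as dt
import re

# RFC 3164 facility numbers: 16..23 are local0..local7, so "logging facility
# local0" on the router gives facility 16.  Unlisted numbers fall back to "facilityN".
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)\Z", re.DOTALL)


def decode_pri(payload: bytes):
    """Split off the <PRI> header.  PRI = facility*8 + severity, so <133> is
    16*8 + 5 = local0.notice, which is what tcpdump printed above."""
    m = PRI_RE.match(payload)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return (FACILITY_NAMES.get(facility, f"facility{facility}"),
            SEVERITY_NAMES[severity], m.group(2).decode("utf-8", "replace"))


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Classic 'facility.priority' selector (one per line): '*' matches all,
    'none' nothing, a named priority matches that level and everything more urgent."""
    fac_part, _, pri_part = selector.partition(".")
    if fac_part != "*" and facility not in fac_part.split(","):
        return False
    if pri_part in ("*", "none"):
        return pri_part == "*"
    return SEVERITY_NAMES.index(severity) <= SEVERITY_NAMES.index(pri_part)


def expand_template(template: str, hostname: str, now: dt.datetime) -> str:
    """%$YEAR%/%$MONTH%/%$DAY%/%$HOUR% come from the time the message is
    processed (zero-padded); %HOSTNAME% is the sender's name."""
    props = {"$YEAR": f"{now.year:04d}", "$MONTH": f"{now.month:02d}",
             "$DAY": f"{now.day:02d}", "$HOUR": f"{now.hour:02d}", "HOSTNAME": hostname}
    return re.sub(r"%([^%]+)%", lambda m: props[m.group(1)], template)


# The exercise's rules.  "-?RouterLogs": '-' = no fsync per write, '?' = file
# name from the named template.  "& ~": '&' = same selector as the line
# before, '~' = discard, so local0 messages stop here instead of also going
# to /var/log/syslog through the default rules in rsyslog.conf.
TEMPLATES = {"RouterLogs": "/var/log/network/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%-%$HOUR%.log"}
RULES = [("local0.*", "-?RouterLogs"), ("&", "~")]


def route(payload: bytes, sender_ip: str, now: dt.datetime, hosts: dict) -> dict:
    """Run one datagram through RULES: which files it lands in, and whether
    '& ~' discarded it before the default rules would see it."""
    facility, severity, text = decode_pri(payload)
    # IOS messages carry no hostname field; rsyslog names the sender through
    # DNS or /etc/hosts, else uses the IP.  'hosts' stands in for that lookup.
    hostname = hosts.get(sender_ip, sender_ip)
    result = {"facility": facility, "severity": severity, "text": text,
              "files": [], "discarded": False}
    previous = None
    for selector, action in RULES:
        selector = previous if selector == "&" else selector
        previous = selector
        if not selector_matches(selector, facility, severity):
            continue
        if action == "~":
            result["discarded"] = True
            break
        name = action.lstrip("-?")
        target = TEMPLATES[name] if "?" in action else name
        result["files"].append(expand_template(target, hostname, now))
    return result


# Constructed samples: a router config-change message (local0.notice, PRI 133)
# and an sshd line from the PC itself (auth.info, PRI 4*8+6 = 38).
ROUTER_MSG = (b"<133>42: *Mar  1 11:20:24.938: %SYS-5-CONFIG_I: "
              b"Configured from console by cisco on vty0 (10.10.1.2)")
LOCAL_MSG = b"<38>sshd[1234]: Accepted publickey for sysadm from 10.10.1.2 port 50000 ssh2"
HOSTS = {"10.10.1.254": "rtr1"}
RECEIVED_AT = dt.datetime(2012, 3, 1, 11, 20, 24)

if __name__ == "__main__":
    for payload, src in ((ROUTER_MSG, "10.10.1.254"), (LOCAL_MSG, "127.0.0.1")):
        r = route(payload, src, RECEIVED_AT, HOSTS)
        print(f"{r['facility']}.{r['severity']} length={len(payload)} "
              f"files={r['files']} discarded={r['discarded']}")
```

Running it shows the router message being written once to `/var/log/network/2012/03/01/rtr1-11.log` and then discarded, while the PC's own sshd message matches neither line and falls through to whatever rsyslog.conf does by default. Because `%$HOUR%` is taken from the processing time, a file named like `rtr8-16.log` holds the messages rtr8 sent during the 16:00 hour, which is why the file names you see later in the exercise vary.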

Save and exit, then do:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# mkdir /var/log/network
# chown syslog:adm /var/log/network
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Restart rsyslog:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# service rsyslog restart
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


## Test syslog

To be sure there are some logging messages, log back in to the router, run
some "config" commands, then log out, e.g.:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ssh cisco@rtrX
rtrX> enable
rtrX# config terminal
rtrX(config)# exit
rtrX# exit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be sure you log out of the router when you are finished. If too many people
log in without logging out then others cannot gain access to the router.

On your PC, see if messages are starting to appear under
`/var/log/network/<year>/<month>/<day>/`

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ cd /var/log/network
$ ls
$ cd 2012
$ ls
... this will show you the directory for the month
... cd into this directory
$ ls
... repeat for the next level (the day of the month)
$ ls
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Then use 'tail' to look at the log file(s) in this directory. The names
are dynamic, built from the sending router's hostname and the hour of the day
(as in the template), so use the file that you see.
It may be something like this:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ls
rtr8-16.log
$ tail rtr8-16.log
... logging messages are shown ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

## Troubleshooting rsyslog

If no files are appearing under the /var/log/network directory, then
another command to try while logged into the router, in config mode, is
to shutdown / no shutdown a Loopback interface, for example:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ssh cisco@rtrX
rtrX> enable
rtrX# conf t
rtrX(config)# interface Loopback 999
rtrX(config-if)# shutdown
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wait a few seconds, then:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtrX(config-if)# no shutdown
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Then exit, and save the config ("write mem"):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtrX(config-if)# exit
rtrX(config)# exit
rtrX# write memory
rtrX# exit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Check the logs under `/var/log/network`:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# cd /var/log/network
# ls
...follow the directory trail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Still no logs?

Try the following command to send a test log message locally:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# logger -p local0.info 'Hello World!'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If a file has not been created yet under `/var/log/network`, then check your
configuration for typos. Don't forget to restart the rsyslog service each
time you change the configuration.
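Checking for typos by eye is error-prone, so here is an added example (Python, not part of the exercise or of rsyslog) that lints the two files this exercise edits for the slips that most often leave `/var/log/network` empty: `$ModLoad imudp` or `$UDPServerRun 514` still commented out, the template name misspelled or mismatched between the `$template` line and the `local0.*` line (names are case-sensitive), a missing `& ~`, and non-ASCII characters such as non-breaking spaces smuggled in by a paste from a browser or document. It assumes the legacy `$directive` syntax used above; the sample configs inside it are constructed. Run as root with no arguments it reads `/etc/rsyslog.conf` and `/etc/rsyslog.d/30-routerlogs.conf`, or pass two paths.

```python
"""Lint the two rsyslog config files the exercise edits for the slips that
most often leave /var/log/network empty.  Added example, not part of the
original page; the sample configs below are constructed."""
import re
import sys

# Directives the exercise expects to be active (uncommented) in /etc/rsyslog.conf.
REQUIRED_MAIN = [
    ("$ModLoad imudp", "'$ModLoad imudp' missing or still commented out: UDP input not loaded"),
    ("$UDPServerRun 514", "'$UDPServerRun 514' missing: rsyslog is not listening on UDP port 514"),
    ("$PrivDropToGroup adm", "'$PrivDropToGroup adm' not set (the exercise changes it from 'syslog')"),
]


def active_lines(text: str) -> list:
    """Lines rsyslog acts on: blanks and '#' comments dropped, runs of tabs and
    spaces collapsed to one space so the checks don't depend on the separator."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            out.append(re.sub(r"[ \t]+", " ", line))
    return out


def check_rsyslog_conf(text: str) -> list:
    lines = active_lines(text)
    return [msg for directive, msg in REQUIRED_MAIN if directive not in lines]


def check_routerlogs_conf(text: str) -> list:
    problems = []
    # Pasting from a browser or document can smuggle in non-breaking spaces or
    # curly quotes that look right on screen but rsyslog will not parse.
    for n, raw in enumerate(text.splitlines(), 1):
        if any(ord(ch) > 127 for ch in raw):
            problems.append(f"line {n}: non-ASCII character(s), probably a bad paste")
    lines = active_lines(text)
    templates = {}
    for line in lines:
        m = re.fullmatch(r'\$template (\S+),"([^"]*)"', line)
        if m:
            templates[m.group(1)] = m.group(2)
    if not templates:
        problems.append("no '$template NAME,\"...\"' line found")
    for name, fmt in templates.items():
        if "%HOSTNAME%" not in fmt:
            problems.append(f"template {name} has no %HOSTNAME%: all routers would share one file")
    used = False
    for line in lines:
        m = re.fullmatch(r"(\S+) -?\?(\S+)", line)
        if not m:
            continue
        used = True
        selector, name = m.groups()
        if name not in templates:
            problems.append(f"'{selector}' writes to template '{name}', which is not defined "
                            f"(defined: {', '.join(templates) or 'none'}); names are case-sensitive")
        if not selector.startswith("local0."):
            problems.append(f"selector '{selector}' does not match facility local0, which the router sends")
    if not used:
        problems.append("no 'local0.* -?RouterLogs' style line: nothing writes the dynamic files")
    if "& ~" not in lines:
        problems.append("no '& ~' line: router messages will also be copied into the default log files")
    return problems


# Constructed samples: one correct pair and one with typical mistakes.
GOOD_MAIN = "#$ModLoad imudp\n$ModLoad imudp\n$UDPServerRun 514\n$PrivDropToGroup adm\n"
BAD_MAIN = "#$ModLoad imudp\n#$UDPServerRun 514\n$PrivDropToGroup syslog\n"
GOOD_ROUTER = ('$template\tRouterLogs,"/var/log/network/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%-%$HOUR%.log"\n'
               "local0.*\t-?RouterLogs\n& ~\n")
BAD_ROUTER = ('$template RouterLogs,"/var/log/network/%$YEAR%.log"\n'
              "local0.* -?Routerlogs\n")   # template name case typo, no & ~

if __name__ == "__main__":
    main_path, router_path = (sys.argv[1:3] if len(sys.argv) == 3
                              else ("/etc/rsyslog.conf", "/etc/rsyslog.d/30-routerlogs.conf"))
    try:
        found = (check_rsyslog_conf(open(main_path).read())
                 + check_routerlogs_conf(open(router_path).read()))
    except OSError as e:
        sys.exit(f"cannot read config: {e}")
    print("\n".join(found) or "no problems found")
```

The checks only read the files; after fixing anything it reports, restart rsyslog as above and send another `logger -p local0.info` test message.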

What other commands can you think of that you can run on the router (BE CAREFUL!)
that will trigger syslog messages? You could try logging in on the router
and typing an incorrect password for "enable".

Be sure that you do an "ls" command in your logging directory to see if a new
log file has been created at some point.
