Agenda: exercises-log-management-rsyslog.page

File exercises-log-management-rsyslog.page, 9.0 KB (added by andy, 6 years ago)

Line
1	% Log Management Part 1: Using rsyslog
2	%
3	% Network Monitoring & Management
4
5	# Notes
6
7	* Commands preceded with "$" imply that you should execute the command as
8	a general user - not as root.
9	* Commands preceded with "#" imply that you should be working as root.
10	* Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>")
11	imply that you are executing commands on remote equipment, or within
12	another program.
13
14	# Exercise
15
16	The routers are able to send syslog messages to multiple destinations,
17	so that 1 router can send messages to 4 or even 5 destinations.
18	We therefore need to configure the router to send messages to each of
19	the PCs in the group.
20
21	## Configure sending of syslog messages from your group's router
22
23	Configure your virtual router to send syslog messages to every server
24	in your group.
25
26	Everyone in your group should log into your group's router and do the
27	following (assuming you are already logging in on your virtual machine):
28
29	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
30	$ ssh cisco@rtrX
31	rtrX> enable
32	rtrX# config terminal
33
34	rtrX(config)# logging 10.10.X.Y
35
36	... where X.Y is the IP of your PC (group + number, example pc2 = 10.10.1.2).
37
38	rtrX(config)# logging facility local0
39	rtrX(config)# logging userinfo
40	rtrX(config)# exit
41	rtrX# write memory
42	rtrX# exit
43	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
44
45	Now run `show logging` to see the summary of the log configuration.
46
47	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
48	rtrX# show logging
49	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
50
51	The other participants in your group will be doing the same thing, so you
52	should not be surprised if you see other destinations as well in the output
53	of "show logging" - Press SPACE to page through the output
54
55	Logout from the router (exit):
56
57	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
58	rtrX# exit
59	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
60
61	That's it. The router should now be sending UDP SYSLOG packets to your PC
62	on port 514.
63
64	To verify this log in on your PC as user sysadm (if you have not already done so)
65	and do the following:
66
67	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
68	$ sudo bash
69	# apt-get install tcpdump (if already installed dont worry)
70	# tcpdump -s0 -n -i eth0 udp port 514
71	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
72
73	Then have one person in your group log back in on the router and do the
74	following:
75
76	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
77	$ ssh cisco@rtrX
78	rtrX> enable
79	rtrX# config terminal
80	rtrX(config)# exit
81	rtrX> exit
82	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
83
84	You should see some output on your PC's screen from `tcpdump`. It should look
85	something like:
86
87	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
88	11:20:24.942289 10.10.1.254.63515 > 10.10.1.1.514: SYSLOG local0.notice, length: 110
89	11:20:24.944376 10.10.1.254.53407 > 10.10.1.1.514: SYSLOG local0.notice, length: 102
90	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
91
92	When you have seen this, hit Ctrl-C to exit tcpdump.
93
94	Aside: tcpdump would also show you the content of the syslog messages if you
95	add `-v` to the command line. To learn more about tcpdump type "man tcpdump" at
96	the command line
97
98	Now you can configure the logging software on your PC to receive this
99	information and log it to a new set of files.
100
101
102	## Configure rsyslog
103
104	Be sure you are logged in to your virtual machine and that you are the
105	root user.
106
107	Edit the file /etc/rsyslog.conf:
108
109	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
110	# editor /etc/rsyslog.conf
111	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
112
113	...and find and un-comment the following lines
114	(that is, remove the initial '#' only)
115
116	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
117	#$ModLoad imudp
118	#$UDPServerRun 514
119
120	change to:
121
122	$ModLoad imudp
123	$UDPServerRun 514
124	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
125
126	Then change this line:
127
128	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
129	$PrivDropToGroup syslog
130
131	change to:
132
133	$PrivDropToGroup adm
134	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
135
136	Then save the file and exit.
137
138	Now, create a file named "/etc/rsyslog.d/30-routerlogs.conf"
139
140	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
141	# editor /etc/rsyslog.d/30-routerlogs.conf
142	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
143
144	... and add the following lines (carefully COPY and PASTE):
145
146	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
147	$template RouterLogs,"/var/log/network/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%-%$HOUR%.log"
148	local0.* -?RouterLogs
149	& ~
150	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
151
152	PLEASE double check (verify) that what you have pasted is the SAME as what
153	is above. In particular, make sure that you are using TAB and not SPACE
154	between "template" and "RouterLogs", and also between "local0.*" and
155	"-?RouterLogs".
156
157	If the above is not pasted correctly, it will NOT work.
158
159	Save and exit, then do:
160
161	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
162	# mkdir /var/log/network
163	# chown syslog:adm /var/log/network
164	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
165
166	Restart rsyslog:
167
168	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
169	# service rsyslog restart
170	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
171
172
173	## Test syslog
174
175	To be sure there are some logging messages log back in to the router, and run
176	some "config" commands, then logout. e.g.
177
178	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
179	$ ssh cisco@rtrX
180	rtrX> enable
181	rtrX# config terminal
182	rtrX(config)# exit
183	rtrX> exit
184	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
185
186	Be sure you log out of the router when you are finished. If too many people
187	log in without logging out then others cannot gain access to the router.
188
189	On your PC, See if messages are starting to appear under
190	`/var/log/network/<year>/<month>/<day>/`
191
192	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
193	$ cd /var/log/network
194	$ ls
195	$ cd 2012
196	$ ls
197	... this will show you the directory for the month
198	... cd into this directory
199	$ ls
200	... repeat for the next level (the day of the month)
201	$ ls
202	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
203
204	Then use 'tail' to look at the log file(s) in this directory. The names
205	are dynamic based on the sender and the host, so use the file that you see.
206	It may be something like this:
207
208	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
209	$ ls
210	rtr8-16.log
211	$ tail rtr8-16.log
212	... logging messages are shown ...
213	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
214
215	## Troubleshooting rsyslog
216
217	If no files are appearing under the /var/log/network directory, then
218	another command to try while logged into the router, in config mode, is
219	to shutdown / no shutdown a Loopback interface, for example:
220
221	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
222	$ ssh cisco@rtrX
223	rtrX> enable
224	rtrX# conf t
225	rtrX(config)# interface Loopback 999
226	rtrX(config-if)# shutdown
227	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
228
229	wait a few seconds
230
231	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
232	rtrX(config-if)# no shutdown
233	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
234
235	Then exit, and save the config ("write mem"):
236
237	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
238	rtrX(config-if)# exit
239	rtrX(config)# exit
240	rtrX# write memory
241	rtr1# exit
242	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
243
244	Check the logs under `/var/log/network`
245
246	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
247	# cd /var/log/network
248	# ls
249	...follow the directory trail
250	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
251
252	Still no logs?
253
254	Try the following command to send a test log message locally:
255
256	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
257	# logger -p local0.info "Hello World\!"
258	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
259
260	If a file has not been created yet under `/var/log/network`, then check your
261	configuration for typos. Don't forget to restart the rsyslog service each
262	time you change the configuration.
263
264	What other commands can you think of that you can run on the router (BE CAREFUL!)
265	that will trigger syslog messages? You could try logging in on the router
266	and typing an incorrect password for "enable".
267
268	Be sure that you do an "ls" command in your logging directory to see if a new
269	log file has been created at some point.
270