Please find your classmates that are using the same router as you. Get in to a group and do the following exercise together. That is, pick one person who will log in to your group’s router, but all of you should assist with the actual configuration.
Configure network devices below to send logs to srv1.campusY.ws.nsrc.org (100.68.Y.130)
You will SSH to your group’s network devices and do the following:
$ ssh nmmlab@bdr1.campusY.ws.nsrc.org
bdr1.campusY> enable
bdr1.campusY# config terminalRepeat the next command “logging 100.68.Y.130” for each network device in your campus group.
logging 100.68.6.130 logging facility local0 logging userinfo
bdr1.campusY(config)# logging 100.68.Y.130
bdr1.campusY(config)# logging facility local0
bdr1.campusY(config)# logging userinfo
bdr1.campusY(config)# exit
bdr1.campusY# write memoryNow run ‘show logging’ to see the summary of the logging configuration.
bdr1.campusY# show loggingLogout from the router (exit)
bdr1.campusY# exitThat’s it. The network device should now be sending UDP SYSLOG packets to your shared server (srv1) on port 514. To verify this log in on your shared server and do the following:
Now ssh into srv1-campusY, and run the following command.
$ ssh sysadm@srv1.campusY.ws.nsrc.org # apt-get install tcpdump (don't worry if it's already installed)
# tcpdump -s0 -nv -i eth0 port 514Then have one person in your group log back in on the network device and do the following:
$ ssh nmmlab@bdr1.campusY.ws.nsrc.org
bdr1.campusY> enable
bdr1.campusY# config terminal
(config)# exit
bdr1.campusY> exitYou should see some output on your shared server’s (srv1) screen from TCPDUMP. It should look something like:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:05:02.620767 IP (tos 0x0, ttl 254, id 43, offset 0, flags [none], proto UDP (17), length 215)
100.68.6.1.62222 > 100.68.6.130.514: [udp sum ok] SYSLOG, length: 187
Facility local0 (16), Severity notice (5)
Msg: 466: Feb 22 14:05:01.545: %SSH-5-SSH2_USERAUTH: User 'nmmlab' authentication for SSH2 Session from 100.64.0.241 (tty = 2) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' SucceededNow you can configure the logging software on your shared server (srv1) to receive this information and log it to a new set of files.
SSH into your shared server (srv1)
$ ssh sysadm@srv1.campusY.ws.nsrc.org These exercises are done as root. If you are not root on your machine then become root by typing:
$ sudo -s
# apt-get install syslog-ng syslog-ng-core# nano /etc/syslog-ng/syslog-ng.confFind the lines:
source s_src {
system();
internal();
};Add “udp();” and it will look like below:
source s_src {
system();
internal();
udp();
};Save the file and exit.
Now, create a config section for our network logs:
# cd /etc/syslog-ng/conf.d/
# nano 10-network.confIn this file, copy and paste the following:
filter f_routers { facility(local0); };
log {
source(s_src);
filter(f_routers);
destination(routers);
};
destination routers {
file("/var/log/network/$YEAR/$MONTH/$DAY/$HOST-$YEAR-$MONTH-$DAY-$HOUR.log"
owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
template("$YEAR $DATE $HOST $MSG\n"));
};Save the file and exit.
# mkdir -p /var/log/network/# systemctl restart syslog-ngTo be sure there are some logging messages log back in to the network device, and run some “config” commands, then logout. e.g.
# ssh nmmlab@bdr1.campusY.ws.nsrc.org
bdr1.campusY> enable
bdr1.campusY# config terminal
bdr1.campusY(config)# exit
bdr1.campusY> exitBe sure you log out of the network device. If too many people log in without logging out then others cannot gain access to the network device.
# cd /var/log/network
# ls
2018
# cd 2018
# ls
02 03
... above will show you the directory for the month
# cd 02
# ls
22 23
... above will show you the day of the month
# cd 23
# ls
100.68.6.1-2018-02-22-14.log
... above will show you the router's You can view the resulting log file by using a pager program such as less, more, cat, etc…
You will see the logging is capture like below;
# less 100.68.6.1-2018-02-22-14.log
2018 Feb 22 14:11:04 100.68.6.1 %SYS-5-CONFIG_I: Configured from console by nmmlab on vty0 (100.64.0.241)
2018 Feb 22 14:11:05 100.68.6.1 %SSH-5-SSH2_CLOSE: SSH2 Session from 100.64.0.241 (tty = 0) for user 'nmmlab' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' closed
2018 Feb 22 14:12:24 100.68.6.1 %SSH-5-SSH2_SESSION: SSH2 Session request from 100.68.2.135 (tty = 0) using crypto cipher '', hmac '' Failed
2018 Feb 22 14:12:24 100.68.6.1 %SSH-5-SSH2_CLOSE: SSH2 Session from 100.68.2.135 (tty = 0) for user '' using crypto cipher '', hmac '' closedIf no files are appearing under the /var/log/network directory, then another command to try while logged into the router, in config mode, is to shutdown / no shutdown a Loopback interface, for example:
$ ssh nmmlab@bdr1.campusY.ws.nsrc.org
bdr1.campusY> enable
bdr1.campusY# conf t
bdr1.campusY(config)# interface Loopback 999
bdr1.campusY(config-if)# shutdownwait a few seconds
bdr1.campusY(config-if)# no shutdownThen exit, and save the config (“write mem”):
bdr1.campusYconfig-if)# exit
bdr1.campusY(config)# exit
bdr1.campusY# write memory
bdr1.campusY# exitCheck the logs under /var/log/network
# cd /var/log/network
# ls…follow the directory trail
Still no logs?
Try the following command to send a test log message locally:
# logger -p local0.info "Hello World\!"If a file has not been created yet under /var/log/network, then check your configuration for typos. Don’t forget to restart the syslog-ng service each time you change the configuration.
What other commands can you think of that you can run on the router (BE CAREFUL!) that will trigger syslog messages? You could try logging in on the router and typing an incorrect password for “enable”.
Be sure that you do an “ls” command in your logging directory to see if a new log file has been created at some point.