Network Management & Monitoring
Using syslog-ng
---------------

Notes:
------

* Commands preceded with "$" imply that you should execute the command as a
  general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific prompts (e.g. "RTR-GW>" or "mysql>") imply that
  you are executing commands on remote equipment, or within another program.

Exercises
---------

Please find the classmates who are using the same router as you. Get into a
group and do the following exercise together. That is, pick one person who
will log in to your group's router, but all of you should assist with the
actual configuration.

1. Configure your virtual router to send syslog messages to your servers:

You will telnet to your group's router and do the following:

    $ telnet 10.10.X.254
    rtrX.ws.nsrc.org> enable
    rtrX.ws.nsrc.org# config terminal

Repeat the next command, "logging 10.10.X.X", once for each PC in your group.
That is, if your group is on router6 and you are using PCs 18, 20, 22, 24 and
26, you would run the command five times, with the IP of each machine
(10.10.6.18, 10.10.6.20, and so forth).

    rtrX.ws.nsrc.org(config)# logging 10.10.X.X
    rtrX.ws.nsrc.org(config)# logging facility local5
    rtrX.ws.nsrc.org(config)# logging userinfo
    rtrX.ws.nsrc.org(config)# exit
    rtrX.ws.nsrc.org# write memory
    rtrX.ws.nsrc.org# exit

Log out of the router (exit).

That's it. The router should now be sending syslog messages to each of your
PCs as UDP packets to port 514. Keep in mind that syslog over UDP is neither
encrypted nor authenticated: any host on the network could send packets that
look as if they came from the router. To verify that the messages are
arriving, log in on your PC and do the following:

    $ sudo bash
    # tcpdump -e -s0 -ni eth0 port 514

Then have one person in your group log back in on the router and do the
following:

    $ telnet 10.10.X.254
    rtrX.ws.nsrc.org> enable
    rtrX.ws.nsrc.org# config terminal
    rtrX.ws.nsrc.org(config)# exit
    rtrX.ws.nsrc.org# exit

You should see some output on your PC's screen from tcpdump.
It should look something like:

    02:20:24.942289 ca:02:0d:b3:00:08 > 52:54:4a:5e:68:77, ethertype IPv4 (0x0800), length 144: 10.10.0.6.63515 > 10.10.0.250.514: SYSLOG local5.notice, length: 102
    02:20:24.944376 ca:02:0d:b3:00:08 > c4:2c:03:0b:3d:3a, ethertype IPv4 (0x0800), length 144: 10.10.0.6.53407 > 10.10.0.241.514: SYSLOG local5.notice, length: 102

Now you can configure the logging software on your PC to receive this
information and log it to a new set of files:

2. Install syslog-ng

These exercises are done as root. If you are not root on your machine then
become root by typing:

    $ sudo bash
    # apt-get install syslog-ng

3. Edit /etc/syslog-ng/syslog-ng.conf

Find the lines:

    # (this is equivalent to the "-r" syslogd flag)
    # udp();

and change them to:

    # (this is equivalent to the "-r" syslogd flag)
    udp();

This makes syslog-ng accept syslog packets on UDP port 514 on all of the PC's
interfaces. Since UDP syslog carries no authentication, any host that can
reach the PC can now write into these log files; on a production log server
you would bind the source to one address and accept only the routers' source
addresses.

At the bottom of the file, add (copy and paste!):

    filter f_routers { facility(local5); };
    log { source(s_all); filter(f_routers); destination(routers); };
    destination routers {
        file("/var/log/network/$YEAR/$MONTH/$DAY/$HOST-$YEAR-$MONTH-$DAY-$HOUR.log"
             owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
             template("$YEAR $DATE $HOST $MSG\n"));
    };

The filter passes only messages whose facility is local5, which is why the
router was configured with "logging facility local5" in step 1; messages from
the PC's own daemons use other facilities and keep going to the usual files.

4. Create the directory /var/log/network/

    # mkdir /var/log/network/

5. Restart syslog-ng:

    # service syslog-ng restart

6. On your PC, see if messages are starting to appear under
   /var/log/network/2011/.../

7. If not, try logging back in to the router, run some "config" commands,
   then log out. I.e.:

    $ telnet 10.10.X.254
    rtrX.ws.nsrc.org> enable
    rtrX.ws.nsrc.org# config terminal
    rtrX.ws.nsrc.org(config)# exit
    rtrX.ws.nsrc.org# exit

Be sure you log out of the router. If too many people log in without logging
out then others cannot gain access to the router.
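The "local5.notice" that tcpdump printed in step 1 and the facility(local5)
filter in step 3 both come from the same thing: the PRI field at the start of
every syslog datagram, "<N>", where N = facility * 8 + severity (RFC 3164).
The script below is an added example and is not part of the NSRC exercise or
of syslog-ng. It builds a local5.notice message the way the router does,
sends it over UDP to a listener on 127.0.0.1 that stands in for syslog-ng's
udp() source, decodes the PRI again, and applies the same facility test as
f_routers. The IOS-style sample text, the loopback listener and the function
names are all constructed for the demo; only the facility and severity codes
are the standard ones.

```python
"""Added example (not from the NSRC exercise): encode, send, receive and
decode the syslog PRI field that carries facility and severity."""
import socket

# Facility and severity codes from RFC 3164 / syslog.h.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def pri(facility, severity):
    """PRI value for a facility.severity pair: local5.notice -> 21*8+5 = 173."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, text):
    """Prefix text with its PRI field, e.g. "<173>text", as a router does."""
    return "<%d>%s" % (pri(facility, severity), text)


def decode_pri(msg):
    """Split "<PRI>rest" into (facility_name, severity_name, rest).

    Raises ValueError on a malformed PRI so a caller never files a message
    under a guessed facility.  Facilities 12-15 have no name in the table
    above and are returned as "facilityN".
    """
    end = msg.find(">", 1, 5) if msg.startswith("<") else -1  # PRI has at most 3 digits
    if end == -1:
        raise ValueError("missing PRI field: %r" % msg[:8])
    try:
        value = int(msg[1:end])
    except ValueError:
        raise ValueError("non-numeric PRI: %r" % msg[:end + 1])
    if not 0 <= value <= 191:            # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % value)
    fac, sev = divmod(value, 8)
    return (FACILITY_NAMES.get(fac, "facility%d" % fac),
            SEVERITY_NAMES[sev], msg[end + 1:])


def matches_f_routers(msg):
    """Same decision as the syslog-ng filter  f_routers { facility(local5); }."""
    return decode_pri(msg)[0] == "local5"


def send_and_receive(facility, severity, text):
    """Round-trip one message over UDP on the loopback interface.

    The listener stands in for syslog-ng's udp() source.  Port 0 lets the
    kernel pick a free port, because binding port 514 needs root.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(2)
    try:
        sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sender.sendto(build_message(facility, severity, text).encode("utf-8"),
                          listener.getsockname())
        finally:
            sender.close()
        data, _peer = listener.recvfrom(2048)
    finally:
        listener.close()
    return decode_pri(data.decode("utf-8"))


if __name__ == "__main__":
    # Constructed IOS-style line, similar to what "config terminal" produces.
    sample = "%SYS-5-CONFIG_I: Configured from console by vty0 (10.10.6.18)"
    print(build_message("local5", "notice", sample))
    print(send_and_receive("local5", "notice", sample))
```

Run it as a normal user; nothing here needs port 514 or root. Note that the
listener accepts whatever arrives, exactly as the udp() source does: the
decoder tells you what facility the sender claimed, not who the sender was.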