Files: log-management-syslog-ng.txt

Network Management Workshop

Using syslog-ng

1. Install syslog-ng

        # apt-get install syslog-ng

2. Edit /etc/syslog-ng/syslog-ng.conf

Find the lines:

        # (this is equivalent to the "-r" syslogd flag)
        # udp();

and change it to:

        # (this is equivalent to the "-r" syslogd flag)
        udp();

At the bottom of the file, add:

filter f_routers { facility(local5); };
log {
        source(s_all);
        filter(f_routers);
        destination(routers);
};
destination routers {
 file("/var/log/network/$YEAR/$MONTH/$DAY/$HOST-$YEAR-$MONTH-$DAY-$HOUR.log"
 owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
 template("$YEAR $DATE $HOST $MSG\n"));
};

3. Create the directory /var/log/network/

        # mkdir /var/log/network/

4. Restart syslog-ng:

        # /etc/init.d/syslog-ng restart

5. Configure your virtual routers to send syslog messages to your server:

        (Note: since you are working with 1 router / 2 PCs, you will need
        to configure your router send to 2 hosts:

        Hint: Use rancid clogin!

        rtrX# config terminal
        rtrX(config)# logging 169.223.142.X
        rtrX(config)# logging 169.223.142.Y
        rtrX(config)# logging facility local5
        rtrX(config)# logging userinfo
        rtrX(config)# exit
        rtrX# write
        ...
        rtrX# copy running-config flash:running-config

        (Note: X and Y are the IPs of the PCs, for example, for PCs 1 and 2,
        use IPs 35 and 36, etc...)

        logout from the router (exit)

6. On your PC, See if messages are starting to appear under

        /var/log/network/2010/02/26/...

7. If not, try to login back into the router, and run some "config" commands,
   then logout.