Network Management Workshop

Using syslog-ng

1. Install syslog-ng

    # apt-get install syslog-ng

2. Edit /etc/syslog-ng/syslog-ng.conf

   Find the lines:

    # (this is equivalent to the "-r" syslogd flag)
    # udp();

   and change them to:

    # (this is equivalent to the "-r" syslogd flag)
    udp();

   At the bottom of the file, add:

    filter f_routers { facility(local5); };

    log {
        source(s_all);
        filter(f_routers);
        destination(routers);
    };

    destination routers {
        file("/var/log/network/$YEAR/$MONTH/$DAY/$HOST-$YEAR-$MONTH-$DAY-$HOUR.log"
            owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
            template("$YEAR $DATE $HOST $MSG\n"));
    };

3. Create the directory /var/log/network/

    # mkdir /var/log/network/

4. Restart syslog-ng:

    # /etc/init.d/syslog-ng restart

5. Configure your virtual routers to send syslog messages to your server:

   (Note: since you are working with 1 router / 2 PCs, you will need to
   configure your router to send to 2 hosts.)

   Hint: Use rancid clogin!

    rtrX# config terminal
    rtrX(config)# logging 169.223.142.X
    rtrX(config)# logging 169.223.142.Y
    rtrX(config)# logging facility local5
    rtrX(config)# logging userinfo
    rtrX(config)# exit
    rtrX# write ...
    rtrX# copy running-config flash:running-config

   (Note: X and Y are the IPs of the PCs, for example, for PCs 1 and 2,
   use IPs 35 and 36, etc...)

   Log out from the router (exit).

6. On your PC, see if messages are starting to appear under
   /var/log/network/2010/02/26/...

7. If not, try to log back in to the router and run some "config"
   commands, then log out.
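The check in steps 6 and 7 can also be run from the PC itself, without waiting for router traffic. The script below is an added example, not part of the workshop handout: it sends one local5 message over UDP and looks for it in the per-host file that the destination template from step 2 produces. The function names, the LOG_ROOT variable and the probe marker are made up for this example, and it assumes the util-linux `logger` (for `-n`, `-P` and `-d`).

```shell
#!/bin/sh
# Added example, not from the workshop handout.
# LOG_ROOT mirrors the destination in step 2; override it when testing.
LOG_ROOT="${LOG_ROOT:-/var/log/network}"

# log_path HOST [YYYY-MM-DD-HH]
# Expand $YEAR/$MONTH/$DAY/$HOST-$YEAR-$MONTH-$DAY-$HOUR.log for HOST
# at the given hour (default: the current hour).
log_path() {
    stamp="${2:-$(date +%Y-%m-%d-%H)}"
    y=${stamp%%-*}; rest=${stamp#*-}
    m=${rest%%-*};  rest=${rest#*-}
    d=${rest%%-*}
    printf '%s/%s/%s/%s/%s-%s.log\n' "$LOG_ROOT" "$y" "$m" "$d" "$1" "$stamp"
}

# find_marker MARKER [YYYY-MM-DD-HH]
# Print every per-host file for that hour that contains MARKER.
find_marker() {
    pattern=$(log_path '*' "${2:-}")
    # $pattern stays unquoted so the shell expands the "*" host part.
    grep -l -F -- "$1" $pattern 2>/dev/null
}

# send_probe [COLLECTOR]
# Send one local5 message over UDP port 514, the facility the routers
# use after "logging facility local5", and print the marker sent.
send_probe() {
    marker="probe-$$-$(date +%s)"
    logger -n "${1:-127.0.0.1}" -P 514 -d -p local5.notice -- "$marker" || return 1
    printf '%s\n' "$marker"
}

# verify_pipeline [COLLECTOR]
# Probe, wait for syslog-ng to write, then search this hour's files.
verify_pipeline() {
    marker=$(send_probe "${1:-}") || { echo "logger failed" >&2; return 2; }
    sleep 2
    if files=$(find_marker "$marker"); then
        echo "OK: $marker written to $files"
    else
        echo "FAIL: $marker not under $LOG_ROOT; check udp() and f_routers" >&2
        return 1
    fi
}

# Run the end-to-end check only when asked: sh script.sh --run [COLLECTOR]
if [ "${1:-}" = "--run" ]; then verify_pipeline "${2:-}"; fi
```

A probe sent in the last seconds of an hour can land in the previous hour's file; rerun the check if it fails right after the hour changes.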