
File exercises-log-management-swatch.txt, 2.6 KB (added by regnauld, 8 years ago)
Network Management & Monitoring
Using Swatch

Notes:
------
* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands preceded with more specific prompts (e.g. "RTR-GW>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.

Exercises
---------

0. Log in to your PC or open a terminal window as the sysadmin user.

1. Let's enable logging of everything to a single file:

        $ sudo vi /etc/syslog-ng/syslog-ng.conf

        - Add these lines at the end of the file:

destination everything {
  file("/var/log/everything"
    template("$DATE <$FACILITY.$PRIORITY> $HOST $MSG\n") template_escape(no)
  );
};
log { source(s_all); destination(everything); };

... this will enable logging of ALL messages to a single file, so that we
can run a monitoring script on the messages.

        - Now restart syslog-ng so the new destination takes effect:

        $ sudo /etc/init.d/syslog-ng restart

2. Enable a daily automated script to truncate the log file so it doesn't
grow too big:

        $ sudo vi /etc/logrotate.d/everything

        - In the file add the following:

/var/log/everything {
  daily
  copytruncate
  rotate 1
  postrotate
        /etc/init.d/swatch restart
  endscript
}


3. Install swatch

        $ sudo apt-get install swatch

4. Create the file /etc/swatch.conf and add the following rules in the file:

        $ sudo vi /etc/swatch.conf

watchfor /PRIV_AUTH_PASS/
        mail=sysadmin,subject=Enable mode entered
        threshold type=limit,count=1,seconds=3600

watchfor /CONFIG_I/
        mail=sysadmin,subject=Router configuration
        threshold type=limit,count=1,seconds=3600

watchfor /LINK-3-UPDOWN/
        mail=sysadmin,subject=Link state change
        threshold type=limit,count=1,seconds=3600

watchfor /SSH/
        mail=sysadmin,subject=SSH connection
        threshold type=limit,count=1,seconds=3600

watchfor /ssh/
        mail=sysadmin,subject=SSH connection
        threshold type=limit,count=1,seconds=3600

5. Start swatch, telling it to follow the file created in step 1 (without
   --tail-file it would watch its default log file instead):

        # swatch -c /etc/swatch.conf --tail-file=/var/log/everything --daemon

        Check that it is running:

        # ps ax | grep swatch

6. Log in to your router, and run some "config" commands (example below):

        $ ssh sysadmin@10.10.X.254              [where "X" is your number]
        pc1-pcx-rtr> enable
        Password: <password>
        pc1-pcx-rtr# config terminal
        pc1-pcx-rtr(config)# int FastEthernet0/0
        pc1-pcx-rtr(config-if)# description Description Change for FastEthernet0/0 for Swatch
        pc1-pcx-rtr(config-if)# ctrl-z
        pc1-pcx-rtr# write memory
        pc1-pcx-rtr# exit

7. Verify that you are receiving emails to the sysadmin user from Swatch:

        $ su - sysadmin
        $ mutt -f /var/mail/sysadmin
107
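As an added example (not part of the exercise sheet and not swatch's own code), the Python script below reproduces what the rules in /etc/swatch.conf do, so that a rule set can be tried against sample lines before swatch is started or restarted. It parses lines in the syslog-ng template from step 1 ($DATE <$FACILITY.$PRIORITY> $HOST $MSG), tries the five watchfor regexes in file order with first-match semantics (what swatch does when no `continue` action is given), applies the threshold type=limit,count=1,seconds=3600 window per rule, and collects the mails that would be sent instead of mailing them. The log lines, host addresses and the year (ASSUMED_YEAR, needed because syslog-ng's $DATE has none) are constructed for the example; the router messages imitate Cisco IOS syslog wording. The `case_insensitive_ssh` switch is an assumption added to show why the exercise keeps /SSH/ and /ssh/ as two rules.

```python
"""Offline check of the swatch.conf rules from this exercise (added example,
not swatch's code): mimics 'watchfor' matching and 'threshold type=limit'
windows. Sample lines, hosts and year are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Step-1 template: $DATE <$FACILITY.$PRIORITY> $HOST $MSG; $DATE has no year.
ASSUMED_YEAR = 2024   # assumption, only used to build datetimes
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"<(?P<facility>\w+)\.(?P<priority>\w+)> (?P<host>\S+) (?P<msg>.*)$"
)

def parse_line(line: str) -> Optional[dict]:
    """Split one line into template fields plus a datetime; None if it does not fit."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    date = " ".join(rec["date"].split())          # collapse "Mar  5" -> "Mar 5"
    rec["when"] = datetime.strptime(f"{ASSUMED_YEAR} {date}", "%Y %b %d %H:%M:%S")
    return rec

@dataclass
class Rule:
    """One 'watchfor' block: regex, mail subject and threshold settings."""
    pattern: "re.Pattern[str]"
    subject: str
    count: int = 1          # threshold count=
    seconds: int = 3600     # threshold seconds=
    window_start: Optional[datetime] = None   # start of the current limit window
    hits: int = 0                             # matches seen inside that window

    def fire(self, when: datetime) -> bool:
        """type=limit: act on at most `count` matches per `seconds`-long window;
        further matches in the same window are counted but trigger nothing."""
        if self.window_start is None or (when - self.window_start).total_seconds() >= self.seconds:
            self.window_start, self.hits = when, 0
        self.hits += 1
        return self.hits <= self.count

def build_rules(case_insensitive_ssh: bool = False) -> List[Rule]:
    """The rules from /etc/swatch.conf, in file order. The exercise uses two
    case-sensitive rules, /SSH/ and /ssh/, each with its own limit window; the
    optional variant (an assumption, not the exercise) merges them into one."""
    rules = [
        Rule(re.compile(r"PRIV_AUTH_PASS"), "Enable mode entered"),
        Rule(re.compile(r"CONFIG_I"), "Router configuration"),
        Rule(re.compile(r"LINK-3-UPDOWN"), "Link state change"),
    ]
    if case_insensitive_ssh:
        rules.append(Rule(re.compile(r"ssh", re.IGNORECASE), "SSH connection"))
    else:
        rules += [Rule(re.compile(r"SSH"), "SSH connection"),
                  Rule(re.compile(r"ssh"), "SSH connection")]
    return rules

def run_rules(lines: List[str], rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return the (subject, host, msg) mails the rules would send for `lines`.
    As in swatch without a 'continue' action, only the first matching rule
    handles a line, and the regex is tried against the whole line."""
    mails = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue    # no timestamp to drive the threshold window; skip it
        for rule in rules:
            if rule.pattern.search(line):
                if rule.fire(rec["when"]):
                    mails.append((rule.subject, rec["host"], rec["msg"]))
                break
    return mails

# Constructed sample log in the step-1 template; router lines imitate Cisco IOS syslog.
SAMPLE_LINES = [
    "Mar 10 09:59:50 <local7.notice> 10.10.1.254 %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by sysadmin on vty0",
    "Mar 10 10:00:01 <local7.notice> 10.10.1.254 %SYS-5-CONFIG_I: Configured from console by sysadmin on vty0 (10.10.1.1)",
    "Mar 10 10:00:05 <local7.notice> 10.10.1.254 %SYS-5-CONFIG_I: Configured from console by sysadmin on vty0 (10.10.1.1)",
    "Mar 10 10:02:00 <auth.info> pc1 sshd[1234]: Accepted password for sysadmin from 10.10.1.1 port 51000 ssh2",
    "Mar 10 10:03:00 <local7.err> 10.10.1.254 %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "Mar 10 10:04:00 <local7.info> 10.10.1.254 %SSH-5-SSH2_SESSION: SSH2 Session request from 10.10.1.1 Succeeded",
    "this line is not in the syslog-ng template and is skipped",
    "Mar 10 11:30:00 <local7.notice> 10.10.1.254 %SYS-5-CONFIG_I: Configured from console by sysadmin on vty0 (10.10.1.1)",
]

if __name__ == "__main__":
    for subject, host, msg in run_rules(SAMPLE_LINES, build_rules()):
        print(f"mail sysadmin, subject={subject!r}: {host} {msg}")
```

Run as a script it prints six mails: the two CONFIG_I lines four seconds apart produce one "Router configuration" mail and the one ninety minutes later a second, which is exactly what threshold type=limit,count=1,seconds=3600 means. With `case_insensitive_ssh=True` the sshd login on the PC and the router's SSH2 session fall into one rule and one window, so the second is suppressed; keeping /SSH/ and /ssh/ as separate rules, as the exercise does, is what lets them report independently. Also worth noting for the logrotate step: because the threshold state lives in the running process, the `postrotate` restart of swatch resets every window, so a burst straddling the daily rotation can be mailed twice.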
108