Agenda: exercises-log-management-rsyslog.txt

File exercises-log-management-rsyslog.txt, 3.9 KB (added by regnauld, 8 years ago)
Network Management & Monitoring

Log management, part I : Using rsyslog
--------------------------------------

Notes:
------
* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific prompts (e.g. "RTR-GW>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.

Exercises
---------

The routers can send syslog messages to multiple destinations, so one
router can send its messages to 4 or even 5 destinations at once.
We therefore configure the router to send messages to each of the PCs
in the group.

1. Configure your virtual routers to send syslog messages to your server:

You will log in to your group's router and do the following:

        $ ssh 10.10.X.254
        rtrX.ws.nsrc.org> enable
        rtrX.ws.nsrc.org# config terminal

        rtrX.ws.nsrc.org(config)# logging 10.10.X.Y

        ... where 10.10.X.Y is the IP of your PC (X = your group, Y = your PC number).

        rtrX.ws.nsrc.org(config)# logging facility local5
        rtrX.ws.nsrc.org(config)# logging userinfo
        rtrX.ws.nsrc.org(config)# exit
        rtrX.ws.nsrc.org# write memory

Now run "show logging" to see a summary of the logging configuration.

The other participants in your group will be doing the same thing,
so you should not be surprised if you see other destinations as well
in the output of "show logging".

Log out from the router (exit):

        rtrX.ws.nsrc.org# exit

That's it. The router should now be sending syslog messages to your PC
as UDP packets to port 514. Keep in mind that there is no authentication
on this path: anything that can send UDP to port 514 on your PC can write
into the log files you set up below, so in production restrict the
senders (host firewall, or rsyslog's $AllowedSender directive).

To verify this, log in on your PC and do the following:

        $ sudo bash
        # tcpdump -e -s0 -ni eth0 udp port 514

Then have one person in your group log back in on the router and do the
following:

        $ ssh 10.10.X.254
        rtrX.ws.nsrc.org> enable
        rtrX.ws.nsrc.org# config terminal
        rtrX.ws.nsrc.org(config)# exit
        rtrX.ws.nsrc.org# exit

You should see some output on your PC's screen from tcpdump. It should look
something like:

02:20:24.942289 ca:02:0d:b3:00:08 > 52:54:4a:5e:68:77, ethertype IPv4 (0x0800), length 144: 10.10.0.6.63515 > 10.10.0.250.514: SYSLOG local5.notice, length: 102
02:20:24.944376 ca:02:0d:b3:00:08 > c4:2c:03:0b:3d:3a, ethertype IPv4 (0x0800), length 144: 10.10.0.6.53407 > 10.10.0.241.514: SYSLOG local5.notice, length: 102

The "local5.notice" is tcpdump decoding the syslog priority field at the
start of each datagram: the facility you configured (local5) and the
severity of the message (notice).

Now you can configure the logging software on your PC to receive this
information and log it to a new set of files:


2. Configure rsyslog

Edit the file /etc/rsyslog.conf, find the following lines:

        #$ModLoad imudp
        #$UDPServerRun 514

and change them to

        $ModLoad imudp
        $UDPServerRun 514

(remove the "#"). This loads the UDP input module and makes rsyslog
listen on UDP port 514, the port the router is sending to.

Then change:

        $PrivDropToUser syslog
        $PrivDropToGroup syslog

to

        #$PrivDropToUser syslog
        #$PrivDropToGroup syslog

Be aware that this keeps rsyslog running as root instead of dropping to
the "syslog" user after startup, so a bug in the daemon triggered by a
malicious message would run with root privileges. The next step gives
/var/log/network to the "syslog" user anyway, so first try leaving these
two lines in place and only comment them out if the files under
/var/log/network are not created.

Finally add the lines:

        $template RouterLogs,"/var/log/network/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%-%$HOUR%.log"
        local5.*            -?RouterLogs

The template builds one file per router and per hour, inside a directory
per day; "-?RouterLogs" writes every message with facility local5 to that
path (the leading "-" means the file is not synced after every write).

Save and exit, then:

        # mkdir /var/log/network
        # chown syslog /var/log/network

3. Restart rsyslog

        # service rsyslog restart
114
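To see what the two pieces of configuration above do before restarting the daemon, here is a small Python receiver added as an example for this exercise (it is not code from the handout or from rsyslog). It decodes the priority field that tcpdump printed as "local5.notice", applies the "local5.*" rule, and builds the same per-day, per-router, per-hour path as the RouterLogs template. The sample datagrams, hostnames and addresses in it are constructed; the fallback to the sender's address when a message carries no hostname mirrors what rsyslog does by default.

```python
"""Minimal syslog/UDP receiver that mirrors the RouterLogs template.

Added example for this exercise, not code from the handout or from rsyslog.
It decodes the <PRI> field that tcpdump prints as "local5.notice" and builds
the same /var/log/network/YEAR/MONTH/DAY/HOST-HOUR.log path as the rsyslog
template. The sample datagrams below are constructed for the example.
"""
import re
import socket
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Optional

# Facility and severity names as syslog numbers them: PRI = facility*8 + severity
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Classic BSD header: "Mar  1 00:12:34 hostname message"
BSD_HDR_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$", re.DOTALL)


def parse_syslog(datagram: bytes, sender: str) -> dict:
    """Split one datagram into facility, severity, host and message text."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = PRI_RE.match(text)
    if not m:
        raise ValueError("datagram does not start with <PRI>")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    rest = m.group(2)
    hdr = BSD_HDR_RE.match(rest)
    if hdr:
        host, msg = hdr.group("host"), hdr.group("msg")
    else:
        # Cisco IOS sends "<PRI>seq: timestamp: %FAC-SEV-MNEMONIC: text" with no
        # hostname unless "logging origin-id" is set; like rsyslog, fall back to
        # the sender address so the file is still named after the router.
        host, msg = sender, rest
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "host": host, "msg": msg}


def router_log_path(host: str, when: datetime, base: str = "/var/log/network") -> Path:
    """Same layout as: /var/log/network/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%-%$HOUR%.log"""
    return Path(base) / f"{when:%Y}" / f"{when:%m}" / f"{when:%d}" / f"{host}-{when:%H}.log"


def write_event(event: dict, when: datetime, base: str) -> Optional[Path]:
    """Apply the 'local5.*  -?RouterLogs' rule: only local5 goes to the router tree."""
    if event["facility"] != "local5":
        return None
    path = router_log_path(event["host"], when, base)
    path.parent.mkdir(parents=True, exist_ok=True)  # rsyslog creates these dirs itself
    with path.open("a", encoding="utf-8") as fh:
        # roughly rsyslog's traditional file format: timestamp, host, message
        fh.write(f"{when:%b %d %H:%M:%S} {event['host']} {event['msg']}\n")
    return path


# Constructed sample datagrams (not real captures); addresses follow the exercise.
SAMPLES = [
    # local5.notice (PRI 21*8+5 = 173), as a router sends after "logging facility local5"
    ("10.10.0.6", b"<173>12: *Mar  1 02:20:24.941: %SYS-5-CONFIG_I: Configured from console by vty0 (10.10.0.250)"),
    # local5.notice with a BSD header that carries a hostname
    ("10.10.0.6", b"<173>Mar  1 02:21:10 rtr0 13: %LINK-5-CHANGED: Interface Loopback999, changed state to administratively down"),
    # user.notice (PRI 13) from a PC: must NOT land in the router tree
    ("10.10.0.250", b"<13>Mar  1 02:21:11 pc0 user: hello"),
]
DEMO_TIME = datetime(2011, 3, 1, 2, 20, 24)


def process_samples(base: Optional[str] = None, when: datetime = DEMO_TIME) -> list:
    """Run the samples through parser and rule; returns (facility.severity, host, path-or-None)."""
    base = base or tempfile.mkdtemp(prefix="network-logs-")
    out = []
    for sender, dgram in SAMPLES:
        ev = parse_syslog(dgram, sender)
        path = write_event(ev, when, base)
        out.append((f"{ev['facility']}.{ev['severity']}", ev["host"], path))
    return out


def serve(port: int = 514, base: str = "/var/log/network") -> None:
    """Listen like '$UDPServerRun 514' (binding port 514 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (addr, _port) = sock.recvfrom(65535)
        write_event(parse_syslog(data, addr), datetime.now(), base)


if __name__ == "__main__":
    for line in process_samples():
        print(line)
```

Running it prints, for each sample, the decoded facility.severity, the host the file is named after, and the path written (None for the user.notice message, which the local5 rule ignores). Note that the first sample is filed under the sender address 10.10.0.6, exactly as in the tcpdump output above, because the router did not put its own name in the message.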
4. On your PC, see if messages are starting to appear under

        /var/log/network/2011/.../

5. If not, try to log back into the router, run some "config" commands,
   then log out, i.e.:

        $ ssh 10.10.X.254
        rtrX.ws.nsrc.org> enable
        rtrX.ws.nsrc.org# config terminal
        rtrX.ws.nsrc.org(config)# exit
        rtrX.ws.nsrc.org# exit

   If still nothing appears, check that rsyslog is actually listening on
   UDP port 514 ("# ss -ulnp" or "# netstat -ulnp"), that the packets
   reach the PC (the tcpdump command above), and that no host firewall
   is dropping them.

Be sure you log out of the router when you are finished.
If too many people log in without logging out then others cannot gain access
to the router.

Other commands to try while you are logged into the router, in config mode:

- shutdown / no shutdown the Loopback interfaces, for example:

        rtrX# conf t
        rtrX(config)# interface Loopback 999
        rtrX(config-if)# shutdown

        wait a few seconds

        rtrX(config-if)# no shutdown

        Then exit, and save the config ("write")


Check the logs under /var/log/network

What other commands can you think of that you can run on the
router (BE CAREFUL!) that will trigger syslog messages?

What about access lists?

Others?