Agenda: exercises-log-management-swatch.txt

File exercises-log-management-swatch.txt, 4.5 KB (added by regnauld, 8 years ago)
Network Management & Monitoring

Log management, part II: Using swatch
--------------------------------------


Notes:
------
* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands preceded by a more specific prompt (e.g. "RTR-GW>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.

Exercises
---------

0. Log in to your PC or open a terminal window as the root user:

        $ sudo bash

1. Let's enable logging of everything to a single file:

        # vi /etc/rsyslog.conf

        - Find the line

        local5.*                        -?RouterLogs

        ... and add a new line below it:

        local5.*            /var/log/network/everything

... this will also log ALL messages to a single file, so that we can run a
monitoring script on them.

        - Now restart rsyslog:

        # service rsyslog restart

2. Enable a daily automated script to truncate the log file so it doesn't
grow too big:

        # vi /etc/logrotate.d/everything

        - In the file add the following:

        /var/log/network/everything {
          daily
          copytruncate
          rotate 1
          postrotate
                /etc/init.d/swatch restart
          endscript
        }


3. Install swatch:

        # apt-get install swatch

4. Create the file /etc/swatch.conf and add the following rules to it:

        # vi /etc/swatch.conf

        watchfor /PRIV_AUTH_PASS/
                mail=sysadm,subject=Enable mode entered
                threshold type=limit,count=1,seconds=3600

        watchfor /CONFIG_I/
                mail=sysadm,subject=Router configuration
                threshold type=limit,count=1,seconds=3600

        watchfor /LINK/
                mail=sysadm,subject=Link state change
                threshold type=limit,count=1,seconds=3600

        watchfor /SSH/
                mail=sysadm,subject=SSH connection
                threshold type=limit,count=1,seconds=3600

        Save the file and exit.


5. Start swatch:

        # swatch -c /etc/swatch.conf --daemon -t /var/log/network/everything

        Check that it is running:

        # ps ax | grep swatch

6. Log in to your router, and run some "config" commands (example below):

        # telnet 10.10.X.254            [where "X" is your router number]
        rtrX.ws.nsrc.org> enable
        Password: <password>
        rtrX.ws.nsrc.org# config terminal
        rtrX.ws.nsrc.org(config)# int FastEthernet0/0
        rtrX.ws.nsrc.org(config-if)# description Description Change for FastEthernet0/0 for Swatch
        rtrX.ws.nsrc.org(config-if)# ctrl-z
        rtrX.ws.nsrc.org# write memory
        rtrX.ws.nsrc.org# exit

        Just as in the previous exercise, attempt to shutdown / no shutdown
        a loopback interface.

7. Verify that you are receiving emails to the sysadm user from Swatch:

        $ su - sysadm
        $ mutt -f /var/mail/sysadm


8. Let's add some ACLs to the router:

        rtrX# conf t
        rtrX(config)# access-list 123 deny tcp any host 10.10.X.254 eq 23 log
        rtrX(config)# access-list 123 permit ip any any
        rtrX(config)# interface fastEthernet 0/1
        rtrX(config-if)# ip access-group 123 in
        rtrX(config-if)# exit

        (remember, X is the number of your group)

        Explanation: we are now explicitly filtering Telnet to the router on the
        inside interface, but we allow anything else.  The "permit" statement
        is required or we would be disabling all IP access to the router!

9. Test that it works:

        From your PC:

        $ telnet 10.10.X.254
        Trying 10.10.X.254...
        telnet: Unable to connect to remote host: No route to host
        $

        Notice that it says "No route to host" instead of "Connection refused".

        This is because, although Telnet was already disabled when we enabled
        SSH on the routers, an active ACL responds differently from a closed
        port (TCP RST vs. ICMP Host Unreachable).

        Now check out /var/log/network/everything:

        $ tail /var/log/network/everything
        Jun  2 13:46:14 rtrX 6133: *Jun  2 15:46:13.552: %SEC-6-IPACCESSLOGP: list 123 denied tcp 10.10.X.37(43523) -> 10.10.X.254(23), 1 packet

        Hint: if your log is filled with "SSH-5-*" messages, filter them out like this:

        $ grep -v SSH-5 /var/log/network/everything | tail

        ... you should see SEC-6-IPACCESSLOGP messages.

10. Add a new swatch rule to detect these events:

        # vi /etc/swatch.conf

        ... and add this:

        watchfor /SEC-6-IPACCESS/
                mail=sysadm,subject=Blocked connection
                threshold type=limit,count=1,seconds=3600
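
To check how these rules will behave before pointing them at a live router, here is an added Python example (not part of the original exercise, and not swatch's own code): it parses two of the /etc/swatch.conf rules above, the SSH one and the SEC-6-IPACCESS one just added, replays them over a constructed sample of /var/log/network/everything, and applies the threshold type=limit logic as modelled here (the first count matches in a window of seconds that opens at the first match are reported, the rest are dropped until the window expires). The sample log lines and the year used to parse syslog timestamps are assumptions.

```python
import re
from datetime import datetime

# Constructed copy of two /etc/swatch.conf rules from above (a model of swatch, not its code).
SWATCH_CONF = """\
watchfor /SSH/
        mail=sysadm,subject=SSH connection
        threshold type=limit,count=1,seconds=3600
watchfor /SEC-6-IPACCESS/
        mail=sysadm,subject=Blocked connection
        threshold type=limit,count=1,seconds=3600
"""
# Constructed sample of /var/log/network/everything in the format shown above.
SAMPLE_LOG = """\
Jun  2 13:46:14 rtrX 6133: *Jun  2 15:46:13.552: %SEC-6-IPACCESSLOGP: list 123 denied tcp 10.10.X.37(43523) -> 10.10.X.254(23), 1 packet
Jun  2 13:46:20 rtrX 6134: *Jun  2 15:46:19.101: %SEC-6-IPACCESSLOGP: list 123 denied tcp 10.10.X.37(43524) -> 10.10.X.254(23), 1 packet
Jun  2 13:50:02 rtrX 6135: *Jun  2 15:50:01.004: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.10.X.37 (tty = 0) Succeeded
Jun  2 14:47:00 rtrX 6136: *Jun  2 16:46:59.300: %SEC-6-IPACCESSLOGP: list 123 denied tcp 10.10.X.37(43525) -> 10.10.X.254(23), 1 packet
"""

def parse_conf(text):
    """Turn watchfor / mail / threshold stanzas into rule dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("watchfor "):
            rules.append({"re": re.compile(line.split(None, 1)[1].strip("/")),
                          "subject": "", "count": 1, "seconds": 0, "start": None, "hits": 0})
        elif line.startswith("mail="):
            rules[-1]["subject"] = line.split("subject=", 1)[1]
        elif line.startswith("threshold "):
            opts = dict(kv.split("=") for kv in line.split(None, 1)[1].split(","))
            rules[-1]["count"], rules[-1]["seconds"] = int(opts["count"]), int(opts["seconds"])
    return rules

def run_swatch(conf, log, year=2014):
    """Return the (time, subject) mails the rules would send for `log`.
    type=limit: report the first `count` matches in a window of `seconds` that
    opens at the first match, then stay silent until the window has expired.
    Syslog lines carry no year, so `year` is assumed for timestamp parsing."""
    rules, mails = parse_conf(conf), []
    for line in log.splitlines():
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        for r in [r for r in rules if r["re"].search(line)]:
            if r["start"] is None or (ts - r["start"]).total_seconds() >= r["seconds"]:
                r["start"], r["hits"] = ts, 0  # open a fresh window
            r["hits"] += 1
            if r["hits"] <= r["count"]:
                mails.append((ts.strftime("%H:%M:%S"), r["subject"]))
    return mails
```

Four lines match but only three mails result: the second denied-Telnet line falls inside the first hour-long window and is suppressed, which is the effect of count=1,seconds=3600.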

11. Kill swatch, and restart it:

        # ps ax | grep swatch | grep -v grep

        12345 ?        Ss     0:00 /usr/bin/swatch -c /etc/swatch.conf --daemon -t /var/log/network/everything


        The number on the LEFT is the PID you need to kill - here 12345:

        # kill 12345    (use the number YOU got!)

12. Restart swatch:

        # swatch -c /etc/swatch.conf --daemon -t /var/log/network/everything

13. Try to telnet to the router again, and check your mail!

177        # swatch -c /etc/swatch.conf --daemon -t /var/log/network/everything
178
17912. Try to telnet to the router again, and check your mail!
180