Agenda: exercises-log-management-rsyslog.page

File exercises-log-management-rsyslog.page, 6.3 KB (added by brian, 7 years ago)

Line
1	% Log Management Part 1: Using rsyslog
2	%
3	% Network Management & Monitoring
4
5	# Notes
6
7	* Commands preceded with "$" imply that you should execute the command as
8	a general user - not as root.
9	* Commands preceded with "#" imply that you should be working as root.
10	* Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>")
11	imply that you are executing commands on remote equipment, or within
12	another program.
13
14	# Exercise
15
16	The routers are able to send syslog messages to multiple destinations,
17	so that 1 router can send messages to 4 or even 5 destinations.
18	We therefore need to configure the router to send messages to each of
19	the PCs in the group.
20
21	## Configure sending of syslog
22
23	Configure your virtual router to send syslog messages to every server
24	in your group.
25
26	Everyone in your group should log into your group's router and do the
27	following:
28
29	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
30	$ ssh cisco@rtrX
31	rtrX> enable
32	rtrX# config terminal
33
34	rtrX(config)# logging 10.10.Y.Y
35
36	... where X.Y is the IP of your PC (group + number).
37
38	rtrX(config)# logging facility local5
39	rtrX(config)# logging userinfo
40	rtrX(config)# exit
41	rtrX# write memory
42	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
43
44	Now run `show logging` to see the summary of the log configuration.
45
46	The other participants in your group will be doing the same thing,
47	so you should not be surprised if you see other destinations as well
48	in the output of "show logging"
49
50	Logout from the router (exit):
51
52	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
53	rtrX# exit
54	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
55
56	That's it. The router should now be sending UDP SYSLOG packets to your PC
57	on port 514.
58
59	To verify this log in on your PC and do the following:
60
61	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
62	$ sudo bash
63	# tcpdump -s0 -n -i eth0 udp port 514
64	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
65
66	Then have one person in your group log back in on the router and do the
67	following:
68
69	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
70	$ ssh cisco@rtrX
71	rtrX> enable
72	rtrX# config terminal
73	rtrX(config)# exit
74	rtrX> exit
75	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
76
77	You should see some output on your PC's screen from `tcpdump`. It should look
78	something like:
79
80	02:20:24.942289 10.10.0.6.63515 > 10.10.0.250.514: SYSLOG local5.notice, length: 102
81	02:20:24.944376 10.10.0.6.53407 > 10.10.0.241.514: SYSLOG local5.notice, length: 102
82
83	(Aside: tcpdump will show you the content of the syslog messages if you
84	add `-v` to the command line)
85
86	Now you can configure the logging software on your PC to receive this
87	information and log it to a new set of files.
88
89
90	## Configure rsyslog
91
92	Edit file `/etc/rsyslog.conf` and find and un-comment the following lines
93	(that is, remove the initial '#' only)
94
95	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
96	#$ModLoad imudp
97	#$UDPServerRun 514
98	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
99
100	Then change this line:
101
102	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
103	$PrivDropToGroup syslog
104	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
105
106	to
107
108	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
109	$PrivDropToGroup adm
110	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
111
112	Then save the file and exit.
113
114	Now, create a file named `/etc/rsyslog.d/30-routerlogs.conf` with the following lines:
115
116	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
117	$template RouterLogs,"/var/log/network/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%-%$HOUR%.log"
118	local5.* -?RouterLogs
119	& ~
120	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
121
122	Save and exit, then:
123
124	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
125	# mkdir /var/log/network
126	# chown syslog:adm /var/log/network
127	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
128
129	Restart rsyslog:
130
131	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
132	# service rsyslog restart
133	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
134
135
136	## Test syslog
137
138	On your PC, See if messages are starting to appear under
139	`/var/log/network/<year>/.../`
140
141	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
142	$ cd /var/log/network
143	$ ls
144	$ cd 2012
145	$ ls
146	... etc
147	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
148
149	If not, try to login back into the router, and run some "config" commands,
150	then logout. e.g.
151
152	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
153	$ ssh cisco@rtrX
154	rtrX> enable
155	rtrX# config terminal
156	rtrX(config)# exit
157	rtrX> exit
158	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
159
160	Be sure you log out of the router when you are finished. If too many people
161	log in without logging out then others cannot gain access to the router.
162
163	Another command to try while logged into the router, in config mode, is
164	to shutdown / no shutdown a Loopback interface, for example:
165
166	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
167	rtrX# conf t
168	rtrX(config)# interface Loopback 999
169	rtrX(config-if) # shutdown
170	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
171
172	wait a few seconds
173
174	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
175	rtrX(config-if) # no shutdown
176	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
177
178	Then exit, and save the config ("write mem")
179
180	Check the logs under `/var/log/network`
181
182	Still no logs?
183
184	Try the following command to send a test log message locally:
185
186	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
187	# logger -p local5.info "Hello World\!"
188	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
189
190	If a file has not been created yet under `/var/log/network`, then check your
191	configuration for typos. Don't forget to restart the rsyslog service each
192	time you change the configuration.
193
194	What other commands can you think of that you can run on the
195	router (BE CAREFUL!) that will trigger syslog messages ?
196
197	What about access lists ?
198
199	Others ?
200