Agenda: exercises-log-management-rsyslog.txt

File exercises-log-management-rsyslog.txt, 9.3 KB (added by sysadmin, 6 years ago)

Line
1	% Log Management Part 1: Using rsyslog
2	%
3	% Network Monitoring & Management
4
5	# Notes
6
7	* Commands preceded with "$" imply that you should execute the command as
8	a general user - not as root.
9	* Commands preceded with "#" imply that you should be working as root.
10	* Commands with more specific command lines (e.g. "RTR-GW>" or "mysql>")
11	imply that you are executing commands on remote equipment, or within
12	another program.
13
14	# Exercise
15
16	The routers are able to send syslog messages to multiple destinations,
17	so that 1 router can send messages to 4 or even 5 destinations.
18	We therefore need to configure the router to send messages to each of
19	the PCs in the group.
20
21	## Configure sending of syslog messages from your group's router
22
23	Configure your virtual router to send syslog messages to every server
24	in your group.
25
26	Everyone in your group should log into your group's router and do the
27	following (assuming you are already logging in on your virtual machine):
28
29	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
30	$ ssh cisco@rtrX
31	rtrX> enable
32	rtrX# config terminal
33
34	rtrX(config)# logging 10.10.X.Y
35
36	... where X.Y is the IP of your PC (group + number, example pc2 = 10.10.1.2).
37
38	rtrX(config)# logging facility local0
39	rtrX(config)# logging userinfo
40	rtrX(config)# exit
41	rtrX# write memory
42	rtrX# exit
43	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
44
45	Now run `show logging` to see the summary of the log configuration.
46
47	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
48	rtrX# show logging
49	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
50
51	The other participants in your group will be doing the same thing, so you
52	should not be surprised if you see other destinations as well in the output
53	of "show logging" - Press SPACE to page through the output
54
55	Logout from the router (exit):
56
57	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
58	rtrX# exit
59	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
60
61	That's it. The router should now be sending UDP SYSLOG packets to your PC
62	on port 514.
63
64	To verify this log in on your PC as user sysadm (if you have not already done so)
65	and do the following:
66
67	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
68	$ sudo bash
69	# apt-get install tcpdump (if already installed dont worry)
70	# tcpdump -s0 -n -i eth0 udp port 514
71	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
72
73	Then have one person in your group log back in on the router and do the
74	following:
75
76	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
77	$ ssh cisco@rtrX
78	rtrX> enable
79	rtrX# config terminal
80	rtrX(config)# exit
81	rtrX> exit
82	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
83
84	You should see some output on your PC's screen from `tcpdump`. It should look
85	something like:
86
87	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
88	11:20:24.942289 10.10.1.254.63515 > 10.10.1.1.514: SYSLOG local0.notice, length: 110
89	11:20:24.944376 10.10.1.254.53407 > 10.10.1.1.514: SYSLOG local0.notice, length: 102
90	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
91
92	When you have seen this, hit Ctrl-C to exit tcpdump.
93
94	Aside: tcpdump would also show you the content of the syslog messages if you
95	add `-v` to the command line. To learn more about tcpdump type "man tcpdump" at
96	the command line
97
98	Now you can configure the logging software on your PC to receive this
99	information and log it to a new set of files.
100
101
102	## Configure rsyslog
103
104	Be sure you are logged in to your virtual machine and that you are the
105	root user.
106
107	Edit the file /etc/rsyslog.conf:
108
109	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
110	# editor /etc/rsyslog.conf
111	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
112
113	...and find and un-comment the following lines
114	(that is, remove the initial '#' only)
115
116	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
117	#$ModLoad imudp
118	#$UDPServerRun 514
119
120	change to:
121
122	$ModLoad imudp
123	$UDPServerRun 514
124	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
125
126	Then change this line:
127
128	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
129	$PrivDropToGroup syslog
130
131	change to:
132
133	$PrivDropToGroup adm
134	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
135
136	Then save the file and exit.
137
138	Now, create a file named "/etc/rsyslog.d/30-routerlogs.conf"
139
140	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
141	# editor /etc/rsyslog.d/30-routerlogs.conf
142	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
143
144	... and add the following lines (carefully COPY and PASTE):
145
146	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
147	$template RouterLogs,"/var/log/network/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%-%$HOUR%.log"
148	local0.* -?RouterLogs
149	& ~
150	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
151
152	PLEASE double check (verify) that what you have pasted is the SAME as what
153	is above. In particular, make sure that you are using TAB and not SPACE
154	between "template" and "RouterLogs", and also between "local0.*" and
155	"-?RouterLogs".
156
157	If the above is not pasted correctly, it will NOT work.
158
159	Save and exit, then do:
160
161	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
162	# mkdir /var/log/network
163	# chown syslog:adm /var/log/network
164	# chmod g+w /var/log/network
165	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
166
167	Restart rsyslog:
168
169	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
170	# service rsyslog restart
171	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
172
173
174	## Test syslog
175
176	To be sure there are some logging messages log back in to the router, and run
177	some "config" commands, then logout. e.g.
178
179	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
180	$ ssh cisco@rtrX
181	rtrX> enable
182	rtrX# config terminal
183	rtrX(config)# exit
184	rtrX> exit
185	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
186
187	Be sure you log out of the router when you are finished. If too many people
188	log in without logging out then others cannot gain access to the router.
189
190	On your PC, See if messages are starting to appear under
191	`/var/log/network/<year>/<month>/<day>/`
192
193	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
194	$ cd /var/log/network
195	$ ls
196	$ cd 2013
197	$ ls
198	... this will show you the directory for the month
199	... cd into this directory
200	$ ls
201	... repeat for the next level (the day of the month)
202	$ ls
203	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
204
205	Then use 'tail' to look at the log file(s) in this directory. The names
206	are dynamic based on the sender and the host, so use the file that you see.
207	It may be something like this:
208
209	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
210	$ ls
211	rtr8-16.log
212	$ tail rtr8-16.log
213	... logging messages are shown ...
214	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
215
216	## Troubleshooting rsyslog
217
218	If no files are appearing under the /var/log/network directory, then
219	another command to try while logged into the router, in config mode, is
220	to shutdown / no shutdown a Loopback interface, for example:
221
222	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
223	$ ssh cisco@rtrX
224	rtrX> enable
225	rtrX# conf t
226	rtrX(config)# interface Loopback 999
227	rtrX(config-if)# shutdown
228	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
229
230	wait a few seconds
231
232	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
233	rtrX(config-if)# no shutdown
234	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
235
236	Then exit, and save the config ("write mem"):
237
238	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
239	rtrX(config-if)# exit
240	rtrX(config)# exit
241	rtrX# write memory
242	rtr1# exit
243	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
244
245	Check the logs under `/var/log/network`
246
247	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
248	# cd /var/log/network
249	# ls
250	...follow the directory trail
251	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
252
253	Still no logs?
254
255	Try the following command to send a test log message locally:
256
257	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
258	# logger -p local0.info "Hello World\!"
259	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
260
261	If a file has not been created yet under `/var/log/network`, then check your
262	configuration for typos. Don't forget to restart the rsyslog service each
263	time you change the configuration.
264
265	What other commands can you think of that you can run on the router (BE CAREFUL!)
266	that will trigger syslog messages? You could try logging in on the router
267	and typing an incorrect password for "enable".
268
269	Be sure that you do an "ls" command in your logging directory to see if a new
270	log file has been created at some point.
271