Agenda: exercises-log-management-syslog-ng.htm

File exercises-log-management-syslog-ng.htm, 9.3 KB (added by admin, 5 years ago)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
<html xmlns="">
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta http-equiv="Content-Style-Type" content="text/css" />
  <meta name="generator" content="pandoc" />
  <title>Network Management &amp; Monitoring</title>
  <link rel="stylesheet" href="../../style.css" type="text/css" />
<div id="header">
<h1 class="title">Network Management &amp; Monitoring</h1>
<h3 class="date">Log management: Using syslog-ng</h3>
</div>
<div id="TOC">
<ul>
<li><a href="#introduction"><span class="toc-section-number">1</span> Introduction</a><ul>
<li><a href="#goals"><span class="toc-section-number">1.1</span> Goals</a></li>
<li><a href="#notes"><span class="toc-section-number">1.2</span> Notes</a></li>
</ul></li>
<li><a href="#exercises"><span class="toc-section-number">2</span> Exercises</a></li>
<li><a href="#configure-your-virtual-routers-to-send-syslog-messages-to-your-server"><span class="toc-section-number">3</span> 1. Configure your virtual routers to send syslog messages to your server:</a></li>
<li><a href="#install-syslog-ng"><span class="toc-section-number">4</span> 2. Install syslog-ng</a></li>
<li><a href="#edit-etcsyslog-ngsyslog-ng.conf"><span class="toc-section-number">5</span> 3. Edit /etc/syslog-ng/syslog-ng.conf</a></li>
<li><a href="#create-the-directory-varlognetwork"><span class="toc-section-number">6</span> 4. Create the directory /var/log/network/</a></li>
<li><a href="#restart-syslog-ng"><span class="toc-section-number">7</span> 5. Restart syslog-ng:</a></li>
<li><a href="#test-syslog"><span class="toc-section-number">8</span> 6. Test syslog</a></li>
<li><a href="#troubleshooting"><span class="toc-section-number">9</span> Troubleshooting</a></li>
</ul>
</div>
<h1 id="introduction"><a href="#TOC"><span class="header-section-number">1</span> Introduction</a></h1>
<h2 id="goals"><a href="#TOC"><span class="header-section-number">1.1</span> Goals</a></h2>
<ul>
<li>Learn how to use syslog-ng to manage logs.</li>
</ul>
<h2 id="notes"><a href="#TOC"><span class="header-section-number">1.2</span> Notes</a></h2>
<ul>
<li>Commands preceded with &quot;$&quot; imply that you should execute the command as a general user, not as root.</li>
<li>Commands preceded with &quot;#&quot; imply that you should be working as root.</li>
<li>Commands shown with a more specific prompt (e.g. &quot;rtrX&gt;&quot; or &quot;mysql&gt;&quot;) imply that you are executing commands on remote equipment, or within another program.</li>
</ul>
<h1 id="exercises"><a href="#TOC"><span class="header-section-number">2</span> Exercises</a></h1>
<p>Please find the classmates who are using the same router as you. Get into a group and do the following exercise together. That is, pick one person who will log in to your group's router, but all of you should assist with the actual configuration.</p>
<h1 id="configure-your-virtual-routers-to-send-syslog-messages-to-your-server"><a href="#TOC"><span class="header-section-number">3</span> 1. Configure your virtual routers to send syslog messages to your server:</a></h1>
<p>The routers are able to send syslog messages to multiple destinations, so one router can send messages to four or even five destinations. We therefore need to configure the router to send messages to each of the PCs in the group.</p>
<p>You will SSH to your group's router and do the following:</p>
<pre><code>$ ssh cisco@10.10.X.254
rtrX&gt; enable
rtrX# config terminal</code></pre>
<p>Repeat the next command, &quot;logging 10.10.X.Y&quot;, for each PC in your group. That is, if your group is on router 6 and you are using PCs 21, 22, 23 and 24, you would repeat the command four times, once with the IP address of each machine (,, and so forth).</p>
<pre><code>rtrX(config)# logging 10.10.X.Y

rtrX(config)# logging facility local0
rtrX(config)# logging userinfo
rtrX(config)# exit
rtrX# write memory</code></pre>
<p>Now run 'show logging' to see the summary of the logging configuration:</p>
<pre><code>rtrX# show logging</code></pre>
<p>Log out of the router (exit):</p>
<pre><code>rtrX# exit</code></pre>
<p>That's it. The router should now be sending UDP syslog packets to your PC on port 514. To verify this, log in on your PC and do the following:</p>
<pre><code>$ sudo -s
# apt-get install tcpdump        (don&#39;t worry if it&#39;s already installed)
# tcpdump -s0 -nv -i eth0 port 514</code></pre>
<p>Then have one person in your group log back in on the router and do the following:</p>
<pre><code>$ ssh cisco@10.10.X.254
rtrX&gt; enable
rtrX# config terminal
rtrX(config)# exit
rtrX# exit</code></pre>
<p>You should see some output on your PC's screen from tcpdump. It should look something like:</p>
<pre><code>02:20:24.942289 ca:02:0d:b3:00:08 &gt; 52:54:4a:5e:68:77, ethertype IPv4 (0x0800), length 144: &gt; SYSLOG local0.notice, length: 102
02:20:24.944376 ca:02:0d:b3:00:08 &gt; c4:2c:03:0b:3d:3a, ethertype IPv4 (0x0800), length 144: &gt; SYSLOG local0.notice, length: 102</code></pre>
<p>Now you can configure the logging software on your PC to receive this information and log it to a new set of files.</p>
<h1 id="install-syslog-ng"><a href="#TOC"><span class="header-section-number">4</span> 2. Install syslog-ng</a></h1>
<p>These exercises are done as root. If you are not root on your machine then become root by typing:</p>
<pre><code>$ sudo -s
# apt-get install syslog-ng</code></pre>
<h1 id="edit-etcsyslog-ngsyslog-ng.conf"><a href="#TOC"><span class="header-section-number">5</span> 3. Edit /etc/syslog-ng/syslog-ng.conf</a></h1>
<p>Find the lines:</p>
<pre><code>source s_src {
       system();
       internal();
};</code></pre>
<p>and change them to:</p>
<pre><code>source s_src {
       system();
       internal();
       udp();
};</code></pre>
<p>Save the file and exit.</p>
<p>Now, create a config section for our network logs:</p>
<pre><code># cd /etc/syslog-ng/conf.d/
# editor 10-network.conf</code></pre>
<p>In this file, copy and paste the following:</p>
<pre><code>filter f_routers { facility(local0); };

log {
        source(s_src);
        filter(f_routers);
        destination(routers);
};

destination routers {
        file(&quot;/var/log/network/$YEAR/$MONTH/$DAY/$HOST-$YEAR-$MONTH-$DAY-$HOUR.log&quot;
             owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
             template(&quot;$YEAR $DATE $HOST $MSG\n&quot;));
};</code></pre>
<p>Save the file and exit.</p>
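<p>To see why tcpdump labelled the router packets &quot;local0.notice&quot; and how the configuration above routes them, here is a small added Python example (not part of the original exercise, and not syslog-ng's own code) that decodes the PRI field of a constructed router datagram, applies the same facility test as f_routers, and expands the file() template for a given sender address and receive time. The sample datagram, the sender address 10.10.6.254 and the timestamp are constructed for illustration.</p>

```python
import re
from datetime import datetime

# Constructed sample of one router datagram (RFC 3164 framing, Cisco IOS body).
# <133> is the PRI field: 133 = 16*8 + 5, i.e. facility local0, severity notice,
# the same "local0.notice" that tcpdump reported in the exercise.
SAMPLE = ("<133>42: *Mar  1 00:02:24.942: %SYS-5-CONFIG_I: "
          "Configured from console by cisco on vty0 (10.10.6.21)")

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")

def decode_pri(pri):
    """PRI = facility * 8 + severity; return the two names."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI %d out of range" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def parse_datagram(text):
    """Split a received syslog datagram into facility, severity and message body."""
    m = PRI_RE.match(text)
    if not m:
        raise ValueError("datagram has no <PRI> prefix")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "msg": m.group(2)}

def f_routers(parsed):
    """Same decision as the exercise's filter f_routers { facility(local0); }."""
    return parsed["facility"] == "local0"

def destination_path(host, received):
    """Expand the file() template from 10-network.conf.
    syslog-ng fills $YEAR/$MONTH/$DAY/$HOUR (zero-padded) from the receive time
    and $HOST from the sender's IP address when, as with these routers, the
    header carries no hostname."""
    return "/var/log/network/%04d/%02d/%02d/%s-%04d-%02d-%02d-%02d.log" % (
        received.year, received.month, received.day, host,
        received.year, received.month, received.day, received.hour)

if __name__ == "__main__":
    p = parse_datagram(SAMPLE)
    print(p["facility"], p["severity"], f_routers(p))          # local0 notice True
    print(destination_path("10.10.6.254", datetime(2013, 3, 1, 2, 20, 24)))
```

A message logged locally with facility user (PRI 13, for example) fails the f_routers test, which is why a plain logger invocation without a local0 priority never reaches /var/log/network.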
<h1 id="create-the-directory-varlognetwork"><a href="#TOC"><span class="header-section-number">6</span> 4. Create the directory /var/log/network/</a></h1>
<pre><code># mkdir /var/log/network/</code></pre>
<h1 id="restart-syslog-ng"><a href="#TOC"><span class="header-section-number">7</span> 5. Restart syslog-ng:</a></h1>
<pre><code># service syslog-ng restart</code></pre>
<h1 id="test-syslog"><a href="#TOC"><span class="header-section-number">8</span> 6. Test syslog</a></h1>
<p>To be sure there are some logging messages, log back in to the router, run some &quot;config&quot; commands, then log out, e.g.:</p>
<pre><code>$ ssh cisco@10.10.X.254
rtrX&gt; enable
rtrX# config terminal
rtrX(config)# exit
rtrX# exit</code></pre>
<p>Be sure you log out of the router. If too many people log in without logging out then others cannot gain access to the router.</p>
<ol start="7" style="list-style-type: decimal">
<li>On your PC, see if messages are starting to appear under /var/log/network/2013/.../</li>
</ol>
<pre><code>$ cd /var/log/network
$ ls
$ cd 2013
$ ls
... this will show you the directory for the month
... cd into this directory
$ ls
... repeat for the next level (the day of the month)
$ ls</code></pre>
<h1 id="troubleshooting"><a href="#TOC"><span class="header-section-number">9</span> Troubleshooting</a></h1>
<p>If no files are appearing under the /var/log/network directory, another thing to try while logged in to the router, in config mode, is to shutdown / no shutdown a Loopback interface, for example:</p>
<pre><code>$ ssh cisco@rtrX
rtrX&gt; enable
rtrX# conf t
rtrX(config)# interface Loopback 999
rtrX(config-if)# shutdown</code></pre>
<p>Wait a few seconds, then:</p>
<pre><code>rtrX(config-if)# no shutdown</code></pre>
<p>Then exit, and save the config (&quot;write mem&quot;):</p>
<pre><code>rtrX(config-if)# exit
rtrX(config)# exit
rtrX# write memory
rtrX# exit</code></pre>
<p>Check the logs under <code>/var/log/network</code>:</p>
<pre><code># cd /var/log/network
# ls</code></pre>
<p>...and follow the directory trail.</p>
<p>Still no logs?</p>
<p>Try the following command to send a test log message locally. The priority must use the local0 facility, otherwise the message will not pass the f_routers filter:</p>
<pre><code># logger -p local0.notice &quot;Hello World&quot;</code></pre>
<p>If a file has still not been created under <code>/var/log/network</code>, then check your configuration for typos. Don't forget to restart the syslog-ng service each time you change the configuration.</p>
<p>What other commands can you think of that you can run on the router (BE CAREFUL!) that will trigger syslog messages? You could try logging in on the router and typing an incorrect password for &quot;enable&quot;.</p>
<p>Be sure that you do an &quot;ls&quot; command in your logging directory to see if a new log file has been created at some point.</p>