File exercises-log-management-tenshi.htm, 7.9 KB (added by admin, 5 years ago)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta http-equiv="Content-Style-Type" content="text/css" />
  <meta name="generator" content="pandoc" />
  <title>Log Management Part 2: Using Tenshi</title>
  <link rel="stylesheet" href="../../style.css" type="text/css" />
</head>
<body>
<div id="header">
<h1 class="title">Log Management Part 2: Using Tenshi</h1>
<h3 class="date">Network Monitoring &amp; Management</h3>
</div>
<div id="TOC">
<ul>
<li><a href="#notes"><span class="toc-section-number">1</span> Notes</a></li>
<li><a href="#exercises"><span class="toc-section-number">2</span> Exercises</a><ul>
<li><a href="#update-syslog-ng-configuration"><span class="toc-section-number">2.1</span> Update syslog-ng configuration</a></li>
<li><a href="#log-rotation"><span class="toc-section-number">2.2</span> Log rotation</a></li>
<li><a href="#install-tenshi"><span class="toc-section-number">2.3</span> Install tenshi</a></li>
<li><a href="#configure-tenshi"><span class="toc-section-number">2.4</span> Configure tenshi</a></li>
<li><a href="#testing-tenshi"><span class="toc-section-number">2.5</span> Testing Tenshi</a></li>
<li><a href="#optional-add-a-new-tenshi-rule"><span class="toc-section-number">2.6</span> Optional: Add a new Tenshi rule</a></li>
</ul></li>
</ul>
</div>
<h1 id="notes"><a href="#TOC"><span class="header-section-number">1</span> Notes</a></h1>
<ul>
<li>Commands preceded with &quot;$&quot; imply that you should execute the command as a general user, not as root.</li>
<li>Commands preceded with &quot;#&quot; imply that you should be working as root.</li>
<li>Commands with more specific prompts (e.g. &quot;rtrX&gt;&quot; or &quot;mysql&gt;&quot;) imply that you are executing commands on remote equipment, or within another program.</li>
</ul>
<h1 id="exercises"><a href="#TOC"><span class="header-section-number">2</span> Exercises</a></h1>
<p>First make sure that your routers are configured to send logs to your PC (this should have been done in the previous exercise).</p>
<h2 id="update-syslog-ng-configuration"><a href="#TOC"><span class="header-section-number">2.1</span> Update syslog-ng configuration</a></h2>
<p>If you have not already done so, log in to your virtual machine and become the root user:</p>
<pre><code>$ sudo -s
#</code></pre>
<p>Configure syslog-ng to save all router logs in one file for monitoring purposes.</p>
<p>Edit <code>/etc/syslog-ng/conf.d/10-network.conf</code>,</p>
<pre><code># cd /etc/syslog-ng/conf.d/
# editor 10-network.conf</code></pre>
<p>... and add this line before the last closing brace ( }; ):</p>
<pre><code>file(&quot;/var/log/network/everything&quot;, owner(root) group(root) perm(0644));</code></pre>
<p>In the end, the contents of the file should look like:</p>
<pre><code>filter f_routers { facility(local0); };

log {
    source(s_src);
    filter(f_routers);
    destination(routers);
};

destination routers {
  file(&quot;/var/log/network/$YEAR/$MONTH/$DAY/$HOST-$YEAR-$MONTH-$DAY-$HOUR.log&quot;
  owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
  template(&quot;$YEAR $DATE $HOST $MSG\n&quot;));

  file(&quot;/var/log/network/everything&quot;, owner(root) group(root) perm(0644));

};</code></pre>
<p>This will enable logging of ALL messages matching the local0 facility to a single file, so that we can run a monitoring script on the messages.</p>
<p>Be sure to save and exit from the file.</p>
<p>Now restart syslog-ng so that it sees the new configuration:</p>
<pre><code># service syslog-ng restart</code></pre>
<h2 id="log-rotation"><a href="#TOC"><span class="header-section-number">2.2</span> Log rotation</a></h2>
<p>Create a daily automated logrotate job to truncate the log file so it doesn't grow too big (COPY and PASTE):</p>
<pre><code># editor /etc/logrotate.d/everything

/var/log/network/everything {
  daily
  copytruncate
  rotate 1
  postrotate
    /etc/init.d/tenshi restart
  endscript
}</code></pre>
<p>Then save and exit from the file.</p>
<h2 id="install-tenshi"><a href="#TOC"><span class="header-section-number">2.3</span> Install tenshi</a></h2>
<pre><code># apt-get install tenshi</code></pre>
<h2 id="configure-tenshi"><a href="#TOC"><span class="header-section-number">2.4</span> Configure tenshi</a></h2>
<p>Configure Tenshi to send you alarms whenever a configuration change is logged by the routers (COPY and PASTE):</p>
<pre><code># editor /etc/tenshi/includes-available/network

set logfile /var/log/network/everything
set queue network_alarms tenshi@localhost sysadm@localhost [*/1 * * * *] Log check

group_host 10.10
network_alarms SYS-5-CONFIG_I
network_alarms PRIV_AUTH_PASS
network_alarms LINK
group_end</code></pre>
<p>Then save and exit from the file.</p>
<p>Create a symlink so that Tenshi loads your new file (COPY and PASTE):</p>
<pre><code># ln -s /etc/tenshi/includes-available/network /etc/tenshi/includes-active</code></pre>
<p>Finally restart Tenshi:</p>
<pre><code># service tenshi restart</code></pre>
<h2 id="testing-tenshi"><a href="#TOC"><span class="header-section-number">2.5</span> Testing Tenshi</a></h2>
<p>Log in to your router, and run some &quot;config&quot; commands (example below):</p>
<pre><code>$ ssh cisco@rtrX        [where &quot;X&quot; is your router number]
rtrX&gt; enable
Password: &lt;password&gt;
rtrX# config terminal
rtrX(config)# int FastEthernet0/0
rtrX(config-if)# description Description Change for FastEthernet0/0 for Tenshi
rtrX(config-if)# ctrl-z
rtrX# write memory</code></pre>
<p>Don't exit from the router yet. Just as in the previous syslog-ng exercises, shut down and then re-enable (no shutdown) a loopback interface:</p>
<pre><code>rtrX# conf t
rtrX(config)# interface Loopback 999
rtrX(config-if)# shutdown</code></pre>
<p>Wait a few seconds, then:</p>
<pre><code>rtrX(config-if)# no shutdown</code></pre>
<p>Then exit, and save the config (&quot;write mem&quot;):</p>
<pre><code>rtrX(config-if)# ctrl-z                 (same as typing exit twice)
rtrX# write memory
rtrX# exit</code></pre>
<p>Verify that you are receiving emails to the sysadm user from Tenshi. A quick check is to look in the mail directory:</p>
<pre><code>$ ls -l /var/mail</code></pre>
<ul>
<li>Note: Tenshi checks /var/log/network/everything once a minute, so you may have to wait up to a minute for the email to arrive for the sysadm user.</li>
</ul>
<p>Make sure you are logged in as sysadm (not root). Either open a new session to your virtual machine, or exit from the root shell (<code>exit</code>). Then do:</p>
<pre><code>$ mutt</code></pre>
<p>Scroll <code>up/down</code> to select a message from &quot;tenshi@localhost&quot;, then press <code>ENTER</code> to view it, <code>q</code> to return to the index and <code>q</code> again to quit mutt.</p>
<p>If mails are not arriving, then check the following:</p>
<ul>
<li><p>Are logs arriving in the file <code>/var/log/network/everything</code>?</p>
<pre><code>$ tail /var/log/network/everything</code></pre></li>
<li><p>Do these logs show a hostname like 'rtr5', or possibly an IP like 10.10.5.254? Remember that the way we have configured tenshi, it only looks at hostnames or IP addresses matching the pattern 'rtr' or '10.10' (depending on how you configured tenshi).</p></li>
<li><p>Check your tenshi configuration file. Restart tenshi if you change it.</p></li>
<li><p>If you are still stuck ask an instructor or a neighbor for help.</p></li>
</ul>
<h2 id="optional-add-a-new-tenshi-rule"><a href="#TOC"><span class="header-section-number">2.6</span> Optional: Add a new Tenshi rule</a></h2>
<p>See if you can figure out how to add a rule to Tenshi so that an email is sent if someone enters an incorrect enable password on your router.</p>
<p>Hints:</p>
<ul>
<li>&quot;PRIV_AUTH_FAIL&quot; is the Cisco IOS log message in such cases.</li>
<li>To test your new rule, log in to your router, type &quot;enable&quot; and then enter an incorrect enable password.</li>
</ul>
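<p>The following script is an added example and is not part of the original exercise or of Tenshi itself. It dry-runs the rules from the <code>network</code> include file, plus the PRIV_AUTH_FAIL rule suggested in this section, against constructed log lines written in the <code>$YEAR $DATE $HOST $MSG</code> template the syslog-ng destination uses, so you can see which lines would be queued without waiting a minute for mail. It approximates Tenshi's matching (hostname field against the group_host pattern, then the message against each rule regex in order, first match wins) and also shows why a router logged as 'rtr5' never reaches the queue when group_host is 10.10, which is the troubleshooting case from section 2.5.</p>

```sh
#!/bin/sh
# Added dry run of the Tenshi rules used in this exercise; not part of the
# exercise or of Tenshi itself. It approximates Tenshi's matching: the
# hostname field must match the group_host pattern and the message is then
# tested against each rule regex in order, first match wins.

# Constructed sample lines in the "$YEAR $DATE $HOST $MSG" template that the
# syslog-ng destination writes to /var/log/network/everything.
SAMPLE_LOG='2024 Apr 12 10:01:02 10.10.5.254 12: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (10.10.5.1)
2024 Apr 12 10:01:05 10.10.5.254 13: %LINK-5-CHANGED: Interface Loopback999, changed state to administratively down
2024 Apr 12 10:01:09 10.10.5.254 14: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback999, changed state to up
2024 Apr 12 10:01:20 rtr5 15: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (10.10.5.1)
2024 Apr 12 10:01:30 10.10.5.254 16: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by cisco on vty0 (10.10.5.1)'

# Rules from /etc/tenshi/includes-available/network, plus the optional
# PRIV_AUTH_FAIL rule from section 2.6: "queue regex", one per line.
RULES='network_alarms SYS-5-CONFIG_I
network_alarms PRIV_AUTH_PASS
network_alarms LINK
network_alarms PRIV_AUTH_FAIL'

# dry_run HOST_REGEX RULES < logfile
# Prints "queue<TAB>message" for every line that would be queued. The
# $DATE field is "Mon DD HH:MM:SS", so read splits it into three words.
dry_run() {
    host_re=$1
    rules=$2
    while read -r _year _mon _day _time host msg; do
        printf '%s\n' "$host" | grep -Eq "$host_re" || continue
        printf '%s\n' "$rules" | while read -r queue re; do
            if printf '%s\n' "$msg" | grep -Eq "$re"; then
                printf '%s\t%s\n' "$queue" "$msg"
                break
            fi
        done
    done
}

# count_queued HOST_REGEX RULES: number of sample lines that reach a queue.
count_queued() {
    printf '%s\n' "$SAMPLE_LOG" | dry_run "$1" "$2" | grep -c .
}

# group_host 10.10 is a regex in Tenshi; escape the dot to match literally.
printf '%s\n' "$SAMPLE_LOG" | dry_run '10\.10' "$RULES"
```

To check a real file instead of the constructed sample, replace the last line with <code>dry_run '10\.10' "$RULES" &lt; /var/log/network/everything</code>.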
</body>
</html>