Agenda: exercises-log-management-syslog-ng.htm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta http-equiv="Content-Style-Type" content="text/css" />
  <meta name="generator" content="pandoc" />
  <title>Network Management &amp; Monitoring</title>
  <style type="text/css">code{white-space: pre;}</style>
  <link rel="stylesheet" href="../../style.css" type="text/css" />
</head>
<body>
<div id="header">
<h1 class="title">Network Management &amp; Monitoring</h1>
</div>
<div id="TOC">
<ul>
<li><a href="#introduction"><span class="toc-section-number">1</span> Introduction</a><ul>
<li><a href="#goals"><span class="toc-section-number">1.1</span> Goals</a></li>
<li><a href="#notes"><span class="toc-section-number">1.2</span> Notes</a></li>
</ul></li>
<li><a href="#exercises"><span class="toc-section-number">2</span> Exercises</a></li>
<li><a href="#configure-your-virtual-routers-to-send-syslog-messages-to-your-server"><span class="toc-section-number">3</span> 1. Configure your virtual routers to send syslog messages to your server:</a></li>
<li><a href="#install-syslog-ng"><span class="toc-section-number">4</span> 2. Install syslog-ng</a></li>
<li><a href="#edit-etcsyslog-ngsyslog-ng.conf"><span class="toc-section-number">5</span> 3. Edit /etc/syslog-ng/syslog-ng.conf</a></li>
<li><a href="#create-the-directory-varlognetwork"><span class="toc-section-number">6</span> 4. Create the directory /var/log/network/</a></li>
<li><a href="#restart-syslog-ng"><span class="toc-section-number">7</span> 5. Restart syslog-ng:</a></li>
<li><a href="#test-syslog"><span class="toc-section-number">8</span> 6. Test syslog</a></li>
<li><a href="#troubleshooting"><span class="toc-section-number">9</span> Troubleshooting</a></li>
</ul>
</div>
<h1 id="introduction"><a href="#introduction"><span class="header-section-number">1</span> Introduction</a></h1>
<h2 id="goals"><a href="#goals"><span class="header-section-number">1.1</span> Goals</a></h2>
<ul>
<li>Learn how to use syslog-ng to manage logs.</li>
</ul>
<h2 id="notes"><a href="#notes"><span class="header-section-number">1.2</span> Notes</a></h2>
<ul>
<li>Commands preceded with &quot;$&quot; imply that you should execute the command as a general user - not as root.</li>
<li>Commands preceded with &quot;#&quot; imply that you should be working as root.</li>
<li>Commands with more specific command lines (e.g. &quot;rtrX&gt;&quot; or &quot;mysql&gt;&quot;) imply that you are executing commands on remote equipment, or within another program.</li>
</ul>
<h1 id="exercises"><a href="#exercises"><span class="header-section-number">2</span> Exercises</a></h1>
<p>Please find your classmates that are using the same router as you. Get in to a group and do the following exercise together. That is, pick one person who will log in to your group's router, but all of you should assist with the actual configuration.</p>
<h1 id="configure-your-virtual-routers-to-send-syslog-messages-to-your-server"><a href="#configure-your-virtual-routers-to-send-syslog-messages-to-your-server"><span class="header-section-number">3</span> 1. Configure your virtual routers to send syslog messages to your server:</a></h1>
<p>The routers are able to send syslog messages to multiple destinations, so that 1 router can send messages to 4 or even 5 destinations. We therefore need to configure the router to send messages to each of the PCs in the group.</p>
<p>You will SSH to your group's router and do the following:</p>
<pre><code>$ ssh cisco@10.10.X.254
rtrX&gt; enable
rtrX# config terminal</code></pre>
<p>Repeat the next command &quot;logging 10.10.X.Y&quot; for each PC in your group. That is, if your group is on router 6 and you are using pcs 21, 22, 23 and 24 you would repeat the command four times with the ip of each machine (10.10.6.21, 10.10.6.22, and so forth).</p>
<pre><code>rtrX(config)# logging 10.10.X.Y
...
rtrX(config)# logging facility local0
rtrX(config)# logging userinfo
rtrX(config)# exit
rtrX# write memory</code></pre>
<p>Now run 'show logging' to see the summary of the logging configuration.</p>
<pre><code>rtrX# show logging</code></pre>
<p>Logout from the router (exit)</p>
<pre><code>rtrX# exit</code></pre>
<p>That's it. The router should now be sending UDP SYSLOG packets to your PC on port 514. To verify this log in on your PC and do the following:</p>
<pre><code>$ sudo -s
# apt-get install tcpdump        (don&#39;t worry if it&#39;s already installed)
# tcpdump -s0 -nv -i eth0 port 514</code></pre>
<p>Then have one person in your group log back in on the router and do the following:</p>
<pre><code>$ ssh cisco@10.10.X.254
rtrX&gt; enable
rtrX# config terminal
(config)# exit
rtrX&gt; exit</code></pre>
<p>You should see some output on your PC's screen from TCPDUMP. It should look something like:</p>
<pre><code>08:01:12.154604 IP (tos 0x0, ttl 255, id 11, offset 0, flags [none], proto UDP (17), length 138)
    10.10.9.254.57429 &gt; 10.10.9.36.514: SYSLOG, length: 110
    Facility local0 (16), Severity notice (5)
    Msg: 23: *Feb 19 08:01:10.855: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by cisco on vty0 (10.10.0.117)
08:01:15.519881 IP (tos 0x0, ttl 255, id 12, offset 0, flags [none], proto UDP (17), length 130)
    10.10.9.254.57429 &gt; 10.10.9.36.514: SYSLOG, length: 102
    Facility local0 (16), Severity notice (5)
    Msg: 24: *Feb 19 08:01:14.215: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (10.10.0.117)</code></pre>
<p>Now you can configure the logging software on your PC to receive this information and log it to a new set of files.</p>
<h1 id="install-syslog-ng"><a href="#install-syslog-ng"><span class="header-section-number">4</span> 2. Install syslog-ng</a></h1>
<p>These exercises are done as root. If you are not root on your machine then become root by typing:</p>
<pre><code>$ sudo -s
# apt-get install syslog-ng</code></pre>
<h1 id="edit-etcsyslog-ngsyslog-ng.conf"><a href="#edit-etcsyslog-ngsyslog-ng.conf"><span class="header-section-number">5</span> 3. Edit /etc/syslog-ng/syslog-ng.conf</a></h1>
<p>Find the lines:</p>
<pre><code>source s_src {
       system();
       internal();
};</code></pre>
<p>and change them to:</p>
<pre><code>source s_src {
       system();
       internal();
       udp();
};</code></pre>
<p>Save the file and exit.</p>
<p>Now, create a config section for our network logs:</p>
<pre><code># cd /etc/syslog-ng/conf.d/
# editor 10-network.conf</code></pre>
<p>In this file, copy and paste the following:</p>
<pre><code>    filter f_routers { facility(local0); };

    log {
            source(s_src);
            filter(f_routers);
            destination(routers);
    };

    destination routers {
     file(&quot;/var/log/network/$YEAR/$MONTH/$DAY/$HOST-$YEAR-$MONTH-$DAY-$HOUR.log&quot;
     owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
     template(&quot;$YEAR $DATE $HOST $MSG\n&quot;));
    };</code></pre>
<p>Save the file and exit.</p>
<h1 id="create-the-directory-varlognetwork"><a href="#create-the-directory-varlognetwork"><span class="header-section-number">6</span> 4. Create the directory /var/log/network/</a></h1>
<pre><code># mkdir /var/log/network/</code></pre>
<h1 id="restart-syslog-ng"><a href="#restart-syslog-ng"><span class="header-section-number">7</span> 5. Restart syslog-ng:</a></h1>
<pre><code># service syslog-ng restart</code></pre>
<h1 id="test-syslog"><a href="#test-syslog"><span class="header-section-number">8</span> 6. Test syslog</a></h1>
<p>To be sure there are some logging messages log back in to the router, and run some &quot;config&quot; commands, then logout. e.g.</p>
<pre><code># ssh cisco@10.10.X.254
rtrX&gt; enable
rtrX# config terminal
rtrX(config)# exit
rtrX&gt; exit</code></pre>
<p>Be sure you log out of the router. If too many people log in without logging out then others cannot gain access to the router.</p>
<ol start="7" style="list-style-type: decimal">
<li>On your PC, See if messages are starting to appear under /var/log/network/2013/.../</li>
</ol>
<pre><code>$ cd /var/log/network
$ ls
$ cd 2014
$ ls
... this will show you the directory for the month
... cd into this directory
$ ls
... repeat for the next level (the day of the month)
$ ls</code></pre>
<p>You can view the resulting log file by using a pager program such as less, more, cat, etc...</p>
<h1 id="troubleshooting"><a href="#troubleshooting"><span class="header-section-number">9</span> Troubleshooting</a></h1>
<p>If no files are appearing under the /var/log/network directory, then another command to try while logged into the router, in config mode, is to shutdown / no shutdown a Loopback interface, for example:</p>
<pre><code>$ ssh cisco@rtrX

rtrX&gt; enable
rtrX# conf t
rtrX(config)# interface Loopback 999
rtrX(config-if)# shutdown</code></pre>
<p>wait a few seconds</p>
<pre><code>rtrX(config-if)# no shutdown</code></pre>
<p>Then exit, and save the config (&quot;write mem&quot;):</p>
<pre><code>rtrX(config-if)# exit
rtrX(config)# exit
rtrX# write memory
rtr1# exit</code></pre>
<p>Check the logs under <code>/var/log/network</code></p>
<pre><code># cd /var/log/network
# ls</code></pre>
<p>...follow the directory trail</p>
<p>Still no logs?</p>
<p>Try the following command to send a test log message locally:</p>
<pre><code>    # logger -p local0.info &quot;Hello World\!&quot;</code></pre>
<p>If a file has not been created yet under <code>/var/log/network</code>, then check your configuration for typos. Don't forget to restart the syslog-ng service each time you change the configuration.</p>
<p>What other commands can you think of that you can run on the router (BE CAREFUL!) that will trigger syslog messages? You could try logging in on the router and typing an incorrect password for &quot;enable&quot;.</p>
<p>Be sure that you do an &quot;ls&quot; command in your logging directory to see if a new log file has been created at some point.</p>
</body>
</html>