Configuring Syslog-ng to receive logs from remote hosts

Hello, dear readers!

It has been a while since I posted anything new on this site. I have been busy: I changed jobs and prepared for my first Junos OS exam. :)

Today I will talk less about Junos and more about how to configure Syslog-ng so that the logs generated by our network equipment can be stored centrally.

For this we need a server running Linux; I chose Ubuntu for this scenario. We also need network devices, a router or switch, on which to configure syslog. I used two Juniper EX4300-48T switches. The logical topology of the network is shown below.

[Figure: Remote_logging_Syslog-ng, logical topology of the network]

If we have a Juniper switch and want it to send its logs to a central server, we use the command:

set system syslog host 10.10.10.254 port 20514 any any

We check the configuration to make sure the logs will be sent to 10.10.10.254 on port 20514 ("any any" selects every facility at every severity; Junos sends these over UDP, so the server must listen for UDP on the same port). It should look roughly like this:

{master:0}[edit]
test@Bucuresti# edit system syslog

{master:0}[edit system syslog]
test@Bucuresti# show
user * {
    any emergency;
}
host 10.10.10.254 {
    any any;
    port 20514;
}
file messages {
    any notice;
    authorization info;
}
file interactive-commands {
    interactive-commands any;
}
file default-log-messages {
    any any;
    match "(FRU Offline)|(FRU Online)|(FRU insertion)|(FRU power)|(FRU removal)| (commit complete)|(copying configuration to juniper.save)|(license add)|(license delete)|(link UP)|(package -X delete)|(package -X update)|(plugged in)|(requested 'commit' operation)|(unplugged)|Transferred|ifAdminStatus|transfer-file|transitioned| LFMD_3AH | RPD_MPLS_PATH_BFD|(Backup changed)|(Backup detected)|(Master Changed, Members Changed)|(Master Detected, Members Changed)|(Master Unchanged, Members Changed)|(Master changed)|(Master detected)|(interface vcp-)|(vc add)|( vc delete)|CFMD_CCM_DEFECT|(AIS_DATA_AVAILABLE)";
    structured-data;
}

{master:0}[edit system syslog]
test@Bucuresti#

Once the switches are configured to send their logs to the central server, we continue with the configuration of the Linux server.

On the server we install the open-source Syslog-ng application. For that, we use the command:

petregmd@ubuntu-server:~$ sudo apt-get install syslog-ng

After the installation we use the command:

whereis syslog-ng

to see where all the files were put.

petregmd@ubuntu-server:~$ whereis syslog-ng
syslog-ng: /usr/sbin/syslog-ng /etc/syslog-ng /usr/lib/syslog-ng /usr/share/syslog-ng /usr/share/man/man8/syslog-ng.8.gz
petregmd@ubuntu-server:~$

We move to the directory where the syslog-ng configuration files were put.

petregmd@ubuntu-server:~$ cd /etc/syslog-ng/
petregmd@ubuntu-server:/etc/syslog-ng$ ls -a
. .. conf.d patterndb.d scl.conf syslog-ng.conf syslog-ng.conf.bkp
petregmd@ubuntu-server:/etc/syslog-ng$

We edit the file syslog-ng.conf. The lines we add are the ones under the comments that begin with "# Add the lines below"; everything else is the Debian default, left in place (commented out) so the file stays compatible with the local sysklogd-style configuration.

@version: 3.5
@include "scl.conf"
@include "`scl-root`/system/tty10.conf"

# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.

# First, set some global options.
options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
          owner("root"); group("adm"); perm(0640); stats_freq(0);
          bad_hostname("^gconfd$");
};

########################
# Sources
########################
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
#source s_src {
#       system();
#       internal();
#};

# Add the lines below
# If you wish to get logs from remote machine you should uncomment
# this and comment the above source line.
#
# ip() is the local address syslog-ng binds to: it must be the address the
# switches were told to send to (10.10.10.254 in the "set system syslog host"
# command above), and port() must match the port given there. keep_hostname()
# is left at its default (no), so $HOST is taken from the sender's IP address
# and not from the hostname inside the message. udp() is the legacy driver;
# on syslog-ng 3.3 and later, network(transport("udp") ...) is the equivalent.
source s_net { udp(ip(10.10.10.254) port(20514)); };

########################
# Destinations
########################
# First some standard logfile
#destination d_auth { file("/var/log/auth.log"); };
#destination d_cron { file("/var/log/cron.log"); };
#destination d_daemon { file("/var/log/daemon.log"); };
#destination d_kern { file("/var/log/kern.log"); };
#destination d_lpr { file("/var/log/lpr.log"); };
#destination d_mail { file("/var/log/mail.log"); };
#destination d_syslog { file("/var/log/syslog"); };
#destination d_user { file("/var/log/user.log"); };
#destination d_uucp { file("/var/log/uucp.log"); };

# This files are the log come from the mail subsystem.
#
#destination d_mailinfo { file("/var/log/mail.info"); };
#destination d_mailwarn { file("/var/log/mail.warn"); };
#destination d_mailerr { file("/var/log/mail.err"); };

# Add the lines below
# This is where the logs coming from remote hosts go. The $HOST in the
# destination *name* is just part of an identifier and is not expanded; only
# the $HOST inside file() is a template macro, so each sending address gets
# its own file, e.g. /var/log/remote/10.10.10.20.log. The /var/log/remote
# directory must already exist, or add create_dirs(yes) to the file() options.
destination d_$HOST { file("/var/log/remote/$HOST.log"); };

# Logging for INN news system
#
#destination d_newscrit { file("/var/log/news/news.crit"); };
#destination d_newserr { file("/var/log/news/news.err"); };
#destination d_newsnotice { file("/var/log/news/news.notice"); };

# Some `catch-all' logfiles.
#
#destination d_debug { file("/var/log/debug"); };
#destination d_error { file("/var/log/error"); };
#destination d_messages { file("/var/log/messages"); };

# The root's console.
#
#destination d_console { usertty("root"); };

# Virtual console.
#
#destination d_console_all { file(`tty10`); };

# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
#destination d_xconsole { pipe("/dev/xconsole"); };

# Send the messages to an other host
#
#destination d_net { tcp("127.0.0.1" port(1000) log_fifo_size(1000)); };

# Debian only
#destination d_ppp { file("/var/log/ppp.log"); };

########################
# Filters
########################
# Here's come the filter options. With this rules, we can set which
# message go where.

#filter f_dbg { level(debug); };
#filter f_info { level(info); };
#filter f_notice { level(notice); };
#filter f_warn { level(warn); };
#filter f_err { level(err); };
#filter f_crit { level(crit .. emerg); };

#filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
#filter f_error { level(err .. emerg) ; };
#filter f_messages { level(info,notice,warn) and
#                    not facility(auth,authpriv,cron,daemon,mail,news); };

#filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
#filter f_cron { facility(cron) and not filter(f_debug); };
#filter f_daemon { facility(daemon) and not filter(f_debug); };
#filter f_kern { facility(kern) and not filter(f_debug); };
#filter f_lpr { facility(lpr) and not filter(f_debug); };
#filter f_local { facility(local0, local1, local3, local4, local5,
#                          local6, local7) and not filter(f_debug); };
#filter f_mail { facility(mail) and not filter(f_debug); };
#filter f_news { facility(news) and not filter(f_debug); };
#filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };
#filter f_user { facility(user) and not filter(f_debug); };
#filter f_uucp { facility(uucp) and not filter(f_debug); };

#filter f_cnews { level(notice, err, crit) and facility(news); };
#filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };

#filter f_ppp { facility(local2) and not filter(f_debug); };
#filter f_console { level(warn .. emerg); };

########################
# Log paths
########################
#log { source(s_src); filter(f_auth); destination(d_auth); };
#log { source(s_src); filter(f_cron); destination(d_cron); };
#log { source(s_src); filter(f_daemon); destination(d_daemon); };
#log { source(s_src); filter(f_kern); destination(d_kern); };
#log { source(s_src); filter(f_lpr); destination(d_lpr); };
#log { source(s_src); filter(f_syslog3); destination(d_syslog); };
#log { source(s_src); filter(f_user); destination(d_user); };
#log { source(s_src); filter(f_uucp); destination(d_uucp); };

#log { source(s_src); filter(f_mail); destination(d_mail); };
#log { source(s_src); filter(f_mail); filter(f_info); destination(d_mailinfo); };
#log { source(s_src); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
#log { source(s_src); filter(f_mail); filter(f_err); destination(d_mailerr); };

#log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); };
#log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); };
#log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); };
#log { source(s_src); filter(f_cnews); destination(d_console_all); };
#log { source(s_src); filter(f_cother); destination(d_console_all); };

#log { source(s_src); filter(f_ppp); destination(d_ppp); };

#log { source(s_src); filter(f_debug); destination(d_debug); };
#log { source(s_src); filter(f_error); destination(d_error); };
#log { source(s_src); filter(f_messages); destination(d_messages); };

#log { source(s_src); filter(f_console); destination(d_console_all);
#                     destination(d_xconsole); };
#log { source(s_src); filter(f_crit); destination(d_console); };

# All messages send to a remote site
#
#log { source(s_src); destination(d_net); };

# Add the lines below
# Logs received from remote hosts. Every log path must reference a defined
# source and destination; syslog-ng refuses to start on an unresolved name.
log { source(s_net); destination(d_$HOST); };
###
# Include all config files in /etc/syslog-ng/conf.d/
###
@include "/etc/syslog-ng/conf.d/*.conf"

After editing the file, don't forget to save it and restart the syslog-ng service. It is worth running "syslog-ng -s" (syntax check only) before the restart: syslog-ng refuses to start if a log path references a source or destination that is not defined, and a typo here would take the local logging down together with the remote collection.

We restart the service with the command:

petregmd@ubuntu-server:/etc/syslog-ng$ sudo service syslog-ng restart
 * Stopping system logging syslog-ng [ OK ]
 * Starting system logging syslog-ng [ OK ]
petregmd@ubuntu-server:/etc/syslog-ng$

After the restart, confirm with "ss -lunp" (or "netstat -lunp" on older systems) that syslog-ng is bound to UDP 10.10.10.254:20514; if it is listening on another address, the switches' datagrams are silently discarded by the kernel and nothing ever appears in the log files.
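Before relying on the switches, it is useful to send the collector a hand-made message and watch it land in the right file. The script below is an added example, not part of the original post: it builds an RFC 3164 (BSD syslog) datagram of the same shape the EX4300 emits and delivers it over UDP. It assumes the collector is 10.10.10.254:20514 as configured above; the host, program, PID and message text in example_datagram() are made-up test values.

```python
# Added example (not from the original post): build an RFC 3164 (BSD syslog)
# datagram of the kind the EX4300 sends and deliver it to the collector over
# UDP, so the syslog-ng listener can be verified without touching a switch.
# Assumptions: the collector is 10.10.10.254:20514 as in the post; the host,
# program, PID and message text in example_datagram() are made-up test values.
import socket
from datetime import datetime

# Facility and severity codes from RFC 3164 section 4.1.1 (subset).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local1": 17, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def pri(facility: str, severity: str) -> int:
    """The number inside the leading <PRI> is facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value: int) -> tuple:
    """Inverse of pri(): (facility code, severity code)."""
    if not 0 <= value <= 191:
        raise ValueError("PRI out of range")
    return value // 8, value % 8


def build_rfc3164(facility, severity, host, tag, pid, msg, when=None) -> bytes:
    """<PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG

    The day is space-padded (" 3", not "03") and the packet is capped at
    1024 bytes, both per RFC 3164. Newlines are stripped so one datagram
    cannot be turned into two log lines on the collector.
    """
    when = when or datetime.now()
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    msg = msg.replace("\r", " ").replace("\n", " ")
    line = f"<{pri(facility, severity)}>{stamp} {host} {tag}[{pid}]: {msg}"
    return line.encode("ascii", "replace")[:1024]


def example_datagram() -> bytes:
    # Fixed timestamp so the output is reproducible; mimics an mgd line.
    return build_rfc3164("daemon", "notice", "10.10.10.20", "mgd", 14450,
                         "UI_CMDLINE_READ_LINE: User 'test', command 'show version '",
                         when=datetime(2015, 12, 23, 15, 42, 21))


def send(datagram: bytes, collector=("10.10.10.254", 20514)) -> int:
    """Fire the datagram at the collector; returns bytes sent (UDP has no ack)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, collector)


if __name__ == "__main__":
    d = example_datagram()
    print(d.decode())
    n = send(d)
    # syslog-ng names the file after the *sender's* address (keep_hostname(no)),
    # not after the HOST field inside the message.
    print(f"{n} bytes sent; now tail /var/log/remote/<this host's IP>.log on the collector")
```

Note that the file which appears on the collector is named after the address the datagram came from, not after the 10.10.10.20 written into the message: with keep_hostname(no) the hostname in the packet is ignored, which is exactly what keeps a sender from choosing the file name.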

In theory we are done configuring syslog-ng. Let's check whether the logs reach the central server after running a few commands on the switch. Below are the commands I ran on the switch.

{master:0}[edit]
test@Bucuresti# edit system syslog

{master:0}[edit system syslog]
test@Bucuresti# top

{master:0}[edit]
test@Bucuresti# exit
Exiting configuration mode

{master:0}
test@Bucuresti> start shell
%

We go back to the Linux server to see whether we received any logs from the switch. As you can see below, the server is receiving logs from the switch:

petregmd@ubuntu-server:/var/log/remote$ sudo tail -f 10.10.10.20.log
[sudo] password for test:
Dec 23 15:42:21 10.10.10.20 mgd[14450]: UI_CMDLINE_READ_LINE: User 'test', command 'edit system syslog '
Dec 23 15:42:43 10.10.10.20 xntpd[1224]: NTP Server 172.17.28.5 is Unreachable
Dec 23 15:42:57 10.10.10.20 last message repeated 7 times
Dec 23 15:42:58 10.10.10.20 mgd[14450]: UI_CMDLINE_READ_LINE: User 'test', command 'top '
Dec 23 15:42:59 10.10.10.20 xntpd[1224]: NTP Server 172.17.28.5 is Unreachable
Dec 23 15:43:02 10.10.10.20 mgd[14450]: UI_CMDLINE_READ_LINE: User 'test', command 'exit '
Dec 23 15:43:02 10.10.10.20 mgd[14450]: UI_DBASE_LOGOUT_EVENT: User 'test' exiting configuration mode
Dec 23 15:43:10 10.10.10.20 mgd[14450]: UI_CMDLINE_READ_LINE: User 'test', command 'start shell '
Dec 23 15:45:00 10.10.10.20 /usr/sbin/cron[17460]: (root) CMD ( /usr/libexec/atrun)
Dec 23 15:45:00 10.10.10.20 /usr/sbin/cron[17461]: (root) CMD (newsyslog)
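Collecting the lines is only half the job; the point of central logging is to be able to ask them questions. The script below is an added example, not part of the original post: it parses the lines syslog-ng wrote to /var/log/remote/<ip>.log and pulls out an audit trail of what operators typed on the switch, flagging "start shell" (which leaves the Junos CLI and its command logging for a root-capable FreeBSD shell). SAMPLE is the tail output shown above; the list of commands treated as alerts is this example's own choice, not a Junos or syslog-ng default.

```python
# Added example (not from the original post): parse the lines syslog-ng wrote
# to /var/log/remote/<ip>.log and extract an audit trail of what operators
# typed on the switch. SAMPLE is copied from the tail output in the post; the
# list of commands treated as alerts is this example's own choice, not a
# Junos or syslog-ng default.
import re
from collections import Counter

SAMPLE = """\
Dec 23 15:42:21 10.10.10.20 mgd[14450]: UI_CMDLINE_READ_LINE: User 'test', command 'edit system syslog '
Dec 23 15:42:43 10.10.10.20 xntpd[1224]: NTP Server 172.17.28.5 is Unreachable
Dec 23 15:42:57 10.10.10.20 last message repeated 7 times
Dec 23 15:42:58 10.10.10.20 mgd[14450]: UI_CMDLINE_READ_LINE: User 'test', command 'top '
Dec 23 15:42:59 10.10.10.20 xntpd[1224]: NTP Server 172.17.28.5 is Unreachable
Dec 23 15:43:02 10.10.10.20 mgd[14450]: UI_CMDLINE_READ_LINE: User 'test', command 'exit '
Dec 23 15:43:02 10.10.10.20 mgd[14450]: UI_DBASE_LOGOUT_EVENT: User 'test' exiting configuration mode
Dec 23 15:43:10 10.10.10.20 mgd[14450]: UI_CMDLINE_READ_LINE: User 'test', command 'start shell '
Dec 23 15:45:00 10.10.10.20 /usr/sbin/cron[17460]: (root) CMD ( /usr/libexec/atrun)
Dec 23 15:45:00 10.10.10.20 /usr/sbin/cron[17461]: (root) CMD (newsyslog)
""".splitlines()

# "Mmm dd hh:mm:ss HOST PROG[PID]: MSG" as written by syslog-ng's default
# file() template. PROG may contain '/' (cron logs with its full path).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# The "last message repeated N times" line carries no program or PID.
REPEAT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"last message repeated (?P<n>\d+) times$")
# Junos mgd records every CLI line; the command keeps a trailing space.
CMD_RE = re.compile(
    r"UI_CMDLINE_READ_LINE: User '(?P<user>[^']+)', command '(?P<cmd>.*?)\s*'$")

# Commands worth an alert: "start shell" escapes the CLI and its logging,
# the others change the box or its users. Example list, extend to taste.
ALERT_PREFIXES = ("start shell", "request system", "load override",
                  "set system login", "delete system syslog")


def parse_line(line: str):
    """Return a dict of fields, or None if the line is not syslog-shaped."""
    m = LINE_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["repeat"] = 1
        return rec
    m = REPEAT_RE.match(line)
    if m:
        return {"ts": m["ts"], "host": m["host"], "prog": None, "pid": None,
                "msg": line, "repeat": int(m["n"])}
    return None


def audit(lines):
    """Operator commands as (level, text) tuples. Unparsable lines are kept
    as UNPARSED so a collector problem or injected garbage stays visible."""
    events = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            events.append(("UNPARSED", raw))
            continue
        cm = CMD_RE.match(rec["msg"])
        if not cm:
            continue
        cmd = cm["cmd"].strip()
        level = "ALERT" if cmd.startswith(ALERT_PREFIXES) else "CMD"
        events.append((level, f"{rec['ts']} {rec['host']} {cm['user']}: {cmd}"))
    return events


def count_by_program(lines) -> Counter:
    """Messages per program, folding 'last message repeated N times' into
    the program that emitted the previous line (how syslog intends it)."""
    counts, last = Counter(), None
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        prog = rec["prog"] or last
        if prog:
            counts[prog] += rec["repeat"]
        last = prog
    return counts


if __name__ == "__main__":
    for level, text in audit(SAMPLE):
        print(f"{level:8} {text}")
    print(dict(count_by_program(SAMPLE)))
```

Run against the file itself with something like audit(open("/var/log/remote/10.10.10.20.log")). The count_by_program() summary is the quick way to see that most of what the switch sends is NTP noise, which is a hint to fix the NTP server rather than to lower the severity in the "any any" selector.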

As you can see below, in the remote folder, which I created in /var/log/ before installing syslog-ng, two files were created, one per switch. The directory has to exist beforehand (or create_dirs(yes) has to be set on the file() destination); otherwise syslog-ng cannot open the file and the messages are lost.

petregmd@ubuntu-server:/var/log/remote$ ls -lh
total 72K
-rw-r----- 1 root adm 19K Dec 23 15:20 10.10.10.30.log
-rw-r----- 1 root adm 37K Dec 23 15:20 10.10.10.20.log
petregmd@ubuntu-server:/var/log/remote$

One caveat before closing. The collector accepts datagrams from anything that can reach UDP port 20514: the source address is trusted as-is (it becomes the file name), UDP gives neither authentication nor delivery guarantees, and a sender behind a congested link simply loses messages. At the very least restrict the port to the switches' addresses in the server's firewall, and where the devices support it move to TCP or TLS transport, which syslog-ng handles with the network() source.

That is all I had to say about configuring the Syslog-ng server.

Thank you for being with me! If you liked this post, please share it. :)