Centralized Logging with syslog
![Page 1: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/1.jpg)
Building Centralized Logging: Syslog
Steven “Maniac” McGrath
![Page 2: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/2.jpg)
Syslog?
• logging service
• UNIX based
• Networkable
![Page 3: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/3.jpg)
Wait a Sec...Network?
• UDP port 514
• Typically limited to 1024 bytes per message
![Page 4: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/4.jpg)
One more thing...
• FIFO Buffers
• First In First Out
• Rolling View of Logs
• Type of Named Pipe
![Page 5: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/5.jpg)
FIFO...Tasty *chomp*
Diagram: a 3 Line FIFO Buffer holding Item 2, Item 3 and Item 4; Item 5 is entering at the top and Item 1, the oldest, has been pushed out at the bottom.
![Page 6: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/6.jpg)
Getting Started...
• Ubuntu 6.06 Server
• Base Install
![Page 7: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/7.jpg)
Installing Syslog...
• Update The Repository
![Page 8: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/8.jpg)
Upgrade the OS
• We need to upgrade the OS to current.
![Page 9: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/9.jpg)
Install Syslog-NG
• Syslog-NG will remove klogd; this is normal.
![Page 10: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/10.jpg)
Reconfiguring Syslog-ng
• Configuration depends on network environment.
• Windows Hosts
• Cisco Devices
• Linux Hosts
• Other Devices and Gear
![Page 11: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/11.jpg)
First off...Global!
/etc/syslog-ng/syslog-ng.conf
```
options {
    chain_hostnames(0);
    time_reopen(10);
    time_reap(360);
    log_fifo_size(2048);
    create_dirs(yes);
    group(admin);
    perm(0640);
    dir_perm(0755);
    use_dns(no);
    stats_freq(0);
};
```
• Disable Hostname Chaining
• Time to wait before re-establishing a dead connection
• Time to wait before an idle file is closed
• FIFO Buffer size
• Create Directories
• Permissions
• Disable DNS
• Disable Statistic Logging
![Page 12: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/12.jpg)
Next, The Source
/etc/syslog-ng/syslog-ng.conf
```
source s_all {
    internal();
    unix-stream("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
    udp();
};
```
![Page 13: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/13.jpg)
Defining Filters
• Windows Filter
• Cisco Filter
![Page 14: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/14.jpg)
Windows Filter
/etc/syslog-ng/syslog-ng.conf
```
filter f_windows {
    program(MSWinEventLog);
};
```
![Page 15: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/15.jpg)
Cisco Filter
/etc/syslog-ng/syslog-ng.conf
```
filter f_cisco_pix {
    host(IP.OF.PIX.DEVICE);
};
```
![Page 16: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/16.jpg)
General Filter
/etc/syslog-ng/syslog-ng.conf
```
filter f_not_others {
    not host(IP.OF.PIX.DEVICE)
    and not program(MSWinEventLog);
};
```
![Page 17: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/17.jpg)
Destinations
• FIFO Buffers
• One Large File
![Page 18: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/18.jpg)
Windows FIFO
/etc/syslog-ng/syslog-ng.conf
```
destination d_windows {
    pipe("/var/log/buffers/windows");
};
```
![Page 19: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/19.jpg)
Cisco FIFO
/etc/syslog-ng/syslog-ng.conf
```
destination d_cisco {
    pipe("/var/log/buffers/cisco");
};
```
![Page 20: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/20.jpg)
General FIFO
/etc/syslog-ng/syslog-ng.conf
```
destination d_gen_fifo {
    pipe("/var/log/buffers/syslog");
};
```
![Page 21: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/21.jpg)
...And the Archive
/etc/syslog-ng/syslog-ng.conf
```
destination d_all {
    file("/var/log/arch/$MONTH$DAY$YEAR");
};
```
![Page 22: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/22.jpg)
Tying it all Together!
• Now we tell syslog to handle the configs. ;)
![Page 23: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/23.jpg)
Windows Log
/etc/syslog-ng/syslog-ng.conf
```
log {
    source(s_all);
    filter(f_windows);
    destination(d_windows);
};
```
![Page 24: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/24.jpg)
Cisco Log
/etc/syslog-ng/syslog-ng.conf
```
log {
    source(s_all);
    filter(f_cisco_pix);
    destination(d_cisco);
};
```
![Page 25: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/25.jpg)
General FIFO
/etc/syslog-ng/syslog-ng.conf
```
log {
    source(s_all);
    filter(f_not_others);
    destination(d_gen_fifo);
};
```
![Page 26: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/26.jpg)
Archive Log
/etc/syslog-ng/syslog-ng.conf
```
log {
    source(s_all);
    destination(d_all);
};
```
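As an added example (not part of the slides, and not syslog-ng code), this Python models what the four log {} statements above set up: it parses BSD-style syslog lines into host and program, applies f_windows, f_cisco_pix and f_not_others, and delivers into bounded buffers that behave like the 3 Line FIFO Buffer shown earlier, so you can see that the three filters partition the stream and that the oldest line falls out of a full FIFO. The PIX address 192.0.2.1, the hostnames and the message texts are constructed.

```python
import re
from collections import deque

PIX_HOST = "192.0.2.1"  # stands in for the deck's IP.OF.PIX.DEVICE (constructed)

# BSD syslog line: <PRI>Mon DD HH:MM:SS host program[pid]: message
_LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                   r"(?P<host>\S+) (?P<program>[^\s:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$")

def parse(line):
    """Split a syslog line into facility, severity, host, program and msg (None if malformed)."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7, "host": m.group("host"),
            "program": m.group("program"), "msg": m.group("msg")}

# The deck's three filters as predicates; f_not_others is the complement of the other two.
def f_windows(e):    return e["program"] == "MSWinEventLog"
def f_cisco_pix(e):  return e["host"] == PIX_HOST
def f_not_others(e): return not f_cisco_pix(e) and not f_windows(e)

# The four log {} statements: (filter, destination); the archive d_all has no filter.
LOG_PATHS = [(f_windows, "d_windows"), (f_cisco_pix, "d_cisco"),
             (f_not_others, "d_gen_fifo"), (None, "d_all")]

def route(lines, fifo_lines=3):
    """Deliver each parsable line to every matching destination; returns {dest: [lines]}.
    pipe() destinations are deques of fifo_lines entries, so the oldest line drops out when
    the buffer is full (the 3 Line FIFO Buffer slide); d_all grows like the archive file."""
    dests = {name: deque(maxlen=fifo_lines) for _, name in LOG_PATHS if name != "d_all"}
    dests["d_all"] = []
    for line in lines:
        e = parse(line)
        if e is None:
            continue  # this model skips malformed lines; syslog-ng itself is more lenient
        for flt, name in LOG_PATHS:
            if flt is None or flt(e):
                dests[name].append(line)
    return {name: list(buf) for name, buf in dests.items()}

SAMPLE = [  # constructed test traffic, not captured logs
    "<166>Jun  5 10:00:01 192.0.2.1 pix: built inbound connection",
    "<13>Jun  5 10:00:02 winhost MSWinEventLog: logon event",
    "<38>Jun  5 10:00:03 webhost sshd[4242]: Accepted publickey for alice",
    "<38>Jun  5 10:00:04 webhost sshd[4243]: Accepted publickey for bob",
    "<30>Jun  5 10:00:05 dbhost cron[77]: (root) CMD (run-parts)",
    "<30>Jun  5 10:00:06 dbhost cron[78]: (root) CMD (logrotate)",
]
```

Running `route(SAMPLE)` leaves only the last three Linux lines in d_gen_fifo while d_all keeps all six, which is exactly the rolling-view behaviour the FIFO slides describe.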
![Page 27: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/27.jpg)
Finishing up...
• Making the FIFO buffers
• Creating the directory structure
![Page 28: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/28.jpg)
Run me :)
```
$ sudo mkdir /var/log/arch
$ sudo mkdir /var/log/buffers
$ sudo mkfifo /var/log/buffers/windows
$ sudo mkfifo /var/log/buffers/cisco
$ sudo mkfifo /var/log/buffers/syslog
```
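The same setup as an added shell example (not from the slides): it creates the archive directory and the three named pipes in one idempotent step, refuses to proceed if a buffer path already exists as something other than a FIFO, and offers a check that the tree is in place. Taking the root directory as a parameter is an assumption made so it can be tried in a scratch directory; run it as root without an argument to get the deck's /var/log layout.

```sh
#!/bin/sh
# Added example, not the deck's own commands. Root dir defaults to /var/log
# (the layout the slides use); pass another path to try it out unprivileged.
set -e

setup_log_tree() {
    root="${1:-/var/log}"
    mkdir -p "$root/arch" "$root/buffers"
    for name in windows cisco syslog; do
        p="$root/buffers/$name"
        if [ -e "$p" ] && [ ! -p "$p" ]; then
            # A regular file here would silently turn the "buffer" into an
            # ever-growing log; refuse instead of writing into it.
            echo "refusing: $p exists and is not a FIFO" >&2
            return 1
        fi
        # mkfifo fails if the path exists, so only create the missing pipes;
        # 0640 matches the perm() value from the options {} block.
        [ -p "$p" ] || mkfifo -m 0640 "$p"
    done
}

# Succeed only if the archive dir and all three FIFOs are present.
verify_log_tree() {
    root="${1:-/var/log}"
    [ -d "$root/arch" ] || return 1
    for name in windows cisco syslog; do
        [ -p "$root/buffers/$name" ] || return 1
    done
}
```

A named pipe only carries data while something is reading it, which is why the deck checks the buffers with `cat /var/log/buffers/...` rather than by looking at file sizes.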
![Page 29: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/29.jpg)
Restart Syslog-ng
$ sudo /etc/init.d/syslog-ng restart
![Page 30: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/30.jpg)
Is it working?
• Check your Logfiles (/var/log/arch/*)
• Check your FIFO Buffers
• cat /var/log/buffers/windows
• cat /var/log/buffers/cisco
• cat /var/log/buffers/syslog
![Page 31: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/31.jpg)
Awesome! Wait....
• How are we gonna view this data?
![Page 32: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/32.jpg)
splunk>
• Web-based Interface
• Indexes arbitrary data
• Searchable
• Reporting
![Page 33: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/33.jpg)
splunk>
• No, I don't work for them...I just really like their product.
![Page 34: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/34.jpg)
Installing splunk>
• Download the latest version (3.0b3 as of writing)
• Extract the tarball
• Run the application
• Make it start up at system boot
![Page 35: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/35.jpg)
Installing splunk>
```
$ wget 'http://www.splunk.com/index.php/download_track?file=/3.0b3/linux/splunk-3.0b3-20872-Linux-i686.tgz&ac=&wget=true&name=wget'
$ sudo mkdir /opt;cd /opt
$ sudo tar xzvf ~/splunk-3.0b3-20872-Linux-i686.tgz
$ sudo /opt/splunk/bin
```
![Page 36: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/36.jpg)
Configuring splunk>
![Page 37: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/37.jpg)
Configuring splunk>
![Page 38: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/38.jpg)
Configuring splunk>
![Page 39: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/39.jpg)
Configuring splunk>
![Page 40: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/40.jpg)
Configuring splunk>
![Page 41: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/41.jpg)
splunk>
![Page 42: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/42.jpg)
Syslog Agents
• Windows Agents
• UNIX Agents
• Other Devices
![Page 43: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/43.jpg)
Windows Logs?
• SNARE Agent
• Converts Event Logs to Syslog
• Free
![Page 44: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/44.jpg)
UNIX Agents
• Use the syslog service!
• `*.* @syslog-server` (forward every facility and priority to the central syslog host; replace syslog-server with its name or address)
![Page 45: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/45.jpg)
Other Devices
• Various systems can be configured
• Cisco, Juniper, Lotus Domino, Apache, IIS, etc. are just a few examples.
![Page 46: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/46.jpg)
Recap
• What is Syslog
• What is FIFO
• Installing and Configuring Syslog-NG
• Installing and Configuring Splunk
• Agents
![Page 47: Centralized Logging with syslog](https://reader033.fdocuments.us/reader033/viewer/2022052315/5554c689b4c90503388b51b6/html5/thumbnails/47.jpg)
Questions?