Configuring Syslog by Octavio
0 likes•1,423 views
Syslog is a protocol and de facto standard for message logging that allows collection of logs from multiple devices to a central collector. It helps address issues with having to look through logs on individual devices, clocks not being synchronized, and searching logs. Syslog defines message priorities and facilities. The document demonstrates configuring a Cisco router to send logs and an Ubuntu system to collect logs using rsyslog. Questions are welcomed from the audience.
Configuring Syslog by Octavio
- 1. Introduction to Syslog Octavio Alvarez [email protected] San Diego Cisco User Group July 19th, 2012
- 2. Overview ● Problems to solve ● The Syslog protocol ● Technicalities – Protocol content, RFCs, etc. ● Example of topologies – A simple one and one a bit more complex. ● Simple demonstration Feel free to interrupt me at any time!
- 3. Problems to solve ● Having to look in each device separately for information collection. ● Having the clocks not exactly synchronized. ● Hard to search in devices without search support (like "include" or "grep"). ● Having to look for past events (more than N-bytes ago).
- 4. Introducing Syslog ● A protocol. ● A de-facto standard... ● ... a documented de-facto standard (RFC 3164) ● ... and is being standardized (RFC 5424, obsoletes RFC 3164).
- 5. The simplest possible logging implementation with Syslog
- 6. Content (obsolete, RFC 3164) ● Priority = 8 * Facility + Severity – Severity (0-7) – Facility (0-23) ● Header – Timestamp (RFC3339 with restrictions) – Hostname (a.k.a. Cisco's "origin") (FQDN, IP, hostname) ● Message
- 7. Content (new, RFC 5424) ● Version ● Application ● Process ID ● Message ID ● Structured data (Element, ID, Param) – Elements: timeQuality, origin, meta
- 8. Severities ● 0: Emergency: system is unusable ● 1: Alert: action must be taken immediately ● 2: Critical: critical conditions ● 3: Error: error conditions ● 4: Warning: warning conditions ● 5: Notice: normal but significant condition ● 6: Informational: informational messages ● 7: Debug: debug-level messages
- 9. Facilities (part 1) ● 0: kernel messages ● 1: user-level messages ● 2: mail system ● 3: system daemons ● 4: security/authorization messages ● 5: messages generated internally by syslogd ● 6: line printer subsystem ● 7: network news subsystem (maybe: RSS, Google group...)
- 10. Facilities (part 2) ● 8: UUCP subsystem (maybe: backup, rsync...) ● 9: clock daemon ● 10: security/authorization messages ● 11: FTP daemon ● 12: NTP subsystem ● 13: log audit ● 14: log alert ● 15: clock daemon ● 16-23: local use 0-7 (local0-7)
- 11. A slightly more complex Syslog usage
- 12. Syslog application-layer "components" (as per the RFC) ● Originator (application-layer) – Cisco router, Apache Server ● Collector (application-layer) – rsyslog, dsyslog, syslog-ng – Solarwinds Kiwi Syslog Server ● Relay (application-layer)
- 13. Syslog application-layer "components" (as per the RFC)
- 14. An extra component: the front-end ● Depends on the storage method. ● Text processors: grep, gawk ● FOSS: php-syslog-ng, Adiscon's Log Analyzer (PhpLogCon), Logzilla, logtool, petit... ● Gratis: Kiwi (basic), WhatsUp Gold's Syslog Server ● Commercial: Splunk, LogRhythm, LogClarity, Logalot, Kiwi (full), XLog-Server, SyslogAppliance, WinSyslog
- 15. Simple demo: configuring a Cisco router as an originator ● Some IOS versions: – logging host A.B.C.D <level> – logging origin <origin-type> – logging on ● Some other IOS versions: – logging host A.B.C.D – logging on – logging trap <level>
- 16. Simple demo: configuring an Ubuntu box as a text collector ● rsyslog already installed ● Edition of /etc/rsyslog.conf
- 17. Thanks! Any questions? a blog.alvarezp.org /categorias/por-idioma/english @alvarezp2000 [email protected] The only legal way to burn a Windows disc superkb.sf.net