Configuring Syslog by Octavio
Overview
● Problems to solve
● The Syslog protocol
● Technicalities
– Protocol content, RFCs, etc.
● Examples of topologies
– A simple one and one a bit more complex.
● Simple demonstration
Feel free to interrupt me at any time!
Problems to solve
● Having to look in each device separately to collect information.
● Having the clocks not exactly synchronized, so events from different devices cannot be ordered reliably.
● Hard to search in devices without search support (like "include" or "grep").
● Having to look for past events (more than N bytes ago, i.e. already pushed out of the device's fixed-size log buffer).
Introducing Syslog
● A protocol.
● A de-facto standard...
● ... a documented de-facto standard (RFC 3164, an informational RFC that describes the BSD syslog behaviour)...
● ... and now a standard (RFC 5424, which obsoletes RFC 3164).
The simplest possible logging implementation with Syslog
Content (obsolete, RFC 3164)
● PRI: Priority = 8 * Facility + Severity
– Severity (0-7)
– Facility (0-23)
– Example: local7.notice = 8 * 23 + 5 = 189, sent on the wire as "<189>"
● Header
– Timestamp ("Mmm dd hh:mm:ss", local time, with neither year nor time zone; RFC 5424 replaces it with an RFC 3339 timestamp with restrictions)
– Hostname (a.k.a. Cisco's "origin") (FQDN, IP, hostname)
● Message
Content (new, RFC 5424)
● Version (currently 1)
● Application (APP-NAME)
● Process ID (PROCID)
● Message ID (MSGID)
● Structured data (SD-ELEMENT, SD-ID, SD-PARAM); any of these fields is "-" when the originator has nothing to put in it
– Standard SD-IDs: timeQuality, origin, meta
Severities
● 0: Emergency: system is unusable
● 1: Alert: action must be taken immediately
● 2: Critical: critical conditions
● 3: Error: error conditions
● 4: Warning: warning conditions
● 5: Notice: normal but significant condition
● 6: Informational: informational messages
● 7: Debug: debug-level messages
Facilities (part 1)
● 0: kernel messages
● 1: user-level messages
● 2: mail system
● 3: system daemons
● 4: security/authorization messages
● 5: messages generated internally by syslogd
● 6: line printer subsystem
● 7: network news subsystem (maybe: RSS, Google group...)
Facilities (part 2)
● 8: UUCP subsystem (maybe: backup, rsync...)
● 9: clock daemon
● 10: security/authorization messages
● 11: FTP daemon
● 12: NTP subsystem
● 13: log audit
● 14: log alert
● 15: clock daemon
● 16-23: local use 0-7 (local0-7)
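Worked example for the PRI arithmetic and the two message layouts above (an added example, not code from the slides): a small parser that decodes "<PRI>" into facility and severity using the tables above and splits both the RFC 3164 header and the RFC 5424 header, including structured data with escaped parameter values. The two sample lines are constructed for the demonstration (a Cisco-style local7.notice line and an sshd line; "demo@32473" is a made-up SD-ID using the documentation enterprise number).

```python
"""Decode syslog PRI and split RFC 3164 / RFC 5424 headers.
Added example for this page, not code from the slides; the two sample lines are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]

# Constructed samples: a Cisco-style RFC 3164 line (local7.notice) and an RFC 5424
# line with three SD-ELEMENTs, one of them carrying an escaped quote in a PARAM-VALUE.
SAMPLE_3164 = ("<189>Oct  5 12:34:56 router1 123: *Oct  5 12:34:55.999: "
               "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)")
SAMPLE_5424 = ("<38>1 2024-03-01T10:00:00.123Z web01.example.net sshd 2231 - "
               '[origin ip="192.0.2.10" software="sshd"][timeQuality tzKnown="1" isSynced="1"]'
               r'[demo@32473 note="quoted \"value\""] '
               "Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2")

@dataclass
class SyslogMessage:
    facility: int
    severity: int
    version: Optional[int]          # None for an RFC 3164 message
    timestamp: str
    hostname: str
    app_name: Optional[str] = None  # RFC 5424 fields; None where the header carried "-"
    proc_id: Optional[str] = None
    msg_id: Optional[str] = None
    structured_data: dict = field(default_factory=dict)
    message: str = ""

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]

def decode_pri(pri: int) -> tuple:
    """Invert Priority = 8 * Facility + Severity; returns (facility, severity)."""
    if not 0 <= pri <= 191:          # 8 * 23 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)

_PRI_RE = re.compile(r"<(\d{1,3})>(.*)", re.S)
# RFC 5424: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, each followed by one SP
_RFC5424_RE = re.compile(r"(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
# RFC 3164: "Mmm dd hh:mm:ss" (day space-padded) SP HOSTNAME SP MSG
_RFC3164_RE = re.compile(r"([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)", re.S)
_SD_ID_RE = re.compile(r'\[([^ \]="]+)')
_SD_PARAM_RE = re.compile(r' ([^ \]="]+)="((?:[^"\\]|\\.)*)"')

def _unescape(value: str) -> str:
    # a PARAM-VALUE escapes exactly '"', '\' and ']' with a backslash
    return re.sub(r'\\(["\\\]])', r"\1", value)

def parse_structured_data(rest: str) -> tuple:
    """Parse STRUCTURED-DATA at the start of `rest`; return ({sd_id: params}, MSG)."""
    if rest.startswith("-"):                          # NILVALUE: no elements
        rest = rest[1:]
        return {}, rest[1:] if rest.startswith(" ") else rest
    elements, pos = {}, 0
    while pos < len(rest) and rest[pos] == "[":
        m = _SD_ID_RE.match(rest, pos)
        if not m:
            raise ValueError("malformed SD-ID")
        sd_id, params, pos = m.group(1), {}, m.end()
        while pos < len(rest) and rest[pos] == " ":
            p = _SD_PARAM_RE.match(rest, pos)
            if not p:
                raise ValueError("malformed SD-PARAM")
            params[p.group(1)] = _unescape(p.group(2))
            pos = p.end()
        if pos >= len(rest) or rest[pos] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        pos += 1
        elements[sd_id] = params
    if pos < len(rest) and rest[pos] == " ":          # the single SP before MSG
        pos += 1
    return elements, rest[pos:]

def parse_syslog(raw: str) -> SyslogMessage:
    """Parse one line in either format; RFC 5424 is tried first because of its VERSION field."""
    m = _PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI>")
    facility, severity = decode_pri(int(m.group(1)))
    body = m.group(2)
    h = _RFC5424_RE.match(body)
    if h:
        version, ts, host, app, procid, msgid = h.groups()
        sd, msg = parse_structured_data(body[h.end():])
        nil = lambda v: None if v == "-" else v
        return SyslogMessage(facility, severity, int(version), ts, host,
                             nil(app), nil(procid), nil(msgid), sd, msg)
    h = _RFC3164_RE.match(body)
    if h:
        ts, host, msg = h.groups()
        return SyslogMessage(facility, severity, None, ts, host, message=msg)
    # RFC 3164 tolerates a missing or garbled header: keep PRI, treat the rest as MSG
    return SyslogMessage(facility, severity, None, "", "", message=body)

if __name__ == "__main__":
    for m in map(parse_syslog, (SAMPLE_3164, SAMPLE_5424)):
        print(f"{m.facility_name}.{m.severity_name} host={m.hostname} app={m.app_name} "
              f"sd={list(m.structured_data)} msg={m.message[:40]!r}")
```

Two things to notice when running it: the RFC 3164 timestamp carries no year and no zone, so the collector's own receive time is the only trustworthy ordering key when clocks drift; and nothing in either header is authenticated, so the hostname field is whatever the sender chose to put there.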
A slightly more complex Syslog usage
Syslog application-layer "components" (as per the RFC)
● Originator (application-layer)
– Cisco router, Apache Server
● Collector (application-layer)
– rsyslog, dsyslog, syslog-ng
– Solarwinds Kiwi Syslog Server
● Relay (application-layer)
– Receives messages and forwards them to a collector or to another relay; usually the same software as a collector, configured to forward.
An extra component: the front-end
● Depends on the storage method.
● Text processors: grep, gawk
● FOSS: php-syslog-ng, Adiscon's Log Analyzer (PhpLogCon), Logzilla, logtool, petit...
● Gratis: Kiwi (basic), WhatsUp Gold's Syslog Server
● Commercial: Splunk, LogRhythm, LogClarity, Logalot, Kiwi (full), XLog-Server, SyslogAppliance, WinSyslog
Simple demo: configuring a Cisco router as an originator
● Some IOS versions:
– logging host A.B.C.D <level>
– logging origin-id <hostname | ip | string ...>
– logging on
● Some other IOS versions:
– logging host A.B.C.D
– logging on
– logging trap <level> (the highest severity number sent to the collector; default is informational, i.e. everything except debug)
● In both cases messages leave the router over UDP port 514 in clear text, so the collector should sit on a network path you trust.
Simple demo: configuring an Ubuntu box as a text collector
● rsyslog is already installed on Ubuntu
● Edit /etc/rsyslog.conf: enable a network input (UDP and/or TCP on port 514) so messages from the router are accepted, and choose the file(s) they are written to; then restart rsyslog and restrict the listener (firewall) to the known originators, since UDP syslog is trivially spoofable.
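To check the originator-to-collector path end to end (an added example, not the demo's own code): build an RFC 5424 message the way an originator would and send it over UDP to the collector. The collector address, hostname and application identity are assumed values; point it at the Ubuntu box after the rsyslog change and watch the line appear in the chosen file. Plain UDP 514 is unauthenticated and unencrypted (the HOSTNAME field is whatever the sender claims), so beyond a lab use a TLS transport (RFC 5425) or at least limit the listener to known originators.

```python
"""Build an RFC 5424 message as an originator and send it to a collector over UDP.
Added example for this page, not the demo's own code. The collector address,
hostname and application identity below are assumed values."""
import socket
import sys
from datetime import datetime, timezone

COLLECTOR = ("192.0.2.1", 514)   # assumed address of the Ubuntu rsyslog box
# fixed, time-zone-aware timestamp so the output is reproducible
FIXED_TS = datetime(2024, 3, 1, 10, 0, 0, 123000, tzinfo=timezone.utc)

def pri(facility: int, severity: int) -> int:
    """Priority = 8 * Facility + Severity; facility 0-23, severity 0-7."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return 8 * facility + severity

def _sd_escape(value: str) -> str:
    # PARAM-VALUE must escape '\', '"' and ']'; backslash goes first so it is not doubled later
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def build_rfc5424(facility, severity, hostname, app_name, msg,
                  proc_id=None, msg_id=None, structured_data=None, timestamp=None) -> bytes:
    """Return the wire bytes: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]."""
    ts = (timestamp or datetime.now(timezone.utc)).astimezone(timezone.utc)
    ts_text = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    if structured_data:
        sd = "".join("[" + sd_id
                     + "".join(f' {k}="{_sd_escape(v)}"' for k, v in params.items())
                     + "]" for sd_id, params in structured_data.items())
    else:
        sd = "-"                      # NILVALUE when there are no SD-ELEMENTs
    header = (f"<{pri(facility, severity)}>1 {ts_text} {hostname} {app_name} "
              f"{proc_id or '-'} {msg_id or '-'} {sd}")
    # MSG is optional; sent as UTF-8 without a BOM, so collectors treat it as plain octets
    return (header + (" " + msg if msg else "")).encode("utf-8")

def send_udp(message: bytes, collector=COLLECTOR) -> int:
    """Classic transport (RFC 5426): one datagram, no acknowledgement, no authentication."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message, collector)

if __name__ == "__main__":
    target = (sys.argv[1], 514) if len(sys.argv) > 1 else COLLECTOR
    wire = build_rfc5424(16, 6, "web01.example.net", "syslogtest", "collector check",
                         proc_id="4242", structured_data={"origin": {"ip": "192.0.2.10"}})
    print(f"sending {wire!r} to {target}")
    send_udp(wire, target)
```

Run it as `python3 sendtest.py <collector-ip>`; the test message is local0.info, so the collector's rule for that facility decides which file it lands in.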
Thanks! Any questions?
The only legal way to burn a Windows disc
blog.alvarezp.org/categorias/por-idioma/english
@alvarezp2000
superkb.sf.net