Syslog

From Ever changing code
Revision as of 15:14, 11 March 2015 by Pio2pio (talk | contribs) (→‎Example logroatate config)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Configure Ubuntu syslog-ng to receive logs form specific host

I wanted to log messages from Billion BiPac 7800GZ router and Netgear to a specific file on my local Ubuntu 13.04 box. Unfortunately the regular syslog daemon will not allow this. Syslog-ng is a replacement and will remove legacy syslog packages like klogd, sysklogd, rsyslog and ubuntu-minimal. 

# sudo apt-get install syslog-ng

Then edit /etc/syslog-ng/syslog-ng.conf to add udp listening to accept remote syslogs. We could do this under the s_all source, but we need to define a different source so our remote hosts logs do not get mixed in with our regular ones. Place this after source s_all is finished. 

source s_net { udp (); };

Add filter for my Billion router host I use its ip 192.168.1.254 

filter f_billion { host( "192.168.1.254" ); };

Add destination logging file 

destination d_billion { file("/var/log/billion.log"); };

Put all rules together source (s_net); filter (f_billion); destination file (d_billion) into logging rule 

log { source ( s_net ); filter( f_billion); destination ( d_billion); };

Restart syslog-ng 

# sudo /etc/init.d/syslog-ng restart

Verify that syslog-ng demon is listening 

# netstat -lu | grep syslog
udp        0      0 *:syslog                *:*
# netstat -ln | grep :514
udp        0      0 0.0.0.0:514             0.0.0.0:*

Since we added a new logfile, we need to modify /etc/logrotate.d/syslog-ng to make sure our new logfile gets rolled. This entry below has to go in before the last one which restarts the syslog-ng daemon. 

/var/log/billion.log {
   rotate 7
   weekly
   missingok
   notifempty
   compress
}

Sending Netgear & Billion syslog messages to external host

Netgear

Navigate to web interface (default ip: 192.168.0.1) > Logs > Syslog section choose: Send to this Syslog server IP address [192.168.1.250] > apply

!Note: in this example our Ubuntu box is configured with static ip address 192.168.0.250

Netgear router MBRN3000

Billion

Please input your syslog Ubuntu box ip into 'Server IP Address' box. Then press apply. Router will restart.

Billion-syslog

Cradlepoint

Please navigate to System Settings -> System Logging tab > tick Enable Logging to a Syslog Server, input syslog server IP address (here: 192.168.0.250), press Apply. Router will not restart.

Creadlepoint-syslog
  • Enable SNMP

Navigate to System Settings / SNMP Configuration -> tick: Enable SNMP, Enable SNMP on LAN, select SNMP v2, input 'public' at Get community string and at Set community string. Fill Contact details and press Apply. Router will not restart. Note! 'public' string is default snmpd string configured on Ubuntu box. I have not tested with different string.

Creadlepoint-snmp

Cisco SNMP and Syslog

References

Extract logs & email them

Below just for information are the orginal /var/log/billion.log* permissions 

ll billion.log*
-rw-r----- 1 root adm 79768 Jul 22 13:06 billion.log
-rw-r----- 1 root adm 53096 Jul 21 07:51 billion.log.1.gz
-rw-r----- 1 root adm 44947 Jul 14 07:19 billion.log.2.gz

Issue commands below to copy logs on your desktop then add read permission to be able to attach to an email 

sudo cp /var/log/billion.log* ~/Desktop
sudo chmod a+r billion.log*

Example syslog-ng config

Here multiple devices are being logged to Linux syslog-ng server: 10.0.99.6

  • router -> 10.0.99.100
  • ap1 -> ap3 : 10.0.99.1 -> 10.0.99.3

Each of Cisco devices have syslog messages enabled using logging host 10.0.99.6 command. Additional we can specify logging source-interface Vlan99 to expressively make sending syslog packets with SRC IP of vlan99 interface. Path: /etc/syslog-ng/syslog-ng.conf 

@version: 3.3
 @include "scl.conf"
 
 # Syslog-ng configuration file, compatible with default Debian syslogd
 # installation.
 
 # First, set some global options.
 options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
 	  owner("root"); group("adm"); perm(0640); stats_freq(0);
 	  bad_hostname("^gconfd$");
 };
 
 ########################
 # Sources
 ########################
 # This is the default behavior of sysklogd package
 # Logs may come from unix stream, but not from another machine.
 #
 # source s_src {
 #       system();
 #       internal();
 # };
 
 # If you wish to get logs from remote machine you should uncomment
 # this and comment the above source line.
 #
 # source s_net { tcp(ip(127.0.0.1) port(1000)); };
 
 source s_net { udp (); };
 
 ########################
 # Destinations
 ########################
 # First some standard logfile
 #
 # changed by me@
 destination d_router { file("/var/log/router.log"); };
 destination d_ap1 { file("/var/log/ap1.log"); };
 destination d_ap2 { file("/var/log/ap2.log"); };
 destination d_ap3 { file("/var/log/ap3.log"); };
 
 destination d_auth { file("/var/log/auth.log"); };
 destination d_cron { file("/var/log/cron.log"); };
 destination d_daemon { file("/var/log/daemon.log"); };
 destination d_kern { file("/var/log/kern.log"); };
 destination d_lpr { file("/var/log/lpr.log"); };
 destination d_mail { file("/var/log/mail.log"); };
 destination d_syslog { file("/var/log/syslog"); };
 destination d_user { file("/var/log/user.log"); };
 destination d_uucp { file("/var/log/uucp.log"); };
 
 # This files are the log come from the mail subsystem.
 #
 destination d_mailinfo { file("/var/log/mail/mail.info"); };
 destination d_mailwarn { file("/var/log/mail/mail.warn"); };
 destination d_mailerr { file("/var/log/mail/mail.err"); };
 
 # Logging for INN news system
 #
 destination d_newscrit { file("/var/log/news/news.crit"); };
 destination d_newserr { file("/var/log/news/news.err"); };
 destination d_newsnotice { file("/var/log/news/news.notice"); };
 
 # Some `catch-all' logfiles.
 #
 destination d_debug { file("/var/log/debug"); };
 destination d_error { file("/var/log/error"); };
 destination d_messages { file("/var/log/messages"); };
 
 # The root's console.
 #
 destination d_console { usertty("root"); };
 
 # Virtual console.
 #
 destination d_console_all { file("/dev/tty10"); };
 
 # The named pipe /dev/xconsole is for the nsole' utility.  To use it,
 # you must invoke nsole' with the -file' option:
 #
 #    $ xconsole -file /dev/xconsole [...]
 #
 destination d_xconsole { pipe("/dev/xconsole"); };
 
 # Send the messages to an other host
 #
 #destination d_net { tcp("127.0.0.1" port(1000) log_fifo_size(1000)); };
 
 # Debian only
 destination d_ppp { file("/var/log/ppp.log"); };
 
 ########################
 # Filters
 ########################
 # Here's come the filter options. With this rules, we can set which 
 # message go where.
 
 # changed me@ 19/11/2013
 filter f_router { host( "10.0.99.100" ); };
 filter f_ap1 { host( "10.0.99.1" ); };
 filter f_ap2 { host( "10.0.99.2" ); };
 filter f_ap3 { host( "10.0.99.3" ); };
 
 filter f_dbg { level(debug); };
 filter f_info { level(info); };
 filter f_notice { level(notice); };
 filter f_warn { level(warn); };
 filter f_err { level(err); };
 filter f_crit { level(crit .. emerg); };
 
 filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
 filter f_error { level(err .. emerg) ; };
 filter f_messages { level(info,notice,warn) and 
                     not facility(auth,authpriv,cron,daemon,mail,news); };
 
 filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
 filter f_cron { facility(cron) and not filter(f_debug); };
 filter f_daemon { facility(daemon) and not filter(f_debug); };
 filter f_kern { facility(kern) and not filter(f_debug); };
 filter f_lpr { facility(lpr) and not filter(f_debug); };
 filter f_local { facility(local0, local1, local3, local4, local5,
                         local6, local7) and not filter(f_debug); };
 filter f_mail { facility(mail) and not filter(f_debug); };
 filter f_news { facility(news) and not filter(f_debug); };
 filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };
 filter f_user { facility(user) and not filter(f_debug); };
 filter f_uucp { facility(uucp) and not filter(f_debug); };
 
 filter f_cnews { level(notice, err, crit) and facility(news); };
 filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };
 
 filter f_ppp { facility(local2) and not filter(f_debug); };
 filter f_console { level(warn .. emerg); };
 
 ########################
 # Log paths
 ########################
 log { source ( s_net ); filter( f_router ); destination ( d_router); };
 log { source ( s_net ); filter( f_ap1 ); destination ( d_ap1); };
 log { source ( s_net ); filter( f_ap2 ); destination ( d_ap2); };
 log { source ( s_net ); filter( f_ap3 ); destination ( d_ap3); };
 
 #log { source(s_src); filter(f_auth); destination(d_auth); };
 #log { source(s_src); filter(f_cron); destination(d_cron); };
 #log { source(s_src); filter(f_daemon); destination(d_daemon); };
 #log { source(s_src); filter(f_kern); destination(d_kern); };
 #log { source(s_src); filter(f_lpr); destination(d_lpr); };
 #log { source(s_src); filter(f_syslog3); destination(d_syslog); };
 #log { source(s_src); filter(f_user); destination(d_user); };
 #log { source(s_src); filter(f_uucp); destination(d_uucp); };
 
 #log { source(s_src); filter(f_mail); destination(d_mail); };
 #log { source(s_src); filter(f_mail); filter(f_info); destination(d_mailinfo); };
 #log { source(s_src); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
 #log { source(s_src); filter(f_mail); filter(f_err); destination(d_mailerr); };
 
 #log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); };
 #log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); };
 #log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); };
 #log { source(s_src); filter(f_cnews); destination(d_console_all); };
 #log { source(s_src); filter(f_cother); destination(d_console_all); };
 
 #log { source(s_src); filter(f_ppp); destination(d_ppp); };
 
 #log { source(s_src); filter(f_debug); destination(d_debug); };
 #log { source(s_src); filter(f_error); destination(d_error); };
 #log { source(s_src); filter(f_messages); destination(d_messages); };
 
 #log { source(s_src); filter(f_console); destination(d_console_all);
 
 #log { source(s_src); filter(f_crit); destination(d_console); };
 
 # All messages send to a remote site
 #
 #log { source(s_src); destination(d_net); };
 
 ###
 # Include all config files in /etc/syslog-ng/conf.d/
 ###
 @include "/etc/syslog-ng/conf.d/*.conf"

Example logroatate config

Path: /etc/logrotate.d/syslog-ng 

/var/log/syslog
 {
 	rotate 7
 	daily
 	missingok
 	notifempty
 	delaycompress
 	compress
 	postrotate
 		invoke-rc.d syslog-ng reload > /dev/null
 	endscript
 }
 
 /var/log/mail.info
 /var/log/mail.warn
 /var/log/mail.err
 /var/log/mail.log
 /var/log/daemon.log
 /var/log/kern.log
 /var/log/auth.log
 /var/log/user.log
 /var/log/lpr.log
 /var/log/cron.log
 /var/log/debug
 /var/log/messages
 /var/log/router.log {
    rotate 7
    weekly
    missingok
    notifempty
    compress
 }
 /var/log/router.log {
    rotate 7
    weekly
    missingok
    notifempty
    compress
 }
 /var/log/ap1.log {
    rotate 7
    weekly
    missingok
    notifempty
    compress
 }
 /var/log/ap2.log {
    rotate 7
    weekly
    missingok
    notifempty
    compress
 }
 /var/log/ap3.log {
    rotate 7
    weekly
    missingok
    notifempty
    compress
 }
 
 {
 	rotate 4
 	weekly
 	missingok
 	notifempty
 	compress
 	delaycompress
 	sharedscripts
 	postrotate
 		invoke-rc.d syslog-ng reload > /dev/null
 	endscript
 }
ISSUES

/var/log/apX.log does not rotate. please note router.log section is entered here doubled

Retrieved from ‘http://wiki.ciscolinux.co.uk/index.php?title=Syslog&oldid=1660