Monday, April 24, 2006

Configuring a Linux host to receive log messages from external systems, including Windows

This article explains how to configure a Linux server to receive syslog messages from external sources, and how to configure those external systems (NetScreen, Cisco, Linux and Windows) to send their log messages to it.

Background information

I'm using Debian GNU/Linux as the Linux hosts, and Windows 2000 SP4 and Windows 2003 SP1 as the Windows hosts. The NetScreen firewalls are running ScreenOS 5 and the Cisco routers are using IOS 12.2.

1. Configuring the server

The first step is to install a syslog server. My choice is syslog-ng, because it provides easy-to-use configuration files and because I have been using it for more than ten years :-).

To install the syslog-ng software under Debian I have to execute:

# apt-get install syslog-ng

In my environment the syslog-ng version is 1.6.5-2.2. Now it's time to configure syslog-ng. Edit the file /etc/syslog-ng/syslog-ng.conf and add the following line inside the source s_all definition (between source s_all { and the closing } bracket) so that syslog-ng listens for UDP packets from outside (with no arguments, udp() listens on UDP port 514 on every interface, so limit which hosts can reach that port with your host firewall):

udp();

Now it's time to restart the service (/etc/init.d/syslog-ng restart) and continue the installation.

2. Configuring the client

I provide the configuration guidelines for my systems, but the explanation is easy to extend to any system, especially if the system is a router, switch or similar device configured through web pages.

2.1 Linux

Configuring a Linux host as a syslog client is as easy as configuring it as a server (that's the magic of Linux...). You only need to add a few lines to the syslog-ng.conf file located under /etc/syslog-ng:

destination sysloghost { udp("ip_address"); };
filter f_all { level(info, notice, warn, crit, err); };
log { source(s_all); filter(f_all); destination(sysloghost); };

The first line adds a new destination to the syslog system; replace ip_address with the IP address of the syslog server. The second line adds a new filter that accepts messages at the listed levels (info, notice, warning, error and critical), and finally the last entry adds a new log 'file' that links the source (the default source s_all accepts any source), the filter and the destination.

2.2 Windows

To prepare the Windows system to send the Event Viewer information to a syslog server we need to install a GPL program called ntsyslog. The software can be downloaded from http://ntsyslog.sourceforge.net/.

To install the software you have to unpack it into the folder where you want to keep it and, from the command line, execute the following command to install it as a service:

c:\ntsyslog> ntsyslog -install

Now you can configure it using a control tool called NTSyslogCtrl, where you choose the destination host for the events (our sysloghost) and then which kinds of events to send.

2.3 Cisco IOS

To configure a Cisco IOS router to send syslog messages to a syslog server, enter configuration mode and execute the following commands:

# logging host ip_address
# wr

The first command adds the syslog host (replace ip_address with the server's address; on Catalyst switches running CatOS the equivalent command is set logging server), and the second writes the configuration :-).

2.4 NetScreen ScreenOS

The Juniper NetScreen can also send its messages. You can select this option under Configuration -> Report Settings -> Syslog, but take care about which kind of traffic you send to the syslog server, or you'll get files of a few GB per month with all the logging from the rules!!!

3. Syslogging and beyond

Once we have all the systems pointing to our new syslog server, you'll see there is a lot of information saved, which can make the files unreadable. Here are a few suggestions for next steps, which I'll cover in future articles:

  • Rotate the logs daily using a tool like logrotate. I have configured my syslog host to keep a month (the previous month is compressed into a single file by a script and backed up to a DAT cartridge).

  • Create a database to store logs online as they arrive at syslog

  • Create a database to store logs as they are rotated, if you have a big amount of entries

  • Install a log checker such as logcheck to reduce the entries to the more interesting ones and send the result by e-mail

  • Send the messages to a network management system like JFFNMS
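As an added illustration (not code from the article), here is a small Python decoder for the datagrams the server above will receive: it splits the PRI value into the facility and severity that the level() filter in section 2.1 matches on, falls back to the packet's source address when a device such as a Cisco router sends no hostname, and picks a per-sender file so one noisy system cannot make the shared file unreadable (section 3). The sample datagrams, addresses and paths are constructed for this example.

```python
import re
# BSD syslog (RFC 3164) priority: PRI = facility * 8 + severity, 0..191.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [None] * 4 + [f"local{i}" for i in range(8)]
# Same levels as the article's f_all filter ("warn" is syslog-ng's alias for warning).
F_ALL_LEVELS = {"info", "notice", "warning", "crit", "err"}
# <PRI>Mmm dd hh:mm:ss host rest ; timestamp and host are optional because many devices omit them.
_BSD = re.compile(r"^<(\d{1,3})>(?:([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) )?(.*)$", re.S)

def parse_syslog(raw, src_addr):
    """Decode one datagram; src_addr (the UDP sender) is the only field the receiver observed itself."""
    m = _BSD.match(raw)
    if not m or int(m.group(1)) > 191:
        return None
    pri, ts, host, msg = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    return {
        "facility": FACILITIES[pri // 8] or f"facility{pri // 8}",
        "severity": SEVERITIES[pri % 8],
        "timestamp": ts,            # None when the sender did not include one
        "host": host or src_addr,   # self-reported name, or the packet source as fallback
        "src_addr": src_addr,
        "msg": msg,
    }

def passes_f_all(rec):  # the level() test from the article's f_all filter
    return rec["severity"] in F_ALL_LEVELS

def route(rec, base="/var/log/remote"):
    """One file per sender and facility, keyed on the packet source rather than on the
    unverified hostname string inside the message, so a chatty device cannot drown the others."""
    return f"{base}/{rec['src_addr']}/{rec['facility']}.log"

# Constructed datagrams in the shape the article's senders produce (not real captures).
SAMPLES = [
    ("<34>Apr 24 10:15:01 webhost sshd[1203]: Failed password for root from 10.0.0.9 port 4022 ssh2", "192.168.1.20"),
    ("<189>18: *Mar  1 00:12:33.091: %SYS-5-CONFIG_I: Configured from console by vty0", "192.168.1.1"),
    ("<15>Apr 24 10:16:00 fileserver ntsyslog: Security: 538: user logoff", "192.168.1.30"),
    ("not a syslog datagram", "192.168.1.99"),
]

def process(samples):
    """Return (path, record) for each well-formed datagram that f_all lets through."""
    out = []
    for raw, src in samples:
        rec = parse_syslog(raw, src)
        if rec and passes_f_all(rec):
            out.append((route(rec), rec))
    return out
```

Running process(SAMPLES) keeps the auth.crit and local7.notice records and drops the user.debug one and the malformed line, which is exactly the split the f_all levels produce.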



Disclaimer
I hope this article gives you the push you need to start in the fascinating world of syslog messages and their management. Anyway, the article is offered in good faith as comprising only safe programming and procedures. No responsibility is accepted by the author for any loss or damage caused in any way to any person or equipment as a direct or indirect consequence of following these instructions.

You are welcome to send me any suggestion, comment or problem related to this article or its implementation at my e-mail address (josep.llaurado AT gmail.com).
