Please find your classmates that are using the same router as you. Get into a group and do the following exercise together. That is, pick one person who will log in to your group's router, but all of you should assist with the actual configuration.
The routers are able to send syslog messages to multiple destinations, so that 1 router can send messages to 4 or even 5 destinations. We therefore need to configure the router to send messages to each of the PCs in the group.
You will SSH to your group's router and do the following:
$ ssh cisco@10.10.X.254
rtrX> enable
rtrX# config terminal
Repeat the next command "logging 10.10.X.Y" for each PC in your group. That is, if your group is on router 6 and you are using PCs 21, 22, 23 and 24 you would repeat the command four times with the IP of each machine (10.10.6.21, 10.10.6.22, and so forth).
rtrX(config)# logging 10.10.X.Y
...
rtrX(config)# logging facility local0
rtrX(config)# logging userinfo
rtrX(config)# exit
rtrX# write memory
Now run 'show logging' to see the summary of the logging configuration.
rtrX# show logging
Log out of the router (exit)
rtrX# exit
That's it. The router should now be sending UDP syslog packets to your PC on port 514. To verify this, log in on your PC and do the following:
$ sudo -s
# apt-get update
# apt-get install tcpdump (don't worry if it's already installed)
# tcpdump -s0 -nv -i eth0 port 514
Then have one person in your group log back in on the router and do the following:
$ ssh cisco@10.10.X.254
rtrX> enable
rtrX# config terminal
rtrX(config)# exit
rtrX# exit
You should see some output on your PC's screen from tcpdump. It should look something like:
08:01:12.154604 IP (tos 0x0, ttl 255, id 11, offset 0, flags [none], proto UDP (17), length 138)
10.10.9.254.57429 > 10.10.9.36.514: SYSLOG, length: 110
Facility local0 (16), Severity notice (5)
Msg: 23: *Feb 19 08:01:10.855: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by cisco on vty0 (10.10.0.117)
08:01:15.519881 IP (tos 0x0, ttl 255, id 12, offset 0, flags [none], proto UDP (17), length 130)
10.10.9.254.57429 > 10.10.9.36.514: SYSLOG, length: 102
Facility local0 (16), Severity notice (5)
Msg: 24: *Feb 19 08:01:14.215: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (10.10.0.117)
Now you can configure the logging software on your PC to receive this information and log it to a new set of files.
These exercises are done as root. If you are not root on your machine then become root by typing:
$ sudo -s
# apt-get install syslog-ng syslog-ng-core
# editor /etc/syslog-ng/syslog-ng.conf
Find the lines:
source s_src {
system();
internal();
};
and change them to (the udp() source listens on UDP port 514 on all interfaces by default):
source s_src {
system();
internal();
udp();
};
Save the file and exit.
Now, create a config section for our network logs:
# cd /etc/syslog-ng/conf.d/
# editor 10-network.conf
In this file, copy and paste the following:
filter f_routers { facility(local0); };

destination routers {
    file("/var/log/network/$YEAR/$MONTH/$DAY/$HOST-$YEAR-$MONTH-$DAY-$HOUR.log"
         owner(root) group(root) perm(0644) dir_perm(0755) create_dirs(yes)
         template("$YEAR $DATE $HOST $MSG\n"));
};

log {
    source(s_src);
    filter(f_routers);
    destination(routers);
};
Save the file and exit.
# mkdir /var/log/network/
# service syslog-ng restart
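To see what syslog-ng is doing with the datagrams tcpdump showed you, here is an added example (not part of the original exercise, and not syslog-ng or IOS code) that decodes the <PRI> value at the front of a router syslog datagram into the "Facility local0 (16), Severity notice (5)" pair tcpdump printed, pulls the %FACILITY-SEVERITY-MNEMONIC out of the Cisco IOS message body, applies the same test as the f_routers filter, and expands the destination template into the file path the message will land in. The sample datagrams are constructed from the two messages in the tcpdump output above plus one non-router message; the IOS body regex is written for the format shown there, and $HOST is assumed to resolve to the router's source IP (syslog-ng uses the sender address when the message carries no hostname).

```python
"""Decode router syslog datagrams the way the lab's syslog-ng setup does.

Added example for the exercise above; not code from syslog-ng or Cisco IOS.
"""
import re
from datetime import datetime

# RFC 3164 facility codes 0..23; local0..local7 are 16..23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Datagram = "<PRI>" followed by the message body.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# IOS body as seen in the lab output: "<seq>: *<timestamp>: %FAC-SEV-MNEMONIC: text"
# (sequence number and timestamp are optional; assumption for other IOS variants).
IOS_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?): )?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$", re.S)

# Mnemonics from the lab output that show a privilege or configuration change.
AUDIT_MNEMONICS = {"PRIV_AUTH_PASS", "CONFIG_I"}


def decode_pri(pri: int):
    """PRI = facility * 8 + severity, so 133 -> ('local0', 'notice')."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_datagram(payload: bytes, source_ip: str) -> dict:
    """Turn one UDP/514 payload plus its sender address into a record of fields."""
    m = PRI_RE.match(payload.decode("utf-8", "replace"))
    if not m:
        raise ValueError("no <PRI> prefix; not a syslog datagram")
    facility, severity = decode_pri(int(m.group(1)))
    body = m.group(2)
    rec = {"host": source_ip, "facility": facility, "severity": severity, "msg": body}
    ios = IOS_RE.match(body)
    if ios:  # Cisco-formatted body: keep the pieces a detection rule would key on
        rec.update(seq=ios["seq"], ios_facility=ios["fac"], ios_severity=int(ios["sev"]),
                   mnemonic=ios["mnem"], text=ios["text"])
    return rec


def matches_f_routers(rec: dict) -> bool:
    """Same test as `filter f_routers { facility(local0); };` in 10-network.conf."""
    return rec["facility"] == "local0"


def log_path(rec: dict, received: datetime) -> str:
    """Expand the lab's destination template for the time the message was received."""
    return received.strftime(f"/var/log/network/%Y/%m/%d/{rec['host']}-%Y-%m-%d-%H.log")


def is_audit_event(rec: dict) -> bool:
    """True for messages that record someone gaining privilege or changing config."""
    return rec.get("mnemonic") in AUDIT_MNEMONICS


# Constructed samples: PRI 133 = local0 (16*8) + notice (5); bodies taken from the
# tcpdump output above. The third datagram is a local daemon message (PRI 30 =
# daemon.info) that the f_routers filter must drop.
SAMPLES = [
    (b"<133>23: *Feb 19 08:01:10.855: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 "
     b"by cisco on vty0 (10.10.0.117)", "10.10.9.254"),
    (b"<133>24: *Feb 19 08:01:14.215: %SYS-5-CONFIG_I: Configured from console by cisco "
     b"on vty0 (10.10.0.117)", "10.10.9.254"),
    (b"<30>Feb 19 08:01:12 pc36 cron[123]: (root) CMD (run-parts /etc/cron.hourly)", "10.10.9.36"),
]


def route_samples(received: datetime):
    """Return (mnemonic, path) for every sample the router filter accepts."""
    out = []
    for payload, sender in SAMPLES:
        rec = parse_datagram(payload, sender)
        if matches_f_routers(rec):
            out.append((rec.get("mnemonic"), log_path(rec, received)))
    return out


if __name__ == "__main__":
    for mnemonic, path in route_samples(datetime(2013, 2, 19, 8, 1, 12)):
        print(f"{mnemonic:15s} -> {path}")
```

Run it and compare the printed paths with what appears under /var/log/network on your PC; the path depends on the hour the message arrived, so one file is opened per router per hour, which is why the lab has you walk down year, month and day directories to find it.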
To be sure there are some logging messages, log back in to the router, run some "config" commands, then log out, e.g.:
# ssh cisco@10.10.X.254
rtrX> enable
rtrX# config terminal
rtrX(config)# exit
rtrX# exit
Be sure you log out of the router. If too many people log in without logging out then others cannot gain access to the router.
$ cd /var/log/network
$ ls
$ cd 20XX
$ ls
... this will show you the directory for the month; cd into this directory
$ ls
... repeat for the next level (the day of the month)
$ ls
You can view the resulting log file by using a pager program such as less, more, cat, etc.
If no files are appearing under the /var/log/network directory, then another command to try while logged into the router, in config mode, is to shutdown / no shutdown a Loopback interface (an interface state change always generates a syslog message), for example:
$ ssh cisco@rtrX
rtrX> enable
rtrX# conf t
rtrX(config)# interface Loopback 999
rtrX(config-if)# shutdown
wait a few seconds
rtrX(config-if)# no shutdown
Then exit, and save the config ("write mem"):
rtrX(config-if)# exit
rtrX(config)# exit
rtrX# write memory
rtrX# exit
Check the logs under /var/log/network
# cd /var/log/network
# ls
...follow the directory trail
Still no logs?
Try the following command to send a test log message locally:
# logger -p local0.info "Hello World\!"
If a file has not been created yet under /var/log/network, then check your configuration for typos; running "syslog-ng -s" checks the configuration syntax without starting the daemon. Don't forget to restart the syslog-ng service each time you change the configuration.
What other commands can you think of that you can run on the router (BE CAREFUL!) that will trigger syslog messages? You could try logging in on the router and typing an incorrect password for "enable".
Be sure that you do an "ls" command in your logging directory to see if a new log file has been created at some point.