Building Centralized Logging: Syslog

8/14/2019 Building Centralized Logging: Syslog

1/47

Building Centralized

Logging: SyslogSteven Maniac McGrath


2/47

Syslog?

logging service UNIX based

Networkable


3/47

Wait a Sec...Network?

UDP port 514 Typically limited to 1024bytes


4/47

One more thing...

FIFO Buffers First In First Out Rolling View of Logs

Type of Named Pipe


5/47

FIFO...Tasty *chomp*

Item 5

Item 4Item 3Item 2

Item 1

3 Line FIFO Buffer


6/47

Getting Started...

Ubuntu 6.06 Server Base Install


7/47

Installing Syslog...

Update The Repository


8/47

Upgrade the OS

We need to upgrade the OS to current.


9/47

Install Syslog-NG

Syslog-NG will remove klogd, this is normal.


10/47

Reconfiguring Syslog-ng

Configuration depends on networkenvironment.

Windows Hosts Cisco Devices Linux Hosts Other Devices and Gear


11/47

First off...Global!

/etc/syslog-ng/syslog-ng.confoptions {

chain_hostnames(0);

time_reopen(10);time_reap(360);log_fifo_size(2048);create_dirs(yes);group(admin);perm(0640);

dir_perm(0755);use_dns(no);stats_freq(0);

};

Disable Hostname Chaining Time to wait before re-establishing a dead connection Time to wait before an idle file is closed FIFO Bufer size Create Directories

Permissions Disable DNS Disable Statistic Lo in


12/47

Next, The Source

source s_all {internal();unix-stream("/dev/log");file("/proc/kmsg" log_prefix("kernel: "));udp();

};

/etc/syslog-ng/syslog-ng.conf


13/47

Defining Filters

Windows Filter Cisco Filter


14/47

Windows Filter

filter f_windows {program(MSWinEventLog);

};



15/47

Cisco Filter

filter f_cisco_pix {host(IP.OF.PIX.DEVICE);

};



16/47

General Filter

filter f_not_others {not host(IP.OF.PIX.DEVICE)and not program(MSWinEventLog);

};



17/47

Destinations

FIFO Buffers One Large File


18/47

Windows FIFO

destination d_windows {pipe(/var/log/buffers/windows);

};



19/47

Cisco FIFO

destination d_cisco {pipe(/var/log/buffers/cisco);

};



20/47

General FIFO


destination d_gen_fifo {pipe(/var/log/buffers/syslog);

};


21/47

...And the Archive

destination d_all {file(/var/log/arch/$MONTH$DAY$YEAR);

};



22/47

Tying it all Together!

Now we tell syslog to handle the configs. ;)


23/47

Windows Log

log {source(s_all);filter(f_windows);destination(d_windows);

};



24/47

Cisco Log

log {source(s_all);filter(f_cisco_pix);destination(d_cisco);

};



25/47

General FIFO

log {source(s_all);filter(f_not_others);destination(d_gen_fifo);

};



26/47

Archive Log

log {source(s_all);destination(d_all);

};



27/47

Finishing up...

Making the FIFO buffers Creating the directory structure


28/47

Run me :)

$ sudo mkdir /var/log/arch

$ sudo mkdir /var/log/buffers

$ sudo mkfifo /var/log/buffers/windows$ sudo mkfifo /var/log/buffers/cisco$ sudo mkfifo /var/log/buffers/syslog


29/47

Restart Syslog-ng

$ sudo /etc/init.d/syslog-ng restart


30/47

Is it working?

Check your Logfiles (/var/log/arch/*)

Check your FIFO Buffers cat /var/log/buffers/windows

cat /var/log/buffers/cisco

cat /var/log/buffers/syslog


31/47

Awsome! Wait....

How are we gonna view this data?


32/47

splunk

Web-based Interface

Indexes arbitrary data Searchable

Reporting

>


33/47

No, I dont work for them...I just really liketheir product.

splunk>


34/47

Download The latest version (3.0b3 as ofwriting)

Extract the tarball Run the application

Make it startup with a system boot

Installing splunk>


35/47

$ wget 'http://www.splunk.com/index.php/download_track?file=/3.0b3/linux/splunk-3.0b3-20872-Linux-

i686.tgz&ac=&wget=true&name=wget'

$ sudo mkdir /opt;cd /opt

$ sudo tar xzvf ~/splunk-3.0b3-20872-Linux-

i686.tgz

$ sudo /opt/splunk/bin

Installing splunk>


36/47

Configuring splunk>


37/47

Configuring splunk>


38/47

Configuring splunk>

C fi l k


39/47

Configuring splunk>

C fi l k


40/47

Configuring splunk>

l k


41/47

splunk>

S l A


42/47

Syslog Agents

Windows Agents UNIX Agents Other Devices

Wi d L ?


43/47

Windows Logs?

SNARE Agent Converts Event Logs to Syslog Free

UNIX A t


44/47

UNIX Agents

Use the syslog service! *.* @Syslog Server

Oth D i


45/47

Other Devices

Various systems can be configured Cisco, Juniper, Lotus Domino, Apache, IIS,

etc. are just a few examples.

R


46/47

Recap

What is Syslog

What is FIFO Installing and Configuring Syslog-NG Installing and Configuring Splunk

Agents


47/47

Questions?

Building Centralized Logging: Syslog

Documents

Transcript of Building Centralized Logging: Syslog