Configuring Syslog by Octavio
A PowerPoint presentation from San Diego Cisco User Group created and presented by Octavio.


  1. Introduction to Syslog
     Octavio Alvarez <alvarezp@alvarezp.ods.org>
     San Diego Cisco User Group, July 19th, 2012
  2. Overview
     ● Problems to solve
     ● The Syslog protocol
     ● Technicalities
       – Protocol content, RFCs, etc.
     ● Example of topologies
       – A simple one and one a bit more complex.
     ● Simple demonstration
     Feel free to interrupt me at any time!
  3. Problems to solve
     ● Having to look in each device separately for information collection.
     ● Having the clocks not exactly synchronized.
     ● Hard to search in devices without search support (like "include" or "grep").
     ● Having to look for past events (more than N bytes ago).
  4. Introducing Syslog
     ● A protocol.
     ● A de-facto standard...
     ● ... a documented de-facto standard (RFC 3164)
     ● ... and is being standardized (RFC 5424, obsoletes RFC 3164).
  5. The simplest possible logging implementation with Syslog
  6. Content (obsolete, RFC 3164)
     ● Priority = 8 * Facility + Severity
       – Severity (0-7)
       – Facility (0-23)
     ● Header
       – Timestamp (RFC 3339 with restrictions)
       – Hostname (a.k.a. Cisco's "origin") (FQDN, IP, hostname)
     ● Message
  7. Content (new, RFC 5424)
     ● Version
     ● Application
     ● Process ID
     ● Message ID
     ● Structured data (Element, ID, Param)
       – Elements: timeQuality, origin, meta
  8. Severities
     ● 0: Emergency: system is unusable
     ● 1: Alert: action must be taken immediately
     ● 2: Critical: critical conditions
     ● 3: Error: error conditions
     ● 4: Warning: warning conditions
     ● 5: Notice: normal but significant condition
     ● 6: Informational: informational messages
     ● 7: Debug: debug-level messages
  9. Facilities (part 1)
     ● 0: kernel messages
     ● 1: user-level messages
     ● 2: mail system
     ● 3: system daemons
     ● 4: security/authorization messages
     ● 5: messages generated internally by syslogd
     ● 6: line printer subsystem
     ● 7: network news subsystem (maybe: RSS, Google group...)
  10. Facilities (part 2)
     ● 8: UUCP subsystem (maybe: backup, rsync...)
     ● 9: clock daemon
     ● 10: security/authorization messages
     ● 11: FTP daemon
     ● 12: NTP subsystem
     ● 13: log audit
     ● 14: log alert
     ● 15: clock daemon
     ● 16-23: local use 0-7 (local0-7)
  11. A slightly more complex Syslog usage
  12. Syslog application-layer "components" (as per the RFC)
     ● Originator (application-layer)
       – Cisco router, Apache Server
     ● Collector (application-layer)
       – rsyslog, dsyslog, syslog-ng
       – SolarWinds Kiwi Syslog Server
     ● Relay (application-layer)
  13. Syslog application-layer "components" (as per the RFC)
  14. An extra component: the front-end
     ● Depends on the storage method.
     ● Text processors: grep, gawk
     ● FOSS: php-syslog-ng, Adiscon's Log Analyzer (PhpLogCon), Logzilla, logtool, petit...
     ● Gratis: Kiwi (basic), WhatsUp Gold's Syslog Server
     ● Commercial: Splunk, LogRhythm, LogClarity, Logalot, Kiwi (full), XLog-Server, SyslogAppliance, WinSyslog
  15. Simple demo: configuring a Cisco router as an originator
     ● Some IOS versions:
       – logging host A.B.C.D <level>
       – logging origin <origin-type>
       – logging on
     ● Some other IOS versions:
       – logging host A.B.C.D
       – logging on
       – logging trap <level>
  16. Simple demo: configuring an Ubuntu box as a text collector
     ● rsyslog already installed
     ● Editing /etc/rsyslog.conf
  17. Thanks! Any questions?
     @alvarezp2000
     (Closing image: "The only legal way to burn a Windows disc")
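The PRI arithmetic from slide 6, the severity and facility tables from slides 8-10, and the RFC 5424 header and structured-data layout from slide 7, worked through as an added Python example (not code from the presentation): a collector-side parser that recovers facility and severity with divmod, splits an RFC 5424 header and its structured data, and falls back to the RFC 3164 layout. The keyword names for the facilities and the sample messages exercised against it are constructed for this example.

```python
import re
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]
# One RFC 5424 SD-ELEMENT: [SD-ID PARAM="value" ...]; values escape ", ] and \ with a backslash.
SD_ELEMENT = re.compile(r'\[([^\s\]="]+)((?:\s+[^\s=\]"]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')
RFC3164_HEADER = re.compile(r'([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)', re.S)

def decode_pri(pri):
    """PRI = 8 * facility + severity, so divmod recovers both; 191 = 8 * 23 + 7 is the maximum."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]

def parse_structured_data(text):
    """Consume SD-ELEMENTs at the start of text; return ({sd_id: {param: value}}, MSG after the SP)."""
    if text.startswith("-"):                       # NILVALUE: no structured data
        return {}, text[2:]
    elements, pos = {}, 0
    while pos < len(text) and text[pos] == "[":
        m = SD_ELEMENT.match(text, pos)
        if not m:
            raise ValueError("malformed STRUCTURED-DATA")
        elements[m.group(1)] = {k: re.sub(r'\\(.)', r'\1', v) for k, v in SD_PARAM.findall(m.group(2))}
        pos = m.end()
    return elements, text[pos + 1:]

def parse_syslog(raw):
    """Parse one syslog line (RFC 5424, or the older RFC 3164 layout) into a dict."""
    m = re.match(r'<(\d{1,3})>(?:(\d{1,2}) )?', raw)   # PRI, then VERSION only in RFC 5424
    if not m:
        raise ValueError("missing PRI")
    facility, severity = decode_pri(int(m.group(1)))
    out = {"facility": facility, "severity": severity, "version": int(m.group(2) or 0)}
    rest = raw[m.end():]
    if m.group(2):                                 # RFC 5424: TS HOST APP PROCID MSGID SD [SP MSG]
        fields = rest.split(" ", 5)
        if len(fields) != 6:
            raise ValueError("truncated RFC 5424 header")
        out.update(zip(("timestamp", "hostname", "app_name", "procid", "msgid"), fields))
        out["structured_data"], out["msg"] = parse_structured_data(fields[5])
        return out
    h = RFC3164_HEADER.match(rest)                 # RFC 3164: "Mmm dd hh:mm:ss hostname msg"
    if not h:
        raise ValueError("unrecognised header")
    out.update(timestamp=h.group(1), hostname=h.group(2), structured_data={}, msg=h.group(3))
    return out
```

A collector that rejects out-of-range PRI values and malformed structured data, as this one does, avoids silently mis-filing messages under the wrong facility or severity.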