
Configuring Syslog by Octavio


A powerpoint presentation from San Diego Cisco User Group created and presented by Octavio.

Published in: Technology


  1. Introduction to Syslog
     Octavio Alvarez <alvarezp@alvarezp.ods.org>
     San Diego Cisco User Group, July 19th, 2012
  2. Overview
     ● Problems to solve
     ● The Syslog protocol
     ● Technicalities
       – Protocol content, RFCs, etc.
     ● Example of topologies
       – A simple one and one a bit more complex.
     ● Simple demonstration
     Feel free to interrupt me at any time!
  3. Problems to solve
     ● Having to look in each device separately for information collection.
     ● Having the clocks not exactly synchronized.
     ● Hard to search in devices without search support (like "include" or "grep").
     ● Having to look for past events (more than N bytes ago).
  4. Introducing Syslog
     ● A protocol.
     ● A de-facto standard...
     ● ... a documented de-facto standard (RFC 3164)
     ● ... and is being standardized (RFC 5424, obsoletes RFC 3164).
  5. The simplest possible logging implementation with Syslog
  6. Content (obsolete, RFC 3164)
     ● Priority = 8 * Facility + Severity
       – Severity (0-7)
       – Facility (0-23)
     ● Header
       – Timestamp (RFC 3339 with restrictions)
       – Hostname (a.k.a. Cisco's "origin") (FQDN, IP, hostname)
     ● Message
  7. Content (new, RFC 5424)
     ● Version
     ● Application
     ● Process ID
     ● Message ID
     ● Structured data (Element, ID, Param)
       – Elements: timeQuality, origin, meta
  8. Severities
     ● 0: Emergency: system is unusable
     ● 1: Alert: action must be taken immediately
     ● 2: Critical: critical conditions
     ● 3: Error: error conditions
     ● 4: Warning: warning conditions
     ● 5: Notice: normal but significant condition
     ● 6: Informational: informational messages
     ● 7: Debug: debug-level messages
  9. Facilities (part 1)
     ● 0: kernel messages
     ● 1: user-level messages
     ● 2: mail system
     ● 3: system daemons
     ● 4: security/authorization messages
     ● 5: messages generated internally by syslogd
     ● 6: line printer subsystem
     ● 7: network news subsystem (maybe: RSS, Google group...)
  10. Facilities (part 2)
     ● 8: UUCP subsystem (maybe: backup, rsync...)
     ● 9: clock daemon
     ● 10: security/authorization messages
     ● 11: FTP daemon
     ● 12: NTP subsystem
     ● 13: log audit
     ● 14: log alert
     ● 15: clock daemon
     ● 16-23: local use 0-7 (local0-7)
  11. A slightly more complex Syslog usage
  12. Syslog application-layer "components" (as per the RFC)
     ● Originator (application-layer)
       – Cisco router, Apache Server
     ● Collector (application-layer)
       – rsyslog, dsyslog, syslog-ng
       – Solarwinds Kiwi Syslog Server
     ● Relay (application-layer)
  13. Syslog application-layer "components" (as per the RFC)
  14. An extra component: the front-end
     ● Depends on the storage method.
     ● Text processors: grep, gawk
     ● FOSS: php-syslog-ng, Adiscon's Log Analyzer (PhpLogCon), Logzilla, logtool, petit...
     ● Gratis: Kiwi (basic), WhatsUp Gold's Syslog Server
     ● Commercial: Splunk, LogRhythm, LogClarity, Logalot, Kiwi (full), XLog-Server, SyslogAppliance, WinSyslog
  15. Simple demo: configuring a Cisco router as an originator
     ● Some IOS versions:
       – logging host A.B.C.D <level>
       – logging origin <origin-type>
       – logging on
     ● Some other IOS versions:
       – logging host A.B.C.D
       – logging on
       – logging trap <level>
  16. Simple demo: configuring an Ubuntu box as a text collector
     ● rsyslog already installed
     ● Editing /etc/rsyslog.conf
  17. Thanks! Any questions?
     /categorias/por-idioma/english
     @alvarezp2000
     The only legal way to burn a Windows disc
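The PRI encoding on slides 6 through 10 (Priority = 8 * Facility + Severity, with the severity and facility tables) is easy to get wrong by hand when reading raw packets, so here is an added worked example, not part of the original slides: it encodes and decodes PRI values and splits off the optional RFC 5424 VERSION field. The facility keywords for 12-15 (ntp, audit, alert, clock) are descriptive names taken from the slides, not standard rsyslog.conf selector keywords.

```python
"""Encode/decode the syslog PRI field of RFC 3164 and RFC 5424 messages."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Facilities 0-15 follow the slides; 16-23 are local0-local7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
             + [f"local{n}" for n in range(8)]
# Severity keywords as written in rsyslog.conf selectors (emerg ... debug).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

@dataclass
class SyslogMessage:
    facility: int
    severity: int
    version: Optional[int]   # None for RFC 3164, which has no VERSION field
    rest: str                # header and message text, left unparsed here

def encode_pri(facility: int, severity: int) -> int:
    """Build the number an originator puts between the angle brackets."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return 8 * facility + severity

def decode_pri(pri: int) -> Tuple[int, int]:
    """Invert the formula; 191 (= 8 * 23 + 7) is the largest valid PRI."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)    # (facility, severity)

# "<PRI>" then an optional RFC 5424 VERSION ("1 "). An RFC 3164 header starts
# with a month name, so a leading digit after ">" can only be the VERSION.
_PRI_RE = re.compile(r"^<(\d{1,3})>(?:(\d{1,2}) )?(.*)$", re.DOTALL)

def parse(raw: str) -> SyslogMessage:
    m = _PRI_RE.match(raw)
    pri = int(m.group(1)) if m else -1
    if not 0 <= pri <= 191:
        # RFC 3164 section 4.3.3: a relay inserts <13> (user.notice) when the
        # PRI is missing or unusable, instead of dropping the message.
        facility, severity = decode_pri(13)
        return SyslogMessage(facility, severity, None, raw)
    facility, severity = decode_pri(pri)
    version = int(m.group(2)) if m.group(2) else None
    return SyslogMessage(facility, severity, version, m.group(3))

def selector(msg: SyslogMessage) -> str:
    """Render 'facility.severity' the way an rsyslog.conf selector names it."""
    return f"{FACILITIES[msg.facility]}.{SEVERITIES[msg.severity]}"
```

Feeding it the RFC 3164 sample message `<34>Oct 11 22:14:15 mymachine su: ...` yields `auth.crit`, and a constructed Cisco-style line with `<189>` decodes to `local7.notice`.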