Managing logs with syslog-ng and SWATCH AfNOG 11, Kigali/Rwanda.

Slides:



Advertisements
Similar presentations
CIS Lesson 12 System Monitoring 1. CIS Lesson 12 System Monitoring Monitoring Log Files /var/log ‒ Can be used as indication of systematic.
Advertisements

Firewall Simulation Teaching Information Security Using: Visualization Tools, Case Studies, and Hands-on Exercises May 23, 2012.
NetComm Wireless Logging Architecture Feature Spotlight.
Syslog and log files1-1 Syslog and Log Files  From logfiles, you can find m important information m History m Errors/warnings  Logging policies m Reset.
CIS 193A – Lesson3 Vigilance! Logging & Monitoring Syslog Logrotate Logwatch Accounting.
Implementing a Highly Available Network
Netprog: daemons and inetd1 Daemons & inetd Refs: Chapter 13.
Intrusion Detection Systems and Practices
Chapter 11 Monitoring and Analyzing the Web Environment.
Syslogd Tracking system events. Log servers Applications are constantly encountering events which should be recorded –users attempt to login with bad.
Unix Network Programming Chapter 13: Daemon processes and the inetd superserver Jani Peusaari.
Daemon Processes and inetd Superserver
Information Networking Security and Assurance Lab National Chung Cheng University Investigating Unix System.
Centralized System Logging With A Database Manitoba UNIX User Group Kevin McGregor February 13, 2007.
NOC TOOLS syslog AfNOG Cairo, SI-E, 2 of 5 Sunday Folayan.
Introduction to SNMP AfNOG 11, Kigali/Rwanda.
1 Network File System. 2 Network Services A Linux system starts some services at boot time and allow other services to be started up when necessary. These.
AfChix 2011 Blantyre, Malawi Log management. Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in.
Network Management Workshop intERlab at AIT Thailand March 11-15, 2008 Log management.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
Services, logging, accounting Todd Kelley CST8177– Todd Kelley1.
Syslog and log files Ameera Jaradat.
New SA Training Topic 9: Logging, Monitoring, and Performance  Logging  Windows – “Auditing”  Linux – syslog  Monitoring  MRTG  Big Brother  Performance.
Partner Logo German Cancio – WP4-install LCFG HOW-TO - n° 1 WP4 hands-on workshop: EDG LCFGng exercises
NOC TOOLS rancid AfNOG Cairo, SI-E, 4 of 5 Sunday Folayan.
CIS 218 Advanced UNIX 1 User and System Information CIS 218.
System Monitoring and Automation CSCI N321 – System and Network Administration Copyright © 2000, 2011 by Scott Orr and the Trustees of Indiana University.
CLI modes Accessing the configuration Basic configuration (hostname and DNS) Authentication and authorization (AAA) Log collection Time Synchronization.
7 November 2005 Sebastian Büttrich ItrainOnline MMTK 1 Linux logging and logfiles monitoring with swatch Sebastian Büttrich, wire.less.dk.
A few Linux basics Network Monitoring & Management.
System logging and monitoring
Vodafone MachineLink 3G
System Monitoring and Automation. 2 Section Overview Automation of Periodic Tasks Scheduling and Cron Syslog Accounting.
TELE 301 Lecture 10: Scheduled … 1 Overview Last Lecture –Post installation This Lecture –Scheduled tasks and log management Next Lecture –DNS –Readings:
Day 11 SAMBA NFS Logs Managing Users. SAMBA Implements the ability for a Linux machine to communicate with and act like a Windows file server. –Implements.
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
Backups, Logging, Troubleshooting. Dates for Last Week of Class Homework 7 – Due Tuesday 5/1 by midnight Labs 7 & 8 – 8 is extra credit – Due Thursday.
CIS 290 LINUX Security Tripwire file integrity and change management tool and log monitoring.
RANCID / Version Control AfNOG 11, Kigali/Rwanda.
Generating Reports and Analyzing Logs 黃雁亭 陳麗雯 廖榆恬 1.
CENT 305 Information Systems Security Overview of System Logging syslog 1.
Page 1 Chapter 11 CCNA2 Chapter 11 Access Control Lists : Creating ACLs, using Wildcard Mask Bits, Standard and Extended ACLs.
Security monitoring boxes Andrew McNab University of Manchester.
These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (
Ch11: Syslog and Logfiles Presented by: Apichana Thiantanawat 06/11/02.
1 Periodic Processes and the cron Daemon The cron daemon is where all timed events are initiated. The cron system is serviced by the cron daemon. What.
System Administration HW2 Shell Script xclin. Computer Center, CS, NCTU 2 Requirements  Xferlog statistics (15%) use one-line command to show FTP transfer.
Verify that timestamps for debugging and logging messages has been enabled. Verify the severity level of events that are being captured. Verify that the.
Project Requirements (NetFlow Generator) 정승화 분산 처리 및 네트워크 관리 연구실 포항 공과 대학교
1 Daemons & inetd Refs: Chapter Daemons A daemon is a process that: –runs in the background –not associated with any terminal Unix systems typically.
Sniffer, tcpdump, Ethereal, ntop
Cosc 4750 Log files Logging policies Throw away all data immediately Reset log files at periodic intervals Rotate logs files, keeping data for a fixed.
Host Security Overview Onion concept of security Defense in depth How secure do you need to be? You can only reduce risk Tradeoffs - more security means:
January 9, 2001 Router Plugins (Crossbow) 1 Washington WASHINGTON UNIVERSITY IN ST LOUIS Exercises.
These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (
Web Server Administration Chapter 11 Monitoring and Analyzing the Web Environment.
Network Management Tutorial Log management. Log management and monitoring ■ What is log management and monitoring ? ■ It's about keeping your logs in.
COP 4343 Unix System Administration
Cosc 4750 Log files.
APRICOT 2008 Network Management Taipei, Taiwan February 20-24, 2008
ITIS 3110 IT Infrastructure II
LINUX ADMINISTRATION 1
Log management AfNOG 2008 Rabat, Morocco.
CIT 485: Advanced Cybersecurity
CIT 470: Advanced Network and System Administration
Daemons & inetd Refs: Chapter 12.
Firewalls Chapter 8.
Monitoring with logging
Presentation transcript:

Managing logs with syslog-ng and SWATCH AfNOG 11, Kigali/Rwanda

What is log management? Keeping your logs central + backed up Monitoring your logs regularly Filter your logs for important stuff o Important for you might be something different then for other people/the vendor o Most of the time, you want to keep some data for searching through, but be notified of some logs immediately

Example logs Cisco routers Apr 18 03:28: UTC: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to down Apr 18 03:29: UTC: %SEC-6-IPACCESSLOGP: list 112 denied tcp (23) -> (11004), 1 packet Apr 18 03:42: UTC: %FAN-3-FAN_FAILED: Fans had a rotation error reported. Juniper routers Apr 18 08:36:46 kigali mib2d[152]: SNMP_TRAP_LINK_DOWN: ifIndex 79, ifAdminStatus down(2),ifOperStatus down(2), ifName fe-3/0/0 Apr 18 08:40:43 kigali mgd[4334]: UI_COMMIT: User 'jens' requested 'commit' operation (comment: test) Apr 18 08:45:56 Modifying fan speed as high temp is now 53 C Unix Servers Apr 18 09:19:44 ubuntu sudo: pam_unix(sudo:session): session opened for user root by jens(uid=0) Apr 18 09:33:45 ubuntu nagios3: caught SIGTERM, shutting down..

Centralize logs Syslog server collects all logs, splits them up in files, but groups several devices in files All routers/switches and Unix boxes can use Syslog, Windows can with extra tools Uses UDP Port 514 by default, some implementations can do TCP Because UDP is unreliable, best to keep local logs as well - in times of failures, you might not be able to send out messages

Syslog packet format Syslog protocol is very simple: PRI, HEADER, MSG PRI: Severity and Facility o Severities: Emergency(0), Alert(1), Critical(2), Error(3), Warning(4), Notice(5), Info(6), Debug(7) o Facilities: Kern, User, Mail, Daemon, Auth, Syslog, Lpr, News, Uucp, Cron, Authpriv, Ftp, Local0-7 HEADER: Timestamp and Hostname MSG: The real message Packet must be <1024 bytes

How to send logs From Cisco: logging From UNIX/Ubuntu: Edit /etc/syslog.conf - add: Restart the syslog server Other devices are similarly easy. You can sometimes specify facility and priority levels

How to receive logs Login to machine which receives the syslog Install syslog-ng (apt-get install syslog-ng) Reconfigure the syslog-ng daemon to listen. Edit /etc/syslog- ng/syslog-ng.conf and uncomment the line: # udp(); it should look like udp(); If you use old syslogd, you need to start it with the -r command

How to receive logs (2) Tell the facility mapping to files. Syslog-ng uses filters and destinations. Edit /etc/syslog-ng/syslog-ng.conf filter f_routers { facility(local5); }; destination df_routers { file("/var/log/routers.log"); }; log { source(s_all); filter(f_routers); destination(df_routers); } In old syslogd configuration file this is simpler: local5.* /var/log/routers.log Restart syslog-ng

Reading / sorting logs You can add more complicated rules to add one logfile per router/day or similar. You can split up by facilities Many people use standard UNIX tools, like grep and sed to filter out log messages they might like or not like and then watch the files (with tail -f). Something like: tail -f mylogfile | egrep -v "(list 337 denied|rate-limited)" This can get very complicated very quickly - solution?

Use a tool SWATCH (Simple log Watcher) does this for you. Monitors incoming logs, searches for specific expressions Written in perl Takes action if pattern is found. Sample config: ignore /my-test-router/ watchfor /FAN_FAILED/ mail=root,subject=Fan error again threshold type=limit,count=1,seconds=3600

References Syslog-NG: ng/ ng/ SWATCH: Sample configs: General sites:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.