Sending Logging Messages to a Log Server

Problem

You want to collect and save system logging messages over long periods of time, but you don't want to constantly manage the disk space availability on your routers.

Solution

You can set up a log server on your network that has many gigabytes of storage space and then redirect the router's logging messages to that server.

	[edit system syslog]
	aviva@router1# set host 172.17.12.30 any info
	aviva@router1# set host 172.17.12.30 explicit-priority

 

Discussion

This configuration redirects all logging messages to the file server 172.17.12.30. You can also specify the hostname instead of the IP address. The file server must be running a standard syslogd utility. You find the system logging messages in the /var/log/messages file on the server, unless the server has been configured to save them some-place else:

	aviva-server1%: tail /var/log/messages
	Mar 23 09:27:29 server1 /kernel: linux: syscall mmap2 is obsoleted or not implemented
	(pid=12624)
	%INTERACT-5-UI_DBASE_LOGIN_EVENT: User 'aviva' entering configuration mode
	Mar 23 17:48:40 router1-fxp0.mycompany mgd[4098]: %INTERACT-5-UI_COMMIT: User 'aviva'
	performed commit: no comment
	Mar 23 17:48:44 router1-fxp0.mycompany xntpd[4860]: %NTP-5: ntpd 4.0.99b Sat Mar 12
	07:43:39 GMT 2005 (1)
	Mar 23 17:48:44 router1-fxp0.mycompany xntpd[4860]: %NTP-5: using kernel phase-lock
	loop 2001
	Mar 23 17:48:44 router1-fxp0.mycompany xntpd[4860]: %NTP-5: using kernel phase-lock
	loop 2041
	Mar 23 17:48:45 router1-fxp0.mycompany mgd[4098]: %INTERACT-5-UI_DBASE_LOGOUT_EVENT:
	User 'aviva' exiting configuration mode

The output shows both the server's and the router's logging messages intermixed in the logging file. You can identify the messages from the router because the field after the timestamp identifies the router by IP address and router port or, if the server can resolve the IP address, by its DNS name. The router messages in this output show router1-fxp0.mycompany. The router name is router1, and the messages were sent to the log server over port (or interface) fxp0, which is the router's out-of-band management interface. The JUNOS software has a tendency to send logging messages out the interface with the shortest path to the syslog server. This can cause all sorts of problems, depending on how your log server and firewall filters are set up. To circumvent these problems, specifically include the interface from which to send the messages:

	[edit system syslog]
	aviva@router1# set source-address 192.168.15.42/32

This command sets the messages to go out 192.168.15.42, which is the router's loopback address. You normally use the router's loopback address when sending system logging messages, but you can use any interface dedicated to management. With this configuration, logging messages from the router will include the resolved hostname of the IP address for lo0 (for example, lo.router1.mycompany.com) rather than showing router1-fxp0.mycompany.

Sometimes you want to have more information to identify the source of the message than just the router name. You can specify a text string that is also included in the logging message:

	[edit system syslog]
	aviva@router1# set host 172.17.12.30 log-prefix M20-JUNOS-cookbook

The messages from your router now contain this string:

	Mar 23 12:01:57 server1 named[45618]: zoneref: Masters for slave zone "mycompany.com"
	REFUSED transfer
	Mar 23 20:15:46 router1-fxp0.mycompany M20-JUNOS-cookbook: xntpd[5633]: %NTP-5: ntpd
	4.0.99b Sat Mar 12 07:43:39 GMT 2005 (1)

How you specify the router identifier string is a little bit different from how you specify other strings in JUNOS statements. You can use all alphanumeric and special characters except equals signs and colons, but you cannot include spaces, even if you enclose them in quotation marks.

The syslog utility running on your server understands just the standard syslog message facilities. Many of the JUNOS system logging facilities map to the standard syslog ones, but some are JUNOS specific. For example, the JUNOS ftp facility maps to LOG_FTP and kernel maps to LOG_KERNEL, but INTERACT and PFE don't map to anything in syslog. By default, the JUNOS software maps the facilities to a syslog alternate facility. Just as in the Unix syslog utility, the JUNOS software has eight alternate facilities, local0 through local7. Table 5-3 shows the default mappings of the JUNOS-specific facilities to alternate facilities.

Table 5-3. Mappings for JUNOS-specific system logging facilities

JUNOS facility

syslogd alternate facility

change-log

local6

conflict-log

local5

firewall

local3

interactive-commands

local7

pfe

local4

To have the server process messages from the JUNOS-specific logging facility, you direct messages having these alternate facilities to a file on the server. On a FreeBSD system, you define this mapping in the /etc/syslog.conf file. To place the interactive messages in a logging file, you could include the following line in the /etc/syslog.conf file:

	local7.* /var/log/router-command-messages

When you are collecting logs from a number of routers on the same server, the server cannot distinguish among the different routers and places all messages that have the same facility in the same file. This can get rather messy when you are trying to sort out which messages came from which routers, so you should send each router's messages to its own file. To set this up on the router, choose an alternate facility:

	[edit system syslog]
	aviva@router1# set host 172.17.12.30 facility-override local0

This command causes all messages sent to the remote host to be flagged with the standard local0 facility. On the server, you map to a file in the /etc/syslog.conf file:

	local0.* /var/log/M20-JUNOS-cookbook-messages

A check of the file shows the system log messages from the router:

	aviva-server1%: tail -4 M20-JUNOS-cookbook-messages
	Mar 24 00:45:40  router1-fxp0.mycompany M20-JUNOS-cookbook: mgd[5257]:
	%INTERACT-6-UI_CMDLINE_READ_LINE: User 'aviva', command 'edit system syslog '
	Mar 24 01:00:00  router1-fxp0.mycompany M20-JUNOS-cookbook: CRON[8784]:
	%CRON-6: (root) CMD (newsyslog)
	Mar 24 01:01:00  router1-fxp0.mycompany M20-JUNOS-cookbook: CRON[8787]:
	%CRON-6: (root) CMD (adjkerntz -a)
	Mar 24 01:08:04  router1-fxp0.mycompany M20-JUNOS-cookbook: mgd[5257]:
	%INTERACT-6-UI_CMDLINE_READ_LINE: User 'aviva', command 'edit host server1 '

You can run system logging management software on the central log server to help analyze the collected log messages. One widely used product is syslog-ng (http://www.balabit.com/products/syslog_ng), which filters logging messages based on source IP address and separates messages from different sources into different files instead of placing them into one file. This is particularly useful for network operators who aggregate messages from several devices. Another widely used tool is swatch (simple watcher; http://swatch.sourceforge.net), which actively scans logfiles entries as soon as syslogd receives them and reports what is happening in real time. swatch can also take action when it encounters certain log messages.


Router Configuration and File Management

Basic Router Security and Access Control

IPSec

SNMP

Logging

NTP

Router Interfaces

IP Routing

Routing Policy and Firewall Filters

RIP

IS-IS

OSPF

BGP

MPLS

VPNs

IP Multicast



JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
EAN: 2147483647
Year: 2007
Pages: 290
Authors: Aviva Garrett

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net