Archive and statistics » History » Version 12

Janez Barbic, 13.12.2010 01:56

h1. Archive and statistics

{{toc}}

TBD - to be discussed

TODO - to do :)

I have left this in for now so that I can quickly find the things I still need to complete or that we still need to discuss. In the final version I will get rid of these abbreviations and of this comment in Slovenian :)

h2. 1 Basic concept

TODO Why syslog

p. Eneraptor is designed so that it can communicate with any device regardless of its operating system. Syslog, a standard for logging program messages, offers a quick and easy solution for such communication because it separates the software that generates messages from the system that stores them and from the software that reports on and analyzes them.

TODO a bit awkwardly phrased?

h3. 1.1 Hardware

p. We will be using syslog-ng (referred to simply as syslog from now on), which has several advantages over the conventional syslogd. The most basic setup, one originator and one collector, suits our needs so far and can be extended in the future. The syslog daemon (collector) will run on the proxy server; the syslog client (originator) will run on the FRI-SMS system.

TBD The collector will listen on a fixed port for incoming messages from the client(s). Port 5140 is the common choice for syslog-ng because the standard syslog port, 514, is privileged on Linux and would require the daemon to start as root.
22
Client mode operation:

!https://lusy.fri.uni-lj.si/redmine/attachments/11/client_server_syslog.png!

p. In client mode, syslog-ng collects the local logs generated by the host and forwards them over a network connection to the central syslog-ng server. Clients can also log the messages locally to files.

TODO more details on syslog-ng's advantages over conventional syslog?

h3. 1.2 Syslog message format

TODO Maybe we will not need to know this at all, program()

TBD TCP/IP vs UDP
37
TBD How do we plan to send messages to our daemon, via client (not always possible) or do we generate them ourselves?
38
TBD Using logfiles vs logging into database
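The following Python script is an added example and is not part of this page or of the Eneraptor/FRI-SMS code. It covers the two formats a syslog-ng 3.2 client can put on the wire: the traditional BSD format (RFC 3164 style, @<PRI>TIMESTAMP HOST TAG[PID]: MSG@) that the tcp() and udp() destination drivers emit by default, and the RFC 5424 format emitted by the syslog() driver. It parses both, decodes the @<PRI>@ field into facility and severity (PRI = facility * 8 + severity), rejects malformed lines instead of crashing on them, and aggregates per-host, per-program and per-severity counts, which is the kind of summary the statistics software would compute over /var/log/net_messages. The sample lines, hostnames, program names and message texts are constructed for the example; nothing here is the project's own output.

```python
import re
from collections import Counter

# Facility and severity names in RFC 5424 numbering (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Traditional BSD format, which syslog-ng's tcp()/udp() drivers emit by default:
# <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# RFC 5424 format, which the syslog() driver emits:
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# (structured data with escaped "\]" inside parameter values is not handled here)
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+) (?P<pid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|\[.*?\](?:\[.*?\])*) ?"
    r"(?P<msg>.*)$"
)


def decode_pri(pri):
    """Split a PRI value into (facility, severity) names; valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def encode_pri(facility, severity):
    """Inverse of decode_pri, for building messages ourselves (see the TBD above)."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def parse_line(line):
    """Return a dict describing one message, or None if the line is in neither format
    or carries an invalid PRI. Malformed input is counted by the caller, not fatal."""
    m = RFC5424_RE.match(line)
    fmt = "rfc5424"
    if not m:
        m = BSD_RE.match(line)
        fmt = "bsd"
    if not m:
        return None
    try:
        facility, severity = decode_pri(int(m.group("pri")))
    except ValueError:
        return None
    pid = m.group("pid")
    return {"format": fmt, "facility": facility, "severity": severity,
            "host": m.group("host"), "prog": m.group("prog"),
            "pid": None if pid in (None, "-") else pid, "msg": m.group("msg")}


def summarize(lines):
    """Aggregate counts per host, program and severity over an iterable of log lines."""
    stats = {"total": 0, "malformed": 0, "by_host": Counter(),
             "by_prog": Counter(), "by_severity": Counter()}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        stats["total"] += 1
        rec = parse_line(line)
        if rec is None:
            stats["malformed"] += 1
            continue
        stats["by_host"][rec["host"]] += 1
        stats["by_prog"][rec["prog"]] += 1
        stats["by_severity"][rec["severity"]] += 1
    return stats


# Constructed sample of what /var/log/net_messages could contain once the FRI-SMS
# client forwards its logs (hostnames, PIDs and texts are made up for the example).
SAMPLE_LINES = [
    "<13>Dec 13 01:56:00 fri-sms sms-gateway[2214]: message 4711 queued for delivery",
    "<38>Dec 13 01:56:01 fri-sms sshd[2301]: Accepted publickey for janez from 10.0.0.5 port 51234 ssh2",
    "<3>Dec 13 01:56:02 fri-sms sms-gateway[2214]: modem /dev/ttyUSB0 not responding",
    "<46>1 2010-12-13T01:56:03+01:00 fri-sms syslog-ng 1198 - - syslog-ng starting up",
    "garbage that is not a syslog line",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print("total=%d malformed=%d" % (s["total"], s["malformed"]))
    for key in ("by_host", "by_prog", "by_severity"):
        print(key, dict(s[key]))
```

The PRI check matters once the collector accepts input over the network: a line that matches the shape of a message but carries PRI 200 is dropped into the malformed count rather than indexing past the facility table.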

h3. 1.3 Development steps

# Installing and configuring the syslog-ng daemon on the proxy
# Installing and configuring the syslog-ng client on FRI-SMS
# TBD Designing the Statistical Data Analysis software to work with the data collected by the syslog daemon
# TBD Implementing the SDA software
# TBD Testing?

h2. 2 Installing and configuring syslog-ng

p. Syslog-ng supports a wide variety of operating systems, so we are not really restricted here. Since both the proxy and FRI-SMS run Linux 2.6, the obvious choice is syslog-ng for Linux.

h3. 2.1 syslog-ng daemon on proxy

Configuration file location:

/opt/syslog-ng/etc/syslog-ng.conf

Basic syslog configuration:

TODO add filters

<pre>
@version: 3.2
# Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's Guide at:
#
# http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
#

options {
   time_reap(30);        # close idle destination files after 30 seconds
   mark_freq(10);        # -- MARK -- messages every 10 seconds
   keep_hostname(yes);   # keep the hostname the client wrote into the message
};

######
# sources
# not referenced by any log path yet; the proxy's own logs could be collected here
source s_local {
};

source s_net {
   # SERVER_ADDRESS is the proxy's own address to bind to.
   # This is plaintext TCP: anything that can reach port 5140 can inject
   # messages into the archive, and with keep_hostname(yes) it can also
   # claim to be FRI-SMS. syslog-ng 3.2 supports tls() on the tcp() driver
   # (see the Administrator's Guide); enable it before this goes into production.
   tcp(ip("SERVER_ADDRESS") port(5140) keep-alive(yes));
};

######
# destinations
# should be able to point syslog to a database here
destination net_messages { file("/var/log/net_messages"); };

log {
   source(s_net);
   destination(net_messages);
};
</pre>
h3. 2.2 syslog-ng client on FRI-SMS

Configuration file location:

/opt/syslog-ng/etc/syslog-ng.conf

Basic syslog client configuration:

TODO add filters

<pre>
@version: 3.2
# Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's Guide at:
#
# http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
#

options {
};

######
# sources
source s_local {
   # TBD what triggers our messages
   # messages generated by syslog-ng itself
   internal();
   # standard Linux log source (this is the default place for the syslog()
   # function to send logs to)
   unix-stream("/dev/log");
   # messages from the kernel; /proc/kmsg is consumed on read, so only one
   # process (syslog-ng or klogd, not both) should read it
   file("/proc/kmsg" program_override("kernel"));
};

######
# destinations
# local
# destination d_messages { file("/var/log/messages"); };
# net: SERVER_ADDRESS is the proxy's address. This is plaintext TCP, so the
# messages can be read and altered in transit; syslog-ng 3.2 supports tls()
# on the tcp() destination as well.
destination host { tcp("SERVER_ADDRESS" port(5140)); };

# logging locally
# log {
#   source(s_local);
#   destination(d_messages);
#};

# sending log messages
log {
   source(s_local);
   destination(host);
};
</pre>
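To make the TCP versus UDP question from section 1.2 concrete and to give steps 2.1 and 2.2 a smoke test, here is an added Python example; it is not the project's code and it is not syslog-ng. It starts a tiny stand-in collector that only mimics the newline-delimited tcp() source on the proxy, sends one BSD-format message to it the way the client's tcp() destination would, and then repeats the send to a port where nothing listens, once over TCP and once over UDP. The loopback address (127.0.0.1 in place of SERVER_ADDRESS), the fixed timestamp, the tag and the message text are assumptions made for the example.

```python
import socket
import threading
import time


def bsd_frame(facility, severity, host, tag, msg):
    """One BSD-format syslog line as the client's tcp() destination emits it:
    <PRI>TIMESTAMP HOST TAG: MSG, newline terminated, PRI = facility*8 + severity.
    The timestamp is fixed so the example is deterministic (an assumption, not real time)."""
    return "<%d>Dec 13 01:56:00 %s %s: %s\n" % (facility * 8 + severity, host, tag, msg)


class StandInCollector:
    """Stand-in for the tcp() source on the proxy, used only so this runs offline.
    It accepts connections on a loopback port and stores every newline-terminated
    line it receives. It is not syslog-ng and implements none of its features."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.received = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                       # listening socket closed: stop serving
                return
            with conn:
                buf = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                    while b"\n" in buf:           # tcp() framing: one message per line
                        line, buf = buf.split(b"\n", 1)
                        self.received.append(line.decode("utf-8", "replace"))

    def close(self):
        self.sock.close()


def send_tcp(server, port, frame, timeout=2.0):
    """Deliver over TCP as the client's tcp() driver does. True only if the connection
    was established and the bytes were handed over; a refused connection (collector
    down) is reported to the sender instead of being silently lost."""
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(frame.encode("utf-8"))
        return True
    except OSError:
        return False


def send_udp(server, port, frame):
    """Same message over UDP (udp() driver). sendto() succeeds whether or not a
    collector is listening, so loss is invisible to the sender."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.sendto(frame.encode("utf-8"), (server, port))
        return True
    except OSError:
        return False
    finally:
        s.close()


def unused_port():
    """Pick a loopback port nothing listens on (bind to 0, read it back, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Send to a live collector, then to an absent one over both transports."""
    frame = bsd_frame(1, 5, "fri-sms", "sms-gateway[2214]", "smoke test from FRI-SMS")
    collector = StandInCollector()
    tcp_up = send_tcp("127.0.0.1", collector.port, frame)
    for _ in range(100):                           # give the collector thread time to read the line
        if collector.received:
            break
        time.sleep(0.02)
    got = list(collector.received)
    collector.close()
    dead = unused_port()
    return {"tcp_up": tcp_up, "received": got,
            "tcp_down": send_tcp("127.0.0.1", dead, frame),
            "udp_down": send_udp("127.0.0.1", dead, frame)}


if __name__ == "__main__":
    print(demo())
```

What the outcome shows for the TBD: with the collector down, the TCP sender gets a refused connection (syslog-ng's tcp() driver likewise notices the failure and reconnects after time_reopen() seconds), whereas the UDP send returns success and the message is simply gone. Neither transport authenticates the sender or protects the message in transit; that is what tls() on the tcp() driver is for.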

h2. 3 Statistical Data Analysis Software

TODO

h2. References

"Syslog protocol, RFC 5424":http://tools.ietf.org/html/rfc5424

"syslog-ng homepage":http://www.balabit.com/network-security/syslog-ng

"syslog-ng Administrator Guide":http://www.balabit.com/support/documentation/syslog-ng-ibm-agent-guide-admin-en.pdf