Archive and statistics » History » Version 14
Janez Barbic, 13.12.2010 02:02
| 1 | 1 | Aleksander Bešir | h1. Archive and statistics |
|---|---|---|---|
| 2 | 1 | Aleksander Bešir | |
| 3 | 2 | Aleksander Bešir | {{toc}} |
| 4 | 2 | Aleksander Bešir | |
| 5 | 5 | Janez Barbic | TBD - to be discussed |
| 6 | 5 | Janez Barbic | TODO - to do :) |
| 7 | 5 | Janez Barbic | Tole sem pustil zaenkrat not, da lahko hitro najdem stvari, ki jih moram se dopolnit oziroma jih moramo se predebatirat. V koncni verziji se bom teh kratic znebil in tudi tega komentarja v slovenscini :) |
| 8 | 1 | Aleksander Bešir | |
| 9 | 6 | Janez Barbic | h2. 1 Basic concept |
| 10 | 3 | Janez Barbic | |
| 11 | 11 | Janez Barbic | TODO Why syslog |
| 12 | 3 | Janez Barbic | |
| 13 | 11 | Janez Barbic | p. Eneraptor is designed in a way that it could communicate with any device regardless of its operating system. Syslog, system for logging program messages offers a quick and easy solutions for such communications, because it allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. |
| 14 | 1 | Aleksander Bešir | |
| 15 | 11 | Janez Barbic | TODO malo nerodno zapisano? |
| 16 | 11 | Janez Barbic | |
| 17 | 3 | Janez Barbic | h3. 1.1 Hardware |
| 18 | 1 | Aleksander Bešir | |
| 19 | 11 | Janez Barbic | p. We will be using syslog-ng (syslog from now on), which has a few advantages over conventional syslog. Most basic setup , originator - collector, suits our needs just fine so far, but it can also be extended in the future. Syslog daemon (collector) will run on proxy server, syslog client (originator) will run on FRI-SMS system. |
| 20 | 1 | Aleksander Bešir | |
| 21 | 11 | Janez Barbic | TBD collector will be listening to a certain port (5140 - most commonly used) for incoming messages from client(s). |
| 22 | 11 | Janez Barbic | |
| 23 | 5 | Janez Barbic | Client mode operation: |
| 24 | 1 | Aleksander Bešir | |
| 25 | 5 | Janez Barbic | !https://lusy.fri.uni-lj.si/redmine/attachments/11/client_server_syslog.png! |
| 26 | 1 | Aleksander Bešir | |
| 27 | 1 | Aleksander Bešir | p. In client mode, syslog-ng collects the local logs generated by the host and forwards them through a network connection to the central syslog-ng server. Clients can also log the messages locally into files. |
| 28 | 5 | Janez Barbic | |
| 29 | 1 | Aleksander Bešir | |
| 30 | 11 | Janez Barbic | TODO more details on syslog-ng advantages over conventional syslog? |
| 31 | 5 | Janez Barbic | |
| 32 | 1 | Aleksander Bešir | h3. 1.2 Syslog message format |
| 33 | 11 | Janez Barbic | |
| 34 | 12 | Janez Barbic | TODO Mogoce tega sploh ne bo treba vedet, program() |
| 35 | 11 | Janez Barbic | |
| 36 | 5 | Janez Barbic | TBD TCP/IP vs UDP |
| 37 | 5 | Janez Barbic | TBD How do we plan to send messages to our daemon, via client (not always possible) or do we generate them ourselves? |
| 38 | 5 | Janez Barbic | TBD Using logfiles vs logging into database |
| 39 | 5 | Janez Barbic | |
| 40 | 5 | Janez Barbic | h3. 1.3 Development steps |
| 41 | 5 | Janez Barbic | |
| 42 | 5 | Janez Barbic | # Installing and configuring Syslog-ng daemon on proxy |
| 43 | 5 | Janez Barbic | # Installing and configuring Syslog-ng client on FRI-SMS |
| 44 | 5 | Janez Barbic | # TBD Designing Statistical Data Analysis Software to work with data collected by syslog daemon |
| 45 | 5 | Janez Barbic | # TBD Implementing SDA software |
| 46 | 1 | Aleksander Bešir | # TBD Testing? |
| 47 | 6 | Janez Barbic | |
| 48 | 6 | Janez Barbic | |
| 49 | 6 | Janez Barbic | h2. 2 Installing and configuring syslog-ng daemon on proxy |
| 50 | 7 | Janez Barbic | |
| 51 | 7 | Janez Barbic | p. Syslog-ng supports wide variety of Operating Systems so we aren't really restricted here. Since our proxy and FRI-SMS both run Linux 2.6 our obvious choce is syslog-ng for Linux. |
| 52 | 9 | Janez Barbic | |
| 53 | 1 | Aleksander Bešir | h3. 2.1 syslog-ng daemon on proxy |
| 54 | 9 | Janez Barbic | |
| 55 | 7 | Janez Barbic | Configuration file location: |
| 56 | 7 | Janez Barbic | /opt/syslog-ng/etc/syslog-ng.conf |
| 57 | 7 | Janez Barbic | |
| 58 | 8 | Janez Barbic | Basic syslog configuration: |
| 59 | 8 | Janez Barbic | TODO add filters |
| 60 | 7 | Janez Barbic | <pre><code class="ruby"> |
| 61 | 7 | Janez Barbic | @version: 3.2 |
| 62 | 7 | Janez Barbic | #Default configuration file for syslog-ng. |
| 63 | 7 | Janez Barbic | # |
| 64 | 7 | Janez Barbic | # For a description of syslog-ng configuration file directives, please read |
| 65 | 7 | Janez Barbic | # the syslog-ng Administrator's guide at: |
| 66 | 7 | Janez Barbic | # |
| 67 | 7 | Janez Barbic | # http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html |
| 68 | 7 | Janez Barbic | # |
| 69 | 1 | Aleksander Bešir | |
| 70 | 1 | Aleksander Bešir | options { |
| 71 | 8 | Janez Barbic | time_reap(30); |
| 72 | 8 | Janez Barbic | mark_freq(10); |
| 73 | 8 | Janez Barbic | keep_hostname(yes); |
| 74 | 8 | Janez Barbic | }; |
| 75 | 7 | Janez Barbic | |
| 76 | 7 | Janez Barbic | ###### |
| 77 | 7 | Janez Barbic | # sources |
| 78 | 7 | Janez Barbic | source s_local { |
| 79 | 7 | Janez Barbic | }; |
| 80 | 7 | Janez Barbic | |
| 81 | 7 | Janez Barbic | source s_net { |
| 82 | 8 | Janez Barbic | tcp(ip("SERVER_ADDRESS") port(5140) keep-alive(yes)); |
| 83 | 7 | Janez Barbic | }; |
| 84 | 7 | Janez Barbic | |
| 85 | 7 | Janez Barbic | ###### |
| 86 | 7 | Janez Barbic | # destinations |
| 87 | 8 | Janez Barbic | # should be able to point syslog to a database here |
| 88 | 7 | Janez Barbic | destination net_messages { file("/var/log/net_messages"); }; |
| 89 | 7 | Janez Barbic | |
| 90 | 7 | Janez Barbic | log { |
| 91 | 7 | Janez Barbic | source(s_net); |
| 92 | 7 | Janez Barbic | destination(net_messages); |
| 93 | 7 | Janez Barbic | }; |
| 94 | 7 | Janez Barbic | </code></pre> |
| 95 | 6 | Janez Barbic | |
| 96 | 6 | Janez Barbic | h3. 2.2 syslog-ng client on FRI-SMS |
| 97 | 9 | Janez Barbic | |
| 98 | 9 | Janez Barbic | Configuration file location: |
| 99 | 9 | Janez Barbic | /opt/syslog-ng/etc/syslog-ng.conf |
| 100 | 9 | Janez Barbic | |
| 101 | 9 | Janez Barbic | Basic syslog client configuration: |
| 102 | 9 | Janez Barbic | TODO add filters |
| 103 | 9 | Janez Barbic | |
| 104 | 9 | Janez Barbic | <pre><code class="ruby"> |
| 105 | 9 | Janez Barbic | @version: 3.2 |
| 106 | 9 | Janez Barbic | #Default configuration file for syslog-ng. |
| 107 | 9 | Janez Barbic | # |
| 108 | 9 | Janez Barbic | # For a description of syslog-ng configuration file directives, please read |
| 109 | 9 | Janez Barbic | # the syslog-ng Administrator's guide at: |
| 110 | 9 | Janez Barbic | # |
| 111 | 9 | Janez Barbic | # http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html |
| 112 | 9 | Janez Barbic | # |
| 113 | 9 | Janez Barbic | |
| 114 | 9 | Janez Barbic | options { |
| 115 | 9 | Janez Barbic | }; |
| 116 | 9 | Janez Barbic | |
| 117 | 9 | Janez Barbic | ###### |
| 118 | 9 | Janez Barbic | # sources |
| 119 | 9 | Janez Barbic | source s_local { |
| 120 | 9 | Janez Barbic | # TBD what triggers our messages |
| 121 | 9 | Janez Barbic | # message generated by Syslog-NG |
| 122 | 9 | Janez Barbic | internal(); |
| 123 | 9 | Janez Barbic | # standard Linux log source (this is the default place for the syslog() |
| 124 | 9 | Janez Barbic | # function to send logs to) |
| 125 | 9 | Janez Barbic | unix-stream("/dev/log"); |
| 126 | 9 | Janez Barbic | # messages from the kernel |
| 127 | 9 | Janez Barbic | file("/proc/kmsg" program_override("kernel")); |
| 128 | 9 | Janez Barbic | }; |
| 129 | 9 | Janez Barbic | |
| 130 | 9 | Janez Barbic | |
| 131 | 9 | Janez Barbic | ###### |
| 132 | 9 | Janez Barbic | # destinations |
| 133 | 9 | Janez Barbic | # local |
| 134 | 9 | Janez Barbic | # destination d_messages { file("/var/log/messages"); }; |
| 135 | 9 | Janez Barbic | # net |
| 136 | 9 | Janez Barbic | destination host { tcp("SERVER_ADDRESS" port(5140)); }; |
| 137 | 9 | Janez Barbic | |
| 138 | 9 | Janez Barbic | # logging locally |
| 139 | 9 | Janez Barbic | # log { |
| 140 | 9 | Janez Barbic | # source(s_local); |
| 141 | 9 | Janez Barbic | # destination(d_messages); |
| 142 | 9 | Janez Barbic | #}; |
| 143 | 9 | Janez Barbic | |
| 144 | 9 | Janez Barbic | # sending log messages |
| 145 | 9 | Janez Barbic | log { |
| 146 | 9 | Janez Barbic | source(s_local); |
| 147 | 9 | Janez Barbic | destination(host); |
| 148 | 9 | Janez Barbic | }; |
| 149 | 10 | Janez Barbic | </code></pre> |
| 150 | 1 | Aleksander Bešir | |
| 151 | 13 | Janez Barbic | syslog-ng restart command: |
| 152 | 13 | Janez Barbic | |
| 153 | 14 | Janez Barbic | <pre><code class="ruby"> |
| 154 | 14 | Janez Barbic | /etc/init.d/syslog-ng restart |
| 155 | 14 | Janez Barbic | </code></pre> |
| 156 | 13 | Janez Barbic | |
| 157 | 1 | Aleksander Bešir | h2. Statistical Data Analysis Software |
| 158 | 1 | Aleksander Bešir | |
| 159 | 10 | Janez Barbic | TODO |
| 160 | 10 | Janez Barbic | |
| 161 | 10 | Janez Barbic | h2. References |
| 162 | 10 | Janez Barbic | |
| 163 | 11 | Janez Barbic | "Syslog protocol, RFC 5424":http://tools.ietf.org/html/rfc5424 |
| 164 | 11 | Janez Barbic | "Syslog-ng homepage":http://www.balabit.com/network-security/syslog-ng |
| 165 | 11 | Janez Barbic | "Syslog-ng administrator guide":http://www.balabit.com/support/documentation/syslog-ng-ibm-agent-guide-admin-en.pdf |