2. Sysadmin: Syslog, Email, time sync, etc.
Posted August 20th, 2007 by sean
Syslog: Main server
Syslog: rotation & testing
Email
Syslog: Main server
The NAC main server needs to have a syslog server to collect messages locally, and from any secondary servers. The secondaries are configured to send a copy.
It's also useful, though not mandatory, for switches to send a copy of their events via syslog too.
Configure the syslog daemon to listen on the network interface for messages, e.g. by starting it with the "-r" option. Syslog-ng needs a source directive for the network interface. Some examples are:
- On Suse Linux, set SYSLOGD_PARAMS="-r" in /etc/sysconfig/syslog, and possibly also "udp(ip("0.0.0.0") port(514));" in 'source src' of /etc/syslog-ng/syslog-ng.conf.
- With Ubuntu, the default is sysklogd. For sysklogd, modify the line
SYSLOGD=""
to
SYSLOGD="-u syslog -r"
in /etc/init.d/sysklogd. If you install syslog-ng in Ubuntu, locate the line
# udp();
in syslog-ng.conf and uncomment it.
Create a symlink pointing to your syslog startup file, so if for example you are using sysklogd, do:
ln -s /etc/init.d/sysklogd /etc/init.d/syslog
or in case you are using syslog-ng
ln -s /etc/init.d/syslog-ng /etc/init.d/syslog
The rotate scripts mentioned below assume that /etc/init.d/syslog is a valid link to your syslog startup file.
Syslog: Secondary servers
Configure a syslog client to send a copy of messages to the server.
First add a 'loghost' alias to /etc/hosts, then configure syslog:
1. Classical syslog: Add the following line to the bottom of /etc/syslog.conf; note that there is a tab (not a space) between the two fields.
*.info @loghost
2. Syslog-ng: Add the following to /etc/syslog-ng/syslog-ng.conf (example for Ubuntu 7.10)
## Forward *.info to loghost
filter f_info { level(info) ; };
destination network { udp("loghost" port(514)); };
log { source(s_all); filter(f_info); destination(network); };
Syslog: rotation & testing
Secondary servers: use the default Linux log rotation mechanisms, or optionally, the mechanisms below.
Main server: It's important to ensure that logs are regularly archived and rotated, and that syslog is working as expected.
Syslog-ng: Edit /etc/syslog-ng/syslog-ng.conf (example for Ubuntu 7.10). Find the following section:
# all messages of info, notice, or warn priority not coming from the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages {
level(info,notice,warn)
and not facility(auth,authpriv,cron,daemon,mail,news);
};
and change it as follows (all priorities from info up to emerg are now kept, and the daemon facility is no longer excluded, so FreeNAC daemon messages land in /var/log/messages):
# all messages of info or higher priority not coming from the auth,
# authpriv, cron, mail, and news facilities
filter f_messages {
level(info..emerg)
and not facility(auth,authpriv,cron,mail,news);
};
and comment out the following sections:
log {
source(s_all);
filter(f_syslog);
destination(df_syslog);
};
log {
source(s_all);
filter(f_daemon);
destination(df_daemon);
};
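To make the two halves of this setup concrete (the secondary's "*.info @loghost" forwarding rule above, and the main server's modified f_messages filter), here is an added example in Python; it is not FreeNAC code. It builds the BSD-style datagram a secondary would send for "logger -p local3.info -t daemon", parses it the way the main server sees it, and applies both the original and the modified filter so you can see which messages end up in /var/log/messages. The listener in main() uses an unprivileged loopback port rather than UDP 514, and the hostnames, tags and message texts are constructed sample values.

```python
"""Syslog forwarding and filtering, end to end (added example, not FreeNAC code).

Assumptions (constructed for illustration): the secondary forwards with the
classic '*.info @loghost' rule; the main server filters with the modified
f_messages filter; host 'secondary1' and tag 'nacd' are sample values.
"""
import socket

# RFC 3164 facility and severity codes, in numeric order (PRI = facility*8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility, severity):
    """local3.info -> 19*8 + 6 = 158, i.e. the <158> prefix logger would emit."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def build_message(facility, severity, tag, text,
                  timestamp="Aug 20 06:00:00", host="secondary1"):
    """Client side: the datagram 'logger -p <facility>.<severity> -t <tag>' sends (constructed layout)."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {host} {tag}: {text}".encode()


def parse_message(datagram):
    """Server side: decode <PRI> into facility/severity and split the BSD header fields."""
    s = datagram.decode(errors="replace")
    if not s.startswith("<") or ">" not in s:
        raise ValueError("datagram has no <PRI> prefix")
    close = s.index(">")
    pri = int(s[1:close])
    rest = s[close + 1:]
    timestamp, rest = rest[:15], rest[16:]      # "Mmm dd hh:mm:ss" is 15 characters
    host, rest = rest.split(" ", 1)
    tag, text = rest.split(": ", 1)
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": timestamp, "host": host, "tag": tag, "text": text}


def secondary_forwards(severity):
    """'*.info @loghost': forward messages at info or more severe; debug stays local."""
    return SEVERITIES.index(severity) <= SEVERITIES.index("info")


EXCLUDED = {"auth", "authpriv", "cron", "mail", "news"}


def f_messages_original(msg):
    """Original filter: level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news)."""
    return (msg["severity"] in ("info", "notice", "warning")
            and msg["facility"] not in EXCLUDED | {"daemon"})


def f_messages(msg):
    """Modified filter: level(info..emerg) and not facility(auth,authpriv,cron,mail,news)."""
    return (SEVERITIES.index(msg["severity"]) <= SEVERITIES.index("info")
            and msg["facility"] not in EXCLUDED)


def exchange(messages):
    """Send the forwarded subset over loopback UDP and return what the main server would write."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port: no root needed, unlike 514
    srv.settimeout(2)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    accepted = []
    try:
        for fac, sev, tag, text in messages:
            if not secondary_forwards(sev):
                continue
            cli.sendto(build_message(fac, sev, tag, text), srv.getsockname())
            parsed = parse_message(srv.recv(4096))
            if f_messages(parsed):
                accepted.append(parsed)
    finally:
        cli.close()
        srv.close()
    return accepted


if __name__ == "__main__":
    # Constructed sample traffic: the page's own test message, a daemon error,
    # an authpriv line (forwarded but filtered out), and a debug line (never forwarded).
    sample = [("local3", "info", "daemon", "test_syslog"),
              ("daemon", "err", "nacd", "sample error text"),
              ("authpriv", "info", "sshd", "sample auth text"),
              ("local3", "debug", "daemon", "sample debug text")]
    for m in exchange(sample):
        print(f"{m['timestamp']} {m['host']} {m['tag']}: {m['text']}  [{m['facility']}.{m['severity']}]")
```

Running it writes two lines to the terminal: the test_syslog message and the daemon error. The daemon error is the interesting one: the original filter would have dropped it twice over (err is outside info/notice/warn, and daemon was excluded), which is exactly why the filter is widened above and the separate df_daemon log is commented out to avoid duplicates.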
A log pruning configuration file is provided with FreeNAC; it focuses on /var/log/messages. That file is rotated weekly and archived for one year; two scripts, /opt/nac/logcheck/logcheck.sh and /opt/nac/bin/monitor_allows_count.sh, are run beforehand, and all FreeNAC daemons are restarted afterwards.
So, review the logrotate config file, copy it to /etc, activate it and test (the -d option is a dry run: logrotate only reports what it would do, so it is safe to run on a live server):
a) syslog-ng (preferred)
mv /etc/logrotate.d/syslog-ng /etc/syslog-ng.$$
cp /opt/nac/contrib/logrotate.d/syslog-ng /etc/logrotate.d/syslog-ng
/usr/sbin/logrotate -d --force /etc/logrotate.conf
b) classical syslog
mv /etc/logrotate.d/syslog /etc/syslog.$$
cp /opt/nac/contrib/logrotate.d/syslog /etc/logrotate.d/syslog
/usr/sbin/logrotate -d --force /etc/logrotate.conf
Add a cron entry to prune syslog, for example on weekday mornings:
# Force Log pruning check each morning
0 6 * * 1-5 /usr/sbin/logrotate /etc/logrotate.conf | logger
Activate the syslog configuration above, and test that a locally logged message reaches /var/log/messages:
/etc/init.d/syslog restart
echo test_syslog | logger -p local3.info -t daemon
grep test_syslog /var/log/messages
Email
FreeNAC tools send notifications by default to the 'nac' and 'root' users. In the file /etc/aliases there should be an alias for nac and root that points to a sysadmin.
To deliver email beyond a local user, the mail daemon (postfix, exim, sendmail, etc.) will have to be configured to send emails via your gateways.
On Ubuntu 7.10 for example, we uninstall exim and install postfix (personal preference) and configure it:
apt-get install postfix
dpkg-reconfigure postfix
(Internet site with mailhost is probably what you want)
To test email delivery:
echo test | mailx -v -s "test" root
tail /var/log/mail.info
Change the root GECOS field in /etc/passwd to "root MACHINE"; this makes the From: headers of email easier to read, since you can see which machine sent the notification.
Time Sync
Adjust the root crontab to update the current time from an NTP server every half hour, and write it back to the hardware clock:
0,30 * * * * /usr/sbin/ntpdate -s A.B.C.D X.Y.Z.Z; /sbin/hwclock --systohc
where A.B.C.D and X.Y.Z.Z are the NTP servers to synchronize from.
Other optional sysadmin settings
Create the file /etc/mods, where you'll keep a record of the changes made to your system:
touch /etc/mods
chmod 600 /etc/mods
Set up SSH trusts if needed: /root/.ssh/authorized_keys