...
You should complete a table as below to catalogue all the devices which will be sending logs.
| Name | Purpose | Logging System |
|---|---|---|
| Windows Event Manager | Event and Audit | Windows Event Logging |
| CentOS Linux 5.x | Event and Audit | syslog |
| CentOS Linux 6.x | Event and Audit | syslog |
| Cisco IOS Switches | Event and Audit | Cisco IOS syslog |
| Cisco IOS Routers | Event and Audit | Cisco IOS syslog |
Applications Sending Logs
The following applications logs need to be send centrally.
| Application Name | Purpose | File | Device |
|---|---|---|---|
| Monkey Auth System | Audit | C:\Program Files\MAS\logs\monkeyauth.log | Windows 2008 Servers |
| Elephant Financial | Audit | /data/elefin/log/app.log | CentOS Linux 6.8 |
Logging Protocol
syslog has proven to be a very robust protocol for large scale log management.
...
The requirement is to send level 6 and above.
| Value | Severity | Keyword |
|---|---|---|
| 0 | Emergency | emerg |
| 1 | Alert | alert |
| 2 | Critical | crit |
| 3 | Error | err |
| 4 | Warning | warn |
| 5 | Notice | notice |
| 6 | Informational | info |
| 7 | Debug | debug |
Full details for syslog severity levels https://en.wikipedia.org/wiki/Syslog#Severity_level
...
There are several good choices for Windows, but NXLOG has proven to meet all the requirements, almost all other systems include embedded syslog systems
Source | Method and Transport |
|---|---|
Windows 2003 Servers | nxlog monitoring Windows Event log, transport over syslog |
Windows 2008 Servers | nxlog monitoring Windows Event log, transport over syslog |
Windows 2012 Servers | nxlog monitoring Windows Event log, transport over syslog |
| CentOS Linux 5.x | rsyslog 3.x |
| CentOS Linux 6.x | rsyslog 7.6 |
Cisco IOS Switches | Native IOS syslog |
Cisco IOS Routers | Native IOS syslog |
Monkey Auth System | nxlog running on Windows. |
| Elephant Financials | rsyslog running on Linux |
syslog Facility
The best reference is: https://en.wikipedia.org/wiki/Syslog#Facility
We are primarily concerned with the facilities localX facilities. Logs will also grow at different rates and having them in separate files will allow for more granular control. The following table summarises which log files will end up in which files.
Device Type | syslog facility | Log file |
|---|
local0 | /data/log/local0.log | |
Log server to log server (future) | local1 | /data/log/local1.log |
Application logging e.g. MonkeyAuth | local2 | /data/log/local2.log |
Windows servers (nxlog default) | local3 | /data/log/local3.log |
Cisco ASA default (VMware ESXi default) | local4 | /data/log/local4.log |
local5 | /data/log/local5.log | |
Linux syslog | local6 | /data/log/local6.log |
Cisco Routers and Switches | local7 | /data/log/local7.log |
Alternate file naming can be supported if required, e.g. cisco.log instead of local7.log.
...
| Code Block |
|---|
$template LinuxMnemonic,"%timereported% %HOSTNAME% LINUX-%syslogfacility-text%-%syslogseverity%-%syslogtag%%msg%\n" |
Example Topology
...
In the example above all syslog messages received with a facility of local7 will be forwarded to the master server at 10.215.1.5. When this message is forwarded from the poller to the master, the poller will insert its own timestamp into the message.
| Code Block |
|---|
### syslog message from the node to the poller server 02:23:37.250516 IP 10.10.1.1.58415 > 10.215.1.7.syslog: SYSLOG local7.notice, length: 100 E....Y.....+ .. ..../...l./<189>90: *Feb 1 11:23:35.623: %SYS-5-CONFIG_I: Configured from console by hero on vty0 (10.215.1.5) ^C ### syslog message from the poller server to the master server 11:23:37.273514 IP 10.215.1.7.35902 > 10.215.1.5.syslog: SYSLOG local7.notice, length: 126 E.....@.?.#. ... ....>.....j<189>Feb 1 02:23:37 10.10.1.1 90: *Feb 1 11:23:35.623: %SYS-5-CONFIG_I: Configured from console by hero on vty0 (10.215.1.5) |
...
| Code Block |
|---|
### /usr/local/omk/config/opCommon.nmis
'opevents_max_action_queue_age' => 3600,
'opevents_max_event_age' => 7200,
'opevents_max_time_delta' => 1800,
'opevents_monthly_report_recipients' => [],
'opevents_monthly_report_title' => 'Monthly Summary Report', |
...
Setting the 'opevents_max_time_delta' to a value of 1800 seconds will instruct opEvents to do the following:
...