SDB:Enterprise Syslog Server

From openSUSE


Version: 10 - Perpetual Relevance from V10


Notes

This procedure is deliberately written to use the openSUSE GUI to achieve its goals. The author could have shortened it considerably with command-line entries; however, openSUSE was created as a graphical interface for Linux, and not using that interface is in complete conflict with the product's design and purpose.

Purpose

The purpose of this procedure is to enable an administrator to monitor the individual system logs of all PCs on the enterprise network from a single PC. It is an easy procedure to follow, and much of the syntax reproduced here already exists in various other forms.

The total amount of information from each PC can be vast: the current temperature of the local HDD, HDD misreads, service modules not loaded because condition x is present, daily security reports, print queue data, HTTP, DNS, FTP, SCSI HDD and NFS real-time reporting, weekly security reports, AppArmor reports and notifications, failed user and root login attempts, and the list just goes on.

Multiply this list by every PC on the LAN: you can use 'ksystemlog' to view these events, but in reality serious event management is required.

If you elect not only to create an Enterprise Syslog Server but also to modify the client PCs, you should consider very seriously how you are going to manage this information and how you can trigger automated responses to certain conditions.

Complex Event Processing

World-class event management software is required to fulfil this need. The only complex event processing software I would suggest as capable of managing this amount of information can be found at the following links, where everything from a free version to various licence types is available:

http://eventgnosis.com/index.php?option=com_content&task=view&id=25&Itemid=76

http://eventgnosis.com/index.php?option=com_content&task=view&id=45&Itemid=69


The value of modifying all client PCs within an enterprise needs to be considered before any modification is initiated. Deciding how to manage this data is, in reality, a bigger issue than gathering it; serious event management software can be found at the links above. Users should consider carefully the enormous advantages of complete monitoring of all enterprise PCs.

The links above lead to a single .RPM install file, available in free and licensed versions; contact support@eventgnosis.com for SUSE Linux specific execution and auto-start scripts. This software is perfectly stable on a 64-bit (x86_64) PC, but you will need to initiate the start script in a 32-bit xterm.

CEP, or 'Complex Event Processing', is one way of managing the abundance of information from an enterprise, and SUSE Linux installations on IBM z/Series demand this quality of event management.

If you choose any complex event management software, NO modifications should be made to its host. This type of software comes ready to listen on UDP 514 AND to watch every created text file for an 'event condition'.

Procedure Notes

This procedure allows an administrator to view the health of, and watch for warnings from, each PC on an Enterprise System Log Server on the network. It does not prevent individual PCs from creating their own system log files, nor viewing the system log of an individual PC, nor logrotate as currently maintained by each PC.

This procedure is lengthy because it does NOT rely on console commands alone. The author considers publishing procedures that do NOT make use of the GUI to be in conflict with the software's design principles, in that openSUSE is a graphical user interface.

This procedure can collect and forward system log information from a PC that is even on a different LAN route, with or without a different subnet. Whether it works for a PC on a DMZ route is unknown but theoretically possible.

The modifications to the rest of the network's PCs MUST be done on an individual basis. A standard syslog-ng.conf file with the prescribed alterations should NOT be created and copied en masse to all PCs. The contents of each PC's syslog-ng.conf file change constantly depending on the network services running on that PC. It is therefore strongly recommended that the modifications be made by editing each file individually, and that a copy of the original syslog-ng.conf file be kept. This recommendation should NOT be taken as a blind, global file replacement.

To effect a 'search and replace', rather than a blind 'replace all', a much more suitable substitution is a non-blind 'search and replace' in which the search string is part of the current contents of the file and the replacement is the found string plus the additional modifications below.

The best way of distributing enterprise-wide modifications is via AutoYaST. A wise administrator will manually make a copy of the original file before editing takes place.

Procedure

1. Log Software Required

First, the Ksystemlog software must be installed from your openSUSE software source. If you are running openSUSE 11.0 or have KDE 4, your version of Ksystemlog will be greatly improved over the default version available in openSUSE 10.2 and above. The file Ksystemlog views on any PC is /var/log/messages. For our purposes, the Enterprise System Log Display PC requires one change to the syslog-ng.conf file on the server, and a different change to the syslog-ng.conf file on every other PC on the network.


2. Selecting the PC to be the Enterprise System Log Display PC

The PC selected to be the Enterprise System Log Display PC must have a static IP. In openSUSE versions below 10.3 this has to be configured deliberately. Version 10.3 and above provide the facility to obtain a fixed IP from a DHCP server using the option 'DHCP + Zeroconf' in the Network Card Setup.

3. Changes to Syslog-ng on the Enterprise System Log Display PC

This procedure assumes that no other monitoring software is installed on the chosen Enterprise System Log Display PC. If that is not possible, you will need to read and understand a yet-to-be-written guide to using alternative default listening ports.

Open your favourite text editor as the user ROOT and edit the file /etc/syslog-ng/syslog-ng.conf as follows. Towards the beginning of the file, just after the 'acpid messages' section, insert the following.

Insert the following line (without the wiki list numbering) so that syslog-ng listens for syslog-formatted messages sent by every other PC on the network to the designated Enterprise System Log Display PC via UDP 514. Note that, as no destination is specified, the destination log will be the system log file "messages".

  source src {internal();udp(ip("0.0.0.0") port(514));};

After saving the file, open a console window and as ROOT enter the two commands 'rcsyslog stop' followed by 'rcsyslog start'. The response on both occasions should be a green 'done'. If you receive a red failure reporting a syntax error on line 'x', check the syntax of the indicated line very carefully and retry the restart of the syslog service until you receive a green 'done' response.

4. Changes to the Firewall on the Receiving PC

You will need to change the openSUSE firewall: in the category 'Allowed Services' click 'Advanced' and open UDP 514 by entering 514 on the UDP line. Under NO circumstances should TCP 514 be opened. TCP 514 permits remote console entries, and although this is unlikely, and further unlikely that someone else has the root password, opening TCP 514 is NOT a good security measure.

Because this procedure allows messages to arrive from possibly different LAN routes, the firewall procedure above is recommended. Advanced users may take advantage of the 'Custom Rules' available in openSUSE 10.3 and above, where more than one subnet covers all IP allocations.
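Once UDP 514 is open, the display PC accepts any datagram the firewall lets through, and classic UDP syslog carries no authentication. The following is an added example, not code from the SDB page or from syslog-ng, showing what a receiver on the display PC has to do with what arrives: restrict sources to the known client subnets (the same idea as the 'Custom Rules' above), parse the BSD syslog format (RFC 3164) that syslog-ng clients send, and pick out the warning-and-worse events that would feed the automated responses discussed earlier. The function names, the ALLOWED_CLIENTS subnets and the sample datagrams are constructed for the example.

```python
"""Minimal receiver logic for a UDP 514 syslog server (added example).

parse_syslog, triage, from_allowed_client, ALLOWED_CLIENTS and SAMPLE are
names and values invented for this illustration, not part of syslog-ng.
"""
import ipaddress
import re
import socket

# Subnets the client PCs live on (constructed sample values).  UDP syslog is
# unauthenticated, so anything from an unknown network is dropped unparsed.
ALLOWED_CLIENTS = [ipaddress.ip_network("10.10.10.0/24"),
                   ipaddress.ip_network("192.168.1.0/24")]

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: message   (RFC 3164 layout)
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


def from_allowed_client(addr):
    """True if the datagram's source address lies in a known client subnet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_CLIENTS)


def parse_syslog(line):
    """Return a dict for a well-formed RFC 3164 line, or None if malformed."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # PRI = facility(0..23) * 8 + severity(0..7)
        return None
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "timestamp": m.group("ts"), "host": m.group("host"),
            "tag": m.group("tag"),
            "pid": int(m.group("pid")) if m.group("pid") else None,
            "msg": m.group("msg")}


def triage(datagrams, max_severity_index=4):
    """Classify (source_ip, payload_bytes) pairs.

    Returns (accepted, alerts, rejected): parsed events from allowed clients,
    the subset at 'warning' (index 4) or worse, and (ip, reason) for drops."""
    accepted, alerts, rejected = [], [], []
    for src_ip, payload in datagrams:
        if not from_allowed_client(src_ip):
            rejected.append((src_ip, "source not in allowed client networks"))
            continue
        event = parse_syslog(payload.decode("ascii", errors="replace").rstrip("\n"))
        if event is None:
            rejected.append((src_ip, "malformed syslog line"))
            continue
        event["src_ip"] = src_ip
        accepted.append(event)
        if SEVERITIES.index(event["severity"]) <= max_severity_index:
            alerts.append(event)
    return accepted, alerts, rejected


# Constructed sample datagrams in the form a syslog-ng client would send them.
SAMPLE = [
    ("10.10.10.21", b"<34>Jun  3 10:15:07 ws21 sshd[2221]: Failed password for root from 10.10.10.99 port 51234 ssh2"),
    ("10.10.10.22", b"<30>Jun  3 10:15:09 ws22 cron[400]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("172.16.5.5", b"<13>Jun  3 10:15:10 rogue forged: this host is not a known client"),
    ("10.10.10.23", b"not a syslog line at all"),
]


def serve(port=514):
    """Blocking receive loop; binding port 514 requires root.  Not run by tests."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        payload, (src_ip, _) = sock.recvfrom(8192)
        _, alerts, rejected = triage([(src_ip, payload)])
        for e in alerts:
            print("ALERT %s %s %s %s: %s" % (e["src_ip"], e["host"], e["tag"], e["severity"], e["msg"]))
        for ip, why in rejected:
            print("DROP  %s: %s" % (ip, why))


if __name__ == "__main__":
    acc, al, rej = triage(SAMPLE)
    for e in acc:
        print("EVENT", e["host"], e["facility"], e["severity"], e["msg"])
    for e in al:
        print("ALERT", e["host"], e["tag"], e["msg"])
    for ip, why in rej:
        print("DROP", ip, why)
```

Run stand-alone, the sample yields two accepted events, one alert (the sshd line, facility auth, severity crit) and two drops (unknown source, malformed line). Source-address filtering is only a sanity check, since UDP source addresses can be forged; it complements rather than replaces the firewall rules above.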

5. Changes to Every other PC on the Network

All other PCs on the network require the following changes to their /etc/syslog-ng/syslog-ng.conf files. At this stage you may elect to uncomment the default lines in the syslog-ng.conf of a 10.3 installation, OR you may copy the following, which is a copy of the commented-out settings as discussed. If anyone does create a shell script to perform the changes below in an automated manner, please share it with the author, whose email will appear in 'edit mode' of the title page. If you do this, please do not save any changes while in 'edit' mode; just copy the address.

Insert the following two lines (again without the wiki list numbering) at the END of the file to enable sending log messages to the IP of the log server.

  destination logserver { udp("10.10.10.10" port(514)); };
  log { source(src); destination(logserver); };

Here 10.10.10.10 should be replaced with the static IP of the Administrative Display PC you chose above.

Again, after each PC has been modified and its syslog-ng.conf saved, open a console window and as ROOT enter the two commands 'rcsyslog stop' followed by 'rcsyslog start'.

The response on both occasions should be a green 'done'. If you receive a red failure on line 'x', check the syntax of the indicated line very carefully and retry the restart of the syslog service until you receive a green 'done' response. No changes are required to the firewall of the sending PCs, as the openSUSE firewall is a stateful packet inspection firewall concerned only with opening critical ports in the INBOUND direction.
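The Procedure Notes ask for a non-blind edit of each client's syslog-ng.conf with a copy of the original kept, and the author invites a script for the change in step 5. The following is an added example, not the SDB page's or syslog-ng's own code, of such an edit done safely: it validates the server IP, refuses to touch a file that has no 'source src' block for the log statement to refer to, appends the two lines exactly once (so re-running it is harmless), and takes a timestamped backup before writing. The function names add_forwarding and apply_to_file and the SAMPLE_CONF fragment are constructed for the example; restart syslog-ng afterwards with 'rcsyslog stop' and 'rcsyslog start' as described above.

```python
"""Idempotent, non-blind edit of a client's syslog-ng.conf (added example).

add_forwarding and apply_to_file are names chosen for this illustration;
SAMPLE_CONF is a constructed fragment, not a real openSUSE file.
"""
import ipaddress
import re
import shutil
import time

DEST_TEMPLATE = 'destination logserver { udp("%s" port(514)); };'
LOG_LINE = "log { source(src); destination(logserver); };"


def add_forwarding(conf_text, server_ip):
    """Return conf_text with the forwarding destination and log statement
    appended once.

    Raises ValueError if server_ip is not an IPv4 address or if the file
    defines no 'src' source (the log statement would reference an undefined
    source and syslog-ng would refuse to start).  Returns the text unchanged
    when a 'logserver' destination is already present."""
    ipaddress.IPv4Address(server_ip)          # rejects "10.10.10", hostnames, etc.
    if not re.search(r"^\s*source\s+src\s*\{", conf_text, re.M):
        raise ValueError("no 'source src' block; log statement would reference an undefined source")
    if re.search(r"^\s*destination\s+logserver\s*\{", conf_text, re.M):
        return conf_text                      # already modified on an earlier run
    body = conf_text if conf_text.endswith("\n") else conf_text + "\n"
    return (body
            + "\n# forward a copy of every message to the Enterprise System Log Display PC\n"
            + DEST_TEMPLATE % server_ip + "\n"
            + LOG_LINE + "\n")


def apply_to_file(path, server_ip):
    """Back up path, then rewrite it with the forwarding lines added.

    Returns the backup filename, or None when the file already forwards."""
    with open(path) as fh:
        original = fh.read()
    updated = add_forwarding(original, server_ip)
    if updated == original:
        return None
    backup = "%s.orig-%s" % (path, time.strftime("%Y%m%d%H%M%S"))
    shutil.copy2(path, backup)                # keep the original, as the notes require
    with open(path, "w") as fh:
        fh.write(updated)
    return backup


# Constructed fragment in the style of a 10.x syslog-ng.conf (not the real file).
SAMPLE_CONF = """\
options { sync(0); stats(3600); };
source src {
    internal();
    unix-dgram("/dev/log");
};
destination messages { file("/var/log/messages"); };
log { source(src); destination(messages); };
"""

if __name__ == "__main__":
    print(add_forwarding(SAMPLE_CONF, "10.10.10.10"))
```

Using apply_to_file("/etc/syslog-ng/syslog-ng.conf", "10.10.10.10") as root on each client performs the edit against that PC's current file rather than replacing it, which is the distinction the Procedure Notes draw between a non-blind edit and a blind global replacement.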

Links

http://eventgnosis.com/index.php?option=com_content&task=view&id=25&Itemid=76

http://eventgnosis.com/index.php?option=com_content&task=view&id=45&Itemid=69

http://en.opensuse.org/SDB:Syslog_server