[Unixcert] How to do off machine (syslog) lab out of the office

Glen Jarvis glen at glenjarvis.com
Sat Aug 18 20:30:04 UTC 2012


OFF MACHINE LOGS LAB
====================

Purpose: These notes are designed to help you continue with the "Off
Machine Logs" portion of our lab without having the classroom resources. As
two computers are necessary, I have made these resources available for you
during our exercise today.


Note: When I did this lab, I did this with a CentOS distribution.
Therefore, because I know I can build an exact environment that works, I
have created CentOS distributions. If you wish to do this with SuSE only, I
can destroy and rebuild these instances with SuSE. You may want to follow
these instructions first, get this to work, and then later try again with
SuSE. At least we know this will work. These machines have also been
patched with all security patches.

Instructions:

There are two machines set up. I have many pairs of machines for each
student. For example, for student 01 (whoever claims student 01), I have
two machines:

syslog_server_01.glenjarvis.com
syslog_client_01.glenjarvis.com

I have a second set for another student:

syslog_server_02.glenjarvis.com
syslog_client_02.glenjarvis.com

etc.


1. Obtain the student number and access key from Glen Jarvis. For student
01 above, the key will be named 'syslog01.pem'. If you are student 02, the
key will be 'syslog02.pem', etc.

2. Make certain the key is on your computer so you can access it. And, make
certain the permissions are as follows (ssh WILL NOT WORK if you have too
many permissions on this file):
prompt> ls -l syslog01.pem
-r--------@ 1 gjarvis_old  staff  1692 Aug 18 10:20 syslog01.pem

3. Connect to the client and the server in different windows (notice the
username is ec2-user):

ssh -i syslog01.pem ec2-user@syslog_server_01.glenjarvis.com

ssh -i syslog01.pem ec2-user@syslog_client_01.glenjarvis.com

4. Proceed with the instructions in class, but notice that the
configuration file is rsyslog.conf instead of syslog.conf (the same applies
on the server):

/etc/rsyslog.conf

Here is an example:

# Sample entry
*.debug                                           @syslog_server_01.glenjarvis.com
local0.warning                                    /var/log/local0.messages


5. The PID file is actually located in a different place. It is in
/var/run/syslogd.pid
If you think the instructor will be cool with using the start-up
script, you can simply do this:
sudo /etc/rc.d/init.d/rsyslog restart


6. Step six of our lab WILL NOT WORK, unless you know to load these modules
ON THE SERVER machine. These need to be uncommented in the server
/etc/rsyslog.conf and then restarted:

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
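A quick way to catch the step-6 failure mode before restarting anything is to cross-check the client's forwarding rules (step 4) against the receiver directives the server actually enables (step 6). The script below is an added example and not part of these lab notes; the two embedded configs are constructed samples mirroring the snippets above, and the checker only understands the classic "$ModLoad"/"$UDPServerRun"/"$InputTCPServerRun" directive style used in this lab.

```python
import re

# Constructed samples: the client file from step 4 and a server file where
# only the UDP receiver from step 6 has been uncommented.
CLIENT_CONF = """\
# Sample entry
*.debug                 @syslog_server_01.glenjarvis.com
local0.warning          /var/log/local0.messages
"""
SERVER_CONF = """\
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception (still commented out)
#$ModLoad imtcp
#$InputTCPServerRun 514
"""

def forwarding_rules(conf):
    """Return (selector, transport, host, port) for every remote-forward
    action line. '@host' means UDP, '@@host' means TCP; port defaults to 514."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "$")):
            continue  # comments and directives are not selector lines
        m = re.match(r"(\S+)\s+(@@?)([^\s:]+)(?::(\d+))?$", line)
        if m:
            sel, at, host, port = m.groups()
            rules.append((sel, "tcp" if at == "@@" else "udp", host, int(port or 514)))
    return rules

def listeners(conf):
    """Return the set of (transport, port) the server will really listen on.
    A *ServerRun directive only counts if its input module was loaded first,
    which is exactly what goes wrong when only one of the two lines is uncommented."""
    loaded, open_ports = set(), set()
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "$ModLoad":
            loaded.add(parts[1].replace(".so", ""))
        elif parts[0] == "$UDPServerRun" and "imudp" in loaded:
            open_ports.add(("udp", int(parts[1])))
        elif parts[0] == "$InputTCPServerRun" and "imtcp" in loaded:
            open_ports.add(("tcp", int(parts[1])))
    return open_ports

def check(client_conf, server_conf):
    """Pair each client forwarding rule with True/False: can the server receive it?"""
    open_ports = listeners(server_conf)
    return [(s, t, h, p, (t, p) in open_ports) for s, t, h, p in forwarding_rules(client_conf)]

if __name__ == "__main__":
    for sel, transport, host, port, ok in check(CLIENT_CONF, SERVER_CONF):
        print(f"{sel} -> {transport}://{host}:{port}  {'OK' if ok else 'SERVER NOT LISTENING'}")
```

Run it against copies of both /etc/rsyslog.conf files (scp them down, or paste them into the two strings) before restarting; a rule reported as SERVER NOT LISTENING is the symptom the note above is warning about.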


If you get stuck, let me know. I have successfully done this and a few
others are trying these instructions as well. If something's not clear or
not working, let's fix it so we can successfully nail this lab down.



Cheers,


Glen
-- 

"Pursue, keep up with, circle round and round your life as a dog does his
master's chase. Do what you love. Know your own bone; gnaw at it, bury it,
unearth it, and gnaw it still."

--Henry David Thoreau