Introduction
This document describes how to configure syslog-servers for Network Services Orchestrator (NSO) 5.x.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
Configuration Requirements
Once the installation is completed, these files are needed:
- Configuration file is
/etc/rsyslog.conf
.
- Directory defined with specific configuration file(s) is
/etc/rsyslog.d/
.
For this configuration, use the rsyslog service which is available by default in several Linux distributions. In case it is not available on the server, download it as follows (RHEL/CentOS):
yum install rsyslog
With NSO 5.1, the syslog-server elements which were a part of the ncs.conf
file that was made obsolete.
Note: Support for the syslog via UDP has been removed in order to comply with Cisco security requirements. The default syslog
functionality via the libc syslog(3)
is still available.
In order to redirect NSO logs to a remote server, refer to NSO Syslog Relay Readme file and use the syslog daemon relay configuration.
Configuration
Two sets of configuration files are needed for configuration. One is on the server where NSO is run, the sender in this case, and the other is on the receiver (remote-server) which stores all the logs.
Step 1: Check that the ncs.conf
file has this section:
<logs>
<syslog-config>
<facility>daemon</facility>
</syslog-config>
...
</logs>
Step 2: Configure the /etc/rsyslog.conf
as follows:
- Under
#### RULES ####
; section add:
*.* @remote_ip
For example:
*.* @10.127.200.61
This line directs the rsyslog service to also redirect 'all' daemon logs to the remote host at the specified IP.
Step 3: Add a new file in the /etc/rsyslog.d/
path as shown in the next example.
- The new file is a configuration file to tell the r
syslog daemon
details about which files to be sent over the network to the remote server.
For example:
$ModLoad imfile
$InputFileName /var/log/ncs/devel.log
$InputFileTag devel:
$InputFileStateFile stat-devel
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
...
- Once all the files are defined and contain details, you can specify where the files are sent via the protocol:
# Send over UDP
local6.* @remote_ip:port
For example:
local6.* @10.127.200.61:514
Step 4: Restart the rsyslog
service:
service rsyslog restart
Note: Steps 2 to 4 must be executed on the sender, that is, the server where NSO service is up.
Step 5: Uncomment the section for UDP/TCP based on your requirement in the /etc/rsyslog.conf
file:
$ModLoad imudp
$UDPServerRun 514
Note: 514 is the port used for this transfer.
Step 6: Modify the /etc/rsyslog.conf
file. Add the lines under ###MODULES###
section:
$template FileTemplate,"/var/log/ncs-server/%programname%.log"
if $programname startswith 'devel' then -?FileTemplate
if $programname startswith 'audit' then -?FileTemplate
if $programname startswith 'ncs' then -?FileTemplate
if $programname startswith 'ncs-java-vm' then -?FileTemplate
if $programname startswith 'ncserr' then -?FileTemplate
Note: You can use the name ncs-server for your directory.
In this step, the rules are defined to store the logs specifically to NSO in designated location.
Step 7: Restart the rsyslog
service:
service rsyslog restart
Note: Steps 5 to 7 must be executed on the receiver, the remote server, where the logs are intended to be stored.
Additional Configurations
The syslog daemon relay functionality must be setup with these steps. However, in a production environment the Firewall service and SELinux are usually enabled. If they are enabled, the logs are not stored remotely. To ensure this does not cause any issues, you need to add these configurations on both servers:
semanage port -a -t syslogd_port_t -p udp 514
firewall-cmd --add-port=514/udp --permanent
firewall-cmd --reload
Verification
If the steps have been followed correctly, the syslog
server is setup remotely. To verify this:
On the remote-server:
nc -l -u -p 514
From the sender:
logger "Message from client"
The remote server must have received this message:
May 11 22:12:10 nso-recreate root: Message from client
Troubleshoot
In situations where the relay is not successful, you need to check the config files again.
It is also useful to confirm the status of NSO and rsyslog
:
systemctl status ncs.service
Expected output:
[root@nso-recreate ncs]# systemctl status ncs.service
● ncs.service - LSB: NCS
Loaded: loaded (/etc/rc.d/init.d/ncs; bad; vendor preset: disabled)
Active: active (runnin) since Tue 2022-05-10 21:55:59 EDT; 24h ago
...
No other lines in red in the status output.
service rsyslog status
Expected output:
[root@nso-recreate ncs]# service rsyslog status
Redirectin to /bin/systemctl status rsyslog.service
● rsyslog.service - System Loggin Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (runnin) since Wed 2022-05-11 01:12:08 EDT; 21h ago
...
No other lines in red in the status output.
You can check for Firewall rules or SELinux configurations. These can block the log transfer to the remote destination.
systemctl status firewalld.service
sestatus