Guided Exercise: Aggregating Logged Events to Syslog

The robustness and reliability of managed network resources depend on good situational awareness: having the right information, at the right time, in the right place. One way to gather useful information is to forward event information from your network devices to a central syslog server. This makes it possible to construct rule-based alerting on suspicious event patterns.

In this exercise, you will send logged events to a syslog server.

Outcomes

You should be able to:

  • Add group variables that support template-driven configuration for sending logged event information to the workstation machine acting as a syslog server.

  • Update NOS-specific device configuration templates to provide parameterized configuration statements for sending logged event information to a syslog server.

  • Perform a multivendor play that configures network devices to send logged event information to a syslog server.

  • Monitor traffic on the syslog port on the workstation VM to confirm that log messages are arriving.

Open a terminal window on the workstation VM and change to the ~/proj directory.

  1. Add variables that support template-driven configuration for sending logged event information to a syslog server.

    1. Add a variable named syslog_ipv4 to the network group's variables file. Its value should be the IP address of the workstation machine, which has already been configured to accept syslog traffic. Modify group_vars/network/vars.yml to include the following content:

      ansible_connection: network_cli
      domain_name: lab.example.com
      syslog_ipv4: 172.25.250.254
      nameservers:
      - 8.8.8.8
      - 8.8.4.4
    2. Add a variable named vyos_loglevel to the vyos group's variables file. Modify group_vars/vyos/vars.yml to include the following content:

      ansible_network_os: vyos
      ansible_user: vyos
      vyos_loglevel: info
    3. Add a variable named ios_loglevel to the ios group's variables file. Modify group_vars/ios/vars.yml to include the following content:

      ansible_network_os: ios
      ansible_user: admin
      # level 6 = informational, level 7 = debug
      ios_loglevel: 7
  2. Update NOS-specific device configuration templates to provide parameterized configuration statements for sending logged event information to a syslog server.

    1. Add a line to the device configuration Jinja2 template for VyOS devices, j2/vyos-config.j2. It should map appropriate variables to the VyOS statements that enable logging to the syslog server.

      [student@workstation proj]$ cat j2/vyos-config.j2
      set system host-name {{ inventory_hostname }}
      set system domain-name {{ domain_name }}
      {% for nameserver in nameservers %}
      set system name-server {{ nameserver }}
      {% endfor %}
      set system syslog host {{ syslog_ipv4 }} facility local7 level {{ vyos_loglevel }}
    2. Add lines to the device configuration Jinja2 template for IOS devices, j2/ios-config.j2. It should map appropriate variables to the IOS statements that enable logging to the syslog server.

      [student@workstation proj]$ cat j2/ios-config.j2
      hostname {{ inventory_hostname }}
      ip domain-name {{ domain_name }}
      {% for nameserver in nameservers %}
      ip name-server {{ nameserver }}
      {% endfor %}
      service timestamps log datetime
      service timestamps debug datetime
      logging {{ syslog_ipv4 }}
      logging trap {{ ios_loglevel }}
  3. Perform a multivendor play that configures network devices to send logged event information to a syslog server.

    Run the play in the j2cfg.yml file, which you created earlier; it sources configuration statements from the VyOS and IOS Jinja2 templates. Limit the change to cs01.

    [student@workstation proj]$ ansible-playbook -l cs01 j2cfg.yml
  4. Monitor traffic on the syslog port on the workstation VM to confirm that log messages are arriving.

    1. Run tcpdump, listening on eth0 port 514.

      [student@workstation ~]$ sudo tcpdump -Xni eth0 port 514
      [sudo] password for student: student
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    2. Open another terminal window on the workstation machine. Use SSH to connect to cs01 as admin using student as the password. Generate a log message on cs01.

      [student@workstation ~]$ ssh admin@cs01
      Password: student
      
      cs01#send log this is a test
    3. In your tcpdump terminal window, you should see a hex dump of the log message you generated on cs01.

      [student@workstation ~]$ sudo tcpdump -Xni eth0 port 514
      [sudo] password for student: student
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
      10:56:23.721408 IP 172.25.250.195.53969 > 172.25.250.254.syslog: SYSLOG
      local7.debug, length: 98
        0x0000: 4500 0076 0002 0000 ff11 6d7f ac19 fac3  E..v......m.....
        0x0010: ac19 fafe d2d1 0202 0062 96ce 3c31 3931  .........b..<191
        0x0020: 3e35 383a 202a 4a75 6c20 2033 2031 343a  >58:.*Jul..3.14:
        0x0030: 3531 3a30 323a 2025 5359 532d 372d 5553  51:02:.%SYS-7-US
        0x0040: 4552 4c4f 475f 4445 4255 473a 204d 6573  ERLOG_DEBUG:.Mes
        0x0050: 7361 6765 2066 726f 6d20 7474 7931 2875  sage.from.tty1(u
        0x0060: 7365 7220 6964 3a20 6164 6d69 6e29 3a20  ser.id:.admin):.
        0x0070: 7468 6973 2069 7320 6120 7465 7374       this.is.a.test
      ^C
      1 packet captured
      1 packet received by filter
      0 packets dropped by kernel

      Use Control+C to break out of the tcpdump session.

    4. If the message is not displayed in the terminal where tcpdump is running, make sure the syslog port (514/udp) is open on the firewall.

      [student@workstation ~]$ sudo firewall-cmd --zone=trusted \
      > --permanent --add-port=514/udp
      [student@workstation ~]$ sudo firewall-cmd --reload
      [student@workstation ~]$ sudo firewall-cmd --zone=trusted --list-ports
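As an added example, not part of the course's playbook or of Ansible, the following Python script renders the two templates from steps 1 and 2 with the group variables given above, the way the j2cfg.yml play does, so the exact lines that will be pushed can be inspected before a device is touched. It assumes the template text and variable values from the exercise; the validate_logging_vars() check, the list of VyOS level keywords and the placeholder VyOS hostname are this example's own.

```python
"""Render the exercise's VyOS and IOS templates from the group variables.

Added example, not part of the DO457 course material or of Ansible.
It copies the template text and variable values from the exercise;
validate_logging_vars() is a hypothetical pre-render check of our own.
"""
import ipaddress

from jinja2 import Environment, StrictUndefined

# Template text as in j2/vyos-config.j2 and j2/ios-config.j2.
VYOS_TEMPLATE = """\
set system host-name {{ inventory_hostname }}
set system domain-name {{ domain_name }}
{% for nameserver in nameservers %}
set system name-server {{ nameserver }}
{% endfor %}
set system syslog host {{ syslog_ipv4 }} facility local7 level {{ vyos_loglevel }}
"""

IOS_TEMPLATE = """\
hostname {{ inventory_hostname }}
ip domain-name {{ domain_name }}
{% for nameserver in nameservers %}
ip name-server {{ nameserver }}
{% endfor %}
service timestamps log datetime
service timestamps debug datetime
logging {{ syslog_ipv4 }}
logging trap {{ ios_loglevel }}
"""

# Values from group_vars/network/vars.yml plus the vyos and ios group files.
NETWORK_VARS = {
    "domain_name": "lab.example.com",
    "syslog_ipv4": "172.25.250.254",
    "nameservers": ["8.8.8.8", "8.8.4.4"],
}
VYOS_VARS = {"vyos_loglevel": "info"}
IOS_VARS = {"ios_loglevel": 7}

# Keywords VyOS accepts for "syslog host ... level"; IOS trap levels are 0-7.
VYOS_LEVELS = {"emerg", "alert", "crit", "err", "warning", "notice", "info", "debug", "all"}


def validate_logging_vars(hostvars):
    """Return the problems that would produce a broken or misdirected logging config.

    A typo in syslog_ipv4 silently sends events to the wrong host, and a bad
    level keyword is only rejected by the device at commit time.
    """
    problems = []
    try:
        ipaddress.IPv4Address(str(hostvars.get("syslog_ipv4", "")))
    except ValueError:
        problems.append(f"syslog_ipv4 is not an IPv4 address: {hostvars.get('syslog_ipv4')!r}")
    if "vyos_loglevel" in hostvars and hostvars["vyos_loglevel"] not in VYOS_LEVELS:
        problems.append(f"vyos_loglevel is not a VyOS level keyword: {hostvars['vyos_loglevel']!r}")
    if "ios_loglevel" in hostvars:
        level = str(hostvars["ios_loglevel"])
        if not (level.isdigit() and 0 <= int(level) <= 7):
            problems.append(f"ios_loglevel must be 0-7: {hostvars['ios_loglevel']!r}")
    return problems


def render(template_text, hostvars):
    """Render with trim_blocks on, as Ansible's template module does by default."""
    problems = validate_logging_vars(hostvars)
    if problems:
        raise ValueError("; ".join(problems))
    # StrictUndefined makes a missing variable fail instead of rendering as "".
    env = Environment(undefined=StrictUndefined, trim_blocks=True)
    return env.from_string(template_text).render(**hostvars)


def vyos_config(hostname="vyos-example"):  # placeholder hostname, not from the lab
    """Configuration lines the play would push to a VyOS host."""
    return render(VYOS_TEMPLATE, {"inventory_hostname": hostname, **NETWORK_VARS, **VYOS_VARS})


def ios_config(hostname="cs01"):
    """Configuration lines the play would push to an IOS host (cs01 in the exercise)."""
    return render(IOS_TEMPLATE, {"inventory_hostname": hostname, **NETWORK_VARS, **IOS_VARS})


if __name__ == "__main__":
    print(ios_config())
    print()
    print(vyos_config())
```

The script only needs the jinja2 package that Ansible itself depends on. Running it prints the rendered IOS configuration for cs01 followed by the VyOS configuration, ending with the `logging` / `logging trap` and `set system syslog host` lines that this exercise adds.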
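To turn the raw capture from step 4 into something that rule-based alerting can act on, here is an added Python example (not part of the course material). It reassembles the datagram from the hex dump above, strips the IPv4 and UDP headers, decodes the syslog PRI into facility and severity (which should agree with tcpdump's `local7.debug` summary) and the Cisco `%FACILITY-SEVERITY-MNEMONIC` tag, and then runs a few constructed alert rules over the event. The rule set, the use of `%SYS-5-CONFIG_I` as an example of an IOS configuration-change message, and all function names are this example's own assumptions.

```python
"""Decode the syslog datagram captured above and run alert rules over it.

Added example, not part of the course material. The hex dump is the
tcpdump output from the exercise; the alert rules and function names are
constructed for illustration.
"""
import re

# Hex dump lines copied from the "tcpdump -Xni eth0 port 514" output above.
TCPDUMP_HEX = """\
0x0000: 4500 0076 0002 0000 ff11 6d7f ac19 fac3  E..v......m.....
0x0010: ac19 fafe d2d1 0202 0062 96ce 3c31 3931  .........b..<191
0x0020: 3e35 383a 202a 4a75 6c20 2033 2031 343a  >58:.*Jul..3.14:
0x0030: 3531 3a30 323a 2025 5359 532d 372d 5553  51:02:.%SYS-7-US
0x0040: 4552 4c4f 475f 4445 4255 473a 204d 6573  ERLOG_DEBUG:.Mes
0x0050: 7361 6765 2066 726f 6d20 7474 7931 2875  sage.from.tty1(u
0x0060: 7365 7220 6964 3a20 6164 6d69 6e29 3a20  ser.id:.admin):.
0x0070: 7468 6973 2069 7320 6120 7465 7374       this.is.a.test
"""

# RFC 3164 facility and severity names; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# One tcpdump -X line: offset, up to eight 16-bit hex groups, then the ASCII column.
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]+:\s+((?:[0-9a-f]{2,4}\s+){1,8})")
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Cisco IOS message tag, e.g. %SYS-7-USERLOG_DEBUG: ...
CISCO_RE = re.compile(r"%(?P<ios_facility>[A-Z0-9_]+)-(?P<ios_severity>\d)-"
                      r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")


def hexdump_to_bytes(dump):
    """Reassemble the raw IPv4 packet from the hex column of tcpdump -X output."""
    data = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            data += bytes.fromhex("".join(m.group(1).split()))
    return bytes(data)


def udp_payload(packet):
    """Strip the IPv4 and UDP headers; return (src_ip, dst_port, payload)."""
    if packet[0] >> 4 != 4 or packet[9] != 17:  # IPv4, protocol 17 = UDP
        raise ValueError("not an IPv4/UDP packet")
    ihl = (packet[0] & 0x0F) * 4  # header length from the IHL field
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_port = int.from_bytes(packet[ihl + 2:ihl + 4], "big")
    return src_ip, dst_port, packet[ihl + 8:]


def parse_syslog(payload):
    """Decode <PRI> into facility/severity and pick out the IOS %FAC-SEV-MNEMONIC tag."""
    m = PRI_RE.match(payload.decode("ascii", errors="replace"))
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid <PRI>")
    pri = int(m.group(1))
    event = {"pri": pri, "facility": FACILITIES[pri // 8],
             "severity": SEVERITIES[pri % 8], "msg": m.group(2)}
    tag = CISCO_RE.search(event["msg"])
    if tag:
        event.update(tag.groupdict())
    return event


# Constructed rules: CONFIG_I is the IOS "configured from ..." mnemonic, and
# USERLOG_DEBUG is the tag of the operator-typed "send log" text seen above.
RULES = {
    "config-change": lambda e: e.get("mnemonic") == "CONFIG_I",
    "crit-or-worse": lambda e: SEVERITIES.index(e["severity"]) <= 2,
    "operator-send-log": lambda e: e.get("mnemonic") == "USERLOG_DEBUG",
}


def match_rules(event):
    """Names of the rules the event satisfies."""
    return [name for name, rule in RULES.items() if rule(event)]


def decode_capture(dump=TCPDUMP_HEX):
    """Full pipeline from hex dump to a tagged event with any alerts attached."""
    src_ip, dst_port, payload = udp_payload(hexdump_to_bytes(dump))
    if dst_port != 514:
        raise ValueError(f"not syslog: destination port {dst_port}")
    event = parse_syslog(payload)
    event["src_ip"] = src_ip
    event["alerts"] = match_rules(event)
    return event


if __name__ == "__main__":
    for key, value in decode_capture().items():
        print(f"{key:13} {value}")
```

For the packet above the decoder reports source 172.25.250.195, facility local7, severity debug and mnemonic USERLOG_DEBUG, so only the operator-send-log rule fires. The same parse_syslog() and match_rules() functions can be fed datagrams read from a UDP socket on port 514 instead of a hex dump, which is the step from "packets are arriving" to the rule-based alerting the introduction describes.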

This concludes the guided exercise.

Revision: do457-2.5-4693601