The Guru College
Home Network – Log Analysis
I’ve set up Splunk for my home network’s log analysis. Pretty sweet, if you ask me. It makes watching and analyzing logs so much easier.
First – set up a loghost and network logging. Remember – after these changes, you are going to have to restart syslogd. On each host sending in logs, append a forwarding rule to syslog.conf (the selector and the action must be separated by a tab, not spaces, or syslogd will ignore the line):
printf '*.err;kern.debug;daemon.notice;mail.crit\t@loghost\n' >> /etc/syslog.conf
And then, update the /etc/hosts file on each host to include a loghost entry. This way, even if your local DNS server is down, syslogd can still find its log server.
On the Solaris 10 loghost:
svccfg -s svc:/system/system-log setprop config/log_from_remote = true
svcadm restart svc:/system/system-log
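The client-side steps above (forwarding rule plus static hosts entry), as an added example that is not part of the original post. The two helpers take the file paths as parameters so they can be run against scratch copies before touching /etc/syslog.conf and /etc/hosts; the selector list and the name loghost come from the post, the IP address is a placeholder you must replace, and the svcadm/logger restart-and-test function is an assumption about a Solaris 10 client.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent helpers for the two
# client-side steps. Pass real paths (/etc/syslog.conf, /etc/hosts) as root on
# an actual host; the tests below use scratch copies.

# Selector list exactly as given in the post.
SELECTORS='*.err;kern.debug;daemon.notice;mail.crit'

# Append the forwarding rule unless an uncommented line already forwards to
# @<target>. Solaris syslogd requires a TAB between selector and action, so the
# rule is written with printf '\t' rather than echo with a space.
add_forward_rule() {
    conf=$1; target=$2
    if grep -v '^#' "$conf" | grep -q "@${target}[[:space:]]*\$"; then
        return 0
    fi
    printf '%s\t@%s\n' "$SELECTORS" "$target" >> "$conf"
}

# Add a static hosts entry so syslogd can resolve the loghost without DNS.
# Uses awk (POSIX) to match the name as a whole field on uncommented lines.
add_hosts_entry() {
    hosts=$1; ip=$2; name=$3
    if awk -v n="$name" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) f = 1 }
                         END { exit !f }' "$hosts"; then
        return 0
    fi
    printf '%s\t%s\n' "$ip" "$name" >> "$hosts"
}

# Sanity check: every uncommented forwarding line (containing '@') uses a tab
# separator. Returns non-zero if a space-separated rule is present, since
# syslogd would silently ignore it and the host would never forward anything.
check_tabs() {
    conf=$1
    ! grep -v '^#' "$conf" | grep '@' | grep -qv "$(printf '\t')"
}

# Assumed Solaris 10 client procedure: restart syslogd, then emit a message that
# matches the daemon.notice selector. On the loghost, grep /var/adm/messages
# for "loghost-test" to confirm the forwarding path works end to end.
apply_and_test() {
    svcadm restart svc:/system/system-log
    logger -p daemon.notice "loghost-test from $(hostname)"
}

# Typical use on a client (192.0.2.10 is a placeholder address):
#   add_forward_rule /etc/syslog.conf loghost
#   add_hosts_entry  /etc/hosts 192.0.2.10 loghost
#   check_tabs /etc/syslog.conf && apply_and_test
```

Running check_tabs before the restart catches the most common reason a freshly configured client sends nothing: a rule typed with spaces instead of a tab.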
That’s it. You will now have syslog traffic running to your loghost. Now, it gets really cool. Go to splunk.com and register to get the download link. They have packages for Solaris 8, 9, 10 (Intel and x86) as well as Windows, Mac OS X, FreeBSD, Linux, etc. Unpack and install. The free license is good for up to 500 MB of uncompressed logs a day. I don’t think I can generate that much log data with the boxes at my house.
After you install the package, fire up http://loghost:8000 and go to town. The first thing to do is add a data source of /var/adm/messages, which is most likely where syslog is writing all the network log traffic. Splunk will load the log file, mine the data, and then keep an eye on it. All searchable, cross-referenced, and indexed for your viewing pleasure.
I’m not kidding. You too can watch your own logs with maybe an hour spent learning how to turn on network logging for your particular brand of *NIX, and then 10 minutes to install the package and configure it. And that’s being generous. It’s easy, and can save you a lot of pain down the road.
As a side note, you are going to want to make sure time sync is correct on all your hosts, so the log events correlate properly. Perhaps now is the time to set up a local time server?