Logical Solutions Secure Console Server portlogd HOWTO

$Date: 2004/10/22 20:39:46 $ $Revision: 1.2 $

Introduction

This HOWTO describes setting up and using the 'portlogd' program that is found on LSI's Secure Console Servers. I assume you have access to an LSI SCS and need to configure the unit to use portlogd. Additional information can be found in the man pages located on the SCS.

1.1 Package Description

portlogd is a daemon program that monitors the serial data coming from the attached devices, and can 1) log the data to a remote syslog server, 2) log the data to a remote NFS-mounted file, 3) email the data when either a preset count is reached or when a pattern is received.

Any combination of the above modes can be selected, and each device port's settings are independent of the other ports. There is a separate config file for each port. These config files are located in /lsi/config/ and the name has the format portlogd.conf.n, where n is the device port number. The man page for portlogd describes the entries in the config file.

1.2 Enabling portlogd

portlogd runs as a service daemon. It can be manually started and stopped by the 'service' command. For example:

    service portlogd start

To configure the SCS to run portlogd at startup, the 'chkconfig' command is used:

    chkconfig portlogd reset

2.1 Logging to syslog

portlogd can send data to the syslog. Because the SCS has limited disk space, the syslog should be redirected to a remote server. Refer to the man page for syslogd.conf for instructions on redirecting syslog. Bear in mind what is being forwarded: console traffic routinely contains login prompts, whatever was typed at the console (including passwords) and boot messages, and classic syslog forwarding sends it as unauthenticated cleartext UDP, so the log server should be reachable only over a management network.

There are three settings in the portlogd config that are used for this mode: LOG_TO_SYSLOG, LOG_FACILITY, LOG_LEVEL

LOG_TO_SYSLOG is set to either 'yes' or 'no'. This enables or disables this mode.

LOG_FACILITY is set to the syslog facility portlogd should use when logging data. The facility is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail, news, syslog, user, uucp and local0 through local7.
The factory default setting is user.

LOG_LEVEL is set to the severity level of the message. The level is one of the following keywords, in ascending order: debug, info, notice, warning, err, crit, alert, emerg. The factory default setting is info.

Defaults:

    LOG_TO_SYSLOG = no
    LOG_FACILITY = user
    LOG_LEVEL = info

Example: to configure syslog to log data to a server named scs.logger, with a facility setting of local2 and a severity level of notice, make the following changes.

Add this line to /etc/syslogd.conf:

    local2.notice @scs.logger

Modify these lines in portlogd.conf.n:

    LOG_TO_SYSLOG = yes
    LOG_FACILITY = local2
    LOG_LEVEL = notice

2.2 Logging to a file

File logging is also done to a remote file. This is accomplished by using NFS to access a remote file server. Other remote access means such as Samba can also be used. Setting up these protocols is beyond the scope of this HOWTO. Because the file holds raw console traffic, restrict the NFS export to the SCS's address and keep the log directory readable only by the accounts that need it.

There are two settings in the portlogd config that are used for this mode: LOG_TO_FILE, LOG_FILE_PATH

LOG_TO_FILE is set to either 'yes' or 'no'. This enables or disables this mode.

LOG_FILE_PATH names the directory where the log file is stored. The log file name is predefined and cannot be changed. Its format is 'portlogd_n', where 'n' is the port number. The directory must exist, and the name must end with a '/'. The factory default is /var/log/, which is the SCS's own limited disk, so point it at the remote mount instead. If the log file does not exist, it will be created. If it does exist, then new data will be appended to it.

2.3 Logging to email

Email logging has two possible modes, but only one may be active. These modes are: pattern matching or character count.

Both modes have these settings in common: LOG_TO_EMAIL, EMAIL_ADDRESS, EMAIL_CC, EMAIL_SUBJECT, EMAIL_ALARM_TIMER_VALUE

Only one of each line is permitted; any duplicate line is ignored.

LOG_TO_EMAIL is set to either 'yes' or 'no'. This enables or disables this mode.

EMAIL_ADDRESS has the email address of the user(s). Each address must be separated by ';'. A maximum of 256 characters is allowed.
The factory default is "".

EMAIL_CC has the email cc address. Each address must be separated by ';'. A maximum of 256 characters is allowed. The factory default is "".

EMAIL_SUBJECT has the subject that appears in the email. A maximum of 256 characters is allowed. You may embed the port number and pattern matched in the email subject. Each %n in the subject will be replaced with the port number. If pattern matching is enabled, each %p in the subject will be replaced with the pattern that caused the email to be generated. The default subject is "System Alert Message". The following are examples (one suited to pattern matching, one to counting):

    EMAIL_SUBJECT=ggscs320: pattern '%p' found on port %n
    EMAIL_SUBJECT=ggscs320: activity on port %n

EMAIL_ALARM_TIMER_VALUE sets a time delay for additional data collection before an email is sent. Once the EMAIL_ALARM_COUNT has been reached or a pattern has been matched, this delay determines how long to collect data before generating an email. However, the email will be sent sooner if the internal 2K byte buffer fills before the timer expires. This value is specified in seconds. The factory default is 0 seconds.

NOTE: If email notification is chosen, then 'sendmail' must be running to forward the mail from the SCS. The sendmail daemon and its configuration files are pre-configured to work from the factory. Use the service command to start sendmail, and chkconfig to automatically start sendmail during startup. Example:

    service sendmail start
    chkconfig sendmail reset

The body of each message is the raw console data, so send it to a mailbox you would trust with the console itself rather than to an external account.

Running out of room: If email is going to be used, I recommend changing the file /etc/aliases. You change the file by adding the email address of the user that should receive the SCS's root email (email generated by the SCS for root@localhost). If this is not done, you will eventually run out of room as the emails stack up.
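The settings in sections 2.1 to 2.3, together with the count and pattern limits given in 2.3.1 and 2.3.2, are easy to get subtly wrong: a LOG_FILE_PATH without the trailing '/', LOG_TO_EMAIL=yes with the factory-default empty EMAIL_ADDRESS, a '%p' in the subject with pattern matching off, or a facility name syslogd does not know. The script below is an added example written for this HOWTO, not part of LSI's portlogd: it reads one /lsi/config/portlogd.conf.n and reports such mistakes against the limits stated in this document. It assumes the file is plain KEY=VALUE lines with whitespace around '=' allowed, that lines beginning with '#' are comments, that "duplicate line is ignored" means the first copy wins, and that the "2k" maximum for EMAIL_ALARM_COUNT means 2048; the two sample configurations it writes are constructed for the demonstration and are not from a real SCS.

```shell
#!/bin/sh
# portlogd_lint.sh: check one /lsi/config/portlogd.conf.n against the limits this HOWTO
# documents. Added example, not part of LSI's portlogd.  Usage: sh portlogd_lint.sh FILE
# Prints one "ERR:"/"WARN:" line per finding; the exit status is the number of ERR lines.

# First value of KEY in FILE. The HOWTO says duplicate lines are ignored, so (assumption)
# the first one wins. Lines starting with '#' never match the anchored pattern.
pl_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}
# Every PATTERN= value, one per line; several PATTERN lines are allowed.
pl_patterns() { sed -n 's/^[[:space:]]*PATTERN[[:space:]]*=[[:space:]]*//p' "$1" | sed 's/[[:space:]]*$//'; }
pl_is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }
pl_err()  { echo "ERR:  $*"; pl_errs=$((pl_errs + 1)); }
pl_warn() { echo "WARN: $*"; }

portlogd_lint() {
  f=$1; pl_errs=0
  [ -r "$f" ] || { pl_err "cannot read $f"; return 1; }
  for k in LOG_TO_FILE LOG_TO_SYSLOG LOG_TO_EMAIL EMAIL_PATTERN_MATCH_ENABLE; do
    v=$(pl_get "$f" "$k")
    case "$v" in ''|yes|no) ;; *) pl_err "$k must be yes or no, got '$v'" ;; esac
  done
  # 2.1 syslog: facility and level must be keywords syslogd understands
  if [ "$(pl_get "$f" LOG_TO_SYSLOG)" = yes ]; then
    fac=$(pl_get "$f" LOG_FACILITY); lvl=$(pl_get "$f" LOG_LEVEL)
    case "${fac:-user}" in auth|authpriv|cron|daemon|kern|lpr|mail|news|syslog|user|uucp|local[0-7]) ;;
      *) pl_err "LOG_FACILITY '$fac' is not a syslog facility" ;; esac
    case "${lvl:-info}" in debug|info|notice|warning|err|crit|alert|emerg) ;;
      *) pl_err "LOG_LEVEL '$lvl' is not a syslog severity" ;; esac
  fi
  # 2.2 file: directory name must end in '/', should exist, and should not be the SCS's own disk
  if [ "$(pl_get "$f" LOG_TO_FILE)" = yes ]; then
    p=$(pl_get "$f" LOG_FILE_PATH); p=${p:-/var/log/}
    case "$p" in */) ;; *) pl_err "LOG_FILE_PATH '$p' must end with '/'" ;; esac
    [ -d "$p" ] || pl_warn "LOG_FILE_PATH '$p' does not exist on this host"
    case "$p" in /var/log|/var/log/*) pl_warn "LOG_FILE_PATH '$p' is local disk; log to a remote mount" ;; esac
  fi
  # 2.3 email: addresses, 256-character limits, timers, and the single active trigger mode
  if [ "$(pl_get "$f" LOG_TO_EMAIL)" = yes ]; then
    addr=$(pl_get "$f" EMAIL_ADDRESS); cc=$(pl_get "$f" EMAIL_CC); subj=$(pl_get "$f" EMAIL_SUBJECT)
    [ -n "$addr" ] || pl_err "LOG_TO_EMAIL=yes but EMAIL_ADDRESS is empty (the factory default)"
    printf '%s;%s;' "$addr" "$cc" | grep -q '@localhost;' && pl_warn "mail to @localhost piles up on the SCS unless /etc/aliases forwards root"
    for k in EMAIL_ADDRESS EMAIL_CC EMAIL_SUBJECT; do
      v=$(pl_get "$f" "$k"); [ "${#v}" -le 256 ] || pl_err "$k exceeds 256 characters"
    done
    for k in EMAIL_ALARM_TIMER_VALUE EMAIL_IGNORE_TIMER_VALUE EMAIL_ALARM_COUNT; do
      v=$(pl_get "$f" "$k"); [ -z "$v" ] || pl_is_uint "$v" || pl_err "$k must be a whole number, got '$v'"
    done
    if [ "$(pl_get "$f" EMAIL_PATTERN_MATCH_ENABLE)" = yes ]; then
      [ "$(pl_patterns "$f" | awk 'END {print NR}')" -gt 0 ] || pl_err "pattern matching enabled but no PATTERN lines"
      long=$(pl_patterns "$f" | awk 'length($0) > 80 {n++} END {print n+0}')
      [ "$long" -eq 0 ] || pl_err "$long PATTERN line(s) exceed 80 characters"
    else
      c=$(pl_get "$f" EMAIL_ALARM_COUNT); c=${c:-20}   # count mode; assumes the "2k" maximum is 2048
      if pl_is_uint "$c" && { [ "$c" -lt 1 ] || [ "$c" -gt 2048 ]; }; then
        pl_err "EMAIL_ALARM_COUNT $c is outside 1..2048"
      fi
      case "$subj" in *%p*) pl_warn "EMAIL_SUBJECT uses %p, which is only documented to be substituted in pattern mode" ;; esac
    fi
  fi
  return $pl_errs
}

# Two constructed sample files (not from a real SCS) so the check can be run offline.
portlogd_lint_demo() {
  d=$(mktemp -d)
  cat > "$d/portlogd.conf.5" <<'EOF'
LOG_TO_FILE=yes
LOG_FILE_PATH=/mnt/logs/
LOG_TO_EMAIL=yes
EMAIL_PATTERN_MATCH_ENABLE=yes
EMAIL_ADDRESS=user@my.com
EMAIL_SUBJECT=System Alert Message: port %n pattern %p
PATTERN=kernel panic
EOF
  cat > "$d/portlogd.conf.6" <<'EOF'
LOG_TO_SYSLOG=yes
LOG_FACILITY=local9
LOG_TO_FILE=yes
LOG_FILE_PATH=/var/log
LOG_TO_EMAIL=yes
EMAIL_ADDRESS=
EMAIL_SUBJECT=port %n saw %p
EMAIL_ALARM_COUNT=5000
EOF
  good=0; portlogd_lint "$d/portlogd.conf.5" || good=$?   # expect 0 errors (one WARN about /mnt/logs/)
  bad=0;  portlogd_lint "$d/portlogd.conf.6" || bad=$?    # expect 4: facility, path, address, count
  rm -rf "$d"
  echo "good=$good bad=$bad"
}

if [ "$#" -gt 0 ]; then portlogd_lint "$1"; else portlogd_lint_demo; fi
```

Run it on the SCS as 'sh portlogd_lint.sh /lsi/config/portlogd.conf.5' before restarting portlogd; the exit status is the error count, so it can gate a scripted config push. The directory-existence and local-disk findings are only warnings because the file is often prepared on a workstation where the remote mount is not present.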
To add the alias, append a line for root to the end of /etc/aliases:

    echo "root: auser@somewhere.com" >>/etc/aliases

Then run 'newaliases' so that sendmail rebuilds its alias database; sendmail does not read the text file directly, so the edit has no effect until this is done.

2.3.1 Email logging by count

The following settings control the counting method: EMAIL_ALARM_COUNT, EMAIL_IGNORE_TIMER_VALUE

EMAIL_ALARM_COUNT is the number of characters that have to be read from the port before an email is sent. The maximum is 2k. The factory default is 20 characters.

EMAIL_IGNORE_TIMER_VALUE sets the amount of time that must elapse before another email is sent. This value is specified in seconds. The factory default is 0 seconds.

Example:

    EMAIL_ALARM_COUNT = 500
    EMAIL_IGNORE_TIMER_VALUE = 30

Send an email after 500 characters have been received (these 500 characters are included in the email). After the email is sent, wait 30 seconds before sending another email. If this timer is set too high, data may not be logged.

2.3.2 Email logging by pattern matching

The following settings control the pattern matching method: EMAIL_PATTERN_MATCH_ENABLE, PATTERN

EMAIL_PATTERN_MATCH_ENABLE is set to either 'yes' or 'no'. This enables or disables this mode.

PATTERN defines the simple ASCII strings that will be matched. Each has a maximum of 80 characters. Although no maximum number of patterns is defined, you are limited by memory and search times. The following is an example:

    PATTERN=system reboot
    PATTERN=kernel panic
    PATTERN=session opened

3.1 Debugging portlogd

portlogd will write the configuration entries it is using to syslog during startup. Compare this dump with the file you edited: a misspelled key, a duplicated line (the extra copy is ignored) or an edit to the wrong portlogd.conf.n shows up here as a setting you did not expect. A sample is given below.
    Apr 14 14:43:06 bf portlogd: port #1: LOG_TO_FILE=no
    Apr 14 14:43:06 bf portlogd: port #1: LOG_TO_SYSLOG=no
    Apr 14 14:43:06 bf portlogd: port #1: LOG_TO_EMAIL=yes
    Apr 14 14:43:06 bf portlogd: port #1: EMAIL_ADDRESS=root@localhost
    Apr 14 14:43:06 bf portlogd: port #1: EMAIL_CC=bill@yahoo.com
    Apr 14 14:43:06 bf portlogd: port #1: EMAIL_SUBJECT=Sys Message: port %n %p
    Apr 14 14:43:06 bf portlogd: port #1: EMAIL_ALARM_TIMER_VALUE=30
    Apr 14 14:43:06 bf portlogd: port #1: EMAIL_PATTERN_MATCH_ENABLE=yes

4.1 Example

This example will log data from port 5 to a file in the directory /mnt/logs, and send an email if the pattern 'kernel panic' is found. The email will be sent to user@my.com and cc'd to you@xyz.com.

Contents of /lsi/config/portlogd.conf.5:

    LOG_TO_FILE=yes
    LOG_FILE_PATH=/mnt/logs/
    LOG_TO_SYSLOG=no
    LOG_TO_EMAIL=yes
    EMAIL_PATTERN_MATCH_ENABLE=yes
    EMAIL_ADDRESS=user@my.com
    EMAIL_CC=you@xyz.com
    EMAIL_SUBJECT=System Alert Message: port %n pattern %p
    EMAIL_ALARM_TIMER_VALUE=3
    PATTERN=kernel panic
    ###
    ### the following are not used because of the options turned on
    ###
    #### no logging to syslog
    LOG_FACILITY=user
    LOG_LEVEL=info
    #### no email logging by count (pattern matching is enabled)
    EMAIL_ALARM_COUNT=20
    EMAIL_IGNORE_TIMER_VALUE=600

Remember to turn on sendmail!

-----------------------------------------------------------------------------

Appendix A. About this HOWTO

A.1. Copyright

The first edition of this document is copyright © 2004 Logical Solutions, Inc. and is distributed under the terms of the Linux Documentation Project (LDP) License, see Section A.1.1.

-----------------------------------------------------------------------------

A.1.1. Linux Documentation Project License

Unless otherwise stated, Linux HOWTO documents are copyrighted by their respective authors. Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium physical or electronic, as long as this copyright notice is retained on all copies.
Commercial redistribution is allowed and encouraged; however, the author would like to be notified of any such distributions.

All translations, derivative works, or aggregate works incorporating any Linux HOWTO documents must be covered under this copyright notice. That is, you may not produce a derivative work from a HOWTO and impose additional restrictions on its distribution. Exceptions to these rules may be granted under certain conditions; please contact the Linux HOWTO coordinator at the address given below.

In short, we wish to promote dissemination of this information through as many channels as possible. However, we do wish to retain copyright on the HOWTO documents, and would like to be notified of any plans to redistribute the HOWTOs.

If you have any questions, please contact .

-----------------------------------------------------------------------------

A.2. Disclaimer

No liability for the contents of this document can be accepted. Use the concepts, examples and other content at your own risk. As this is a new edition of this document, there may be errors and inaccuracies that may of course be damaging to your system. Proceed with caution; although this is highly unlikely, the author(s) do not take any responsibility for that.

All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

You are strongly recommended to take a backup of your system before major installation and backups at regular intervals.