Friday, May 13, 2011

i like to see what others type + syslog-ng

Once you've gone through the trouble of patching bash to send output to local5, you might find that you're not using syslog, as assumed in a previous post. Instead, you're using syslog-ng. That's cool.

In your syslog-ng.conf file, you'll need to edit some stanzas, filters and destinations.

Set a destination for local5 (the bash output) if you want it to go to a file:
# bash destination 
destination d_local5 { file("/var/log/local5"); }; 

# bash filters 
filter f_local5 { facility(local5); }; 

In the messages filter, add local5 to the list of excluded facilities:
filter f_messages {
        level(info,notice,warn)
            and not facility(auth,authpriv,cron,daemon,mail,news,local5);
};

Finally, set the log destination:
# local5
log {
        source(s_all); 
        filter(f_local5);
        destination(d_local5);
};

If you have a remote syslog daemon or logger such as Loggly or Splunk set up, drop its destination definition into the log stanza for "local5". For example:

# loggly
#
destination d_loggly { tcp("logs.loggly.com" port(XXXXXX)); };

# local5
log {
        source(s_all); 
        filter(f_local5);
        destination(d_local5);
        destination(d_loggly); 
};

On Loggly (if you've allowed the destination in your remote device list) or Splunk, you should see something akin to:
2011 May 13 16:09:19.000 s_all@host1 bash-ub610: history: [pid:5379 uid:0] exit
2011 May 13 16:09:50.000 s_all@host1 bash-ub610: history: [pid:5584 uid:0] ls -la
2011 May 13 16:09:52.000 s_all@host1 bash-ub610: history: [pid:5584 uid:0] cd /opt/

If you're on plain syslog or rsyslog instead, add the following to your old /etc/syslog.conf or to /etc/rsyslog.d/50-default.conf:
auth,authpriv.*;local5.*        @syslogserver
auth,authpriv.*;local5.*        @logs.loggly.com:yourportno
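
Once the history lines shown above are landing in /var/log/local5 or on a remote collector, they can be parsed and grouped per shell session. The following is an added example, not part of the original post: the function names are hypothetical, the sample's last two lines are constructed, and it assumes the exact line layout shown above.

```python
import re
from collections import defaultdict
from datetime import datetime

# The [pid uid] tag is anchored right after "history: ", so a look-alike tag
# typed inside a command stays command text and cannot override the real uid.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<source>[^@\s]+)@(?P<host>\S+) "
    r"(?P<program>bash[^:\s]*): history: "
    r"\[pid:(?P<pid>\d+) uid:(?P<uid>\d+)\] (?P<command>.*)$"
)

# First three lines are from the post; the last two are constructed test input.
SAMPLE = """\
2011 May 13 16:09:19.000 s_all@host1 bash-ub610: history: [pid:5379 uid:0] exit
2011 May 13 16:09:50.000 s_all@host1 bash-ub610: history: [pid:5584 uid:0] ls -la
2011 May 13 16:09:52.000 s_all@host1 bash-ub610: history: [pid:5584 uid:0] cd /opt/
2011 May 13 16:10:03.000 s_all@host1 bash-ub610: history: [pid:5601 uid:1000] echo [pid:1 uid:0] id
2011 May 13 16:10:05.000 s_all@host1 sshd[812]: Accepted publickey for admin
"""

def parse_line(line):
    """Return a dict for a bash history line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y %b %d %H:%M:%S.%f")
    event["pid"], event["uid"] = int(event["pid"]), int(event["uid"])
    return event

def parse_log(text):
    """Parse a whole log, silently skipping non-history lines."""
    return [e for e in map(parse_line, text.splitlines()) if e]

def sessions(events):
    """Group commands by (host, pid); assumes no pid reuse within the log."""
    grouped = defaultdict(list)
    for e in events:
        grouped[(e["host"], e["pid"])].append(e["command"])
    return dict(grouped)

def root_commands(events):
    """Commands run with uid 0, in log order."""
    return [(e["host"], e["pid"], e["command"]) for e in events if e["uid"] == 0]

if __name__ == "__main__":
    for (host, pid), cmds in sessions(parse_log(SAMPLE)).items():
        print(host, pid, cmds)
```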

Thursday, May 12, 2011

microsoft dhcp and me

I like to use dhcpd on a Linux box because I can set all kinds of options, like giving search suffixes to my DHCP clients. Microsoft Windows Server iterations have no such option, or so you're told. By default that's true, but at least in Server 2008 you can add a new DHCP option to supply the search suffixes. To do so:

1.  Open the DHCP MMC.
2.  Expand DHCP, select DHCP server name.
3.  Right Click IPv4
4.  Select "Set Predefined Options"
5.  Click Add.

A new window appears

6.  Enter the following:
    Name: "Domain suffix search order" (without quotation marks)
    Data Type: String
    Code: "135" (without the quotation marks)
    Description: "List of domain suffixes in order" (without the quotation marks)
    String: Enter search suffixes separated by comma with no spaces

7.  Click OK.
8.  Close DHCP MMC and restart DHCP Server Service.

Now, re-open the DHCP MMC and scroll to the end of the DHCP options; the newly created option will appear there.