Solved

Syslog-ng and cisco debugging information

Posted on 2010-08-30
Last Modified: 2013-12-12
Hello,
Everybody knows that by default all Cisco device debug messages (debug <something>) go directly to the console. I am curious whether it is possible to catch all this debug information on the syslog server as well.
I have set up Debian with syslog-ng, but with my settings no debug messages are recorded. The Cisco device is a Cisco Catalyst 3020. The firewall allows UDP port 514.

/etc/syslog-ng/syslog-ng.conf
----------------
# listen for syslog datagrams on the server's own address, UDP 514
source s_udpmessages {udp(ip(192.168.1.60) port(514));};
# everything matched by the log statement below goes to this file
destination d_mesg { file("/var/log/cisco"); };
# facility local7 (the Cisco default) at the listed severities only
filter f_filter7   { facility(local7) and level(emerg,alert,crit,err,warning,notice,info); };
# wire source -> filter -> destination
log { source(s_udpmessages); filter(f_filter7); destination(d_mesg); };

Cisco switch
----------------
logging on
logging 192.168.1.60
logging trap debugging
logging monitor debugging
service timestamps debug datetime

I turned on CDP events debugging:
debug cdp events

But only these messages were recorded:
Aug 30 14:35:44 192.168.210.25 2474: *Mar  1 16:16:26: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 14:50:18 192.168.210.25 2520: *Mar  1 16:31:00: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.168.21.26)
Aug 30 14:51:17 192.168.210.25 2524: *Mar  1 16:31:58: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.168.21.26)
Aug 30 14:53:24 192.168.210.25 1233: *Apr 21 22:01:05: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.168.21.26)
Aug 30 14:53:55 192.168.210.25 2531: *Mar  1 16:34:38: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.168.21.26)
Aug 30 15:20:50 172.21.254.253 2613: *Mar  1 17:01:33: %SYS-5-CONFIG_I: Configured from console by spravca mistina on vty0 (192.168.10.26)

Michal
Question by: scientiasro

Expert Comment

by:Jan Springer
ID: 33558799
Can you post the 'logging' info from the Cisco?

Does your firewall allow remote UDP port 514 connections?

Have you run wireshark to see if the traffic is reaching the server?

And, this is what I would expect:

source s_udpmessages {udp(ip(192.168.1.60) port(514));};
destination d_cisco { file("/var/log/cisco"); };
filter f_filter7   { facility(local7) and level(emerg,alert,crit,err,warning,notice,info); };
log { source(s_udpmessages); filter(f_filter7); destination(d_cisco); };

Otherwise the data lands in the wrong file.

Author Comment

by:scientiasro
ID: 33564663
Here is the logging info (show logging) from the Cisco device:

=================================================
SwBay1#sh logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


    Console logging: level debugging, 8445 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 8445 messages logged, xml disabled,
                     filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level debugging, 5711 message lines logged
        Logging to 192.168.1.60  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              5211 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled

Log Buffer (4096 bytes):
and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 09:58:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 09:59:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 09:59:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 09:59:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:00:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:00:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:00:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:01:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:01:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:01:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:02:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:02:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:02:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:03:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:03:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:03:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:04:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:04:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:04:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:05:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:05:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:05:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:06:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:06:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:06:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
=================================================

Yes, the firewall allows UDP traffic on port 514. The traffic flows from the Cisco switch through Microsoft Threat Management Gateway (TMG) to the syslog server (192.168.1.60). I can see allowed or blocked traffic in the TMG logging. I haven't tried to capture packets with a sniffer, though.

What filter should I apply in Wireshark (Network Monitor), and what should I expect?

That the traffic reaches the syslog server is also supported by this preview of the /var/log/cisco file:
=================================================
syslog:~# cat /var/log/cisco
Aug 30 15:57:41 192.168.210.25 2727: *Mar  1 17:38:23: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.168.21.26)
Aug 30 15:57:46 192.168.210.25 2728: *Mar  1 17:38:27: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.168.21.26)
Aug 30 16:27:47 192.168.210.25 2819: *Mar  1 18:08:29: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 17:22:48 192.168.210.25 2985: *Mar  1 19:03:31: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 18:38:50 192.168.210.25 3214: *Mar  1 20:19:32: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 19:34:51 192.168.210.25 3383: *Mar  1 21:15:33: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 20:25:52 192.168.210.25 3537: *Mar  1 22:06:35: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 21:22:53 192.168.210.25 3709: *Mar  1 23:03:36: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 22:15:55 192.168.210.25 3869: *Mar  1 23:56:37: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 23:46:57 192.168.210.25 4143: *Mar  2 01:27:39: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 00:37:58 192.168.210.25 4297: *Mar  2 02:18:40: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 01:32:58 192.168.210.25 4463: *Mar  2 03:13:42: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 02:22:59 192.168.210.25 4614: *Mar  2 04:03:43: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 03:18:00 192.168.210.25 4780: *Mar  2 04:58:44: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 04:15:02 192.168.210.25 4952: *Mar  2 05:55:45: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 05:30:03 192.168.210.25 5178: *Mar  2 07:10:47: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 06:30:06 192.168.210.25 5360: *Mar  2 08:10:49: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 07:39:07 192.168.210.25 5568: *Mar  2 09:19:50: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
=================================================

Following your suggestion I changed the variable d_mesg to d_cisco. It didn't help. I'll leave it for a bit and see what happens.

Has anybody successfully caught debug messages from a Cisco device on the syslog server?

Expert Comment

by:Jan Springer
ID: 33566145
On the server as root:

tshark host 192.168.210.25

I've been syslogging Cisco kit for years. Specify the facility and level on the router and don't worry about identifying which level to capture on the syslog server.

Author Comment

by:scientiasro
ID: 33584502
Hi Jesper,
It seems that the debugging packets are correctly sent by the host and received by the syslog server, but I don't know why the messages are not saved to the /var/log/cisco file as defined in /etc/syslog-ng/syslog-ng.conf. It is possible that I have made a mess of the syslog config file, because I just added the following lines to the default config file. Probably something is filtering the debug messages out.

source s_udpmessages {udp(ip(192.168.1.60) port(514));};
destination d_cisco { file("/var/log/cisco"); };
filter f_filter7   { facility(local7) and level(emerg,alert,crit,err,warning,notice,info); };
log { source(s_udpmessages); filter(f_filter7); destination(d_cisco); };

Output from tshark:
syslog:~# tshark host 192.168.210.25
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14687: *Mar  4 11:46:08: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
  0.000246 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14688: *Mar  4 11:46:09: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
 52.302180 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14689: *Mar  4 11:47:00: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
 60.003374 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14690: *Mar  4 11:47:08: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
 60.003615 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14691: *Mar  4 11:47:09: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
112.305222 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14692: *Mar  4 11:48:00: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
120.007467 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14693: *Mar  4 11:48:08: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
120.007849 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14694: *Mar  4 11:48:09: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
172.312516 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14695: *Mar  4 11:49:00: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
180.009401 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14696: *Mar  4 11:49:08: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
180.009749 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14697: *Mar  4 11:49:09: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20


I attached my syslog config file.

Author Comment

by:scientiasro
ID: 33584510
Sorry for the IP addresses... should be 192.168.1.60... it is corrected.

Author Comment

by:scientiasro
ID: 33602376
But still none of these debug messages are arriving in the syslog log file. Any idea what could be wrong?

Accepted Solution

by: scientiasro (earned 0 total points)
ID: 33610850
I have found that the issue was in the filter definition. The mistake was adding "and level(emerg,alert,crit,err,warning,notice,info)", so everything should be OK like this, even if you edit the default syslog-ng.conf:

# listen for syslog datagrams on the server's own address, UDP 514
source s_udpmessages {udp(ip(192.168.1.60) port(514));};
destination d_cisco { file("/var/log/cisco"); };
# no level() restriction: every local7 severity, debug included, is matched
filter f_filter7   { facility(local7); };
log { source(s_udpmessages); filter(f_filter7); destination(d_cisco); };
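Why the original filter dropped exactly the debug output is visible in the syslog PRI field: PRI = facility * 8 + severity, so a local7.debug datagram (the "LOCAL7.DEBUG" tshark decoded above) carries <191>, and a level() list that stops at info (severity 6) never matches severity 7. The following script is an added example, not code from the original post or from syslog-ng. It decodes the PRI of raw datagrams and replays the thread's two filter definitions as predicates. The datagrams are constructed from the log lines quoted in the thread; the PRI values assume IOS's usual mapping (local7, with the severity taken from the message mnemonic, and debug output at severity 7), and the auth.info line from another host is invented to show the facility check.

```python
"""Decode the syslog PRI of Cisco datagrams and replay the two syslog-ng
filters from the thread to see what each would write to /var/log/cisco.

Added example, not code from the original post.  Sample datagrams are
constructed, not captured.
"""
import re

# RFC 3164 facility codes, with the names syslog-ng uses in facility().
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "security", 14: "console", 15: "solaris-cron",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severity names indexed by their numeric code 0..7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(datagram: str) -> tuple[str, str, str]:
    """Return (facility, severity, message) for one raw syslog datagram.

    PRI = facility * 8 + severity, so local7.debug is 23 * 8 + 7 = 191,
    the highest legal value.
    """
    m = _PRI_RE.match(datagram)
    if m is None:
        raise ValueError("datagram has no <PRI> prefix: %r" % datagram[:40])
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI %d out of range" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], m.group(2)


def encode_pri(facility: str, severity: str) -> int:
    """Inverse of decode_pri; handy when building test datagrams by hand."""
    code = next(n for n, name in FACILITIES.items() if name == facility)
    return code * 8 + SEVERITIES.index(severity)


# Original filter: facility(local7) and level(emerg,alert,crit,err,warning,notice,info)
# "debug" (severity 7) is missing from the list, so local7.debug never matches.
_ORIGINAL_LEVELS = frozenset(SEVERITIES[:7])


def original_filter(facility: str, severity: str) -> bool:
    return facility == "local7" and severity in _ORIGINAL_LEVELS


def fixed_filter(facility: str, severity: str) -> bool:
    # Accepted solution: facility(local7) with no level() restriction.
    return facility == "local7"


def apply_filter(datagrams, predicate) -> list[str]:
    """Return the message bodies the given filter would pass to the destination."""
    kept = []
    for d in datagrams:
        facility, severity, msg = decode_pri(d)
        if predicate(facility, severity):
            kept.append(msg)
    return kept


# Constructed sample datagrams (assumed PRI values, see the lead-in text).
SAMPLES = [
    # %SYS-5-... is severity 5 (notice): 23*8+5 = 189
    "<189>2727: *Mar  1 17:38:23: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.168.21.26)",
    # %HARDWARE-2-... is severity 2 (crit): 23*8+2 = 186
    "<186>2819: *Mar  1 18:08:29: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold",
    # debug output has no mnemonic and goes out at severity 7: 23*8+7 = 191
    "<191>14687: *Mar  4 11:46:08: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 "
    "and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0",
    # invented auth.info line (4*8+6 = 38) from some other host; neither filter should keep it
    "<38>sshd[4242]: Accepted publickey for admin from 192.168.1.5 port 51000 ssh2",
]


if __name__ == "__main__":
    for d in SAMPLES:
        fac, sev, msg = decode_pri(d)
        print("%-7s %-7s original=%-5s fixed=%-5s %s"
              % (fac, sev, original_filter(fac, sev), fixed_filter(fac, sev), msg[:60]))
```

Run against real traffic, the same decoder can be fed the payload of the datagrams tshark shows arriving on the server, which separates "the firewall is not passing it" from "syslog-ng is discarding it" without guessing. Note also what `show logging` reported for the trap destination: authentication disabled, encryption disabled. A filter that accepts every local7 severity will happily write any spoofed UDP datagram that claims that facility, so the source IP restriction should live in the firewall or in a syslog-ng host() filter rather than be assumed.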
