Syslog-ng and cisco debugging information

Hello,
everybody knows that by default all Cisco device debug messages (debug <something>) go directly to the console. I am curious whether it is possible to catch all this debug information on the syslog server as well?
I have set up Debian with syslog-ng, but with my settings no debug messages are recorded. The Cisco device is a Cisco Catalyst 3020. The firewall allows UDP port 514.

/etc/syslog-ng/syslog-ng.conf
----------------
source s_udpmessages {udp(ip(192.168.1.60) port(514));};
destination d_mesg { file("/var/log/cisco"); };
filter f_filter7   { facility(local7) and level(emerg,alert,crit,err,warning,notice,info); };
log { source(s_udpmessages); filter(f_filter7); destination(d_mesg); };

Cisco switch
----------------
logging on
logging 192.168.1.60
logging trap debugging
logging monitor debugging
service timestamps debug datetime

I turned on CDP events debugging:
debug cdp events

But only these messages were recorded:
Aug 30 14:35:44 192.168.210.25 2474: *Mar  1 16:16:26: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 14:50:18 192.168.210.25 2520: *Mar  1 16:31:00: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.168.21.26)
Aug 30 14:51:17 192.168.210.25 2524: *Mar  1 16:31:58: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.168.21.26)
Aug 30 14:53:24 192.168.210.25 1233: *Apr 21 22:01:05: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.168.21.26)
Aug 30 14:53:55 192.168.210.25 2531: *Mar  1 16:34:38: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.168.21.26)
Aug 30 15:20:50 172.21.254.253 2613: *Mar  1 17:01:33: %SYS-5-CONFIG_I: Configured from console by spravca mistina on vty0 (192.168.10.26)

Michal
scientiasroAsked:

Jan SpringerCommented:
Can you post the 'logging' info from the Cisco?

Does your firewall allow remote UDP port 514 connections?

Have you run wireshark to see if the traffic is reaching the server?

And, this is what I would expect:

source s_udpmessages {udp(ip(192.168.1.60) port(514));};
destination d_cisco { file("/var/log/cisco"); };
filter f_filter7   { facility(local7) and level(emerg,alert,crit,err,warning,notice,info); };
log { source(s_udpmessages); filter(f_filter7); destination(d_cisco); };

Otherwise the data lands in the wrong file.
scientiasroAuthor Commented:
Here is the logging info (show logging) from the Cisco device:

=================================================
SwBay1#sh logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


    Console logging: level debugging, 8445 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 8445 messages logged, xml disabled,
                     filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level debugging, 5711 message lines logged
        Logging to 192.168.1.60  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              5211 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled

Log Buffer (4096 bytes):
and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 09:58:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 09:59:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 09:59:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 09:59:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:00:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:00:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:00:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:01:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:01:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:01:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:02:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:02:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:02:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:03:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:03:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:03:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:04:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:04:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:04:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:05:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:05:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:05:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:06:49: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
*Mar  2 10:06:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
*Mar  2 10:06:55: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
=================================================

Yes, the firewall allows UDP traffic on port 514. The traffic flows from the Cisco switch through Microsoft Threat Management Gateway (TMG) to the syslog server (192.168.1.60). I can see allowed or blocked traffic in the TMG logging, although I haven't tried to catch packets with a sniffer.

What filter should I apply in Wireshark (Network Monitor) and what should I expect?

The fact that the traffic reaches the SYSLOG server is also supported by the preview of the /var/log/cisco file:
=================================================
syslog:~# cat /var/log/cisco
Aug 30 15:57:41 192.168.210.25 2727: *Mar  1 17:38:23: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.168.21.26)
Aug 30 15:57:46 192.168.210.25 2728: *Mar  1 17:38:27: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.168.21.26)
Aug 30 16:27:47 192.168.210.25 2819: *Mar  1 18:08:29: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 17:22:48 192.168.210.25 2985: *Mar  1 19:03:31: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 18:38:50 192.168.210.25 3214: *Mar  1 20:19:32: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 19:34:51 192.168.210.25 3383: *Mar  1 21:15:33: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 20:25:52 192.168.210.25 3537: *Mar  1 22:06:35: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 21:22:53 192.168.210.25 3709: *Mar  1 23:03:36: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 22:15:55 192.168.210.25 3869: *Mar  1 23:56:37: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 30 23:46:57 192.168.210.25 4143: *Mar  2 01:27:39: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 00:37:58 192.168.210.25 4297: *Mar  2 02:18:40: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 01:32:58 192.168.210.25 4463: *Mar  2 03:13:42: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 02:22:59 192.168.210.25 4614: *Mar  2 04:03:43: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 03:18:00 192.168.210.25 4780: *Mar  2 04:58:44: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 04:15:02 192.168.210.25 4952: *Mar  2 05:55:45: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 05:30:03 192.168.210.25 5178: *Mar  2 07:10:47: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 06:30:06 192.168.210.25 5360: *Mar  2 08:10:49: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
Aug 31 07:39:07 192.168.210.25 5568: *Mar  2 09:19:50: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold
=================================================

Following your suggestion I changed the variable d_mesg to d_cisco. It didn't help. I'll leave it a bit of time and see what happens.

Has somebody successfully caught debug messages from a Cisco device on the SYSLOG server?
Jan SpringerCommented:
On the server as root:

tshark host 192.168.210.25

I've been syslogging Cisco kit for years. Specify the facility and level on the router and don't worry about identifying which level to capture on the syslog server.

scientiasroAuthor Commented:
Hi Jesper,
it seems that the debugging packets are correctly sent by the host and received by the SYSLOG server, but I don't know why the messages are not saved to the /var/log/cisco file as defined in /etc/syslog-ng/syslog-ng.conf. It is possible that I have made a mess of the syslog config file, because I just added the following lines to the default config file. Probably something is filtering the debug messages out.

source s_udpmessages {udp(ip(192.168.1.60) port(514));};
destination d_cisco { file("/var/log/cisco"); };
filter f_filter7   { facility(local7) and level(emerg,alert,crit,err,warning,notice,info); };
log { source(s_udpmessages); filter(f_filter7); destination(d_cisco); };

Output from tshark:
syslog:~# tshark host 192.168.210.25
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14687: *Mar  4 11:46:08: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
  0.000246 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14688: *Mar  4 11:46:09: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
 52.302180 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14689: *Mar  4 11:47:00: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
 60.003374 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14690: *Mar  4 11:47:08: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
 60.003615 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14691: *Mar  4 11:47:09: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
112.305222 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14692: *Mar  4 11:48:00: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
120.007467 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14693: *Mar  4 11:48:08: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
120.007849 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14694: *Mar  4 11:48:09: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
172.312516 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14695: *Mar  4 11:49:00: CDP-EV: Packet Received from SwBay1.blade.local with capability = 29 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20
180.009401 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14696: *Mar  4 11:49:08: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0
180.009749 192.168.210.25 -> 192.168.1.55 Syslog LOCAL7.DEBUG: 14697: *Mar  4 11:49:09: CDP-EV: Packet Received from SwBay2.blade.local with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface GigabitEthernet0/20


I attached my syslog config file.
scientiasroAuthor Commented:
Sorry for the IP addresses... should be 192.168.1.60... it is corrected.
scientiasroAuthor Commented:
But I am still receiving none of these debug messages in the syslog log file. Any idea what could be wrong?
scientiasroAuthor Commented:
I have found that the issue was in the filter definition. The wrong idea was to add "and level(emerg,alert,crit,err,warning,notice,info)", so everything should be OK like this, even if you edit the default syslog-ng.conf:

source s_udpmessages {udp(ip(192.168.1.60) port(514));};
destination d_cisco { file("/var/log/cisco"); };
filter f_filter7   { facility(local7); };
log { source(s_udpmessages); filter(f_filter7); destination(d_cisco); };
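To make the accepted answer concrete, here is an added Python example (not part of the original thread, and not syslog-ng's own code) that decodes the syslog PRI header of the datagrams the switch sends and applies the two filters from this thread to them. The point it demonstrates: PRI = facility * 8 + severity, Cisco IOS logs to facility local7 by default and the tshark capture above decoded the CDP-EV lines as LOCAL7.DEBUG (PRI 191), so a `level(emerg,...,info)` term that omits `debug` silently discards exactly those messages while the `%SYS-5-` (notice, PRI 189) and `%HARDWARE-2-` (crit, PRI 186) lines still get through. The sample datagrams are constructed from the message texts in the thread; the PRI values are assumed from the default local7 facility and the severity digit in each IOS mnemonic.

```python
"""Decode syslog <PRI> headers and mimic the syslog-ng filters from the thread.

Added example, not from the original thread or from syslog-ng.
Sample datagrams are constructed; PRI values assume Cisco IOS's default
facility local7 and the severity digit from each message mnemonic.
"""
import re

# RFC 3164 facility numbering (0..23). Names for 12..15 vary between
# implementations; the local0..local7 range (16..23) is what matters here.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "cron2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# RFC 3164 severity numbering (0..7); the same names syslog-ng's level() uses.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(datagram):
    """Return (facility, severity, body) for one syslog UDP payload.
    The PRI field is facility * 8 + severity, so local7.debug is <191>."""
    m = PRI_RE.match(datagram)
    if m is None:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


def encode_pri(facility, severity):
    """Inverse of decode_pri: build the PRI number from the two names."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def passes_filter(datagram, facility="local7", levels=None):
    """Mimic `filter { facility(local7) [and level(...)]; }`.
    levels=None means there is no level() term, i.e. every severity passes."""
    fac, sev, _ = decode_pri(datagram)
    if fac != facility:
        return False
    return levels is None or sev in levels


# The filter from the original question: every level except debug.
BROKEN_LEVELS = frozenset(("emerg", "alert", "crit", "err", "warning", "notice", "info"))

# Constructed datagrams (message texts from the thread, PRI values assumed).
SAMPLE_DATAGRAMS = [
    "<191>14687: *Mar  4 11:46:08: CDP-EV: Packet Received from SwBay2.blade.local "
    "with capability = 28 and Platform string = cisco WS-CBS3020-HPQ on interface FastEthernet0",
    "<189>2727: *Mar  1 17:38:23: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.168.21.26)",
    "<186>2819: *Mar  1 18:08:29: %HARDWARE-2-THERMAL_WARNING: Temperature has reached warning threshold",
    # A local cron line (user.info) to show the facility term doing its job.
    "<14>Aug 30 16:00:00 syslog CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",
]


def kept_messages(datagrams, levels):
    """Bodies that would reach /var/log/cisco under the given level() set."""
    return [decode_pri(d)[2] for d in datagrams if passes_filter(d, "local7", levels)]


def summarize(datagrams):
    """How many sample datagrams each filter variant lets through."""
    return {
        "broken_filter": len(kept_messages(datagrams, BROKEN_LEVELS)),
        "fixed_filter": len(kept_messages(datagrams, None)),
    }


if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:
        fac, sev, body = decode_pri(d)
        print(f"{fac}.{sev:<7} broken={passes_filter(d, levels=BROKEN_LEVELS)!s:<5} "
              f"fixed={passes_filter(d)!s:<5} {body[:60]}")
    print(summarize(SAMPLE_DATAGRAMS))
```

Running the script shows the two CONFIG_I/THERMAL_WARNING lines passing both filters, the CDP-EV debug line passing only the fixed filter, and the cron line rejected by the facility term in both cases. If you prefer to keep a level() term on the server at all, `level(debug..emerg)` in syslog-ng is the range form that includes everything; the simpler fix in the accepted answer is to drop the term and, as Jan Springer says, control the level on the switch with `logging trap`.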
