Steven Vona asked:

Using redhat rsyslog to log remote cisco devices

We have about 15 different Cisco devices that we all want to log to the same log server. I have installed RHEL 5 and configured rsyslog to accept remote messages.

I added the following to rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp.so
# Local address the UDP listener binds to
$UDPServerAddress x.x.x.x
$UDPServerRun 514

# One directory per sending host and one file per day, named from the
# HOSTNAME field of the received message and the collector's own date
$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514

# Every facility and severity goes to the dynamic file; the leading '-'
# skips a sync after each write
*.* -?DynaFile

I also added this to /etc/sysconfig/rsyslog:
 
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -rPortNumber Enables logging from remote machines. The listener will listen to the specified port.
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r514"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

I tested this with another Linux box (Red Hat Desktop 6) and I am receiving the log messages fine; it also made a dir in /var/log/rsyslog for the device, and all works great.


I am not a Cisco guy, but I had the Cisco folks here add the IP address of this machine to their config for logging. They are telling me the Cisco is configured correctly, but I am not receiving anything from them.
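Two collector-side checks, as an added example that is not part of the original question and is not rsyslog code: a loopback UDP round trip that shows whether a datagram arrives at all (the same evidence tcpdump gives on the wire, without needing rsyslog), and a simplified model of how a DynaFile template keyed on %HOSTNAME% names files. Linux clients put a hostname in the RFC 3164 header; IOS messages sent without `logging origin-id` carry no hostname field, so in this model the collector can only key on the sender's address, which is why a switch's per-device directory ends up named after its IP (or its reverse-DNS name, if lookups are enabled) rather than its hostname. Real rsyslog parsing of IOS headers can yield odd %HOSTNAME% values, so templates keyed on the sender address (the `fromhost-ip` property, in rsyslog versions that provide it) are the usual remedy. The header hostname is also asserted by whoever sent the UDP datagram, so the example sanitises it before using it as a directory name. The regexes, the sanitiser, the sample messages and the 10.0.0.x addresses are this example's own constructions; the template path comes from the page.

```python
"""Loopback self-test for a UDP syslog collector plus a model of how a
DynaFile template keyed on %HOSTNAME% names files for Linux-style versus
Cisco IOS-style messages.  Added example (not rsyslog code): the parsing is a
simplified model of RFC 3164 header handling, and all samples are constructed."""
import re
import socket

LOG_ROOT = "/var/log/rsyslog"  # root used by the asker's DynaFile template

# Linux-style RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)

# Cisco IOS without 'logging origin-id':
#   <PRI>[seq: ]Mmm dd hh:mm:ss.mmm [tz]: %FAC-SEV-MNEMONIC: text
# There is no hostname field at all, which is the point of this model.
_CISCO = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:\d+: )?"
    r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(?:\.\d{3})?(?: [A-Za-z]{1,5})?: "
    r"(?P<msg>%[A-Z0-9_]+-\d-[A-Z0-9_]+: .*)$", re.S)


def parse(datagram, sender_ip):
    """Return the fields a collector would key files on.  When the header
    carries no hostname (the Cisco case) fall back to the sender's IP, the
    way a collector's FROMHOST value would."""
    text = datagram.decode("ascii", errors="replace")
    m = _CISCO.match(text)
    if m:
        return {"kind": "cisco", "pri": int(m.group("pri")),
                "hostname": sender_ip, "hostname_from_header": False,
                "msg": m.group("msg")}
    m = _RFC3164.match(text)
    if m:
        return {"kind": "rfc3164", "pri": int(m.group("pri")),
                "hostname": m.group("host"), "hostname_from_header": True,
                "msg": m.group("msg")}
    # No recognisable header: treat the whole payload as the message.
    return {"kind": "raw", "pri": None, "hostname": sender_ip,
            "hostname_from_header": False, "msg": text}


def safe_component(name):
    """The header hostname is whatever the UDP sender put there, so never use
    it raw as a directory name: collapse path separators and dot-only names
    into a single safe path component (assumed sanitiser, not rsyslog's)."""
    cleaned = name.replace("/", "_").replace("\\", "_").replace("\x00", "_")
    return "_" if cleaned in ("", ".", "..") else cleaned


def dynafile_path(record, month, day, year):
    """Mirror the asker's template
    /var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log
    using the receive date passed in (the template uses the collector's clock)."""
    key = safe_component(record["hostname"])
    return "%s/%s/%s_%02d-%02d-%04d.log" % (LOG_ROOT, key, key, month, day, year)


def loopback_roundtrip(datagram):
    """Bind a UDP listener on 127.0.0.1 (ephemeral port), send one datagram to
    it and return (payload received, sender IP).  If nothing arrives here the
    problem is the network path, not the collector configuration."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        tx.sendto(datagram, rx.getsockname())
        data, (ip, _port) = rx.recvfrom(8192)
        return data, ip
    finally:
        rx.close()
        tx.close()


# Constructed samples: a Linux 'logger' line, an IOS line shaped like the
# switch's buffer entries (PRI 189 = local7.notice, IOS's default facility),
# and a line whose sender-asserted hostname is a path-traversal string.
LINUX_MSG = b"<13>Mar 10 10:44:48 rhel6desk logger: test message"
CISCO_MSG = (b"<189>000080: Mar 10 10:44:48.317 est: %SYS-5-CONFIG_I: "
             b"Configured from console by USERX on vty0 (X.X.37.196)")
HOSTILE_MSG = b"<13>Mar 10 10:44:48 ../../tmp/evil logger: spoofed hostname"

if __name__ == "__main__":
    payload, ip = loopback_roundtrip(CISCO_MSG)
    for msg in (LINUX_MSG, payload, HOSTILE_MSG):
        rec = parse(msg, ip)
        print(rec["kind"], rec["hostname"], dynafile_path(rec, 3, 10, 2011))
```

Run it on the collector itself: if the loopback round trip succeeds but tcpdump on the real interface never shows packets from a device, the listener and the template are not the problem and the investigation belongs on the device side and the path in between.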


Jan Bacher:

Is iptables allowing the packets in?

Have you run wireshark for that particular cisco host ip to see what is going on?
Steven Vona (asker):

iptables is set to allow 514 from anywhere; it has been tested by adding new Linux machines without any problem.

I have done a tcpdump, and I do not see any traffic from the Cisco devices. I am assuming it's a setting on the Cisco device; that is why I added this question to the Cisco zone as well.



Jan Bacher:

Ask the person configuring the Cisco to do a:

   sho run | i log

Steven Vona (asker):

@_jesper_

I asked the Cisco guy to send me the output of show run | i log and this is what I was sent. Some info has been changed for security purposes (IP/usernames).



CISCO-SW2#sho run | i log
service timestamps log datetime msec localtime show-timezone
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
 no logging event link-status
 [the line above appears 100 times in the output, once under each interface]
logging trap debugging
logging facility local0
logging X.X.16.54
 login authentication console
CISCO-SW2#

 

CISCO-SW2#sho log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

 

No Inactive Message Discriminator.


    Console logging: level debugging, 84 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 84 messages logged, xml disabled,
                     filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level debugging, 98 message lines logged
        Logging to X.X.16.54  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              19 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled

Log Buffer (4096 bytes):
: Feb 28 12:34:04.045 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000046: Feb 28 12:35:59.237 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000047: Feb 28 12:55:44.442 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000048: Mar  1 06:49:35.640 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000049: Mar  1 13:33:29.778 est: %SYS-5-CONFIG_I: Configured from console by grugantj on vty0 (X.X.29.6)
000050: Mar  2 16:07:31.375 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000051: Mar  2 16:13:45.674 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty1 (X.X.30.48)
000052: Mar  2 16:24:23.549 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty2 (X.X.30.48)
000053: Mar  2 16:26:50.945 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000054: Mar  2 16:33:23.790 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty2 (X.X.30.48)
000055: Mar  2 16:34:10.674 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000056: Mar  2 16:40:55.809 est: %SYS-5-CONFIG_I: Configured from console by lliu on vty1 (X.X.30.48)
000057: Mar  2 16:41:35.185 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000058: Mar  2 16:46:52.885 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty1 (X.X.30.48)
000059: Mar  2 16:55:00.446 est: %SYS-5-CONFIG_I: Configured from console by lliu on vty2 (X.X.30.48)
000060: Mar  7 13:15:42.226 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000061: Mar  8 07:16:56.408 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000062: Mar 10 09:30:40.333 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.16.6 port 514 stopped - CLI initiated
000063: Mar 10 09:30:40.383 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000064: Mar 10 09:30:40.450 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000065: Mar 10 09:30:42.287 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.16.54 Port 514 started - CLI initiated
000066: Mar 10 09:31:17.922 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000067: Mar 10 09:50:53.002 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000068: Mar 10 09:50:53.975 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000069: Mar 10 09:54:45.710 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000070: Mar 10 10:14:18.131 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000071: Mar 10 10:14:19.020 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000072: Mar 10 10:15:44.567 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000073: Mar 10 10:15:45.699 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000074: Mar 10 10:17:06.750 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000075: Mar 10 10:17:07.563 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000076: Mar 10 10:17:53.373 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.16.54 port 514 stopped - CLI initiated
000077: Mar 10 10:17:57.979 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000078: Mar 10 10:32:27.304 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000079: Mar 10 10:33:04.121 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000080: Mar 10 10:44:48.317 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
CISCO-SW2#




ASKER CERTIFIED SOLUTION by Jan Bacher (solution text available to members only)

Steven Vona (asker):

@_jesper_

I am not using facility numbers for my other Linux boxes; is it absolutely necessary with rsyslog?

I was under the impression that the following line in the conf file would create a directory and log file for each incoming host:

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

*.* -?DynaFile




Jan Bacher:

You need to define a facility even if that facility is 'syslog'.

Steven Vona (asker):

I'm sorry jesper, I don't understand your last statement; can you explain a little deeper, or maybe give me an example?

Jan Bacher:

On the Cisco devices, the 'logging facility <put something here>' needs to be configured.

Steven Vona (asker):

I see, does that have to match what I have in my /etc/rsyslog.conf?

Here is what I have in my /etc/rsyslog.conf file:

# Local input modules
$ModLoad imuxsock.so      # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so        # provides kernel logging support (previously done by rklogd)

# Remote reception: UDP and TCP on port 514
$ModLoad imudp.so
$UDPServerAddress 157.187.16.54
$UDPServerRun 514
$ModLoad imtcp.so
$InputTCPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# One directory per sending host, one file per day
$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

# Stock RHEL rules
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

# Everything (local and remote) also goes to the per-host dynamic file;
# the template name must match the one defined above
*.* -?DynaFile
Jan Bacher:

I believe 'syslog' is a valid keyword.

I keep all of my router logs consolidated in their own syslog file.  Dumping everything into the default syslog configuration file can make for some awfully long parsing.

Steven Vona (asker):

Quoting jesper: "I keep all of my router logs consolidated in their own syslog file. Dumping everything into the default syslog configuration file can make for some awfully long parsing."

I agree, but using the below in your rsyslog.conf file will make a directory for each device, then create a new file every day for each device within its own directory.

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

*.* -?DynaFile
Jan Bacher:

Yes, understood. I meant if you specify an existing facility ...
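An added example (not rsyslog code) to make the facility discussion above concrete: a PRI decoder and a simplified model of the legacy selector grammar, evaluated against the rules in the asker's /etc/rsyslog.conf. The `*.*` rule matches every facility, so the DynaFile action fires whichever facility the switch sends; a dedicated facility is what lets router logs get a selector (and a file) of their own. The model also shows a RHEL-specific side effect: IOS's default logging facility is local7, which the stock `local7.* /var/log/boot.log` rule also matches, whereas `logging facility local0` (as on CISCO-SW2) keeps switch messages out of boot.log. The facility name table, the two constructed datagrams and the selector subset handled (facility lists, `*`, `none`, `=level`) are this example's own assumptions.

```python
"""Decode a syslog PRI and evaluate sysklogd/rsyslog-style legacy selectors
against it, to see which rules of the asker's /etc/rsyslog.conf a Cisco
message reaches.  Added example, not rsyslog code: a simplified model of the
selector grammar covering the rules shown on this page.  Samples constructed."""

# Facility codes 0-23 (RFC 5424 table); rsyslog selectors know 0-11 and 16-23
# by these names, the 12-15 names here are the RFC's descriptive ones.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

IOS_DEFAULT_FACILITY = "local7"   # what IOS uses unless 'logging facility' is set


def decode_pri(pri):
    """PRI = facility * 8 + severity; returns (facility name, severity name)."""
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def encode_pri(facility, severity):
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def pri_from_datagram(datagram):
    """Pull the <PRI> value off the front of a raw syslog datagram."""
    text = datagram.decode("ascii", errors="replace")
    if not text.startswith("<"):
        raise ValueError("no <PRI> prefix")
    end = text.index(">", 1, 5)
    return int(text[1:end])


def compile_selector(selector):
    """Turn 'fac[,fac].level;fac.level;...' into {facility_no: rule}, where rule
    is None (discard), ('le', n) (severity n or more severe) or ('eq', n).
    Later parts override earlier ones for the facilities they name, which is
    what makes '*.info;mail.none' drop mail while keeping everything else."""
    table = {}
    for part in selector.split(";"):
        facs, sep, level = part.strip().rpartition(".")
        if not sep:
            raise ValueError("selector needs facility.level: %r" % part)
        fac_nos = (range(24) if facs == "*"
                   else [FACILITIES.index(f) for f in facs.split(",")])
        if level == "none":
            rule = None
        elif level == "*":
            rule = ("le", 7)
        elif level.startswith("="):
            rule = ("eq", SEVERITIES.index(level[1:]))
        else:
            rule = ("le", SEVERITIES.index(level))
        for f in fac_nos:
            table[f] = rule
    return table


def matches(table, pri):
    rule = table.get(pri >> 3)
    if rule is None:
        return False
    op, level = rule
    sev = pri & 7
    return sev == level if op == "eq" else sev <= level


# The rules from the asker's /etc/rsyslog.conf, in file order.
RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
    ("*.*", "-?DynaFile"),
]
_COMPILED = [(compile_selector(sel), target) for sel, target in RULES]


def destinations(pri):
    """Every action a message with this PRI reaches (all matching rules fire)."""
    return [target for table, target in _COMPILED if matches(table, pri)]


# Constructed datagrams: the same %SYS-5-CONFIG_I line (severity 5 = notice)
# as sent with IOS's default facility (local7) and with 'logging facility local0'.
CISCO_DEFAULT = (b"<189>000080: Mar 10 10:44:48.317 est: %SYS-5-CONFIG_I: "
                 b"Configured from console by USERX on vty0 (X.X.37.196)")
CISCO_LOCAL0 = (b"<133>000080: Mar 10 10:44:48.317 est: %SYS-5-CONFIG_I: "
                b"Configured from console by USERX on vty0 (X.X.37.196)")

if __name__ == "__main__":
    assert pri_from_datagram(CISCO_DEFAULT) == encode_pri(IOS_DEFAULT_FACILITY, "notice")
    for dgram in (CISCO_DEFAULT, CISCO_LOCAL0):
        pri = pri_from_datagram(dgram)
        print(pri, decode_pri(pri), destinations(pri))
```

The severity digit in the IOS mnemonic (%SYS-5-CONFIG_I) is the same value carried in the low three bits of the PRI, so a message seen in tcpdump can be cross-checked against the switch's buffer entry without decoding anything else.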