Solved

Using redhat rsyslog to log remote cisco devices

Posted on 2011-03-10
2,197 Views
Last Modified: 2012-05-11
We have about 15 different cisco devices that we want to log all to the same log server.  I have installed rhel5 and configured rsyslog to accept remote messages.

I added the following to rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerAddress x.x.x.x
$UDPServerRun 514
$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514

*.* -?DynaFile

I also added this to /etc/sysconfig/rsyslog:
 
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -rPortNumber Enables logging from remote machines. The listener will listen to the specified port.
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r514"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

I tested this with another linux box (redhat desktop 6) and I am receiving the log messages fine, and it also made a dir in /var/log/rsyslog for the device and all works great.


I am not a cisco guy but I had the cisco folks here add the ip address of this machine to their config for logging.  They are telling me the cisco is configured correctly but I am not receiving anything from them.


Question by:savone
13 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 35095910
Is iptables allowing the packets in?

Have you run wireshark for that particular cisco host ip to see what is going on?
0
 
LVL 23

Author Comment

by:savone
ID: 35096048
iptables is set to allow 514 from anywhere, it has been tested by adding new linux machines without any problem.

I have done a tcpdump, and I do not see any traffic from the cisco devices.  I am assuming it's a setting on the cisco device; that is why I added this question to the cisco zone as well.



0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 35096065
Ask the person configuring the cisco to do a:
 
   sho run | i log
0

 
LVL 23

Author Comment

by:savone
ID: 35096802
@_jesper_

I asked the cisco guy to send me the output of show run | i log and this is what I was sent.  Some info has been changed for security purposes (ip/usernames)



CISCO-SW2#sho run | i log
service timestamps log datetime msec localtime show-timezone
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
no logging event link-status
[the line above is repeated 100 times in the original output]
logging trap debugging
logging facility local0
logging X.X.16.54
login authentication console
CISCO-SW2#

 

CISCO-SW2#sho log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

 

No Inactive Message Discriminator.


    Console logging: level debugging, 84 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 84 messages logged, xml disabled,
                     filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level debugging, 98 message lines logged
        Logging to X.X.16.54  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              19 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled

Log Buffer (4096 bytes):
: Feb 28 12:34:04.045 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000046: Feb 28 12:35:59.237 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000047: Feb 28 12:55:44.442 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000048: Mar  1 06:49:35.640 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000049: Mar  1 13:33:29.778 est: %SYS-5-CONFIG_I: Configured from console by grugantj on vty0 (X.X.29.6)
000050: Mar  2 16:07:31.375 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000051: Mar  2 16:13:45.674 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty1 (X.X.30.48)
000052: Mar  2 16:24:23.549 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty2 (X.X.30.48)
000053: Mar  2 16:26:50.945 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000054: Mar  2 16:33:23.790 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty2 (X.X.30.48)
000055: Mar  2 16:34:10.674 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000056: Mar  2 16:40:55.809 est: %SYS-5-CONFIG_I: Configured from console by lliu on vty1 (X.X.30.48)
000057: Mar  2 16:41:35.185 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000058: Mar  2 16:46:52.885 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty1 (X.X.30.48)
000059: Mar  2 16:55:00.446 est: %SYS-5-CONFIG_I: Configured from console by lliu on vty2 (X.X.30.48)
000060: Mar  7 13:15:42.226 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000061: Mar  8 07:16:56.408 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000062: Mar 10 09:30:40.333 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.16.6 port 514 stopped - CLI initiated
000063: Mar 10 09:30:40.383 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000064: Mar 10 09:30:40.450 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000065: Mar 10 09:30:42.287 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.16.54 Port 514 started - CLI initiated
000066: Mar 10 09:31:17.922 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000067: Mar 10 09:50:53.002 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000068: Mar 10 09:50:53.975 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000069: Mar 10 09:54:45.710 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000070: Mar 10 10:14:18.131 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000071: Mar 10 10:14:19.020 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000072: Mar 10 10:15:44.567 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000073: Mar 10 10:15:45.699 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000074: Mar 10 10:17:06.750 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000075: Mar 10 10:17:07.563 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000076: Mar 10 10:17:53.373 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.16.54 port 514 stopped - CLI initiated
000077: Mar 10 10:17:57.979 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000078: Mar 10 10:32:27.304 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000079: Mar 10 10:33:04.121 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000080: Mar 10 10:44:48.317 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196) CISCO-SW2#




0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 35096897
I would expect to see something like this:

  logging trap debugging
  logging facility local4
  logging buffered 32768 debugging
  logging source-interface <put the interface info here>
  logging X.X.16.54
  logging on

The last command does not show up in a 'show run'.  The facility number needs to match what you have defined in the .conf file.
0
 
LVL 23

Author Comment

by:savone
ID: 35096979
@ _jesper_

I am not using facility numbers for my other linux boxes; is it absolutely necessary with rsyslog?

I was under the impression that the following line in the conf file would create a directory and log file for each incoming host:

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

*.* -?DynaFile




0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 35097689
You need to define a facility even if that facility is 'syslog'.
0
 
LVL 23

Author Comment

by:savone
ID: 35097803
I'm sorry jesper, I don't understand your last statement; can you explain a little deeper, or maybe give me an example?

0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 35098045
On the cisco devices, the 'logging facility <put something here>' needs to be configured.
0
 
LVL 23

Author Comment

by:savone
ID: 35098129
I see; does that have to match what I have in my /etc/rsyslog.conf?

Here is what I have in my /etc/rsyslog.conf file:

$ModLoad imuxsock.so      # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)

$ModLoad imudp.so
$UDPServerAddress 157.187.16.54
$UDPServerRun 514
$ModLoad imtcp.so  
$InputTCPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

authpriv.*                                              /var/log/secure

mail.*                                                  -/var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 *

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log

*.* -?DynaFile
0
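The facility question in this thread comes down to how the PRI header of each datagram is matched by the selectors in the rsyslog.conf just posted. The script below is an added example, not code from the thread or from rsyslog: it decodes the PRI of a syslog datagram into facility and severity and then walks an ordered list of legacy rsyslog selectors to show which targets a message would reach. The datagrams are constructed to resemble what an IOS device sends with `logging facility local0` and `logging trap debugging` (addresses are documentation-range placeholders, and the debug mnemonic is invented); the rule list is the one from the rsyslog.conf above.

```python
"""Decode syslog PRI headers and evaluate legacy rsyslog selectors against them.

Added example, not code from the thread or from rsyslog itself. Sample datagrams
are constructed; the rule table copies the selectors from the poster's rsyslog.conf.
"""
import re

# RFC 3164 facility codes 0-23 and severity codes 0-7, indexed by number.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Constructed samples. IOS carries its own level digit in the mnemonic
# (%SYS-5-CONFIG_I is level 5) and that digit becomes the syslog severity;
# with 'logging facility local0' (code 16) the PRI is 16 * 8 + level.
SAMPLES = {
    "config_i": "<133>46: Mar 10 09:31:17.922 est: %SYS-5-CONFIG_I: "
                "Configured from console by USERX on vty0 (192.0.2.10)",
    "host_start": "<134>65: Mar 10 09:30:42.287 est: %SYS-6-LOGGINGHOST_STARTSTOP: "
                  "Logging to host 192.0.2.54 Port 514 started - CLI initiated",
    # hypothetical mnemonic, only here to produce a level-7 message
    "debug": "<135>70: Mar 10 10:14:18.131 est: %EXAMPLE-7-DEBUGMSG: constructed debug message",
}

# Ordered (selector, target) pairs as they appear in the poster's rsyslog.conf.
RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
    ("*.*", "-?DynaFile"),
]


def decode_pri(datagram):
    """Return (facility_name, severity_name, rest) for one datagram.
    PRI = facility * 8 + severity, so divmod recovers both fields."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("no <PRI> header at start of datagram")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI %d is outside the valid range 0-191" % pri)
    fac, sev = divmod(pri, 8)
    return FACILITIES[fac], SEVERITIES[sev], m.group(2)


def selector_matches(selector, facility, severity):
    """Evaluate a legacy selector such as '*.info;mail.none;local0.*'.

    Each ';'-separated part is 'facilities.priority'. Facilities are '*' or a
    comma-separated list. Priority 'level' means that level or more severe,
    '=level' means exactly that level, '*' means any, and 'none' removes the
    facility again. Parts are applied in order, so 'mail.none' after '*.info'
    carves mail out of the match. ('!level' exclusions are not implemented.)"""
    sev_idx = SEVERITIES.index(severity)
    matched = False
    for part in selector.split(";"):
        facs, prio = part.strip().rsplit(".", 1)
        fac_list = [f.strip() for f in facs.split(",")]
        if "*" not in fac_list and facility not in fac_list:
            continue
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        elif prio.startswith("="):
            matched = sev_idx == SEVERITIES.index(prio[1:])
        else:
            matched = sev_idx <= SEVERITIES.index(prio)
    return matched


def route(datagram, rules):
    """Return the targets, in config order, that a datagram would be written to."""
    fac, sev, _ = decode_pri(datagram)
    return [target for selector, target in rules if selector_matches(selector, fac, sev)]


if __name__ == "__main__":
    for name, dgram in SAMPLES.items():
        fac, sev, _ = decode_pri(dgram)
        print("%-10s %s.%s -> %s" % (name, fac, sev, ", ".join(route(dgram, RULES))))
```

Run against the rule table above, the notice-level CONFIG_I message lands in both /var/log/messages and the DynaFile, while a level-7 message reaches only the DynaFile: the trailing `*.*` rule is why no facility has to be chosen to match the Cisco side, and the leading `*.info` rule is why router chatter also ends up in the general log.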
 
LVL 29

Expert Comment

by:Jan Springer
ID: 35098583
I believe 'syslog' is a valid keyword.  

I keep all of my router logs consolidated in their own syslog file.  Dumping everything into the default syslog configuration file can make for some awfully long parsing.
0
 
LVL 23

Author Comment

by:savone
ID: 35099385

quote jesper
"I keep all of my router logs consolidated in their own syslog file.  Dumping everything into the default syslog configuration file can make for some awfully long parsing."

I agree, but using the below in your rsyslog.conf file will make a directory for each device, then create a new file every day for each device within its own directory.

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

*.* -?DynaFile
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 35099498
Yes, understood.  I meant if you specify an existing facility ...
0
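To tie the two sides of this exchange together, here is an added rsyslog.conf fragment (not the poster's configuration, and not anything Jan posted) that gives the Cisco facility its own rule in front of the stock RHEL rules. It assumes the devices keep `logging facility local0` as shown in the `show run` output, and that the imudp/imtcp listener lines from the poster's config are left in place above it.

```conf
# Added example, not the poster's file. Assumes the Cisco devices send with
# 'logging facility local0' and that the listener lines stay as already posted.

# One directory per sending host, one file per day (template as posted in the thread).
$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

# Cisco messages arrive as facility local0. Write them to the per-host file first,
# then discard them with '& ~' so the catch-all rules below do not copy every
# router notice into /var/log/messages as well. '& ~' is the legacy discard
# syntax of the rsyslog v3 shipped with RHEL5; rsyslog 7 and later spell it '& stop'.
local0.*                                                -?DynaFile
& ~

# Stock RHEL rules, unchanged; Cisco traffic no longer reaches them.
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

# Everything else (the remote Linux boxes, local messages) still gets a per-host file.
*.*                                                     -?DynaFile
```

One caveat worth knowing before relying on the per-host directories: IOS syslog messages do not carry an RFC 3164 hostname field by default, so `%HOSTNAME%` is whatever rsyslog resolves for the sender, typically its IP address or its reverse-DNS name. If the directory names come out as addresses, that is why, and it is also where the `-x` (no DNS lookups) option in /etc/sysconfig/rsyslog makes a visible difference.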
