Using redhat rsyslog to log remote cisco devices

We have about 15 different cisco devices that we want to log all to the same log server.  I have installed rhel5 and configured rsyslog to accept remote messages.

I added the following to rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerAddress x.x.x.x
$UDPServerRun 514
$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514

*.* -?DynaFile

I also added this to /etc/sysconfig/rsyslog:
 
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -rPortNumber Enables logging from remote machines. The listener will listen to the specified port.
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r514"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

I tested this with another linux box (redhat desktop 6) and I am receiving the log messages fine; it also made a dir in /var/log/rsyslog for the device and all works great.


I am not a cisco guy but I had the cisco folks here add the ip address of this machine to their config for logging.  They are telling me the cisco is configured correctly but I am not receiving anything from them.


savone Asked:
Jan Springer Commented:
I would expect to see something like this:

  logging trap debugging
  logging facility local4
  logging buffered 32768 debugging
  logging source-interface <put the interface info here>
  logging X.X.16.54
  logging on

The last command does not show up in a 'show run'.  The facility number needs to match what you have defined in the .conf file.
 
Jan Springer Commented:
Is iptables allowing the packets in?

Have you run wireshark for that particular cisco host ip to see what is going on?
 
savone (Author) Commented:
iptables is set to allow 514 from anywhere, it has been tested by adding new linux machines without any problem.

I have done a tcpdump, and I do not see any traffic from the cisco devices. I am assuming it's a setting on the cisco device; that is why I added this question to the cisco zone as well.
 
Jan Springer Commented:
Ask the person configuring the cisco to do a:
 
   sho run | i log
 
savone (Author) Commented:
@_jesper_

I asked the cisco guy to send me the output of show run | i log and this is what I was sent. Some info has been changed for security purposes (ip/usernames).

CISCO-SW2#sho run | i log
service timestamps log datetime msec localtime show-timezone
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
no logging event link-status
[the line above appears 100 times in the captured output; collapsed here]
logging trap debugging
logging facility local0
logging X.X.16.54
login authentication console
CISCO-SW2#

 

CISCO-SW2#sho log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

 

No Inactive Message Discriminator.


    Console logging: level debugging, 84 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 84 messages logged, xml disabled,
                     filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level debugging, 98 message lines logged
        Logging to X.X.16.54  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              19 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled

Log Buffer (4096 bytes):
: Feb 28 12:34:04.045 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000046: Feb 28 12:35:59.237 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000047: Feb 28 12:55:44.442 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000048: Mar  1 06:49:35.640 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000049: Mar  1 13:33:29.778 est: %SYS-5-CONFIG_I: Configured from console by grugantj on vty0 (X.X.29.6)
000050: Mar  2 16:07:31.375 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000051: Mar  2 16:13:45.674 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty1 (X.X.30.48)
000052: Mar  2 16:24:23.549 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty2 (X.X.30.48)
000053: Mar  2 16:26:50.945 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000054: Mar  2 16:33:23.790 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty2 (X.X.30.48)
000055: Mar  2 16:34:10.674 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000056: Mar  2 16:40:55.809 est: %SYS-5-CONFIG_I: Configured from console by lliu on vty1 (X.X.30.48)
000057: Mar  2 16:41:35.185 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000058: Mar  2 16:46:52.885 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty1 (X.X.30.48)
000059: Mar  2 16:55:00.446 est: %SYS-5-CONFIG_I: Configured from console by lliu on vty2 (X.X.30.48)
000060: Mar  7 13:15:42.226 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000061: Mar  8 07:16:56.408 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000062: Mar 10 09:30:40.333 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.16.6 port 514 stopped - CLI initiated
000063: Mar 10 09:30:40.383 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000064: Mar 10 09:30:40.450 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000065: Mar 10 09:30:42.287 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.16.54 Port 514 started - CLI initiated
000066: Mar 10 09:31:17.922 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000067: Mar 10 09:50:53.002 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000068: Mar 10 09:50:53.975 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000069: Mar 10 09:54:45.710 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000070: Mar 10 10:14:18.131 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000071: Mar 10 10:14:19.020 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000072: Mar 10 10:15:44.567 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000073: Mar 10 10:15:45.699 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000074: Mar 10 10:17:06.750 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000075: Mar 10 10:17:07.563 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000076: Mar 10 10:17:53.373 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.16.54 port 514 stopped - CLI initiated
000077: Mar 10 10:17:57.979 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000078: Mar 10 10:32:27.304 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000079: Mar 10 10:33:04.121 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000080: Mar 10 10:44:48.317 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196) CISCO-SW2#
 
savone (Author) Commented:
@ _jesper_

I am not using facility numbers for my other linux boxes, is it absolutely necessary with rsyslog?

I was under the impression that the following line in the conf file would create a directory and log file for each incoming host:

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

*.* -?DynaFile
 
Jan Springer Commented:
You need to define a facility, even if that facility is 'syslog'.
 
savone (Author) Commented:
I'm sorry jesper, I don't understand your last statement. Can you explain a little deeper, or maybe give me an example?
 
Jan Springer Commented:
On the cisco devices, the 'logging facility <put something here>' needs to be configured.
 
savone (Author) Commented:
I see, does that have to match what I have in my /etc/rsyslog.conf?

Here is what I have in my /etc/rsyslog.conf file:

$ModLoad imuxsock.so      # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)

$ModLoad imudp.so
$UDPServerAddress 157.187.16.54
$UDPServerRun 514
$ModLoad imtcp.so  
$InputTCPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

authpriv.*                                              /var/log/secure

mail.*                                                  -/var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 *

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log

*.* -?DynaFile
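An added example, not from the thread or from rsyslog or Cisco: it shows how the device's 'logging facility' value (local0 in the posted config) and the message severity become the <PRI> header of a syslog packet, and which of the selectors in the posted rsyslog.conf would accept such a message. The hostname, timestamp and message text are constructed; the collector address passed to send_udp is assumed to be reachable on 514/udp.

```python
# Added example, not from the thread: shows how a Cisco 'logging facility'
# value ends up in the <PRI> header and which of the posted rsyslog.conf
# selectors would accept such a message. Numbering follows RFC 3164.
import socket

FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"]
              + [f"reserved{i}" for i in (12, 13, 14, 15)]
              + [f"local{i}" for i in range(8)])
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. local0/notice -> 133."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def decode_pri(pri):
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def selector_matches(selector, facility, severity):
    """Evaluate a classic selector like '*.info;mail.none;authpriv.none'.
    For each 'facilities.level' part that names the message's facility
    (or '*'), the last one wins: 'none' excludes, '*' accepts all, and a
    level accepts messages at that severity or more urgent. The '=' and '!'
    level modifiers are not handled here."""
    matched = False
    for part in selector.split(";"):
        facs, level = part.strip().rsplit(".", 1)
        fac_list = [f.strip() for f in facs.split(",")]
        if "*" not in fac_list and facility not in fac_list:
            continue
        if level == "none":
            matched = False
        else:
            matched = level == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(level)
    return matched

def build_message(facility, severity, hostname, text):
    """RFC 3164-style line; the timestamp is constructed for the example."""
    return f"<{encode_pri(facility, severity)}>Mar 10 10:44:48 {hostname} {text}"

def send_udp(line, collector, port=514):
    """Send one line to the collector (assumed reachable on 514/udp); the
    DynaFile template would then file it under /var/log/rsyslog/<hostname>/."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (collector, port))

if __name__ == "__main__":
    line = build_message("local0", "notice", "CISCO-SW2",
                         "%SYS-5-CONFIG_I: Configured from console by USERX on vty0")
    print(line)
    fac, sev = decode_pri(133)
    for sel in ["*.info;mail.none;authpriv.none;cron.none", "local7.*", "*.*"]:
        print(f"{sel:42} -> {selector_matches(sel, fac, sev)}")
```

Because the posted config ends with `*.* -?DynaFile`, every facility and severity reaches the per-host file; only the `/var/log/messages` and `local7.*` lines depend on the device's facility setting.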
 
Jan Springer Commented:
I believe 'syslog' is a valid keyword.

I keep all of my router logs consolidated in their own syslog file.  Dumping everything into the default syslog configuration file can make for some awfully long parsing.
 
savone (Author) Commented:
quote jesper:
"I keep all of my router logs consolidated in their own syslog file.  Dumping everything into the default syslog configuration file can make for some awfully long parsing."

I agree, but using the below in your rsyslog.conf file will make a directory for each device, then create a new file every day for each device within its own directory.

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

*.* -?DynaFile
 
Jan Springer Commented:
Yes, understood.  I meant if you specify an existing facility ...