Solved

Using redhat rsyslog to log remote cisco devices

Posted on 2011-03-10
Last Modified: 2012-05-11
We have about 15 different cisco devices that we want to log all to the same log server.  I have installed rhel5 and configured rsyslog to accept remote messages.

I added the following to rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerAddress x.x.x.x
$UDPServerRun 514
$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514

*.* -?DynaFile

I also added this to /etc/sysconfig/rsyslog:
 
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -rPortNumber Enables logging from remote machines. The listener will listen to the specified port.
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r514"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

I tested this with another linux box (redhat desktop 6) and I am receiving the log messages fine; it also made a dir in /var/log/rsyslog for the device and all works great.


I am not a cisco guy but I had the cisco folks here add the ip address of this machine to their config for logging.  They are telling me the cisco is configured correctly but I am not receiving anything from them.


Question by:savone

Expert Comment by: Jan Springer
Is iptables allowing the packets in?

Have you run wireshark for that particular cisco host ip to see what is going on?
Author Comment by: savone
iptables is set to allow 514 from anywhere, it has been tested by adding new linux machines without any problem.

I have done a tcpdump, and I do not see any traffic from the cisco devices.  I am assuming it's a setting on the cisco device; that is why I added this question to the cisco zone as well.



Expert Comment by: Jan Springer
Ask the person configuring the cisco to do a:
 
   sho run | i log
Author Comment by: savone
@_jesper_

I asked the cisco guy to send me the output of show run | i log and this is what I was sent.  Some info has been changed for security purposes (ip/usernames)



CISCO-SW2#sho run | i log
service timestamps log datetime msec localtime show-timezone
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
no logging event link-status
logging trap debugging
logging facility local0
logging X.X.16.54
login authentication console
CISCO-SW2#

 

CISCO-SW2#sho log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

 

No Inactive Message Discriminator.


    Console logging: level debugging, 84 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 84 messages logged, xml disabled,
                     filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level debugging, 98 message lines logged
        Logging to X.X.16.54  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              19 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled

Log Buffer (4096 bytes):
: Feb 28 12:34:04.045 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000046: Feb 28 12:35:59.237 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000047: Feb 28 12:55:44.442 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000048: Mar  1 06:49:35.640 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000049: Mar  1 13:33:29.778 est: %SYS-5-CONFIG_I: Configured from console by grugantj on vty0 (X.X.29.6)
000050: Mar  2 16:07:31.375 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000051: Mar  2 16:13:45.674 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty1 (X.X.30.48)
000052: Mar  2 16:24:23.549 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty2 (X.X.30.48)
000053: Mar  2 16:26:50.945 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000054: Mar  2 16:33:23.790 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty2 (X.X.30.48)
000055: Mar  2 16:34:10.674 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000056: Mar  2 16:40:55.809 est: %SYS-5-CONFIG_I: Configured from console by lliu on vty1 (X.X.30.48)
000057: Mar  2 16:41:35.185 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty0 (X.X.30.48)
000058: Mar  2 16:46:52.885 est: %SYS-5-CONFIG_I: Configured from console by test-user on vty1 (X.X.30.48)
000059: Mar  2 16:55:00.446 est: %SYS-5-CONFIG_I: Configured from console by lliu on vty2 (X.X.30.48)
000060: Mar  7 13:15:42.226 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000061: Mar  8 07:16:56.408 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000062: Mar 10 09:30:40.333 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.16.6 port 514 stopped - CLI initiated
000063: Mar 10 09:30:40.383 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000064: Mar 10 09:30:40.450 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000065: Mar 10 09:30:42.287 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.16.54 Port 514 started - CLI initiated
000066: Mar 10 09:31:17.922 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000067: Mar 10 09:50:53.002 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000068: Mar 10 09:50:53.975 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000069: Mar 10 09:54:45.710 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000070: Mar 10 10:14:18.131 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000071: Mar 10 10:14:19.020 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000072: Mar 10 10:15:44.567 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000073: Mar 10 10:15:45.699 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000074: Mar 10 10:17:06.750 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.27.50 port 514 stopped - CLI initiated
000075: Mar 10 10:17:07.563 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000076: Mar 10 10:17:53.373 est: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host X.X.16.54 port 514 stopped - CLI initiated
000077: Mar 10 10:17:57.979 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000078: Mar 10 10:32:27.304 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000079: Mar 10 10:33:04.121 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196)
000080: Mar 10 10:44:48.317 est: %SYS-5-CONFIG_I: Configured from console by USERX on vty0 (X.X.37.196) CISCO-SW2#




Accepted Solution by: Jan Springer (earned 500 total points)
I would expect to see something like this:

  logging trap debugging
  logging facility local4
  logging buffered 32768 debugging
  logging source-interface <put the interface info here>
  logging X.X.16.54
  logging on

The last command does not show up in a 'show run'.  The facility number needs to match what you have defined in the .conf file.
Author Comment by: savone
@_jesper_

I am not using facility numbers for my other linux boxes, is it absolutely necessary with rsyslog?

I was under the impression that the following line in the conf file would create a directory and log file for each incoming host:

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

*.* -?DynaFile




Expert Comment by: Jan Springer
You need to define a facility even if that facility is 'syslog'
Author Comment by: savone
I'm sorry jesper, I don't understand your last statement, can you explain a little deeper? Or maybe give me an example?

Expert Comment by: Jan Springer
On the cisco devices, the 'logging facility <put something here>' needs to be configured.
Author Comment by: savone
I see, does that have to match what I have in my /etc/rsyslog.conf ??

Here is what I have in my /etc/rsyslog.conf file:

$ModLoad imuxsock.so      # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so        # provides kernel logging support (previously done by rklogd)

$ModLoad imudp.so
$UDPServerAddress 157.187.16.54
$UDPServerRun 514
$ModLoad imtcp.so
$InputTCPServerRun 514

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

*.* -?DynaFile
Expert Comment by: Jan Springer
I believe 'syslog' is a valid keyword.  

I keep all of my router logs consolidated in their own syslog file.  Dumping everything into the default syslog configuration file can make for some awfully long parsing.
Author Comment by: savone
quote jesper
"I keep all of my router logs consolidated in their own syslog file.  Dumping everything into the default syslog configuration file can make for some awfully long parsing."

I agree, but using the below in your rsyslog.conf file will make a directory for each device, then create a new file every day for each device within its own directory.

$template DynaFile,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%_%$MONTH%-%$DAY%-%$YEAR%.log"

*.* -?DynaFile
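The two points argued above (does the device's 'logging facility' have to match a selector in rsyslog.conf, and what the DynaFile template does per host) come down to how rsyslog decodes the <PRI> header and evaluates each selector line. The following is an added example in Python, not code from the thread, from rsyslog or from Cisco: it decodes the PRI of a constructed IOS-style datagram (the switch's own CONFIG_I line with a PRI of 133 prepended, i.e. facility local0, severity notice), evaluates the selectors from savone's rsyslog.conf against it, and expands the DynaFile template. The "local4.*" rule in RULES is hypothetical and stands for a rule keyed to the facility the accepted answer suggested.

```python
import re
from datetime import date

# Facility and severity tables in the numbering used by RFC 3164 and by
# syslogd/rsyslog selectors: PRI = facility_index * 8 + severity_index.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Constructed sample: the last CONFIG_I line from the switch's log buffer as IOS
# would send it over UDP 514 with 'logging facility local0'. %SYS-5-CONFIG_I is
# severity 5 (notice), so PRI = 16 * 8 + 5 = 133.
SAMPLE_MSG = ("<133>000080: Mar 10 10:44:48.317 est: %SYS-5-CONFIG_I: "
              "Configured from console by USERX on vty0 (X.X.37.196)")


def decode_pri(msg):
    """Split a raw syslog datagram into (facility, severity, rest-of-message)."""
    m = PRI_RE.match(msg)
    if not m:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


def selector_matches(selector, facility, severity):
    """Evaluate a syslogd/rsyslog selector ('*.*', 'local0.*', 'local4.info',
    '*.info;mail.none') against one message. A severity names itself and every
    more urgent level; 'none' excludes; later ';'-separated parts override
    earlier ones, which is how 'mail.none' carves mail out of '*.info'."""
    result = False
    for part in selector.split(";"):
        fac_part, sev_part = part.strip().split(".")
        if fac_part != "*" and facility not in fac_part.split(","):
            continue
        if sev_part == "none":
            result = False
        elif sev_part == "*":
            result = True
        else:
            result = SEVERITIES.index(severity) <= SEVERITIES.index(sev_part)
    return result


def dynafile_path(hostname, when):
    """Expand the thread's DynaFile template for one host and one day."""
    return f"/var/log/rsyslog/{hostname}/{hostname}_{when:%m}-{when:%d}-{when:%Y}.log"


def route(msg, hostname, rules, when):
    """Return (facility, severity, [(selector, target) rules that fire])."""
    facility, severity, _ = decode_pri(msg)
    fired = []
    for selector, target in rules:
        if selector_matches(selector, facility, severity):
            if target == "?DynaFile":
                target = dynafile_path(hostname, when)
            fired.append((selector, target))
    return facility, severity, fired


RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("local7.*", "/var/log/boot.log"),
    ("local4.*", "/var/log/routers.log"),   # hypothetical: only fires if the device uses local4
    ("*.*", "?DynaFile"),
]

if __name__ == "__main__":
    fac, sev, fired = route(SAMPLE_MSG, "CISCO-SW2", RULES, date(2011, 3, 10))
    print(f"facility={fac} severity={sev}")
    for selector, target in fired:
        print(f"  {selector:45s} -> {target}")
```

Run as is, the sample fires both the '*.info' rule (so the switch's messages also land in /var/log/messages, the "awfully long parsing" the expert warns about) and the '*.*' DynaFile rule, while the hypothetical 'local4.*' rule stays silent because the device sends local0. With a wildcard facility the device's 'logging facility' value is irrelevant for the DynaFile rule; it only has to match once a rule names a specific facility. One caveat on the per-host directory: %HOSTNAME% is whatever rsyslog parses from the message header, and IOS does not put a hostname there unless 'logging origin-id hostname' is configured, so rsyslog falls back to the sending address (reverse-resolved if DNS lookups are enabled), and that is what names the directory.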
Expert Comment by: Jan Springer
Yes, understood.  I meant if you specify an existing facility ...