Tuesday, 7 July 2009

Using Ubuntu Syslog with Cisco

Today I decided to show you how to send your Cisco router's logs to a syslog server running on Ubuntu.

Before we begin, back up the file, as you never know when you'll change something you didn't mean to:
sudo cp /etc/syslog.conf /etc/syslog.conf.ididamistake

sudo nano /etc/syslog.conf
Add the following lines (the selector and the file name are separated by a tab or spaces):
#router logging
local6.debug	/var/log/cisco.log

This means send all messages from facility local6, with a priority of debug or greater, to /var/log/cisco.log

If this is not enough for you, you can always use local6.* instead; this can be overkill, but it is very useful.

If you haven't already, you'll need to create the log file:
sudo touch /var/log/cisco.log

You'll need to enable syslogd to accept messages from remote machines by editing
sudo nano /etc/default/syslogd

and adding the -r option, so the options line reads:
SYSLOGD="-r"

Now restart the syslog daemon.
sudo /etc/rc2.d/S10sysklogd restart

You can now write a test message into the syslog to see if it's logging:
logger -p local6.debug "is this working?"

Run cat /var/log/cisco.log and you should see the line above.

Now we have a little problem: the message has also been written to the other log files named in /etc/syslog.conf (such as /var/log/syslog, /var/log/messages, and /var/log/debug).
We don't want the messages from the router mixed in with the system messages.
Edit /etc/syslog.conf and add a local6.none exception to every catch-all rule (any line whose selector starts with *.[whatever]). For example, the /var/log/syslog line

*.*;auth,authpriv.none -/var/log/syslog

becomes

*.*;auth,authpriv.none;local6.none -/var/log/syslog

and the same ;local6.none is appended to the selectors for /var/log/debug and /var/log/messages.

Restart the syslog daemon again.

Test that your config is working as expected for each priority (debug, info, notice, warn, err, crit, alert, emerg, panic), for example:
logger -p local6.debug "is this working?"
logger -p local6.warn "is this working?"
logger -p local6.info "is this working?"
logger -p local6.err "is this working?"
These should only go to cisco.log.

Check /var/log/cisco.log, /var/log/syslog, /var/log/debug, and /var/log/messages - messages should only be in cisco.log.
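To see exactly which files a given facility.priority reaches under a set of rules, here is a small Python script added as an example (it is not from the original post). It evaluates sysklogd-style syslog.conf selectors the way syslogd does, and runs a constructed copy of the rules discussed above, before and after the local6.none exceptions, so it covers the local6.debug selector at the top, the exception edit, and the logger test just described. The rule set, file names and the leaking_priorities helper are assumptions modelled on the stock Ubuntu configuration, not taken from the post.

```python
"""Evaluate sysklogd-style syslog.conf selectors to see where a message lands.
Added example, not the post's code. The sample rules below are constructed."""

PRIORITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp",
] + ["local%d" % i for i in range(8)]
FACILITY_ALIASES = {"security": "auth"}
ALL_LEVELS = set(range(8))


def _apply_selector(mask, selector):
    """Update mask, a set of (facility, level) pairs, for one selector such as
    'auth,authpriv.none' or '*.=info'. Mirrors sysklogd's per-facility bitmask:
    'prio' = that level and more severe, '=prio' = exactly that level,
    'none' = nothing, a leading '!' inverts, and later selectors on the same
    line override earlier ones for the facilities they name."""
    facs, _, prio = selector.rpartition(".")
    negate = prio.startswith("!")
    prio = prio.lstrip("!")
    exact = prio.startswith("=")
    prio = prio.lstrip("=")
    if prio == "none":
        levels, drop = ALL_LEVELS, not negate
    elif prio == "*":
        levels, drop = ALL_LEVELS, negate
    elif exact:
        levels, drop = {PRIORITIES[prio]}, negate
    else:
        levels, drop = set(range(PRIORITIES[prio] + 1)), negate
    names = FACILITIES if facs == "*" else [FACILITY_ALIASES.get(f, f) for f in facs.split(",")]
    pairs = {(fac, lvl) for fac in names for lvl in levels}
    if drop:
        mask.difference_update(pairs)
    else:
        mask.update(pairs)


def parse_syslog_conf(text):
    """Return (mask, action) rules; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed rule: syslogd would complain and skip it
        selectors, action = parts
        mask = set()
        for selector in selectors.split(";"):
            _apply_selector(mask, selector.strip())
        rules.append((mask, action.strip().lstrip("-")))  # leading '-' only means no fsync
    return rules


def destinations(conf_text, facility, priority):
    """Sorted list of actions that would receive a facility.priority message."""
    key = (FACILITY_ALIASES.get(facility, facility), PRIORITIES[priority])
    return sorted({action for mask, action in parse_syslog_conf(conf_text) if key in mask})


def leaking_priorities(conf_text, facility, wanted):
    """Priorities of `facility` that reach any file other than `wanted`."""
    return [p for p in ("debug", "info", "notice", "warn", "err", "crit", "alert", "emerg")
            if set(destinations(conf_text, facility, p)) - {wanted}]


# Constructed sample modelled on the stock Ubuntu rules the post refers to,
# with the router rule added but no local6 exceptions yet.
BEFORE = """\
auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none  -/var/log/syslog
#router logging
local6.debug            /var/log/cisco.log
*.=debug;auth,authpriv.none;news.none;mail.none  -/var/log/debug
*.=info;*.=notice;*.=warn;auth,authpriv.none;cron,daemon.none;mail,news.none  -/var/log/messages
"""

# The same rules after appending ';local6.none' to every catch-all rule.
AFTER = """\
auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none;local6.none  -/var/log/syslog
#router logging
local6.debug            /var/log/cisco.log
*.=debug;auth,authpriv.none;news.none;mail.none;local6.none  -/var/log/debug
*.=info;*.=notice;*.=warn;auth,authpriv.none;cron,daemon.none;mail,news.none;local6.none  -/var/log/messages
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, "local6.debug ->", destinations(conf, "local6", "debug"))
        print(label, "priorities leaking out of cisco.log:",
              leaking_priorities(conf, "local6", "/var/log/cisco.log"))
```

Run it against your own file with destinations(open("/etc/syslog.conf").read(), "local6", "debug") to confirm that only /var/log/cisco.log comes back, and that system facilities such as kern still reach /var/log/syslog and /var/log/messages after the edit.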

Now that your syslog server is set up, you need to configure the router to send its messages to the server.

Configuring your router to send messages to the log host couldn't be easier:
config t
logging [ip address of your ubuntu box]
logging facility local6
! logging trap sets the severity sent to syslog servers (logging history only affects the SNMP history table)
logging trap [severity]
logging on
end

Your version of IOS may require different commands. Have fun with that.

Logging severity level
emergencies System is unusable (severity=0)
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
errors Error conditions (severity=3)
warnings Warning conditions (severity=4)
notifications Normal but significant conditions (severity=5)
informational Informational messages (severity=6)
debugging Debugging messages (severity=7)

Normally I stick with informational (sev=6); debugging can create too much information, and unless you have an issue with a router I wouldn't use it.

Compare the logging buffer on your router ("sh logging") with the file on your log server; messages logged since you made the change should also be reaching the server.
If not, make sure you can reach the log server from the router and that UDP port 514 isn't blocked anywhere; otherwise this won't work.

Now we don't want the log file to get too big, so we'll set up log rotation.
Add this to /etc/logrotate.conf (sudo nano /etc/logrotate.conf) below the "system-specific logs may be configured here" comment:

/var/log/cisco.log {
    rotate 7
    size 5M
    # let syslogd keep writing to the same file instead of having to restart it
    copytruncate
}

Remember you may need to change this depending on the number of messages you get; you can increase the size of the file as well, and if you have access lists with the log option on, the file can get quite large.
If you'd like to learn more about the logging options, here is a useful link
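The severity table above and the remark about access-list logging are easier to act on with a quick summary of what is actually arriving in cisco.log. The following Python script is an added example (not the post's code): it reads lines as syslogd writes them to /var/log/cisco.log, picks out the IOS %FACILITY-SEVERITY-MNEMONIC header, counts messages per severity name from the table, lists anything at errors or worse, and shows which message type is filling the file. The log lines, router address and host names are constructed sample data, not from the post.

```python
"""Summarise router messages in a cisco.log written by syslogd.
Added example, not the post's code; the sample log lines are constructed."""
import re
from collections import Counter, namedtuple

# Severity names as in the post's table (the IOS 'logging trap' keywords).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# syslogd prefixes each line with its own timestamp and the sender; the IOS
# payload carries a sequence number, the router's timestamp and then the
# %FACILITY-SEVERITY-MNEMONIC: text message, which is all we need here.
IOS_MSG = re.compile(
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

CiscoMsg = namedtuple("CiscoMsg", "facility severity mnemonic text")

# Constructed sample (addresses and interface names are placeholders).
SAMPLE_LOG = """\
Jul  7 10:15:32 10.0.0.1 45: *Jul  7 10:15:31.901: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.50)
Jul  7 10:16:04 10.0.0.1 46: *Jul  7 10:16:03.512: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Jul  7 10:16:05 10.0.0.1 47: *Jul  7 10:16:04.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Jul  7 10:17:40 10.0.0.1 48: *Jul  7 10:17:39.220: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4455) -> 10.0.0.1(23), 1 packet
Jul  7 10:17:41 10.0.0.1 49: *Jul  7 10:17:40.310: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4456) -> 10.0.0.1(22), 1 packet
Jul  7 10:18:00 10.0.0.1 50: this line has no IOS message header and is skipped
"""


def parse_line(line):
    """Return a CiscoMsg for a line carrying an IOS message, else None."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    return CiscoMsg(m["fac"], int(m["sev"]), m["mnemonic"], m["text"])


def parse_log(text):
    return [msg for msg in map(parse_line, text.splitlines()) if msg]


def count_by_severity(text):
    """Map severity name (from the table) -> number of messages."""
    return dict(Counter(SEVERITY_NAMES[m.severity] for m in parse_log(text)))


def at_or_above(text, threshold=3):
    """Messages at the given severity or worse (lower number = more severe)."""
    return [m for m in parse_log(text) if m.severity <= threshold]


def busiest_mnemonics(text, n=3):
    """Most frequent message types, handy for spotting what is filling the file."""
    counts = Counter("%s-%d-%s" % (m.facility, m.severity, m.mnemonic) for m in parse_log(text))
    return counts.most_common(n)


if __name__ == "__main__":
    print("per severity:", count_by_severity(SAMPLE_LOG))
    for msg in at_or_above(SAMPLE_LOG):
        print("needs attention:", msg.facility, msg.mnemonic, msg.text)
    print("busiest:", busiest_mnemonics(SAMPLE_LOG))
```

Point parse_log at open("/var/log/cisco.log").read() for the real file; if busiest_mnemonics shows an access-list mnemonic at the top, that is the volume the logrotate size setting above has to cope with.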
