[syslog-ng] Cisco Syslog with Syslog-ng

Davis, Jay syslog-ng@lists.balabit.hu
Thu, 1 Jul 2004 10:27:52 -0400


From: amy wong amywsp@gmail.com

Date: Tue, 29 Jun 2004 17:03:14 +0800

Subject: Cisco Log

To: bazsi@balabit.hu

Hi,

I'm new in syslog-ng. Currently installed syslog-ng-1.4.7. I have got the
cisco router monitor, and the log can be seen in /var/log/messages but not
in /var/log/cisco.log. My questions are: will the cisco.log file be
created automatically? And would you show me the right way to set it
up?

source remote { tcp(); udp(); };

# The closing quote after the file name was missing in the posted config.
destination d_cisco { file("/var/log/cisco.log"); };

filter f_cisco_info { level(info); };
filter f_cisco_notice { level(notice); };
filter f_cisco_warn { level(warn); };
filter f_cisco_crit { level(crit); };
filter f_cisco_err { level(err); };

log { source(remote); filter(f_cisco_info); destination(d_cisco); };
log { source(remote); filter(f_cisco_notice); destination(d_cisco); };
log { source(remote); filter(f_cisco_warn); destination(d_cisco); };
log { source(remote); filter(f_cisco_crit); destination(d_cisco); };
log { source(remote); filter(f_cisco_err); destination(d_cisco); };

# The syslog-ng macro for the sending host is $HOST, not $HOSTS.
destination hosts {
    file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY" owner(root)
         group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};

log { source(remote); destination(hosts); };

+++++++++++++++++++++++++++++++ Had to cut and paste

First the setup on the Cisco devices. Cisco uses facility 7 for syslog.
You need to set the proper severity levels for what you plan on sending
to your syslog host. Do not use debug; you will possibly kill the router
or switch. YMMV. I took some snippets of our config file here. The
filter just puts all levels of syslog into one file which is parsed by
netcool. You will have to play around with the severities. Cisco is kind
of confused (being nice) on some severities. I think you will end up
adjusting and using what you think is critical rather than using what
they think is critical. Remember that you can filter specific messages
using syslog-ng, i.e. LINK-5-UPDOWN. The 5 is severity.

I hope this helps.

# The udp and port 514 are defaults but sometimes we change them here
# for diagnostics.
# It is easier to leave in so you don't have to dig through docs to find
# out how to set the port.
# Replace the placeholder with the listening address as a quoted string.
source s_udpmessages { udp(ip(<IPADDRESSOFLOCALINTERFACETOLISTENON>) port(514)); };

# This is a log file for Netcool
destination d_mesg { file("/var/log/ncolog"); };

# Everything from the Cisco facility (local7) except debug.
filter f_filter7 { facility(local7) and
                   level(emerg,alert,crit,err,warning,notice,info); };

log { source(s_udpmessages); filter(f_filter7); destination(d_mesg); };
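Added example, not part of either message in this thread and not syslog-ng code: a small Python decoder that applies the facility and severity logic the reply describes to Cisco IOS syslog lines. It splits the `<PRI>` header into facility and severity (PRI = facility * 8 + severity, so "facility 7" is local7, code 23), pulls the `%FACILITY-SEVERITY-MNEMONIC` token out of the message so the embedded severity digit (the "5" in LINK-5-UPDOWN) can be compared with the header, and reproduces the reply's `f_filter7` decision plus a per-message suppression list. All sample lines, function names and the `SAMPLE_LINES` values are constructed for this example.

```python
"""Decode Cisco IOS syslog lines and apply the filters discussed in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 3164 facility codes. Cisco IOS sends local7 (code 23) by default,
# which is the "facility 7" the reply refers to.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severities 0..7 in the spelling syslog-ng's level() filter accepts.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Cisco message id: %FACILITY-SEVERITY-MNEMONIC: text   (e.g. %LINK-5-UPDOWN:)
MNEMONIC_RE = re.compile(r"%([A-Z][A-Z0-9_]*)-(\d)-([A-Z][A-Z0-9_]*):\s*(.*)$", re.DOTALL)

# Constructed sample lines in Cisco IOS syslog format; not taken from the thread.
SAMPLE_LINES = [
    "<189>45: *Jun 29 17:03:14.123: %LINK-5-UPDOWN: Interface FastEthernet0/1, changed state to up",
    "<189>46: *Jun 29 17:03:15.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up",
    "<186>47: *Jun 29 17:04:00.000: %SYS-2-MALLOCFAIL: Memory allocation of 1024 bytes failed from 0x60A0B1C2",
    "<191>48: *Jun 29 17:04:01.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
    "<30>49: sshd[1234]: Accepted publickey for root from 10.0.0.5",
]


@dataclass
class CiscoSyslog:
    facility: str                   # decoded from the <PRI> header
    severity: str                   # decoded from the <PRI> header
    cisco_facility: Optional[str]   # e.g. "LINK"
    cisco_severity: Optional[int]   # the digit in LINK-5-UPDOWN
    mnemonic: Optional[str]         # e.g. "UPDOWN"
    text: str

    @property
    def message_id(self) -> Optional[str]:
        """The %FAC-SEV-MNEMONIC token without the percent sign, e.g. LINK-5-UPDOWN."""
        if self.cisco_facility is None:
            return None
        return f"{self.cisco_facility}-{self.cisco_severity}-{self.mnemonic}"


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value into (facility name, severity name); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES.get(facility, f"facility{facility}"), SEVERITY_NAMES[severity]


def parse_cisco(line: str) -> Optional[CiscoSyslog]:
    """Parse one raw syslog line; returns None when there is no valid <PRI> header."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    rest = m.group(2)
    mm = MNEMONIC_RE.search(rest)
    if mm:
        return CiscoSyslog(facility, severity, mm.group(1), int(mm.group(2)), mm.group(3), mm.group(4))
    return CiscoSyslog(facility, severity, None, None, None, rest)


def severity_consistent(msg: CiscoSyslog) -> bool:
    """True when the digit in the Cisco message id agrees with the <PRI> severity."""
    return msg.cisco_severity is not None and msg.cisco_severity == SEVERITY_NAMES.index(msg.severity)


def f_filter7(msg: CiscoSyslog) -> bool:
    """Python equivalent of the reply's filter: facility(local7) and every level except debug."""
    return msg.facility == "local7" and msg.severity != "debug"


def select(lines: List[str], suppress_ids=()) -> List[str]:
    """Message ids that pass f_filter7 and are not in suppress_ids (e.g. {"LINK-5-UPDOWN"})."""
    kept = []
    for line in lines:
        msg = parse_cisco(line)
        if msg is None or not f_filter7(msg) or msg.message_id in suppress_ids:
            continue
        kept.append(msg.message_id or msg.text)
    return kept


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_cisco(line)
        verdict = "keep" if msg and f_filter7(msg) else "drop"
        print(verdict, msg.facility if msg else "-", msg.severity if msg else "-", msg.message_id if msg else line)
```

The `suppress_ids` argument is the programmatic counterpart of the reply's remark that specific messages such as LINK-5-UPDOWN can be filtered in syslog-ng; `severity_consistent` gives a quick check of whether a device's header severity matches the severity it embeds in the message id, which is what the reply suggests tuning by hand.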

