<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7638.1">
<TITLE>RE: [syslog-ng] logging from Cisco</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>
<P><FONT SIZE=2>Hallo,<BR>
<BR>
thanks for your quick feedback.<BR>
Here is my "show logging" from cisco:<BR>
cisco6506#show logging<BR>
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns)<BR>
Console logging: level debugging, 82 messages logged<BR>
Monitor logging: level informational, 9 messages logged<BR>
Logging to: vty1(3)<BR>
Buffer logging: level debugging, 82 messages logged<BR>
Exception Logging: size (4096 bytes)<BR>
Count and timestamp logging messages: disabled<BR>
Trap logging: level informational, 96 message lines logged<BR>
Logging to 10.102.4.5, 96 message lines logged<BR>
<BR>
And my syslog-ng.conf File:<BR>
After your e-mail I have tried to change config file, but it wasn't successful, thats' why I commented my changes out. <BR>
#<BR>
# /etc/syslog-ng/syslog-ng.conf<BR>
#<BR>
# File format description can be found in syslog-ng.conf(5)<BR>
# and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.<BR>
#<BR>
# NOTE: The SuSEconfig script and its syslog-ng.conf.in<BR>
# configuration template aren't used any more.<BR>
#<BR>
# Feel free to edit this file directly.<BR>
#<BR>
# Additional log sockets for chroot environments can<BR>
# be declared in the /etc/sysconfig/syslog file using<BR>
# SYSLOGD_ADDITIONAL_SOCKET<NAME><BR>
# variables. This way allows to define a socket from<BR>
# RPM scripts and is used by several services, e.g.<BR>
# bind and dhcpd.<BR>
#<BR>
# The sockets defined in /etc/sysconfig/syslog file<BR>
# are added by the /etc/ini.d/syslog init-script using<BR>
# "-a path" command line options while syslog-ng is<BR>
# started.<BR>
#<BR>
# This syslog-ng contains an extension and appends the<BR>
# sockets added by "-a" option to the same source group<BR>
# and using the same socket type (unix-dgram) as the<BR>
# "/dev/log" socket.<BR>
# If one of the sockets added by "-a" option already<BR>
# exists in any (other) source group in the config file,<BR>
# then the socket added by "-a" option is ignored.<BR>
#<BR>
<BR>
#<BR>
# Global options.<BR>
#<BR>
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };<BR>
<BR>
#<BR>
# 'src' is our main source definition. you can add<BR>
# more sources driver definitions to it, or define<BR>
# your own sources, i.e.:<BR>
#<BR>
#source my_src { .... };<BR>
#<BR>
source src {<BR>
#<BR>
# include internal syslog-ng messages<BR>
# note: the internal() soure is required!<BR>
#<BR>
internal();<BR>
<BR>
#<BR>
# the default log socket for local logging:<BR>
#<BR>
unix-dgram("/dev/log");<BR>
<BR>
#<BR>
# uncomment to process log messages from network:<BR>
#(added IP-addresses)<BR>
#udp(ip("10.102.4.4, 10.102.4.1, 10,102.4.3, 10.102.4.2, 10.102.4.13") port(514));<BR>
};<BR>
#source my_source {<BR>
# # udp();<BR>
# udp(ip("10.102.4.1")port(514));<BR>
# };<BR>
<BR>
<BR>
#<BR>
# Filter definitions<BR>
#<BR>
filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };<BR>
<BR>
filter f_console { level(warn) and facility(kern) and not filter(f_iptables)<BR>
or level(err) and not facility(authpriv); };<BR>
<BR>
filter f_newsnotice { level(notice) and facility(news); };<BR>
filter f_newscrit { level(crit) and facility(news); };<BR>
filter f_newserr { level(err) and facility(news); };<BR>
filter f_news { facility(news); };<BR>
<BR>
filter f_mailinfo { level(info) and facility(mail); };<BR>
filter f_mailwarn { level(warn) and facility(mail); };<BR>
filter f_mailerr { level(err, crit) and facility(mail); };<BR>
filter f_mail { facility(mail); };<BR>
<BR>
filter f_cron { facility(cron); };<BR>
<BR>
filter f_local { facility(local0, local1, local2, local3,<BR>
local4, local5, local6, local7); };<BR>
<BR>
filter f_acpid { match('^\[acpid\]:'); };<BR>
filter f_netmgm { match('^NetworkManager:'); };<BR>
<BR>
filter f_messages { not facility(news, mail) and not filter(f_iptables); };<BR>
filter f_warn { level(warn, err, crit) and not filter(f_iptables); };<BR>
filter f_alert { level(alert); };<BR>
################ my own filter ############################################<BR>
#filter test_netz { netmask("10.102.4.0/255.255.255.240");};<BR>
################################################################################<BR>
#<BR>
# Most warning and errors on tty10 and on the xconsole pipe:<BR>
#<BR>
destination console { file("/dev/tty10" group(tty) perm(0620)); };<BR>
log { source(src); filter(f_console); destination(console); };<BR>
<BR>
destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };<BR>
log { source(src); filter(f_console); destination(xconsole); };<BR>
<BR>
# Enable this, if you want that root is informed immediately,<BR>
# e.g. of logins:<BR>
#<BR>
#destination root { usertty("root"); };<BR>
#log { source(src); filter(f_alert); destination(root); };<BR>
############## my own logs #######################################################<BR>
#log { source(test_netz); filter(test_netz); destination(test_netz); };<BR>
<BR>
##################################################################################<BR>
<BR>
############## my own destinations################################################<BR>
#destination test_netz {file("/var/log/cisco.log" owner("root") group("users")<BR>
# perm(0640));}<BR>
##################################################################################<BR>
#<BR>
# News-messages in separate files:<BR>
#<BR>
#destination test_netz {file("/var/log/cisco.log" owner("root") group("users")<BR>
#perm(0640));}<BR>
destination newscrit { file("/var/log/news/news.crit"<BR>
owner(news) group(news)); };<BR>
log { source(src); filter(f_newscrit); destination(newscrit); };<BR>
<BR>
destination newserr { file("/var/log/news/news.err"<BR>
owner(news) group(news)); };<BR>
log { source(src); filter(f_newserr); destination(newserr); };<BR>
<BR>
destination newsnotice { file("/var/log/news/news.notice"<BR>
owner(news) group(news)); };<BR>
log { source(src); filter(f_newsnotice); destination(newsnotice); };<BR>
<BR>
<BR>
# and optionally also all in one file:<BR>
#(don't forget to provide logrotation config)<BR>
<BR>
#destination news { file("/var/log/news.all"); };<BR>
#log { source(src); filter(f_news); destination(news); };<BR>
<BR>
<BR>
#<BR>
# Mail-messages in separate files:<BR>
#<BR>
destination mailinfo { file("/var/log/mail.info"); };<BR>
log { source(src); filter(f_mailinfo); destination(mailinfo); };<BR>
<BR>
destination mailwarn { file("/var/log/mail.warn"); };<BR>
log { source(src); filter(f_mailwarn); destination(mailwarn); };<BR>
<BR>
destination mailerr { file("/var/log/mail.err" fsync(yes)); };<BR>
log { source(src); filter(f_mailerr); destination(mailerr); };<BR>
<BR>
#<BR>
# and also all in one file:<BR>
#<BR>
#destination mail { file("/var/log/mail"); };<BR>
#log { source(src); filter(f_mail); destination(mail); };<BR>
<BR>
<BR>
#<BR>
# acpid messages in one file:<BR>
#<BR>
destination acpid { file("/var/log/acpid"); };<BR>
log { source(src); filter(f_acpid); destination(acpid); flags(final); };<BR>
<BR>
#<BR>
# NetworkManager messages in one file:<BR>
<BR>
destination netmgm { file("/var/log/NetworkManager"); };<BR>
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };<BR>
<BR>
<BR>
#<BR>
# Cron-messages in one file:<BR>
# (don't forget to provide logrotation config)<BR>
#<BR>
destination cron { file("/var/log/cron"); };<BR>
log { source(src); filter(f_cron); destination(cron); };<BR>
<BR>
<BR>
#<BR>
# Some boot scripts use/require local[1-7]:<BR>
#<BR>
destination localmessages { file("/var/log/localmessages"); };<BR>
log { source(src); filter(f_local); destination(localmessages); };<BR>
<BR>
<BR>
#<BR>
# All messages except iptables and the facilities news and mail:<BR>
#<BR>
destination messages { file("/var/log/messages"); };<BR>
log { source(src); filter(f_messages); destination(messages); };<BR>
<BR>
<BR>
#<BR>
# Firewall (iptables) messages in one file:<BR>
#<BR>
destination firewall { file("/var/log/firewall"); };<BR>
log { source(src); filter(f_iptables); destination(firewall); };<BR>
<BR>
<BR>
#<BR>
# Warnings (except iptables) in one file:<BR>
#<BR>
destination warn { file("/var/log/warn" fsync(yes)); };<BR>
log { source(src); filter(f_warn); destination(warn); };<BR>
<BR>
#<BR>
# Enable this, if you want to keep all messages in one file:<BR>
# (don't forget to provide logrotation config)<BR>
#<BR>
#destination allmessages { file("/var/log/allmessages"); };<BR>
#log { source(src); destination(allmessages); };<BR>
<BR>
# local-messages in separate files:<BR>
#<BR>
#destination local3 { file("/var/log/local3"); };<BR>
#log { source(src); filter(f_local); destination(local3); };<BR>
<BR>
#destination local4 { file("/var/log/local4"); };<BR>
#log { source(src); filter(f_local); destination(local4); };<BR>
<BR>
<BR>
#<BR>
# and also all in one file:<BR>
#<BR>
#destination local { file("/var/log/local"); };<BR>
#log { source(src); filter(f_local); destination(local); };<BR>
<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: syslog-ng-bounces@lists.balabit.hu on behalf of Werner Thal<BR>
Sent: Thu 5/24/2007 11:28 AM<BR>
To: Syslog-ng users' and developers' mailing list<BR>
Subject: Re: [syslog-ng] logging from Cisco<BR>
<BR>
Hallo Yelena,<BR>
<BR>
I can't really figure out where your problem is, so I would like to tell you how I log the<BR>
events from my network equipment.<BR>
<BR>
Becaus e I'm only responsible for networking equipment like switches and routers,<BR>
I can be sure that no one else will have my logging-server as a destination. So I don't<BR>
take care about any "facility" and log everything wich is destined for my server.<BR>
<BR>
First I defined a source:<BR>
######### MY Sources ###########<BR>
source netz_kompo {<BR>
# udp();<BR>
udp (ip(x.x.x.x));<BR>
};<BR>
where x.x.x.x is the IP of my logging-server. Be sure no other source object uses udp.<BR>
<BR>
Then some destinations, one for every customer-network:<BR>
########## MY Destinations ##########<BR>
# MY-LAN<BR>
destination my { file("/bla/blubb/my.log" owner("root") group ("users") perm(0640)); };<BR>
<BR>
# customer1<BR>
destination customer1 { file("/bla/blubb/customer1.log" owner("root") group ("users") perm(0640)); };<BR>
<BR>
# customer2<BR>
destination customer2 { file("/bla/blubb/customer2.log" owner("root") group ("users") perm(0640)); };<BR>
<BR>
# customer3<BR>
destination customer3 { file("/bla/blubb/customer3.log" owner("root") group ("users") perm(0640)); };<BR>
######<BR>
<BR>
Here are some filters:<BR>
############ MYFilter ##################<BR>
# MY<BR>
filter my_all { netmask("x.x.0.0/255.255.0.0"); };<BR>
<BR>
# customer1<BR>
filter customer1_all { netmask("x.x.0.0/255.255.0.0"); };<BR>
<BR>
<BR>
At last - the log-objects:<BR>
<BR>
<BR>
############ MY logs #####################<BR>
#MY<BR>
log {<BR>
source(netz_kompo);<BR>
filter(my_all);<BR>
destination(my);<BR>
};<BR>
<BR>
#Customer1<BR>
log {<BR>
source(netz_kompo);<BR>
filter(customer1_all);<BR>
destination(customer1);<BR>
};<BR>
<BR>
<BR>
Hope this helps<BR>
<BR>
CU<BR>
Werner<BR>
<BR>
<BR>
<BR>
Am Mittwoch, 23. Mai 2007 18:18 schrieb Grigoreva, Yelena:<BR>
><BR>
> Hallo,<BR>
><BR>
><BR>
> I have enabled Cisco logging to my host SUSE 10.2. From the Wireshark tool I can see that I become the syslog messages and then I try to find them somewhere in /var/log/.... but w/t success. ;(<BR>
><BR>
> Where are the syslog messages logged from external HW? I have set in my sysconf SYSLOGD_PARAMS="-rx -m 0" to enable external logging, but all the same-no effect.I have created local0, cisco files: I am not sure what file name should I give? where must it be specified?<BR>
><BR>
> I will be grateful for any tip :)<BR>
><BR>
> warm regards<BR>
> Yelena<BR>
><BR>
><BR>
><BR>
<BR>
--<BR>
___________________________________________________________________________<BR>
A Linux-Server is like a tent: no windows, no gates and an apache inside...<BR>
_______________________________________________<BR>
syslog-ng maillist - syslog-ng@lists.balabit.hu<BR>
<A HREF="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</A><BR>
Frequently asked questions at <A HREF="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</A><BR>
<BR>
<BR>
</FONT>
</P>
</BODY>
</HTML>