From: amy wong amywsp@gmail.com
Date: Tue, 29 Jun 2004 17:03:14 +0800
Subject: Cisco Log
To: bazsi@balabit.hu
Hi,
I'm new to syslog-ng. I currently have syslog-ng-1.4.7 installed. I have got the Cisco router monitored, and the log can be seen in /var/log/messages but not in /var/log/cisco.log. My questions are: will the cisco.log file be created automatically? And would you show me the right way to set this up?
source remote {tcp(); udp();};
destination d_cisco { file("/var/log/cisco.log"); };
filter f_cisco_info { level(info); };
filter f_cisco_notice { level(notice); };
filter f_cisco_warn { level(warn); };
filter f_cisco_crit { level(crit); };
filter f_cisco_err { level(err); };
log { source(remote); filter(f_cisco_info); destination(d_cisco); };
log { source(remote); filter(f_cisco_notice); destination(d_cisco); };
log { source(remote); filter(f_cisco_warn); destination(d_cisco); };
log { source(remote); filter(f_cisco_crit); destination(d_cisco); };
log { source(remote); filter(f_cisco_err); destination(d_cisco); };
destination hosts {
    file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};
log { source(remote); destination(hosts); };
+++++++++++++++++++++++++++++++ Had to cut and paste
First, the setup on the Cisco devices. Cisco uses facility 7 for syslog. You need to set the proper severity levels for what you plan on sending to your syslog host. Do not use debug; you will possibly kill the router or switch. YMMV. I took some snippets of our config file here. The filter just puts all levels of syslog into one file, which is parsed by Netcool. You will have to play around with the severities. Cisco is kind of confused (being nice) on some severities. I think you will end up adjusting and using what you think is critical rather than using what they think is critical. Remember that you can filter specific messages using syslog-ng, i.e. LINK-5-UPDOWN. The 5 is the severity.
I hope this helps.
# The udp and port 514 are defaults but sometimes we change them here for diagnostics.
# It is easier to leave in so you don't have to dig through docs to find out how to set the port
source s_udpmessages {udp(ip(<IPADDRESSOFLOCALINTERFACETOLISTENON>) port(514));};
#This is a log file for Netcool
destination d_mesg { file("/var/log/ncolog"); };
log { source(s_udpmessages); filter(f_filter7); destination(d_mesg); };
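
The two configurations above combined into one fragment, as an added example that is not part of either message: one facility-plus-level filter in place of one filter per level, and a match() filter for the LINK-5-UPDOWN message mentioned in the reply. The names s_cisco, f_cisco, f_link_updown and d_cisco_link, the address 192.0.2.10 and the path /var/log/cisco-link.log are assumptions made for illustration.

```conf
# Added example; every name, address and path below is an assumption.
# 192.0.2.10 is a documentation address standing in for the local interface.
source s_cisco { udp(ip(192.0.2.10) port(514)); };

# Cisco devices log to facility local7 by default ("facility 7" above).
# One filter with a level list replaces one filter/log pair per level.
filter f_cisco {
    facility(local7) and level(info, notice, warning, err, crit);
};

# Pick out one specific message by its FACILITY-SEVERITY-MNEMONIC tag.
filter f_link_updown { match("LINK-5-UPDOWN"); };

# perm(0600) keeps device logs readable by root only.
destination d_cisco {
    file("/var/log/cisco.log" owner(root) group(root) perm(0600));
};
destination d_cisco_link {
    file("/var/log/cisco-link.log" owner(root) group(root) perm(0600));
};

# Filters listed in one log statement are ANDed together:
# interface up/down messages also go to their own file ...
log { source(s_cisco); filter(f_cisco); filter(f_link_updown); destination(d_cisco_link); };
# ... and every selected local7 message goes to cisco.log.
log { source(s_cisco); filter(f_cisco); destination(d_cisco); };
```

A file() destination is created when the first matching message is written, so neither log file has to exist beforehand; only missing parent directories need create_dirs(yes).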