Hello, thanks for your quick feedback. Here is my "show logging" from the Cisco:

cisco6506#show logging
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 82 messages logged
    Monitor logging: level informational, 9 messages logged
        Logging to: vty1(3)
    Buffer logging: level debugging, 82 messages logged
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 96 message lines logged
        Logging to 10.102.4.5, 96 message lines logged

And my syslog-ng.conf file. After your e-mail I tried to change the config file, but it wasn't successful, that's why I commented my changes out.

#
# /etc/syslog-ng/syslog-ng.conf
#
# File format description can be found in syslog-ng.conf(5)
# and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#
# NOTE: The SuSEconfig script and its syslog-ng.conf.in
#       configuration template aren't used any more.
#
#       Feel free to edit this file directly.
#
# Additional log sockets for chroot environments can
# be declared in the /etc/sysconfig/syslog file using
#   SYSLOGD_ADDITIONAL_SOCKET<NAME>
# variables. This way allows to define a socket from
# RPM scripts and is used by several services, e.g.
# bind and dhcpd.
#
# The sockets defined in /etc/sysconfig/syslog file
# are added by the /etc/init.d/syslog init-script using
# "-a path" command line options while syslog-ng is
# started.
#
# This syslog-ng contains an extension and appends the
# sockets added by "-a" option to the same source group
# and using the same socket type (unix-dgram) as the
# "/dev/log" socket.
# If one of the sockets added by "-a" option already
# exists in any (other) source group in the config file,
# then the socket added by "-a" option is ignored.
#

#
# Global options.
#
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
    #
    # include internal syslog-ng messages
    # note: the internal() source is required!
    #
    internal();

    #
    # the default log socket for local logging:
    #
    unix-dgram("/dev/log");

    #
    # uncomment to process log messages from network:
    #(added IP-addresses)
    #udp(ip("10.102.4.4, 10.102.4.1, 10,102.4.3, 10.102.4.2, 10.102.4.13") port(514));
};

#source my_source {
#    # udp();
#    udp(ip("10.102.4.1") port(514));
#};

#
# Filter definitions
#
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };

filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit) and facility(news); };
filter f_newserr    { level(err) and facility(news); };
filter f_news       { facility(news); };

filter f_mailinfo   { level(info) and facility(mail); };
filter f_mailwarn   { level(warn) and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };

filter f_cron       { facility(cron); };

filter f_local      { facility(local0, local1, local2, local3,
                               local4, local5, local6, local7); };

filter f_acpid      { match('^\[acpid\]:'); };

filter f_netmgm     { match('^NetworkManager:'); };

filter f_messages   { not facility(news, mail) and not filter(f_iptables); };

filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };

filter f_alert      { level(alert); };

################ my own filter ############################################
#filter test_netz { netmask("10.102.4.0/255.255.255.240");};
################################################################################

#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console  { file("/dev/tty10"    group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };

############## my own logs #######################################################
#log { source(test_netz); filter(test_netz); destination(test_netz); };
##################################################################################

############## my own destinations################################################
#destination test_netz {file("/var/log/cisco.log" owner("root") group("users")
#    perm(0640));}
##################################################################################

#
# News-messages in separate files:
#
#destination test_netz {file("/var/log/cisco.log" owner("root") group("users")
#perm(0640));}
destination newscrit   { file("/var/log/news/news.crit" owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr    { file("/var/log/news/news.err" owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice" owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

# and optionally also all in one file:
#(don't forget to provide logrotation config)
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };

#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr  { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr); destination(mailerr); };

#
# and also all in one file:
#
#destination mail { file("/var/log/mail"); };
#log { source(src); filter(f_mail); destination(mail); };

#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid"); };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };

#
# NetworkManager messages in one file:
destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };

#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
destination cron { file("/var/log/cron"); };
log { source(src); filter(f_cron); destination(cron); };

#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };

#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

# local-messages in separate files:
#
#destination local3 { file("/var/log/local3"); };
#log { source(src); filter(f_local); destination(local3); };
#destination local4 { file("/var/log/local4"); };
#log { source(src); filter(f_local); destination(local4); };

#
# and also all in one file:
#
#destination local { file("/var/log/local"); };
#log { source(src); filter(f_local); destination(local); };

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu on behalf of Werner Thal
Sent: Thu 5/24/2007 11:28 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] logging from Cisco

Hello Yelena,

I can't really figure out where your problem is, so I would like to tell you how I log the events from my network equipment. Because I'm only responsible for networking equipment like switches and routers, I can be sure that no one else will have my logging-server as a destination. So I don't take care about any "facility" and log everything which is destined for my server.

First I defined a source:

######### MY Sources ###########
source netz_kompo {
    # udp();
    udp (ip(x.x.x.x));
};

where x.x.x.x is the IP of my logging-server. Be sure no other source object uses udp.

Then some destinations, one for every customer-network:

########## MY Destinations ##########
# MY-LAN
destination my { file("/bla/blubb/my.log" owner("root") group ("users") perm(0640)); };
# customer1
destination customer1 { file("/bla/blubb/customer1.log" owner("root") group ("users") perm(0640)); };
# customer2
destination customer2 { file("/bla/blubb/customer2.log" owner("root") group ("users") perm(0640)); };
# customer3
destination customer3 { file("/bla/blubb/customer3.log" owner("root") group ("users") perm(0640)); };

###### Here are some filters:
############ MYFilter ##################
# MY
filter my_all { netmask("x.x.0.0/255.255.0.0"); };
# customer1
filter customer1_all { netmask("x.x.0.0/255.255.0.0"); };

At last - the log-objects:

############ MY logs #####################
#MY
log { source(netz_kompo); filter(my_all); destination(my); };
#Customer1
log { source(netz_kompo); filter(customer1_all); destination(customer1); };

Hope this helps

CU
Werner

On Wednesday, 23 May 2007 18:18, Grigoreva, Yelena wrote:
Hello,
I have enabled Cisco logging to my host, SUSE 10.2. In Wireshark I can see that I receive the syslog messages, and then I try to find them somewhere in /var/log/.... but without success. ;(
Where are the syslog messages from external HW logged? I have set SYSLOGD_PARAMS="-rx -m 0" in my sysconfig to enable external logging, but all the same, no effect. I have created local0 and cisco files: I am not sure what file name I should give, and where it must be specified?
I will be grateful for any tip :)
warm regards,
Yelena
--
___________________________________________________________________________
A Linux-Server is like a tent: no windows, no gates and an apache inside...

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
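The routing Werner describes (a udp() source bound to the log server's own address, netmask() filters selecting by sender subnet) and the facility/severity decoding syslog-ng applies to each Cisco datagram, modelled in Python as an added example that is not part of the thread. The sample datagrams and the 10.102.4.0/28 subnet (taken from Yelena's commented-out test_netz filter) are constructed; that udp(ip(...)) takes one local listen address and that Cisco IOS logs to facility local7 by default are syslog-ng and IOS behaviour, not statements from the thread.

```python
import ipaddress
import re

# Constructed sample datagrams in the form a Cisco IOS device sends to UDP/514:
# a "<PRI>" prefix (facility*8 + severity) followed by the message text.
# Addresses are made up within the 10.102.4.0/28 range from the thread.
SAMPLE_DATAGRAMS = [
    ("10.102.4.1", "<189>45: *May 24 09:12:01: %SYS-5-CONFIG_I: Configured from console by vty0"),
    ("10.102.4.13", "<190>46: *May 24 09:12:30: %LINEPROTO-5-UPDOWN: Line protocol on Vlan10, changed state to up"),
    ("192.168.7.9", "<14>printer: paper jam"),  # a sender outside the network-equipment range
]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(datagram):
    """Split the BSD syslog <PRI> header into (facility, severity, text)."""
    m = re.match(r"<(\d{1,3})>", datagram)
    if not m or int(m.group(1)) > 191:
        return "user", "notice", datagram  # syslog-ng's default when no valid PRI is present
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], datagram[m.end():]

def netmask_filter(sender, subnet):
    """What syslog-ng's filter netmask("a.b.c.d/mask") tests: the sender address is in the subnet."""
    return ipaddress.ip_address(sender) in ipaddress.ip_network(subnet, strict=False)

def valid_udp_bind_spec(spec):
    """udp(ip(...)) takes one local address to listen on, not a list of allowed senders."""
    try:
        ipaddress.ip_address(spec)
        return True
    except ValueError:
        return False

# Destinations mirroring the thread's log statements: the commented-out cisco.log route
# (netmask filter), f_local (local0..local7, where Cisco IOS logs by default) and
# f_messages (the iptables exclusion is omitted here).
ROUTES = [
    ("/var/log/cisco.log", lambda ip, fac, sev: netmask_filter(ip, "10.102.4.0/255.255.255.240")),
    ("/var/log/localmessages", lambda ip, fac, sev: fac.startswith("local")),
    ("/var/log/messages", lambda ip, fac, sev: fac not in ("news", "mail")),
]

def route(sender, datagram):
    """Return the files a datagram from `sender` would be written to."""
    fac, sev, _text = decode_pri(datagram)
    return [dest for dest, matches in ROUTES if matches(sender, fac, sev)]
```

Calling route() on the first sample shows a local7.notice message from 10.102.4.1 landing in cisco.log, localmessages and messages once a udp() source is actually listening; valid_udp_bind_spec() returns False for the comma-separated address list in the posted ip() argument.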