Hallo,

I have enabled Cisco logging to my host SUSE 10.2. From the Wireshark tool I can see that I receive the syslog messages, and then I try to find them somewhere in /var/log/.... but without success. ;(

Where are the syslog messages from external HW logged? I have set SYSLOGD_PARAMS="-rx -m 0" in my sysconf to enable external logging, but all the same, no effect. I have created local0 and cisco files; I am not sure what file name I should give, and where it must be specified.

I will be grateful for any tip :)

warm regards
Yelena
On Wed, 23 May 2007, Grigoreva, Yelena wrote:
Hallo,
I have enabled Cisco logging to my host SUSE 10.2. From the Wireshark tool I can see that I receive the syslog messages, and then I try to find them somewhere in /var/log/.... but without success. ;(
Where are the syslog messages from external HW logged? I have set SYSLOGD_PARAMS="-rx -m 0" in my sysconf to enable external logging, but all the same, no effect. I have created local0 and cisco files; I am not sure what file name I should give, and where it must be specified.
I will be grateful for any tip :)
Check local7. I think that's the default facility for Cisco devices.

- billn
On Wed, 23 May 2007, Bill Nash wrote:
Check local7. I think that's the default facility for Cisco devices.
Or local4, now that I really think on it. It depends on the type of device and which faction of Cisco (or purchased company) wrote the code.

- billn
Bill Nash wrote:
On Wed, 23 May 2007, Bill Nash wrote:
Check local7. I think that's the default facility for Cisco devices.
Or local4, now that I really think on it. It depends on the type of device and which faction of Cisco (or purchased company) wrote the code.
Here is a part of my syslog-ng.conf, after some thorough research on the Cisco website:

#### {{{ Cisco, by device type
filter f_cisco_router   { facility(local2); };
filter f_cisco_switch   { facility(local3); };
filter f_cisco_firewall { facility(local4); };
filter f_cisco_vpnbox   { facility(local5); };
#### Cisco, by device type }}}
...
# vim: set nowrap foldmethod=marker :

The {{{ and }}} are used by vim to mark a "fold", so that it is shown as one line. Just my 2 yen, in case you didn't know :-)

Kalin.
--
| A | Kalin KOZHUHAROV <kalin.kozhuharov@jp.adecco.com>
| D | TEL: +81 (3) 6439-7547  MOBILE: +81 90 8496-0556
| J | IT Security Officer
| P | Adecco Japan  http://www.adecco.co.jp/
Here is a part of my syslog-ng.conf, after some thorough research on the Cisco website:
#### {{{ Cisco, by device type
filter f_cisco_router   { facility(local2); };
filter f_cisco_switch   { facility(local3); };
filter f_cisco_firewall { facility(local4); };
filter f_cisco_vpnbox   { facility(local5); };
#### Cisco, by device type }}}
Keep in mind that if you have any other devices sending messages using the same facility as above, you may inadvertently filter those messages as well. You can match some text strings within the messages themselves or use a regex. Regex is more accurate but can have a performance impact on a busy syslog-ng server.

Tom
On Wed, May 23, 2007 at 11:52:48PM -0700, Tom Le wrote:
Here is a part of my syslog-ng.conf, after some thorough research on the Cisco website:
#### {{{ Cisco, by device type
filter f_cisco_router   { facility(local2); };
filter f_cisco_switch   { facility(local3); };
filter f_cisco_firewall { facility(local4); };
filter f_cisco_vpnbox   { facility(local5); };
#### Cisco, by device type }}}
Keep in mind that if you have any other devices sending messages using the same facility as above, you may inadvertently filter those messages as well. You can match some text strings within the messages themselves or use a regex. Regex is more accurate but can have performance impact on busy syslog-ng server.
Good point(s). I tend to use a different IP (often just a virtual interface) as the source for host and network device syslog. It ends up helping in a lot of cases.

--
Nate

First Law of System Requirements: "Anything is possible if you don't know what you're talking about..."
Hallo Yelena,

I can't really figure out where your problem is, so I would like to tell you how I log the events from my network equipment. Because I'm only responsible for networking equipment like switches and routers, I can be sure that no one else will have my logging-server as a destination. So I don't care about any "facility" and log everything which is destined for my server.

First I defined a source:

######### MY Sources ###########
source netz_kompo {
	# udp();
	udp (ip(x.x.x.x));
};

where x.x.x.x is the IP of my logging-server. Be sure no other source object uses udp.

Then some destinations, one for every customer-network:

########## MY Destinations ##########
# MY-LAN
destination my { file("/bla/blubb/my.log" owner("root") group ("users") perm(0640)); };
# customer1
destination customer1 { file("/bla/blubb/customer1.log" owner("root") group ("users") perm(0640)); };
# customer2
destination customer2 { file("/bla/blubb/customer2.log" owner("root") group ("users") perm(0640)); };
# customer3
destination customer3 { file("/bla/blubb/customer3.log" owner("root") group ("users") perm(0640)); };
######

Here are some filters:

############ MYFilter ##################
# MY
filter my_all { netmask("x.x.0.0/255.255.0.0"); };
# customer1
filter customer1_all { netmask("x.x.0.0/255.255.0.0"); };

At last - the log-objects:

############ MY logs #####################
#MY
log { source(netz_kompo); filter(my_all); destination(my); };
#Customer1
log { source(netz_kompo); filter(customer1_all); destination(customer1); };

Hope this helps
CU
Werner

On Wednesday, 23 May 2007 18:18, Grigoreva, Yelena wrote:
Hallo,
I have enabled Cisco logging to my host SUSE 10.2. From the Wireshark tool I can see that I receive the syslog messages, and then I try to find them somewhere in /var/log/.... but without success. ;(
Where are the syslog messages from external HW logged? I have set SYSLOGD_PARAMS="-rx -m 0" in my sysconf to enable external logging, but all the same, no effect. I have created local0 and cisco files; I am not sure what file name I should give, and where it must be specified.
I will be grateful for any tip :)
warm regards Yelena
--
A Linux-Server is like a tent: no windows, no gates and an apache inside...
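Kalin's facility(localN) filters, Tom's caveat that another device on the same facility gets filed with the Cisco logs, and Werner's netmask() filters can be compared in one place. The following is an added Python model of those routing decisions, not code from the thread or from syslog-ng: it decodes the RFC 3164 PRI field (facility = PRI / 8, severity = PRI mod 8), applies the facility, Cisco-tag and source-network rules, and reports which files a datagram would land in. The sample datagrams and the 10.200.0.0/16 prefix are constructed; 10.102.4.0/28 is the /255.255.255.240 network from Yelena's own filter.

```python
"""Model how the thread's syslog-ng filters would route Cisco syslog datagrams."""
import ipaddress
import re

# RFC 3164 numbering: PRI = facility * 8 + severity; local0..local7 are 16..23.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 9: "cron", **{16 + i: f"local{i}" for i in range(8)}}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# Cisco IOS/ASA messages carry a %FACILITY-SEVERITY-MNEMONIC tag, e.g. %SYS-5-CONFIG_I.
# This is Tom's "match a text string" idea: it tells Cisco output apart from
# another device that happens to use the same facility.
CISCO_TAG_RE = re.compile(r"%[A-Z][A-Z0-9_]*-[0-7]-[A-Z0-9_]+")

# Kalin's facility(localN) filters, as facility name -> destination (log file) name.
BY_DEVICE_TYPE = {"local2": "cisco_router", "local3": "cisco_switch",
                  "local4": "cisco_firewall", "local5": "cisco_vpnbox"}
# Werner's netmask() filters, as network -> destination (10.200.0.0/16 is constructed).
BY_NETWORK = [(ipaddress.ip_network("10.102.4.0/28"), "my"),
              (ipaddress.ip_network("10.200.0.0/16"), "customer1")]


def parse_pri(datagram: str):
    """Return (facility_name, severity_name, body), or None for a malformed PRI."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    return FACILITY_NAMES.get(pri // 8, str(pri // 8)), SEVERITY_NAMES[pri % 8], m.group(2)


def route(src_ip: str, datagram: str) -> dict:
    """Decide which log files a datagram from src_ip would be written to."""
    parsed = parse_pri(datagram)
    if parsed is None:
        return {"dropped": "malformed PRI"}
    facility, severity, body = parsed
    dests = []
    # 1. Facility-based routing, narrowed by the Cisco tag so that a non-Cisco
    #    sender on local4 does not end up in the firewall log (Tom's caveat).
    if facility in BY_DEVICE_TYPE and CISCO_TAG_RE.search(body):
        dests.append(BY_DEVICE_TYPE[facility])
    # 2. Source-address routing (Werner), which needs no cooperation from the sender.
    addr = ipaddress.ip_address(src_ip)
    dests.extend(name for net, name in BY_NETWORK if addr in net)
    return {"facility": facility, "severity": severity, "dests": dests}


# Constructed sample datagrams; not captured from the devices in the thread.
SAMPLES = [
    ("10.102.4.1", "<166>42: *May 24 10:15:01: %ASA-6-302013: Built outbound TCP connection"),
    ("10.102.4.4", "<189>43: *May 24 10:15:02: %SYS-5-CONFIG_I: Configured from console by vty1"),
    ("10.200.7.9", "<166>cron[123]: (root) CMD (run-parts /etc/cron.hourly)"),
]

if __name__ == "__main__":
    for ip, dgram in SAMPLES:
        print(ip, route(ip, dgram))
```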
Hallo,

thanks for your quick feedback. Here is my "show logging" from cisco:

cisco6506#show logging
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 82 messages logged
    Monitor logging: level informational, 9 messages logged
        Logging to: vty1(3)
    Buffer logging: level debugging, 82 messages logged
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 96 message lines logged
        Logging to 10.102.4.5, 96 message lines logged

And my syslog-ng.conf file. After your e-mail I have tried to change the config file, but it wasn't successful, that's why I commented my changes out.

#
# /etc/syslog-ng/syslog-ng.conf
#
# File format description can be found in syslog-ng.conf(5)
# and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#
# NOTE: The SuSEconfig script and its syslog-ng.conf.in
#       configuration template aren't used any more.
#
#       Feel free to edit this file directly.
#
# Additional log sockets for chroot environments can
# be declared in the /etc/sysconfig/syslog file using
#     SYSLOGD_ADDITIONAL_SOCKET<NAME>
# variables. This way allows to define a socket from
# RPM scripts and is used by several services, e.g.
# bind and dhcpd.
#
# The sockets defined in /etc/sysconfig/syslog file
# are added by the /etc/init.d/syslog init-script using
# "-a path" command line options while syslog-ng is
# started.
#
# This syslog-ng contains an extension and appends the
# sockets added by "-a" option to the same source group
# and using the same socket type (unix-dgram) as the
# "/dev/log" socket.
# If one of the sockets added by "-a" option already
# exists in any (other) source group in the config file,
# then the socket added by "-a" option is ignored.
#

#
# Global options.
#
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
	#
	# include internal syslog-ng messages
	# note: the internal() source is required!
	#
	internal();

	#
	# the default log socket for local logging:
	#
	unix-dgram("/dev/log");

	#
	# uncomment to process log messages from network:
	#(added IP-addresses)
	#udp(ip("10.102.4.4, 10.102.4.1, 10,102.4.3, 10.102.4.2, 10.102.4.13") port(514));
};

#source my_source {
#	# udp();
#	udp(ip("10.102.4.1")port(514));
#	};

#
# Filter definitions
#
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };

filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit)   and facility(news); };
filter f_newserr    { level(err)    and facility(news); };
filter f_news       { facility(news); };

filter f_mailinfo   { level(info)      and facility(mail); };
filter f_mailwarn   { level(warn)      and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };

filter f_cron       { facility(cron); };

filter f_local      { facility(local0, local1, local2, local3,
                               local4, local5, local6, local7); };

filter f_acpid      { match('^\[acpid\]:'); };

filter f_netmgm     { match('^NetworkManager:'); };

filter f_messages   { not facility(news, mail) and not filter(f_iptables); };

filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };

filter f_alert      { level(alert); };

################ my own filter ############################################
#filter test_netz { netmask("10.102.4.0/255.255.255.240");};
################################################################################

#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console  { file("/dev/tty10" group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };

############## my own logs #######################################################
#log { source(test_netz); filter(test_netz); destination(test_netz); };
##################################################################################
############## my own destinations################################################
#destination test_netz {file("/var/log/cisco.log" owner("root") group("users")
#    perm(0640));}
##################################################################################

#
# News-messages in separate files:
#
#destination test_netz {file("/var/log/cisco.log" owner("root") group("users")
#perm(0640));}
destination newscrit   { file("/var/log/news/news.crit" owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr    { file("/var/log/news/news.err" owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice" owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

# and optionally also all in one file:
#(don't forget to provide logrotation config)
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };

#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr  { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr); destination(mailerr); };

#
# and also all in one file:
#
#destination mail { file("/var/log/mail"); };
#log { source(src); filter(f_mail); destination(mail); };

#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid"); };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };

#
# NetworkManager messages in one file:
destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };

#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
destination cron { file("/var/log/cron"); };
log { source(src); filter(f_cron); destination(cron); };

#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };

#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

# local-messages in separate files:
#
#destination local3 { file("/var/log/local3"); };
#log { source(src); filter(f_local); destination(local3); };
#destination local4 { file("/var/log/local4"); };
#log { source(src); filter(f_local); destination(local4); };

#
# and also all in one file:
#
#destination local { file("/var/log/local"); };
#log { source(src); filter(f_local); destination(local); };

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu on behalf of Werner Thal
Sent: Thu 5/24/2007 11:28 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] logging from Cisco

Hallo Yelena,

I can't really figure out where your problem is, so I would like to tell you how I log the events from my network equipment. Because I'm only responsible for networking equipment like switches and routers, I can be sure that no one else will have my logging-server as a destination. So I don't care about any "facility" and log everything which is destined for my server.

First I defined a source:

######### MY Sources ###########
source netz_kompo {
	# udp();
	udp (ip(x.x.x.x));
};

where x.x.x.x is the IP of my logging-server. Be sure no other source object uses udp.

Then some destinations, one for every customer-network:

########## MY Destinations ##########
# MY-LAN
destination my { file("/bla/blubb/my.log" owner("root") group ("users") perm(0640)); };
# customer1
destination customer1 { file("/bla/blubb/customer1.log" owner("root") group ("users") perm(0640)); };
# customer2
destination customer2 { file("/bla/blubb/customer2.log" owner("root") group ("users") perm(0640)); };
# customer3
destination customer3 { file("/bla/blubb/customer3.log" owner("root") group ("users") perm(0640)); };
######

Here are some filters:

############ MYFilter ##################
# MY
filter my_all { netmask("x.x.0.0/255.255.0.0"); };
# customer1
filter customer1_all { netmask("x.x.0.0/255.255.0.0"); };

At last - the log-objects:

############ MY logs #####################
#MY
log { source(netz_kompo); filter(my_all); destination(my); };
#Customer1
log { source(netz_kompo); filter(customer1_all); destination(customer1); };

Hope this helps
CU
Werner

On Wednesday, 23 May 2007 18:18, Grigoreva, Yelena wrote:
Hallo,
I have enabled Cisco logging to my host SUSE 10.2. From the Wireshark tool I can see that I receive the syslog messages, and then I try to find them somewhere in /var/log/.... but without success. ;(
Where are the syslog messages from external HW logged? I have set SYSLOGD_PARAMS="-rx -m 0" in my sysconf to enable external logging, but all the same, no effect. I have created local0 and cisco files; I am not sure what file name I should give, and where it must be specified.
I will be grateful for any tip :)
warm regards Yelena
--
A Linux-Server is like a tent: no windows, no gates and an apache inside...

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
On 5/24/07, Grigoreva, Yelena <Yelena.Grigoreva@detecon.com> wrote:
#source my_source {
#	# udp();
#	udp(ip("10.102.4.1")port(514));
#	};
You are going to need to have a source other than internal to receive messages from the network.

source net {
	udp(ip(10.102.4.1) );
};
ok I wrote so:

source src {
	internal();
	udp(ip(10.102.4.1));
	unix-dgram("/dev/log");
};

then

linux-fxot:/dev # service syslog restart
Shutting down syslog services                                        done
Starting syslog servicesio.c: bind_inet_socket() bind failed 10.102.4.1:514 Cannot assign requested address
Error initializing configuration, exiting.
startproc: exit status of parent of /sbin/syslog-ng: 1                failed

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu on behalf of Jason Qualkenbush
Sent: Thu 5/24/2007 3:57 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] logging from Cisco

On 5/24/07, Grigoreva, Yelena <Yelena.Grigoreva@detecon.com> wrote:
#source my_source {
#	# udp();
#	udp(ip("10.102.4.1")port(514));
#	};
You are going to need to have a source other than internal to receive messages from the network.

source net {
	udp(ip(10.102.4.1) );
};
On 5/24/07, Grigoreva, Yelena <Yelena.Grigoreva@detecon.com> wrote:
ok I wrote so:
source src {
	internal();
	udp(ip(10.102.4.1));
	unix-dgram("/dev/log");
};
Try: udp(); unless you don't want syslog-ng to bind on all interfaces.
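The "Cannot assign requested address" failure above comes from putting a device's address (10.102.4.1) into ip(): the ip() option of a udp() source is the local address syslog-ng binds to, so it must be one the log server itself holds (10.102.4.5 in the show logging output), or be left out so that udp() binds to all interfaces. The following is an added check, not from the thread or from syslog-ng, that probes a candidate address with the same kind of bind; 192.0.2.1 is a documentation address standing in for a remote device's IP.

```python
"""Probe whether an address is bindable before putting it into udp(ip(...))."""
import errno
import socket


def can_bind_udp(ip: str, port: int = 0):
    """Return (True, None) if a UDP socket can be bound to ip:port, else
    (False, errno). Port 0 requests an ephemeral port, so the probe never
    collides with a syslog-ng that is already listening on 514."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((ip, port))
        return True, None
    except OSError as e:
        return False, e.errno
    finally:
        s.close()


def explain(ip: str) -> str:
    """Turn the probe result into the syslog-ng-level consequence."""
    ok, err = can_bind_udp(ip)
    if ok:
        return f"{ip}: bindable, udp(ip({ip})) would start"
    if err == errno.EADDRNOTAVAIL:
        # This is exactly the bind_inet_socket() 'Cannot assign requested
        # address' error from the thread: the host does not own this address.
        return f"{ip}: not a local address, syslog-ng would fail to bind"
    return f"{ip}: bind failed with errno {err}"


if __name__ == "__main__":
    # 127.0.0.1 is always local; 0.0.0.0 is what a bare udp() binds to;
    # 192.0.2.1 (TEST-NET-1) is a constructed stand-in for a router's address.
    for candidate in ("127.0.0.1", "0.0.0.0", "192.0.2.1"):
        print(explain(candidate))
```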
Hallo,

Hurra!!! I got it!!! I typed udp() without an IP address and it is OK now! I am so happy: I can dance samba now :)

The next step is to filter all this, because I get really many messages from all routers and switches ;)

best regards
Yelena

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu on behalf of Jason Qualkenbush
Sent: Thu 5/24/2007 3:57 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] logging from Cisco

On 5/24/07, Grigoreva, Yelena <Yelena.Grigoreva@detecon.com> wrote:
#source my_source {
#	# udp();
#	udp(ip("10.102.4.1")port(514));
#	};
You are going to need to have a source other than internal to receive messages from the network.

source net {
	udp(ip(10.102.4.1) );
};
Participants (7):
- Bill Nash
- Grigoreva, Yelena
- Jason Qualkenbush
- Kalin KOZHUHAROV
- Nate Campi
- Tom Le
- Werner Thal