I am in the process of setting up a syslog server for a large number of Cisco boxes, and have faced some difficulties which may be due to an error in syslog-ng 1.4.13 on Solaris 8 regarding the source statement.

source net { udp(); };

As far as I can understand from the documentation, this ought to listen to all incoming UDP packets on port 514. Contrary to the documentation, I never got this to work at all. I even tried to stop the native syslogd, but to no avail.

source net { udp(ip("xxx.xxx.xxx.22") port(514)); };

Stating the service IP address and syslog port works perfectly.

On the Cisco IOS side, it took me some time to realize that

logging source-interface Ethernet0

is essential to do remote logging. This is the interface with the IP address which has access to the remote syslog host.

Other experiences, especially best practices, with syslog-ng and Cisco boxes are greatly appreciated.

Best regards,
Brian D. Olesen, UNIX Administrator
Orange DK
Brian,

I am logging all of my Cisco equipment without a problem. I am running syslog-ng on a Linux machine. My config has the following line to accept from all network hosts:

source net { udp(ip(0.0.0.0) port(514)); };

You might find that forcing the Cisco box to a particular facility will be helpful. For example:

logging facility local3

-- Allen

"Brian D. Olesen" wrote:
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng
Sounds good, I was able to get Solaris 8 to work with the default statement for source.

The Cisco statement is good too, unless you have multiple paths to your logging server. So if that Ethernet connection ever dies on you, and there's still a path for the router to physically reach your logging server, it will not work (at least not from my experience). Most of my routers have multiple connections to my logging server, so I ended up creating a Loopback0 interface with an IP address on the router and then did a:

logging source-interface Loopback0

That helps when I have WAN links that go down on me. The loopback interface stays up all the time and will find the best route out of the router to my logging server, and will still keep the loopback's IP address.

Also, if you have more than just Cisco devices logging to syslog-ng, you can also put in:

logging facility X

(where X equals local0-7 or a few other facilities; type "logging facility ?" to see the list).

Hope that helps,
JonM

"Brian D. Olesen" wrote:
On Fri, Nov 02, 2001 at 04:19:39PM +0100, Brian D. Olesen wrote:
Back when we had Cisco gear, we had no problems. You may wish to sniff ("snoop" under Solaris) the network to ensure logging is being sent to your Solaris box. This should also let you see what facility it is using.

Any chance you are sending the logging information:
* to the wrong IP address
* to the wrong LAN
* to the right IP address and LAN, but your ACLs are filtering the packets (happens to me all the time :)

If snoop is a little wordy for your liking, filter on port 514 ("snoop port 514").

Bradley Arlt
Email: arlt@cpsc.ucalgary.ca
WWW: www.acs.ucalgary.ca/~bdarlt
-Eat well, sleep peacefully, drink lots, and ride like hell.
On the Cisco IOS side, it took me some time to realize that
logging source-interface Ethernet0
is essential to do remote logging. This is the interface with the IP address which has access to the remote syslog host.
Yep, but IOS _does_ send out syslog even if you do not have source-interface defined; it will label the IP packet with the IP address of the interface through which it sends your outgoing syslog packet. Therefore, if your syslog box can - for some reason - be reached through more than one interface, you might end up receiving syslog packets from the same device but with different source IPs!

One practice might be using a loopback interface as the source-interface for syslog messages. That way, even if your outgoing source-interface goes down and your syslog box can be reached through another interface, you still get syslog messages.

-MNi
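Allen's "logging facility local3", Brad's advice to snoop port 514 and see what facility a box is using, and Mikko's point that one device can show up from several source addresses all come down to looking at the datagrams that actually arrive. The following is an added example (Python; not code from this thread, from syslog-ng or from IOS) that decodes the <PRI> header of raw syslog datagrams into facility and severity, parses the IOS %FACILITY-SEVERITY-MNEMONIC body, and, given an inventory of which addresses belong to which router, reports the devices whose messages arrive from more than one address. The inventory, addresses and datagrams are constructed for the example.

```python
"""Decode raw syslog datagrams from Cisco boxes and audit where they come from.

Added example; not code from this thread, from syslog-ng or from IOS.
The sample inventory and datagrams are constructed for the example.
"""
import re
from collections import defaultdict

# Facility numbers from RFC 3164: <PRI> = facility * 8 + severity.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# IOS body: optional "seq: " (service sequence-numbers), optional "timestamp: "
# (service timestamps log ...), then %FACILITY-SEVERITY-MNEMONIC: text.
_IOS = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"
    r"(?:(?P<ts>[^%]*?):\s*)?"
    r"%(?P<ios_fac>[A-Z0-9_]+)-(?P<ios_sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


def parse_pri(datagram: bytes):
    """Split the <PRI> header off; return (facility_name, severity_name, body)."""
    m = re.match(rb"^<(\d{1,3})>(.*)$", datagram, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a syslog datagram")
    pri = int(m.group(1))
    fac = FACILITIES.get(pri >> 3, f"facility{pri >> 3}")
    return fac, SEVERITIES[pri & 7], m.group(2).decode("ascii", "replace").strip()


def parse_ios(datagram: bytes) -> dict:
    """Parse one datagram; bodies that are not in IOS format come back with ios=False."""
    fac, sev, body = parse_pri(datagram)
    m = _IOS.match(body)
    if not m:
        return {"facility": fac, "severity": sev, "ios": False, "text": body}
    d = m.groupdict()
    # The severity digit in the IOS body should agree with the low 3 bits of <PRI>;
    # a mismatch means something between the router and you rewrote the header.
    d["pri_mismatch"] = int(d["ios_sev"]) != SEVERITIES.index(sev)
    return {"facility": fac, "severity": sev, "ios": True, **d}


def audit(packets, inventory):
    """packets: iterable of (source_ip, datagram). inventory: {device: {its interface IPs}}.

    Reports the facility each known device logs on, devices that arrive from more
    than one address (source-interface not pinned to a loopback), sources that are
    in no device's inventory, and how many datagrams were not syslog at all.
    """
    owner = {ip: dev for dev, ips in inventory.items() for ip in ips}
    facilities, sources, unknown, malformed = defaultdict(set), defaultdict(set), set(), 0
    for src, raw in packets:
        try:
            msg = parse_ios(raw)
        except ValueError:
            malformed += 1
            continue
        dev = owner.get(src)
        if dev is None:
            unknown.add(src)
            continue
        facilities[dev].add(msg["facility"])
        sources[dev].add(src)
    return {
        "facilities": dict(facilities),
        "multi_source": {d: ips for d, ips in sources.items() if len(ips) > 1},
        "unknown_sources": unknown,
        "malformed": malformed,
    }


# Constructed sample: rtr-a logs from its loopback on local3; rtr-b has no
# source-interface, so each datagram carries the address of whichever interface
# it left by; a Unix host logs on the default "user" facility.
INVENTORY = {
    "rtr-a": {"10.255.0.1", "10.1.0.1", "10.2.0.1"},
    "rtr-b": {"10.255.0.2", "10.1.0.2", "10.2.0.2"},
}
SAMPLE = [
    ("10.255.0.1", b"<157>12: *Nov  2 16:19:39.101: %SYS-5-CONFIG_I: Configured from console by vty0 (10.9.9.9)"),
    ("10.255.0.1", b"<157>13: *Nov  2 16:20:01.555: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down"),
    ("10.1.0.2", b"<187>%LINK-3-UPDOWN: Interface Ethernet0, changed state to up"),
    ("10.2.0.2", b"<190>%SEC-6-IPACCESSLOGP: list 101 denied udp 10.9.9.9(514) -> 10.255.0.2(514), 1 packet"),
    ("10.3.0.9", b"<13>Nov  2 16:21:00 fileserver sshd[1234]: Accepted publickey for brian"),
    ("10.1.0.1", b"not a syslog datagram at all"),
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE, INVENTORY).items():
        print(f"{key}: {value}")
```

The facility names returned are the ones syslog-ng's facility() filter takes, so once the audit shows a box is on local3, a filter such as filter f_cisco { facility(local3); }; selects its messages for a separate destination. A device listed under multi_source is the case Mikko describes: pin it with logging source-interface Loopback0 and the set collapses to one address.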
Speaking of Cisco "logging source-interface", has anyone else noticed that if this command is *not* used, the resulting syslog packet contains an invalid CRC value? My Wintel stack simply throws the packet away. I caught the packets via a sniffer and noticed the invalid CRC. Once I specified the source interface the CRC was correct and Windows could receive the messages. This was with IOS 12.something, might be fixed by now.

Just my 2c worth :-)

Cheers
Andrew
Bugger, haven't seen that one. Still, I haven't ever tried logging onto a Windows box, only on Unices. Nope, wasn't aware of that, have to dig up if it is still broken...

-MNi
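The value a sniffer or a receiving IP stack checks on a UDP datagram is the RFC 768 checksum: a 16-bit one's-complement sum over the IPv4 pseudo-header (source and destination address, protocol 17, UDP length), the UDP header and the payload. The following is an added example (Python; not code from this thread or from IOS) that recomputes that checksum for a captured syslog segment and classifies it as ok, absent (a transmitted zero means the sender did not compute one, which IPv4 receivers accept) or bad. It also shows that a segment whose checksum was computed over one source address fails verification when it is carried in a packet from another address, which is one thing worth comparing between captures taken with and without logging source-interface. The addresses and the syslog payload are constructed for the example.

```python
"""Recompute and verify the IPv4 UDP checksum of a captured syslog segment.

Added example; not code from this thread or from IOS. Addresses and the
syslog payload below are constructed for the example.
"""
import ipaddress
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum arithmetic: add 16-bit words with end-around carry."""
    if len(data) % 2:            # odd length: pad with a zero byte on the right
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header (RFC 768): src, dst, zero, protocol, UDP length."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, UDP_PROTO, udp_len))


def udp_checksum(src, dst, sport, dport, payload: bytes) -> int:
    """Checksum the sender should put in a datagram src:sport -> dst:dport."""
    udp_len = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, udp_len, 0)  # checksum field zeroed
    csum = ~ones_complement_sum(pseudo_header(src, dst, udp_len) + header + payload) & 0xFFFF
    return csum or 0xFFFF        # RFC 768: a computed 0 is sent as all ones, since 0 means "none"


def build_udp(src, dst, sport, dport, payload, checksum=None) -> bytes:
    """UDP header + payload. checksum=None computes it; 0 omits it; any other value is written as given (a forged bad one)."""
    if checksum is None:
        checksum = udp_checksum(src, dst, sport, dport, payload)
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), checksum) + payload


def verify_udp(src, dst, segment: bytes) -> str:
    """Classify a captured segment (UDP header + payload) as 'ok', 'absent' or 'bad'."""
    if len(segment) < 8:
        return "bad"
    _, _, udp_len, csum = struct.unpack("!HHHH", segment[:8])
    if udp_len != len(segment):
        return "bad"
    if csum == 0:
        return "absent"          # sender did not compute one; IPv4 receivers accept this
    # With the transmitted checksum included, the one's-complement sum must be all ones.
    return "ok" if ones_complement_sum(pseudo_header(src, dst, udp_len) + segment) == 0xFFFF else "bad"


# Constructed capture: router 10.1.0.2 logging to the syslog host 192.0.2.22.
SRC, DST = "10.1.0.2", "192.0.2.22"
PAYLOAD = b"<189>%SYS-5-CONFIG_I: Configured from console by console"


def demo() -> dict:
    """Verdicts for a correct segment, one without a checksum, a corrupted one,
    and the correct segment seen with a different source address in the IP header."""
    good = build_udp(SRC, DST, 514, 514, PAYLOAD)
    no_csum = build_udp(SRC, DST, 514, 514, PAYLOAD, checksum=0)
    corrupt = bytearray(good)
    corrupt[-1] ^= 0x20                      # one flipped bit in the payload
    return {
        "good": verify_udp(SRC, DST, good),
        "no_checksum": verify_udp(SRC, DST, no_csum),
        "corrupt": verify_udp(SRC, DST, bytes(corrupt)),
        "other_source": verify_udp("10.2.0.2", DST, good),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

To use it on a real capture, feed verify_udp the source and destination addresses from the IP header and the bytes from the start of the UDP header onward; "absent" is legal on IPv4 and should not be treated as corruption, while "bad" is what makes a strict receiving stack drop the datagram.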
participants (6): Allen Bettilyon, Andrew Ross, Brad Arlt, Brian D. Olesen, jmad, Mikko Niskanen