RE: [syslog-ng]Cisco Logging
Hi Drew

I've tried your extra setting but I still get nothing about our Cisco routers in the cisco.log or the sys.log files I'd set up for syslog-ng. I do however still get them via the syslogd. Is there something I'm missing out of the source bit of the code?

Regards
Richard
-----Original Message-----
From: Hamilton, Andrew Mr RAYTHEON 5 SIG CMD [SMTP:HamiltonA@hq.5sigcmd.army.mil]
Sent: Friday, 6 April 2001 4:03 pm
To: 'syslog-ng@lists.balabit.hu'
Subject: RE: [syslog-ng]Cisco Logging
Richard,
syslog-ng does a considerably better job at filtering than does syslogd. This can cause you problems if you are not looking at it correctly. syslogd will log up to a priority for a facility in the syslog.conf. syslog-ng will log only that facility given in the syslog-ng.conf. Cisco devices log at the info level by default. So only if you are getting something from the Cisco devices at the debug level. If you want the same behavior as in syslogd you need to set your filter to "priority(info..debug)".
Regards, Drew
-----Original Message-----
From: Shaw, Richard W [SMTP:Richard.W.Shaw@team.telstra.com]
Sent: Friday, April 06, 2001 9:50 AM
To: 'syslog-ng@lists.balabit.hu'
Subject: [syslog-ng]Cisco Logging
Hi Guys
I've just found syslog-ng and am testing/comparing it to our current syslogd so I can match the logging then push everything to a syslog server.
My problem is that I'm getting no logs for Cisco devices, I don't even get anything in the sys.log file (see below):
syslogd.conf file:

    local7.debug    /var/log/cisco.log

syslog-ng.conf file:

    source src {
        udp();
        tcp();
        sun-streams("/dev/log" door("/etc/.syslog_door"));
        internal();
    };

    destination d_mail  { file("/tmp/ng/$HOST/$YEAR/$MONTH/$DAY/mail.log" create_dirs(yes)); };
    destination d_cisco { file("/tmp/ng/$HOST/$YEAR/$MONTH/$DAY/cisco.log" create_dirs(yes)); };
    destination d_sshd  { file("/tmp/ng/$HOST/$YEAR/$MONTH/$DAY/sshd.log" create_dirs(yes)); };
    destination d_tac   { file("/tmp/ng/$HOST/$YEAR/$MONTH/$DAY/tacplus.log" create_dirs(yes)); };
    destination d_sys   { file("/tmp/ng/$HOST/$YEAR/$MONTH/$DAY/sys.log" create_dirs(yes)); };

    filter f_mail  { facility(mail); };
    filter f_cisco { facility(local7) and priority(debug); };
    filter f_sshd  { match("sshd"); };
    filter f_tac   { facility(local6); };

    log { source(src); filter(f_mail); destination(d_mail); };
    log { source(src); filter(f_cisco); destination(d_cisco); };
    log { source(src); filter(f_sshd); destination(d_sshd); };
    log { source(src); filter(f_tac); destination(d_tac); };
    log { source(src); destination(d_sys); };
Thanks in advance for any help
Regards Richard Shaw
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng
"Shaw, Richard W" wrote:
Hi Drew
I've tried your extra setting but I still get nothing about our Cisco routers in the cisco.log or the sys.log files I'd set up for syslog-ng. I do however still get them via the syslogd. Is there something I'm missing out of the source bit of the code?
Maybe it helps (please excuse my lame English): it works for me the following way.

Cisco router:

    logging facility daemon
    logging source-interface Loopback0
    logging xx.xx.xx.212
    logging xx.xx.xx.213

source-interface is important because if you don't do that the sender IP is the outgoing interface IP!!!

The syslog servers are Sun boxes. A year ago I did not manage to get syslog-ng receiving (machine) internal syslog messages (Solaris problem), so I did a very dirty trick: changed the default syslog entry in /etc/services to another port. Now my old syslogd comes up and listens on another UDP port. Now I can start syslog-ng with:

    source net { udp(ip(xx.xx.xx.xx) port(514)); };

Check which syslog is running with:

    lsof -i udp:514

Now you should get a line with "syslog-ng".

For testing use snoop or tcpdump ...

    xxxxxx:/usr/local/syslog-ng/etc>snoop -d hme0 udp port 514
    Using device /dev/hme (promiscuous mode)
    zswitch5 -> xxxxxx SYSLOG C port=1028 <190>%MGMT-6-LOGINFA

Now you should get messages into your syslog-ng files. Every following error should be a result from syslog-ng misconfiguration.

bye
werner

Life is not fair. But the root password helps
---------------------------------------------
email: werner.dundler@austrocontrol.at
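An added illustration, not code from any poster in this thread: the sketch below decodes the <190> priority value seen in the snoop capture and evaluates it against the syslogd selector and the syslog-ng filters quoted in the thread, showing why an exact priority(debug) filter skips an info-level message. The function names are made up for this example, and it models only the filter semantics, not whether syslog-ng is actually receiving on UDP port 514.

```python
import re

# RFC 3164 facility codes 0..23; the names for codes 12-15 vary between implementations.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(packet):
    """Return (facility, severity) names from the <PRI> prefix of a syslog datagram."""
    m = PRI_RE.match(packet)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid <PRI> prefix")
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]   # PRI = facility * 8 + severity

def syslogd_selector(selector, facility, severity):
    """Basic syslogd 'facility.level' form: the named level and anything more severe."""
    sel_fac, sel_lvl = selector.split(".")
    return (sel_fac in ("*", facility)
            and SEVERITIES.index(severity) <= SEVERITIES.index(sel_lvl))

def syslog_ng_priority(spec, severity):
    """syslog-ng priority(): one exact level, or an inclusive 'a..b' range."""
    if ".." in spec:
        a, b = (SEVERITIES.index(x) for x in spec.split(".."))
        return min(a, b) <= SEVERITIES.index(severity) <= max(a, b)
    return severity == spec

def compare(packet):
    """Evaluate one datagram against the selector and filters quoted in the thread."""
    fac, sev = decode_pri(packet)
    return {
        "decoded": (fac, sev),
        "syslogd local7.debug": syslogd_selector("local7.debug", fac, sev),
        "ng facility(local7) and priority(debug)":
            fac == "local7" and syslog_ng_priority("debug", sev),
        "ng facility(local7) and priority(info..debug)":
            fac == "local7" and syslog_ng_priority("info..debug", sev),
    }

if __name__ == "__main__":
    # Payload as shown in the snoop capture above (it is truncated there as well).
    for name, value in compare("<190>%MGMT-6-LOGINFA").items():
        print(f"{name}: {value}")
```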