[syslog-ng]syslog-ng and Cisco boxes

Brad Arlt arlt@cpsc.ucalgary.ca
Fri, 2 Nov 2001 15:11:09 -0700


On Fri, Nov 02, 2001 at 04:19:39PM +0100, Brian D. Olesen wrote:
> I am in the process of setting up a syslog server for a large number of
> Cisco boxes, and have faced some difficulties which may be due to an error
> in syslog-ng 1.4.13 on Solaris 8 regarding the source statement.
> 
> source net { udp(); };
> 
> As far as I can understand from the documentation, this ought to listen to
> all incoming udp packets on port 514. Contrary to the documentation, I never
> got this to work at all. I even tried to stop the native syslogd, but to no
> avail. 
> 
> source net { udp(ip("xxx.xxx.xxx.22") port(514)); };
> 
> Stating the service ip address and syslog port works perfectly.
> 
> On the Cisco IOS side, it took me some time to realize that
> 
> logging source-interface Ethernet0
> 
> is essential to do remote logging. This is the interface with the ip address
> which has access to the remote syslog host.
> 
> Other experiences, especially best practices, with syslog-ng and Cisco boxes
> are greatly appreciated.

Back when we had Cisco gear, we had no problems.  You may wish to
sniff ("snoop" under Solaris) the network to ensure logging is being
sent to your Solaris box.  This should also let you see what facility it
is using.

Any chance you are either sending the logging information:

 * to the wrong IP address
 * to the wrong LAN
 * to the right IP address and LAN, but your ACLs are filtering
   the packets (happens to me all the time :)

If snoop is a little wordy for your liking, filter on port 514
("snoop port 514")
----------------------------------------------------------------------------
   __o		Bradley Arlt	  Email: arlt@cpsc.ucalgary.ca         o__
 _ \<_				    WWW: www.acs.ucalgary.ca/~bdarlt   _>/ _
(_)/(_)  -Eat well, sleep peacefully, drink lots, and ride like hell. (_)\(_)
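As an added illustration (not part of this thread, and not syslog-ng or Cisco code), here is a small Python receiver that binds the way syslog-ng's `udp()` source does and decodes the facility/severity of each datagram, which is what Brad suggests reading off a snoop capture. The Cisco IOS sample line is constructed, and the `listen()` helper with its default bind address, port and timeout is an assumption for demonstration.

```python
import re
import socket

# RFC 3164 facility and severity tables; Cisco IOS logs to local7 by default.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)\Z", re.DOTALL)

# Constructed sample of a Cisco IOS message as it arrives on UDP/514.
# PRI 189 = facility local7 (23 * 8) + severity notice (5).
SAMPLE = b"<189>45: *Nov  2 15:11:09: %SYS-5-CONFIG_I: Configured from console by vty0"


def decode_pri(payload: bytes) -> dict:
    """Split a raw syslog datagram into facility, severity and message text."""
    m = PRI_RE.match(payload)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1
        raise ValueError(f"PRI {pri} out of range")
    return {
        "pri": pri,
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "msg": m.group(2).decode("ascii", "replace").rstrip("\r\n"),
    }


def listen(bind_ip: str = "0.0.0.0", port: int = 514, count: int = 5, timeout: float = 10.0):
    """Bind like syslog-ng's udp() source and decode up to `count` datagrams (port 514 needs root)."""
    # Binding a specific address, as in udp(ip("...") port(514)), confirms the router reaches it.
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, port))
        s.settimeout(timeout)
        for _ in range(count):
            try:
                data, (src_ip, _) = s.recvfrom(2048)
            except socket.timeout:
                break  # nothing arrived: check ACLs and "logging source-interface"
            rec = decode_pri(data)
            rec["src"] = src_ip
            seen.append(rec)
    return seen
```

If `listen()` times out with nothing received while snoop shows packets arriving, the datagrams are reaching the host but not the bound address, which is exactly the `udp()` versus `udp(ip(...))` difference Brian describes.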