[syslog-ng] logging from Cisco

Werner Thal wt at krzn.de
Thu May 24 11:28:35 CEST 2007 

Hallo Yelena,

I can't really figure out where your problem is, so I would like to tell you how I log the
events from my network equipment.

Becaus e I'm only responsible for networking equipment like switches and routers,
I can be sure that no one else will have my logging-server as a destination. So I don't
take care about any "facility" and log everything wich is destined for my server.

First I defined a source:
	######### MY Sources ###########
	source netz_kompo {
	        # udp();
	        udp (ip(x.x.x.x));
	};
where x.x.x.x is the IP of my logging-server. Be sure no  other source object uses udp.

Then some destinations, one for every customer-network:
	########## MY Destinations ##########
	# MY-LAN
	destination my { file("/bla/blubb/my.log" owner("root") group ("users") perm(0640)); };
	
	# customer1
	destination customer1 { file("/bla/blubb/customer1.log" owner("root") group ("users") perm(0640)); };
	
	# customer2
	destination customer2 { file("/bla/blubb/customer2.log" owner("root") group ("users") perm(0640)); };

	# customer3
	destination customer3 { file("/bla/blubb/customer3.log" owner("root") group ("users") perm(0640)); };
	######

Here are some filters:
	############ MYFilter ##################
	# MY
	filter my_all { netmask("x.x.0.0/255.255.0.0"); };

	# customer1
	filter customer1_all { netmask("x.x.0.0/255.255.0.0"); };


At last - the log-objects:


############ MY logs #####################
#MY
log {
        source(netz_kompo);
        filter(my_all);
        destination(my);
};

#Customer1
log {
        source(netz_kompo);
        filter(customer1_all);
        destination(customer1);
};


Hope this helps

CU
Werner



Am Mittwoch, 23. Mai 2007 18:18 schrieb Grigoreva, Yelena:
> 
> Hallo,
> 
> 
> I have enabled Cisco logging to my host SUSE 10.2. From the Wireshark tool I can see that I become the syslog messages and then I try to find them somewhere in /var/log/.... but w/t success. ;(
> 
> Where are the syslog messages logged from external HW? I have set in my sysconf SYSLOGD_PARAMS="-rx -m 0" to enable external logging, but all the same-no effect.I have created local0, cisco files: I am not sure what file name should I give? where must it be specified?
> 
> I will be grateful for any tip :)
> 
> warm regards
> Yelena
> 
> 
> 

-- 
___________________________________________________________________________
A Linux-Server is like a tent: no windows, no gates and an apache inside...

More information about the syslog-ng mailing list