[syslog-ng] logging from Cisco

Grigoreva, Yelena Yelena.Grigoreva at detecon.com
Thu May 24 15:32:22 CEST 2007


Hello,

thanks for your quick feedback.
Here is my "show logging" from cisco:
cisco6506#show logging
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 82 messages logged
    Monitor logging: level informational, 9 messages logged
        Logging to: vty1(3)
    Buffer logging: level debugging, 82 messages logged
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 96 message lines logged
        Logging to 10.102.4.5, 96 message lines logged

And my syslog-ng.conf File:
After your e-mail I tried to change the config file, but it wasn't successful; that's why I commented my changes out.
#
# /etc/syslog-ng/syslog-ng.conf
#
# File format description can be found in syslog-ng.conf(5)
# and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#
# NOTE: The SuSEconfig script and its syslog-ng.conf.in
#       configuration template aren't used any more.
#
#       Feel free to edit this file directly.
#
#       Additional log sockets for chroot environments can
#       be declared in the /etc/sysconfig/syslog file using
#               SYSLOGD_ADDITIONAL_SOCKET<NAME>
#       variables. This way allows to define a socket from
#       RPM scripts and is used by several services, e.g.
#       bind and dhcpd.
#
#       The sockets defined in /etc/sysconfig/syslog file
#       are added by the /etc/ini.d/syslog init-script using
#       "-a path" command line options while syslog-ng is
#       started.
#
#       This syslog-ng contains an extension and appends the
#       sockets added by "-a" option to the same source group
#       and using the same socket type (unix-dgram) as the
#       "/dev/log" socket.
#       If one of the sockets added by "-a" option already
#       exists in any (other) source group in the config file,
#       then the socket added by "-a" option is ignored.
#

#
# Global options.
#
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };

#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
	#
	# include internal syslog-ng messages
	# note: the internal() soure is required!
	#
	internal();

	#
	# the default log socket for local logging:
	#
	unix-dgram("/dev/log");

	#
	# uncomment to process log messages from network:
	#(added IP-addresses)
	#udp(ip("10.102.4.4, 10.102.4.1, 10,102.4.3, 10.102.4.2, 10.102.4.13") port(514));
};
#source my_source {
#               # udp();
#                udp(ip("10.102.4.1")port(514));
#        };


#
# Filter definitions
#
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };

filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit)   and facility(news); };
filter f_newserr    { level(err)    and facility(news); };
filter f_news       { facility(news); };

filter f_mailinfo   { level(info)      and facility(mail); };
filter f_mailwarn   { level(warn)      and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };

filter f_cron       { facility(cron); };

filter f_local      { facility(local0, local1, local2, local3,
                               local4, local5, local6, local7); };

filter f_acpid      { match('^\[acpid\]:'); };
filter f_netmgm     { match('^NetworkManager:'); };

filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };
################ my own filter ############################################
#filter test_netz { netmask("10.102.4.0/255.255.255.240");};
################################################################################
#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console  { file("/dev/tty10"    group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };
############## my own logs #######################################################
#log { source(test_netz); filter(test_netz); destination(test_netz); };

##################################################################################

############## my own destinations################################################
#destination test_netz {file("/var/log/cisco.log" owner("root") group("users")
# perm(0640));}
##################################################################################
#
# News-messages in separate files:
#
#destination test_netz {file("/var/log/cisco.log" owner("root") group("users")
#perm(0640));}
destination newscrit   { file("/var/log/news/news.crit"
                              owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr    { file("/var/log/news/news.err"
                              owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"
                              owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };


# and optionally also all in one file:
 #(don't forget to provide logrotation config)

#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };


#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr  { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr);  destination(mailerr); };

#
# and also all in one file:
#
#destination mail { file("/var/log/mail"); };
#log { source(src); filter(f_mail); destination(mail); };

 
#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid"); };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };

#
# NetworkManager messages in one file:

destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };


#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
destination cron { file("/var/log/cron"); };
log { source(src); filter(f_cron); destination(cron); };


#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };


#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };


#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };


#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

# local-messages in separate files:
#
#destination local3 { file("/var/log/local3"); };
#log { source(src); filter(f_local); destination(local3); };

#destination local4 { file("/var/log/local4"); };
#log { source(src); filter(f_local); destination(local4); };


#
# and also all in one file:
#
#destination local { file("/var/log/local"); };
#log { source(src); filter(f_local); destination(local); };



-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu on behalf of Werner Thal
Sent: Thu 5/24/2007 11:28 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] logging from Cisco
 
Hello Yelena,

I can't really figure out where your problem is, so I would like to tell you how I log the
events from my network equipment.

Because I'm only responsible for networking equipment like switches and routers,
I can be sure that no one else will have my logging-server as a destination. So I don't
care about any "facility" and log everything which is destined for my server.

First I defined a source:
	######### MY Sources ###########
	source netz_kompo {
	        # udp();
	        udp(ip("x.x.x.x"));
	};
where x.x.x.x is the IP of my logging-server. Be sure no other source object uses udp.

Then some destinations, one for every customer-network:
	########## MY Destinations ##########
	# MY-LAN
	destination my { file("/bla/blubb/my.log" owner("root") group ("users") perm(0640)); };
	
	# customer1
	destination customer1 { file("/bla/blubb/customer1.log" owner("root") group ("users") perm(0640)); };
	
	# customer2
	destination customer2 { file("/bla/blubb/customer2.log" owner("root") group ("users") perm(0640)); };

	# customer3
	destination customer3 { file("/bla/blubb/customer3.log" owner("root") group ("users") perm(0640)); };
	######

Here are some filters:
	############ MYFilter ##################
	# MY
	filter my_all { netmask("x.x.0.0/255.255.0.0"); };

	# customer1
	filter customer1_all { netmask("x.x.0.0/255.255.0.0"); };


At last - the log-objects:


############ MY logs #####################
#MY
log {
        source(netz_kompo);
        filter(my_all);
        destination(my);
};

#Customer1
log {
        source(netz_kompo);
        filter(customer1_all);
        destination(customer1);
};


Hope this helps

CU
Werner



On Wednesday, 23 May 2007 18:18, Grigoreva, Yelena wrote:
> 
> Hallo,
> 
> 
> I have enabled Cisco logging to my host SUSE 10.2. From the Wireshark tool I can see that I receive the syslog messages and then I try to find them somewhere in /var/log/.... but w/t success. ;(
> 
> Where are the syslog messages logged from external HW? I have set in my sysconf SYSLOGD_PARAMS="-rx -m 0" to enable external logging, but all the same, no effect. I have created local0, cisco files: I am not sure what file name I should give. Where must it be specified?
> 
> I will be grateful for any tip :)
> 
> warm regards
> Yelena
> 
> 
> 

-- 
___________________________________________________________________________
A Linux-Server is like a tent: no windows, no gates and an apache inside...
_______________________________________________
syslog-ng maillist  -  syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
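Applying Werner's pattern to the setup from the first mail (an editor's added example, not a configuration from either poster): the Cisco "show logging" output sends traps to 10.102.4.5, so that is the address the udp() source binds to, since ip() in a udp() source is the listener's own address, not a list of senders as the commented-out line in the first config assumes. Assumed here: the routers sit in 10.102.4.0/28 as in the commented-out netmask filter, and the names s_cisco, f_cisco and d_cisco are chosen for this example.

```conf
# Added example for the first config in this thread (editor's example,
# not either poster's configuration).
# Assumed: syslog-ng runs on 10.102.4.5 (the trap target in "show logging");
# the routers are in 10.102.4.0/28; s_cisco/f_cisco/d_cisco are chosen names.

# Listen for UDP syslog. ip() is the LOCAL address to bind, not the list
# of sending devices; binding the server's own address instead of 0.0.0.0
# keeps the listener off interfaces that should not accept syslog at all.
source s_cisco {
        udp(ip("10.102.4.5") port(514));
};

# Select by SENDER address: only datagrams from the router subnet pass.
# Anything else arriving on the port is dropped by this log path.
filter f_cisco { netmask("10.102.4.0/255.255.255.240"); };

# Root-owned, group-readable file: router logs stay out of world access.
destination d_cisco {
        file("/var/log/cisco.log" owner("root") group("users") perm(0640));
};

# Messages are processed only by log statements that name s_cisco, so
# nothing from the routers spills into /var/log/messages. If udp() is put
# inside the existing 'src' source instead, place this statement before
# the f_messages one and keep flags(final) so matched messages stop here.
log { source(s_cisco); filter(f_cisco); destination(d_cisco); flags(final); };
```

SYSLOGD_PARAMS="-rx -m 0" from the original question is a sysklogd option and has no effect on syslog-ng; remote reception is enabled only by a udp() (or tcp()) source such as the one above, and a missing source is why the log statement `source(test_netz)` in the first config could never match.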

