Friday, December 4, 2009

Quick HOWTO:syslog-ng + cisco configuration

Hi all, in this short article I will demonstrate how to configure syslog-ng to caputre cisco log messages.

Let's start with the server side, I'm using Open SUSE11 VM in my case.

I will assume you have "syslog-ng" is already installed on your system.

So first, will need to edit /etc/sysconfig/syslog and change the following 2 lines:

SYSLOGD_PARAMS="-r"
SYSLOG_DAEMON="syslog-ng"


The 1st option (-r ) tells the Daemon to be in passive mode - act like a logging server.
The 2nd option tells syslog Daemon to use syslog-ng as the system default logging scheme.

Our main configuration file is /etc/syslog-ng/syslog-ng.conf
Open it with your favourite text editor and add:

options { sync (0);

time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (yes);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};

source sys { unix-stream ("/dev/log"); internal(); };
source remote { udp(); };

destination std { file( "/var/log/syslog-ng/$HOST/$YEAR$MONTH/$FACILITY" create_dirs(yes)); };

log { source(sys); destination(std); };
log { source(remote); destination(std); };


Save the file, restart the service with /etc/init.d/syslog-restart
Verify syslog-ng is running on your run-level and listening on port 514:

chkconfig --list grep syslog
syslog 0:off 1:off 2:on 3:on 4:off 5:on 6:off


netstat -ntulp "pipe" grep ":514"

udp 0 0 0.0.0.0:514 0.0.0.0:* 32446/syslog-ng

All logs will be saved under: /var/log/syslog-ng/$HOSTNAME/$DATE/$LOG
(As we have stated to be in the syslog-ng config file), the server side is done, great.


Now let's login to our cisco router and access "configure terminal", from there execute theese commands:

service timestamps log datetime localtime
no logging console
no logging monitor
logging 192.168.0.180
Instead of the IP address, enter your logging server IP, save the configuration and exit the router.

Let's check if everything works, my router is called "cisco851" I've tried to enter privileged mode with wrong password, The result will be:

root@server01 # tail -f /var/log/syslog-ng/cisco851/200912/local4

Dec 4 14:15:58 cisco851 1895: Dec 4 12:15:59: %SYS-5-PRIV_AUTH_FAIL: Authentication to Privilage level 15 failed by paul on vty0 (192.168.0.180)

Dec 4 14:16:34 cisco851 1896: Dec 4 12:16:35: %SYS-5-PRIV_AUTH_FAIL: Authentication to Privilage level 15 failed by paul on vty0 (192.168.0.180)


We are done.