
Logging to a syslog or rsyslog host from Cisco IOS

How to configure a Cisco IOS router to log messages to a syslog host.

 

Steps:

  • Configure the Cisco IOS router to generate syslog messages
  • Allow syslog messages out from the router
  • Allow syslog messages into the syslog host
  • Enable syslog to record messages

 

 Router

The router is configured to send the syslog messages with facility 'local6'. All messages, including debug messages, are sent to the syslog server. The messages are sent in the clear.

logging 192.168.0.10
logging facility local6
logging trap debugging

If high volumes of debug-level logging are generated, the console can be overwhelmed with messages and the router can become unresponsive. Reduce the console logging level so that debug messages aren't shown on the console.

logging console informational

 

Output of 'show logging':

    Trap logging: level debugging, 7073 message lines logged
        Logging to 192.168.0.10  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              6978 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled

Linux

By default the syslog server will ignore syslog messages from another host. It must be configured to allow messages.

First, allow the syslog messages into the host at the network level (this assumes the host is firewalled with iptables). Because the logging is unauthenticated and unencrypted, the rule is reasonably restrictive about which traffic is allowed: UDP port 514 only, from the single source address 192.168.0.1, arriving on eth0.

-A udpIn -p udp -m udp -i eth0 --source 192.168.0.1/32 --dport 514 -m state --state NEW -j ACCEPT

Allow syslog to log messages from external hosts with the '-r' switch, or with rsyslog the '-r514' switch.

With syslog, edit the syslog configuration file '/etc/sysconfig/syslog':

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".

Or on newer releases with rsyslog, edit '/etc/sysconfig/rsyslog':

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -rPortNumber Enables logging from remote machines. The listener will listen to the specified port.
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r514"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

 

Direct 'local6' messages (the facility configured on the router above) to a 'network.log' file. Because high-volume debug-style logging messages may be going to this file, put a leading '-' on the filename to indicate that a sync after each message is not required.

local6.*            -/var/log/network.log

 Restart the syslog/rsyslog daemon to pick up the changes.

service syslog restart
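
To check that what the router sends will match the 'local6.*' selector, the following Python sketch decodes the PRI field of syslog datagrams in the form IOS emits them. It is an added example, not part of the original page; the function names are hypothetical and the sample datagrams are constructed.

```python
import re

# Codes 16-23 are local0-local7 (RFC 3164); severity names as IOS spells them.
FACILITIES = {16 + n: f"local{n}" for n in range(8)}
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# IOS system messages carry a %FACILITY-SEVERITY-MNEMONIC tag; raw debug output may not.
IOS_TAG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+): ")

def parse_datagram(data: bytes) -> dict:
    """Decode one UDP syslog payload (hypothetical helper, not from the page)."""
    text = data.decode("ascii", errors="replace").rstrip("\r\n\x00")
    m = PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility*8 + severity
    tag = IOS_TAG_RE.search(text)
    return {
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES[severity],
        "ios_tag": "-".join(tag.groups()) if tag else None,
        # The severity digit in the tag should equal the PRI severity.
        "consistent": int(tag.group(2)) == severity if tag else None,
    }

def lands_in_network_log(msg: dict) -> bool:
    """True if the page's selector 'local6.*' would match this message."""
    return msg["facility"] == "local6"

# Constructed sample datagrams (not captured from a real router).
SAMPLES = [
    b"<179>45: *Mar  1 00:12:34.567: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    b"<183>46: *Mar  1 00:12:35.001: ICMP: echo reply sent, src 192.168.0.1, dst 192.168.0.10",
    # PRI 189 = local7.notifications: what arrives if 'logging facility local6' is missing
    b"<189>47: *Mar  1 00:12:36.100: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        msg = parse_datagram(raw)
        print(msg, "-> network.log" if lands_in_network_log(msg) else "-> not matched")
```

A message that arrives with facility local7 (the IOS default) instead of local6 indicates that the 'logging facility local6' line is not in effect on the router.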
