LinuxQuestions.org
Old 09-02-2008, 04:32 AM   #1
Mohd Anis
LQ Newbie
 
Registered: Sep 2008
Posts: 2

Syslog-ng unable to log Cisco Logs


Hi,

I am using Fedora-8 (Syslog-ng) for collecting logs from my Cisco Router & Switches. Syslog-ng is unable to create files like cisco.log. Below is my syslog-ng.conf file. Please suggest what mistake I am making.


# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# 20000925 gb@sysfive.com
#
# Updated by Frank Crawford (<Frank.Crawford@ac3.com.au>) - 10 Aug 2002
# - for Red Hat 7.3
# - totally do away with klogd
# - add message "kernel:" as is done with klogd.
#
# Updated by Frank Crawford (<Frank.Crawford@ac3.com.au>) - 22 Aug 2002
# - use the log_prefix option as per Balazs Scheidler's email
#
# Updated by Jose Pedro Oliveira (<jpo at di.uminho.pt>) - 05 Apr 2003
# - corrected filters 'f_filter2' and 'f_filter6'
# these filters were only allowing messages of one specific
# priority level; they should be allowing messages from that
# priority and upper levels.
#
# Updated by Jose Pedro Oliveira (<jpo at di.uminho.pt>) - 25 Jan 2005
# - Don't sync the d_mail destination
#
# Updated by Jose Pedro Oliveira (<jpo at di.uminho.pt>) - 01 Feb 2005
# - /proc/kmsg is a file not a pipe.
# (https://lists.balabit.hu/pipermail/s...ry/006963.html)
#

options {
sync (1);
time_reopen (10);
log_fifo_size (1024);
long_hostnames (on);
use_dns (no);
use_fqdn (no);
create_dirs (yes);
keep_hostname (yes);
};

source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
# udp(ip(0.0.0.0) port(514));

};

source s_sys1 {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
udp(ip(0.0.0.0) port(514));
};


destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" sync(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_user { file("/var/log/other.log"); };
destination d_mlal { usertty("*"); };
destination d_cisco { file("/var/log/cisco.log"); };


#filter f_filter1 { facility(kern); };
filter f_filter2 { level(info..emerg) and
not facility(mail,authpriv,cron); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or
(facility(news) and level(crit..emerg)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };
filter f_filter9 { facility(user); };
filter f_filter10 { facility(local7); };


#log { source(s_sys); filter(f_filter1); destination(d_cons); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };
log { source(s_sys1); filter(f_filter9); destination(d_user); };
log { source(s_sys1); filter(f_filter10); destination(d_cisco); };
 
Old 09-02-2008, 09:18 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

What is "unable" here? Do you have actual errors stating a file could not be created, or is there simply a lack of a file? Is traffic from the devices hitting the box? Is it on local7?
 
Old 09-02-2008, 11:50 PM   #3
Mohd Anis
LQ Newbie
 
Registered: Sep 2008
Posts: 2

Original Poster
Question

As per my config file, I understand that syslog-ng should create a file named cisco.log at "var/log/cisco.log", but no file is being created. Please suggest, if I am wrong, where to see the logs which have been collected from Cisco Router & Switches.

Anis
 
Old 09-03-2008, 04:14 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

That's what the config file says, yes, but you might be having all sorts of issues, from end devices not being configured to SELinux conflicts. Use Wireshark to at least ensure that the UDP packets are hitting the server, and also check for any nasties in dmesg.
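
Added example, not part of the original thread: once a capture shows datagrams arriving on UDP 514, the `<PRI>` number at the start of each payload tells you whether the message is on local7, which is what `f_filter10` in the posted config requires before anything reaches `d_cisco`. The function names and sample payloads below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Decodes the <PRI> prefix of a syslog
# datagram: PRI = facility * 8 + severity (RFC 3164).
# Payloads can be read from a capture on the collector, e.g. as root:
#   tcpdump -n -i any -A udp port 514

decode_pri() {
    # $1: datagram payload as text. Prints "facility.severity" or "no-pri".
    case $1 in
        "<"[0-9]*">"*) ;;
        *) echo "no-pri"; return 1 ;;
    esac
    pri=${1#<}
    pri=${pri%%>*}
    case $pri in
        # Reject non-digits, leading zeros and more than three digits.
        *[!0-9]*|0?*|????*) echo "no-pri"; return 1 ;;
    esac
    [ "$pri" -le 191 ] || { echo "no-pri"; return 1; }
    fac=$((pri / 8))
    sev=$((pri % 8))
    set -- emerg alert crit err warning notice info debug
    shift "$sev"; sev_name=$1
    # Facility codes 0-23; 12-15 are named after their RFC 5424 descriptions.
    set -- kern user mail daemon auth syslog lpr news uucp cron authpriv ftp \
           ntp audit alert clock local0 local1 local2 local3 local4 local5 \
           local6 local7
    shift "$fac"; fac_name=$1
    echo "$fac_name.$sev_name"
}

route_for() {
    # Mirrors filter f_filter10 { facility(local7); } from the posted config:
    # only local7 traffic is eligible for d_cisco (/var/log/cisco.log).
    r=$(decode_pri "$1") || true
    case $r in
        local7.*) echo "d_cisco" ;;
        no-pri)   echo "unparsed" ;;
        *)        echo "not-local7" ;;
    esac
}

# Constructed sample payloads, not captured from real devices.
SAMPLE_LOCAL7='<189>45: *Mar  1 00:12:31.003: %SYS-5-CONFIG_I: Configured from console by console'
SAMPLE_LOCAL4='<165>46: *Mar  1 00:12:40.117: %LINK-5-CHANGED: Interface changed state'
route_for "$SAMPLE_LOCAL7"
route_for "$SAMPLE_LOCAL4"
```

If captured payloads decode to a facility other than local7, the devices are sending on a facility the `d_cisco` log path does not select; if nothing is captured at all, the problem is upstream of syslog-ng.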
 
  

