SYSLOG
Ubuntu
1. Open the file
sudo nano /etc/rsyslog.conf
2. Edit the file
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# provides UDP syslog reception
#$ModLoad imudp -> Remove the "#" so that the server starts listening on a specific UDP port
#$UDPServerRun 514 -> Remove the "#" - this specifies the UDP port number
# provides TCP syslog reception
#$ModLoad imtcp -> Remove the "#" so that the server listens on a specific TCP port
#$InputTCPServerRun 514 -> Remove the "#" - this specifies the TCP port number
3. Define rules for the logging facilities used by the clients and redirect their log entries to separate files
#############################
### RULES ###
#############################
#
#
local2.* /var/log/mcu
local3.* /var/log/voicegw
local4.* /var/log/firewall
NOTE: Above, local3 is the name of the logging facility, as configured on the clients (routers/switches). The asterisk (*) is a placeholder for "any priority" (see the rsyslog documentation on selectors for details). voicegw is the file the log entries are written to. There is no need to create the file, as the daemon will create it when the first log entry comes through.
4. Restart the service
sudo /etc/init.d/rsyslog restart
IOS
logging trap informational
logging origin-id str hq.home.local
logging facility local3
logging source-interface Loopback0
logging 192.168.2.250
Firewall
permit UDP/514 (syslog) from the routers, switches and the ASA to the syslog server (192.168.2.250)
ASA Logging
The Cisco ASA "logging facility" command takes a numeric facility code 16-23; rsyslog refers to the same facilities as local0-local7, i.e.
16 = Local0 on rsyslog
17 = Local1 on rsyslog
18 = Local2 on rsyslog
19 = Local3 on rsyslog
20 = Local4 on rsyslog
21 = Local5 on rsyslog
22 = Local6 on rsyslog
23 = Local7 on rsyslog
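The facility mapping above and the RULES section from step 3 can be checked without touching a live collector. The following Python script is an added example, not part of the original page or of rsyslog: it decodes the <PRI> header that IOS and ASA devices put in front of every syslog datagram (PRI = facility * 8 + severity), maps the numeric facility to the local0-local7 name rsyslog uses, and applies the page's three rules to decide which file a message lands in. The sample messages and the temporary directory standing in for /var/log are constructed for the demo.

```python
"""Added example: decode syslog PRI values and replay the page's rsyslog rules."""
import re
import tempfile
from pathlib import Path

# Facility numbers per RFC 3164. local0..local7 are 16..23, the codes the
# ASA "logging facility" command takes; rsyslog shows them by name.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    **{16 + i: f"local{i}" for i in range(8)},
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The RULES section from the page: facility -> destination file ("*" = any priority).
RULES = {
    "local2": "/var/log/mcu",
    "local3": "/var/log/voicegw",
    "local4": "/var/log/firewall",
}

# Constructed sample datagrams (not captured from real devices).
SAMPLE_MESSAGES = [
    # IOS router with "logging facility local3": PRI 157 = 19*8 + 5 (notice)
    "<157>42: hq.home.local: *Mar  1 00:00:05.123: %SYS-5-CONFIG_I: Configured from console by console",
    # ASA using its default facility 20 (local4), severity 4: PRI 164 = 20*8 + 4
    "<164>%ASA-4-106023: Deny udp src outside:203.0.113.7/4321 dst dmz:192.168.2.250/514",
    # local0 (16) informational: PRI 134; none of the page's rules match it
    "<134>some-host: message with no matching rule",
]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(message):
    """Return (facility_name, severity_name) from a syslog line's <PRI> header."""
    match = PRI_RE.match(message)
    if not match:
        raise ValueError("message has no <PRI> header")
    pri = int(match.group(1))
    if pri > 191:  # 23*8 + 7 is the highest legal value
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES.get(facility, f"facility{facility}"), SEVERITY_NAMES[severity]


def asa_facility_name(code):
    """Map an ASA numeric facility (16-23) to the name rsyslog uses (local0-local7)."""
    if not 16 <= code <= 23:
        raise ValueError("ASA facility codes are 16-23")
    return FACILITY_NAMES[code]


def route(message):
    """Return the destination file the page's rules select, or None if no rule matches."""
    facility, _severity = decode_pri(message)
    return RULES.get(facility)


def deliver(messages, log_dir):
    """Append each routed message to its file under log_dir (stand-in for /var/log).

    Returns {filename: [messages]} for the files written. Files are created on
    first write, as the page notes the daemon does.
    """
    log_dir = Path(log_dir)
    written = {}
    for msg in messages:
        dest = route(msg)
        if dest is None:
            continue  # no rule on the page for this facility
        target = log_dir / Path(dest).name
        with target.open("a", encoding="utf-8") as fh:
            fh.write(msg + "\n")
        written.setdefault(target.name, []).append(msg)
    return written


def demo():
    """Run the sample messages through the rules in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return deliver(SAMPLE_MESSAGES, tmp)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(decode_pri(msg), "->", route(msg))
    print(demo())
```

On the real collector the same check is `logger -p local3.notice "test"` run locally after the restart in step 4, which should append a line to /var/log/voicegw; `sudo rsyslogd -N1` validates the edited /etc/rsyslog.conf before restarting the service.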
logging enable
logging timestamp
logging buffer-size 1048576
logging console debugging
logging monitor errors
logging buffered debugging
logging trap notifications
logging asdm informational
logging device-id hostname
logging host DMZ 192.168.2.250