General

SYSLOG

Ubuntu

1. Open the file
sudo nano /etc/rsyslog.conf

2. Edit the file
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability

# provides UDP syslog reception
#$ModLoad imudp   -> Remove the “#” so that the server starts listening on a specific UDP port
#$UDPServerRun 514   -> Remove the “#”; this specifies the UDP port number

# provides TCP syslog reception
#$ModLoad imtcp   -> Remove the “#” so that the server listens on a specific TCP port
#$InputTCPServerRun 514  -> Remove the “#”; this specifies the TCP port number

3. Find the RULES section and redirect the log entries of each facility to a separate file

#############################
### RULES ###
#############################
#
#
local2.* /var/log/mcu
local3.* /var/log/voicegw
local4.* /var/log/firewall

NOTE: Above, local3 is the name of the logging facility, as configured on the clients (routers/switches). The asterisk (*) is a placeholder for “any priority”; you can find more information here. voicegw is the file the log entries are written to. There is no need to create the file, as the daemon will create it when the first log entry comes through.

4. Restart the service
sudo /etc/init.d/rsyslog restart

IOS

logging trap informational
logging origin-id str hq.home.local
logging facility local3
logging source-interface Loopback0
logging 192.168.2.250

Firewall

Permit syslog (UDP 514) from the network devices to the rsyslog server.

ASA Logging

The Cisco ASA numbers its local facilities 16-23, and rsyslog refers to the same facilities as local0-local7, i.e.
16 = Local0 on rsyslog
17 = Local1 on rsyslog
18 = Local2 on rsyslog
19 = Local3 on rsyslog
20 = Local4 on rsyslog
21 = Local5 on rsyslog
22 = Local6 on rsyslog
23 = Local7 on rsyslog

logging enable
logging timestamp
logging buffer-size 1048576
logging console debugging
logging monitor errors
logging buffered debugging
logging trap notifications
logging asdm informational
logging device-id hostname
logging host DMZ 192.168.2.250
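As an added example (not part of the original post), the Python script below decodes the <PRI> header of a syslog line, maps the numeric facility the ASA shows to rsyslog's localN name, and reports which of the RULES above would pick a given message up. It assumes the ASA is left at its default facility 20 (local4), and the three sample lines are constructed, not captured traffic.

```python
import re

# Syslog facility numbers (RFC 3164). 16-23 are local0-local7, the
# numbers the ASA shows; rsyslog refers to them by the localN names.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The RULES section of the rsyslog.conf above: facility -> destination file.
RULES = {"local2": "/var/log/mcu", "local3": "/var/log/voicegw",
         "local4": "/var/log/firewall"}

PRI_RE = re.compile(r"^<(\d{1,3})>")

def asa_facility(number):
    """Map the numeric facility the ASA shows (16-23) to the rsyslog name (local0-local7)."""
    if not 16 <= number <= 23:
        raise ValueError("ASA local facilities are numbered 16-23")
    return "local%d" % (number - 16)

def decode_pri(message):
    """Return (facility, severity) names from the <PRI> header of one syslog line."""
    m = PRI_RE.match(message)
    if m is None:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid value
        raise ValueError("PRI out of range")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def route(message):
    """File the rules above would write this line to, or None if no rule matches."""
    facility, _ = decode_pri(message)
    return RULES.get(facility)

# Constructed sample lines. The IOS router above sends facility local3 (19);
# the ASA is assumed to be at its default facility 20 (local4).
IOS_LINE = "<157>hq.home.local: %SYS-5-CONFIG_I: Configured from console by admin"
ASA_LINE = "<164>asa-dmz : %ASA-4-106023: Deny tcp src outside:203.0.113.9/4711 dst inside:192.168.2.10/23"
NOISE_LINE = "<134>somehost sshd[123]: Accepted publickey for ops"

if __name__ == "__main__":
    for line in (IOS_LINE, ASA_LINE, NOISE_LINE):
        print(decode_pri(line), "->", route(line))
```

A line whose facility has no matching rule (the local0 sample) is routed to None, which is exactly the case to check for when a device's logs never appear in the expected file.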

Simon Birtles

I have been in the IT sector for over 20 years with a primary focus on solutions around networking architecture & design in Data Center and WAN. I have held two CCIEs (#20221) for over 12 years with many retired certifications with Cisco and Microsoft. I have worked in demanding and critical sectors such as finance, insurance, health care and government providing solutions for architecture, design and problem analysis. I have been coding for as long as I can remember in C/C++ and Python (for most things nowadays). Locations that I work without additional paperwork (incl. post Brexit) are the UK and the EU including Germany, Netherlands, Spain and Belgium.