Because I always forget how to do this ...
To configure syslog on a CentOS Linux box to receive logs from my network gear; examples below for Cisco ASA/PIX, Foundry SI, Cisco Catalyst 3500XL, Netscreen-50 firewall, and Dell switches. This also works for Fedora and Red Hat, in case you were curious, since they ship the same syslogd and /etc/sysconfig layout.
If you want names to display instead of IP addresses in the log file, add names to /etc/hosts.
On the Linux host, add this line to /etc/syslog.conf:
I've set all the network gear to log to local3 - you can choose different local values (local0 through local7) for each if you want to log to different files. Separate the selector from the path with a tab; some syslogd versions won't accept spaces there.
local3.*	/var/log/netlog
To keep the logging from the network gear *out* of the /var/log/messages file, I added this "local3.none" to this line in /etc/syslog.conf, as below:
*.info;mail.none;authpriv.none;cron.none;local3.none /var/log/messages
And have syslogd listen for remote messages by changing the options line in /etc/sysconfig/syslog -OR- directly in /etc/init.d/syslog - check the /etc/init.d/syslog file to see whether it reads the /etc/sysconfig file (on CentOS it does).
Add the "-r" option to listen for remote messages ("-m 0" just turns off the periodic "-- MARK --" lines):
SYSLOGD_OPTIONS="-m 0 -r"
Two caveats: "-r" makes syslogd bind UDP 514 on every interface, and syslog over UDP has no authentication, so anyone who can reach port 514 can inject lines into /var/log/netlog - use iptables to accept UDP 514 only from the network gear's addresses. This is the classic sysklogd setup; releases that ship rsyslog instead do the equivalent in /etc/rsyslog.conf with "$ModLoad imudp" and "$UDPServerRun 514".
then
service syslog restart
a couple quick checks:
netstat -anu | grep :514
(or "netstat -a | grep syslog", since /etc/services maps 514/udp to the name syslog) - you should see a UDP socket on 0.0.0.0:514.
check that the file /var/log/netlog was created - syslogd opens every file named in syslog.conf when it starts, so it should exist right after the restart even before any device has logged anything.
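As an added check script (not part of the original post), here is a small bash script that validates the two syslog.conf lines above, works out the PRI value a device will put on the wire (facility * 8 + severity, so local3 at "notifications" is 19 * 8 + 5 = 157), and, when run with --live, fires a test datagram at the collector through bash's /dev/udp and confirms it lands in /var/log/netlog and not in /var/log/messages. The collector address 127.0.0.1, the file name /var/log/netlog and the tag "syslogtest-PID" are my assumptions.

```shell
#!/bin/bash
# Added example: sanity checks for the syslogd setup above.
# Assumptions (not from the original post): collector on 127.0.0.1 unless
# given, local3 lands in /var/log/netlog, bash has /dev/udp support.

# Facility name -> numeric code (RFC 3164; local0..local7 are 16..23).
facility_code() {
    case "$1" in
        kern) echo 0 ;;  user) echo 1 ;;   mail) echo 2 ;;     daemon) echo 3 ;;
        auth) echo 4 ;;  syslog) echo 5 ;; lpr) echo 6 ;;      news) echo 7 ;;
        uucp) echo 8 ;;  cron) echo 9 ;;   authpriv) echo 10 ;; ftp) echo 11 ;;
        local[0-7]) echo $(( 16 + ${1#local} )) ;;
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
}

# Severity name -> numeric code; IOS/ASA spell notice as "notifications".
severity_code() {
    case "$1" in
        emerg|panic) echo 0 ;;  alert) echo 1 ;;  crit) echo 2 ;;  err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice|notifications) echo 5 ;;
        info|informational) echo 6 ;; debug) echo 7 ;;
        *) echo "unknown severity: $1" >&2; return 1 ;;
    esac
}

# PRI = facility * 8 + severity; it is the <N> at the front of every datagram.
syslog_pri() {
    local f s
    f=$(facility_code "$1") || return 1
    s=$(severity_code "$2") || return 1
    echo $(( f * 8 + s ))
}

# Verify a syslog.conf routes local3 to /var/log/netlog and keeps it out of
# /var/log/messages (the local3.none part). Prints what is wrong, returns 1.
check_syslog_conf() {
    local conf="$1" ok=0
    grep -Eq '^[[:space:]]*local3\.\*[[:space:]]+/var/log/netlog' "$conf" \
        || { echo "missing: local3.* -> /var/log/netlog"; ok=1; }
    grep -E '^[^#]*/var/log/messages' "$conf" | grep -q 'local3\.none' \
        || { echo "missing: local3.none on the /var/log/messages line"; ok=1; }
    return $ok
}

# Send one local3.notice datagram to the collector and look for it in the
# right file. A miss usually means -r is not set or iptables drops udp/514.
send_test_message() {
    local host="$1" pri tag
    pri=$(syslog_pri local3 notifications) || return 1
    tag="syslogtest-$$"   # assumed tag, easy to grep for afterwards
    # RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG: MSG
    printf '<%s>%s %s %s: remote syslog check\n' \
        "$pri" "$(date '+%b %e %H:%M:%S')" "$(hostname -s)" "$tag" \
        > "/dev/udp/$host/514" || { echo "could not send to $host:514"; return 1; }
    sleep 1
    grep -q "$tag" /var/log/netlog \
        || { echo "not in /var/log/netlog (check -r and iptables udp/514)"; return 1; }
    if grep -q "$tag" /var/log/messages; then
        echo "also in /var/log/messages: local3.none is missing"; return 1
    fi
    echo "ok: $tag reached /var/log/netlog as local3.notice (PRI $pri)"
}

# Live mode only when asked for, so the functions above can be sourced safely.
if [ "${1:-}" = "--live" ]; then
    check_syslog_conf /etc/syslog.conf
    netstat -anu | grep -q ':514 ' || echo "syslogd is not listening on udp/514 (is -r set?)"
    send_test_message "${2:-127.0.0.1}"
fi
```

Run it as "bash syslogcheck.sh --live 10.1.1.10" on the collector itself; the PRI helper is also handy when reading raw captures from the gear, since "<157>" decodes straight back to local3.notice.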
and now configure the network devices:
on the ASA/PIX the facility is given as a number: 16 through 23 are local0 through local7, so facility 19 = local3
logging enable
logging timestamp
logging trap notifications
logging facility 19
logging host inside 10.1.1.10
On a Catalyst 3500 switch:
service timestamps log datetime localtime   ! puts a timestamp on each message in the syslog file
logging trap notifications
logging facility local3
logging 10.1.1.10
remember to set the clock to the right time, or use ntp
clock set ...
For a Foundry SI:
logging 10.1.1.10
logging facility local3
For a Netscreen 50:
set syslog config "10.1.1.10"
set syslog config "10.1.1.10" facilities local3 local3
set syslog src-interface ethernet1
set syslog enable
For Dell switches (PowerConnect line):
logging 10.1.1.10 facility local3
And don't forget if you want the new netlog rotated - add /var/log/netlog to the list of files at the top of /etc/logrotate.d/syslog (the paths before the opening brace), so it is rotated with the same settings as /var/log/messages:
/var/log/netlog
Tip of the keyboard to:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch05_:_Troubleshooting_Linux_with_syslog#Configuring_the_Linux_Syslog_Server
3 comments:
Thank you very much !
Don't forget to open up UDP/514 in IPTables. Otherwise you might spend half an hour chasing your tail, trying to figure out why these excellent directions don't seem to work.
Not that I'd ever do that, of course. :)
Note to self:
If you want syslog to work over a site-to-site IPSec tunnel,
set the syslog host to use interface Inside, not Outside.