Configuring rsyslog to get syslog from network devices

From Notes_Wiki
Revision as of 05:43, 15 February 2015 by Saurabh (talk | contribs) (Created page with "<yambe:breadcrumb>Rsyslog_configuration|Rsyslog configuration</yambe:breadcrumb> =Configuring rsyslog to get syslog from network devices= ==Cisco switch== Standard rsyslog c...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

<yambe:breadcrumb>Rsyslog_configuration|Rsyslog configuration</yambe:breadcrumb>

Configuring rsyslog to get syslog from network devices

Cisco switch

Standard rsyslog configuration as explained at Installing rsyslog from yum repository does not works well with Cisco switches as it causes creation of one new file for each syslog message. Hence for Cisco switch the configuration has to be changed to: 

$template TmplAuth, “/var/log/netlog/%HOSTNAME%/combined.log"

*.*   ?TmplAuth

so that logs are not separated by program-name but are sent to one single file named combined.log.


Cisco switch configuration

To configure Cisco switch to send logs to rsyslog server use: 

(config)# logging trap notifications
(config)# logging facility local6
(config)# logging 10.4.20.212

where 10.4.20.212 is IP address of rsyslog server.


HP switch

In case of HP and Linksys switches the logs get created by INFO, DEBUG etc. categories or by date-time. All this is caused by differences in expectation of syslog message structure by rsyslog, in comparison to what switches send. To configure logging in such cases use: 

if $fromhost-ip startswith '10.4.4.54' then /var/log/netlog/10.4.4.54.log
& ~

$template TmplAuth, “/var/log/netlog/%HOSTNAME%/combined.log"
*.*   ?TmplAuth

Here the first if line causes all logs from IP address 10.4.4.54 to go to file with same name. Then the logs which have been sent to file are ignored using "& ~". Then for remaining logs the normal configuration which works for Cisco is left. Thus for every HP switch two lines similar to: 

if $fromhost-ip startswith '10.4.4.54' then /var/log/netlog/10.4.4.54.log
& ~

need to be added before generic lines which work for Cisco.

HP switch rsyslog configuration

To configure HP switch to send syslog messages to rsyslog server use: 

ssh admin@IP
  system-view
  info-center loghost 10.4.20.212 channel loghost facility local5
  save
    Y
    Confirm Overwrite by pressing enter ( flash:/startup.cfg )
  quit
quit


Linksys switch

To configure rsyslog server for capturing logs the configuration is same as that for HP switches. That is, for each linksys switch following two lines with appropriate IP replacement are required: 

if $fromhost-ip startswith '10.4.4.54' then /var/log/netlog/10.4.4.54.log
& ~


Linksys switch configuration

To configure Linksys switch to send syslog messages to rsyslog server, login using Web interface as admin user and use following steps:

  1. Go to Admin -> Server logs
  2. Create a new syslog server with following details:
    Name
    10.4.20.212
    IP address
    10.4.20.212
    Port
    514
    Facility
    Local 0
  3. Then go to Admin -> Logging and select Error, Warning and Info (Avoid selecting debug)


<yambe:breadcrumb>Rsyslog_configuration|Rsyslog configuration</yambe:breadcrumb>

Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=Configuring_rsyslog_to_get_syslog_from_network_devices&oldid=1924"