Cisco 837 & Syslog. Where's the messages.

Discussion in 'Cisco' started by Marc, May 14, 2007.

  1. Marc

    Marc Guest

    I've got a Cisco 837 acting as my firewall too and Kiwi Syslog on my PC
    (192.168.1.7). I've got logging on and, I think, everything set up correctly.
    Yet the only messages I receive from the router to syslog are when I wr to
    the console or do a local test. This is driving me crazy. I can't figure
    out why I'm not getting any messages. The logging trap is set at debugging.
    Syslog is set to listen on port 514 for UDP and TCP on port 1468. My AV/Spy
    program is disabled. Here's my router config:

    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log datetime
    service password-encryption
    !
    hostname Cisco837
    !
    boot-start-marker
    boot-end-marker

    clock timezone CST -6
    no aaa new-model
    ip subnet-zero
    !
    ip dhcp excluded-address 192.168.1.1 192.168.1.49
    !
    ip dhcp pool CLIENT
    import all
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 66.90.138.145 66.228.128.69
    lease 0 8
    !
    !
    ip name-server 66.90.138.145
    ip name-server 66.228.128.69
    ip multicast-routing
    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw smtp timeout 3600
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw tftp timeout 30
    ip ips po max-events 100
    vpdn enable
    vpdn softshut
    !
    vpdn-group 1
    request-dialin
    protocol pppoe
    ip mtu adjust
    !
    no ftp-server write-enable
    !
    no crypto isakmp enable
    no crypto isakmp ccm
    !
    crypto ipsec nat-transparency spi-matching
    !
    interface Ethernet0
    description Connection to LAN
    ip address 192.168.1.1 255.255.255.0
    ip mtu 1452
    ip pim sparse-dense-mode
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    ip igmp helper-address udl Dialer1
    ipv6 mtu 1452
    no cdp enable
    hold-queue 100 out
    !
    interface ATM0
    mtu 1492
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    dsl operating-mode auto
    hold-queue 224 in
    pvc 0/35
    pppoe-client dial-pool-number 1
    !
    interface FastEthernet1
    duplex auto
    speed auto
    !
    interface FastEthernet2
    duplex auto
    speed auto
    !
    interface FastEthernet3
    duplex auto
    speed auto
    !
    interface FastEthernet4
    duplex auto
    speed auto
    !
    interface Virtual-Template1
    no ip address
    !
    interface Dialer1
    description DSL Dialer
    mtu 1492
    ip address negotiated
    ip pim sparse-dense-mode
    ip nat outside
    ip inspect myfw out
    ip virtual-reassembly
    encapsulation ppp
    ip tcp adjust-mss 1400
    ip igmp unidirectional-link
    dialer pool 1
    dialer remote-name redback
    dialer-group 1
    ppp ipcp dns request
    ppp ipcp wins request
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    ip http server
    ip http secure-server
    !
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static tcp 192.168.1.7 52975 interface Dialer1 52975
    ip nat inside source static udp 192.168.1.7 52965 interface Dialer1 52965
    ip nat inside source static tcp 192.168.1.7 52965 interface Dialer1 52965
    ip nat inside source static udp 192.168.1.7 52975 interface Dialer1 52975
    ip nat inside source static udp 192.168.1.7 52875 interface Dialer1 52875
    ip nat inside source static tcp 192.168.1.7 52865 interface Dialer1 52865
    ip nat inside source static tcp 192.168.1.7 4711 interface Dialer1 4711
    ip nat inside source static udp 192.168.1.7 4672 interface Dialer1 4672
    ip nat inside source static tcp 192.168.1.7 4662 interface Dialer1 4662
    ip nat inside source static tcp 192.168.1.7 3389 interface Dialer1 3389
    !
    ip access-list log-update threshold 1
    logging trap debugging
    logging facility syslog
    logging source-interface Ethernet0
    logging 192.168.1.7

    access-list 102 remark permit internal network internet access
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    access-list 111 permit tcp any any eq 3389 log
    access-list 111 permit tcp any any eq 4662
    access-list 111 permit tcp any any eq 52865 log
    access-list 111 permit udp any any eq 52875 log
    access-list 111 permit tcp any any eq 52965 log
    access-list 111 permit udp any any eq 52965 log
    access-list 111 permit tcp any any eq 52975 log
    access-list 111 permit udp any any eq 52975 log
    access-list 111 permit udp any any eq netbios-ns
    access-list 111 permit udp any any eq netbios-dgm
    access-list 111 permit gre any any
    access-list 111 remark Block all Outside traffic In
    access-list 111 deny ip any any log
    dialer-list 1 protocol ip permit

    snmp-server community marcwrite RW
    snmp-server community public RO
    snmp-server community marcread RO
    snmp-server contact xxx
    snmp-server enable traps tty
    snmp-server host 192.168.1.7 marcwrite
    !
    !
    control-plane
    !
    banner motd ^C*********************!!!IMPORTANT
    NOTICE!!!***********************
    *
    * This is a restricted system. All connections are logged. *
    * If you are not authorized to connect to this system, log *
    * off now.
    * *
    * Violators will be prosecuted to the full extent of the law. *
    *******************************************************************
    * *
    **********************!!!AVIS IMPORTANT!!!*************************
    * L'acces au present systeme est limite et tous ses acces sont *
    * actuellement utilises. Si vous n'etes pas autorise a vous y *
    * raccorder, veuillez quitter ce systeme immediatement. *
    * *
    * Tout contrevenant sera poursuivi en vertu des mesures prevues *
    * par la loi. *
    *******************************************************************^C
    !
    line con 0
    exec-timeout 120 0
    password 7 051C091D704A4B0D
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    exec-timeout 120 0
    password 7 1059060B5411170F
    login local
    length 0
    !
    scheduler max-task-time 5000
    end
     
    Marc, May 14, 2007
    #1

  2. Marc

    Marc Guest

    Anyone have an idea why I'm not getting messages to syslog?

     
    Marc, May 15, 2007
    #2

  3. "Marc" <> writes:
    >Anyone have an idea why I'm not getting messages to syslog?


    What messages? Cisco routers aren't exactly all that chatty for their
    logging unless you start turning debugging on. I have 7200s that go
    for months without a syslog entry because they don't generate any logs.

    >> logging trap debugging
    >> logging facility syslog
    >> logging source-interface Ethernet0
    >> logging 192.168.1.7


    'logging facility syslog' is probably wrong, it depends on your syslog
    daemon. This is the facility code it will log events at.

    My unix ones use one of the 'local' ones to route their logs to the
    appropriate logfile. You have to match the name after facility with
    the appropriate thing for the way you configure your syslog server.
     
    Doug McIntyre, May 15, 2007
    #3
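Added example (not part of the thread): the facility discussed in the reply above travels in the `<PRI>` number at the start of each syslog datagram, so a collector rule keyed on a different facility can drop router messages that arrive intact. The sketch decodes PRI and models such a rule; the datagrams, the addresses in them and the `collector_accepts` helper are constructed for illustration.

```python
import re

# Facility codes per RFC 3164 (list index = numeric code).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
# Severity names as IOS spells them (0 = most severe, 7 = debugging).
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]


def decode_pri(datagram: bytes):
    """Split the leading <PRI> of a syslog datagram into (facility, severity)."""
    m = re.match(rb"<(\d{1,3})>", datagram)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid <PRI> header")
    pri = int(m.group(1))          # PRI = facility * 8 + severity
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def collector_accepts(datagram: bytes, facilities, threshold: str) -> bool:
    """Hypothetical collector rule: facility must be listed and the message
    must be at least as severe as `threshold` (lower index = more severe)."""
    facility, severity = decode_pri(datagram)
    return (facility in facilities
            and SEVERITIES.index(severity) <= SEVERITIES.index(threshold))


# Constructed datagrams: one ACL-deny message sent under each facility setting.
BODY = (b"45: *Mar  1 00:05:12: %SEC-6-IPACCESSLOGP: list 111 denied tcp "
        b"203.0.113.5(4321) -> 192.0.2.10(23), 1 packet")
AS_SYSLOG = b"<46>" + BODY    # 'logging facility syslog': 5*8 + 6
AS_LOCAL7 = b"<190>" + BODY   # IOS default facility local7: 23*8 + 6

if __name__ == "__main__":
    for name, dgram in (("facility syslog", AS_SYSLOG), ("facility local7", AS_LOCAL7)):
        print(name, decode_pri(dgram),
              "accepted by a local7 rule:",
              collector_accepts(dgram, {"local7"}, "debugging"))
```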
  4. Thrill5

    Thrill5 Guest

    "logging buffered debugging"

    You are only logging traps, and the only traps you have enabled are tty.

    Also do a "no logging facility syslog". You don't need that either.

    Scott

     
    Thrill5, May 15, 2007
    #4
  5. Marc

    Marc Guest

    "Doug McIntyre" <> wrote in message
    news:4648f5cc$0$36733$...
    > "Marc" <> writes:
    >>Anyone have an idea why I'm not getting messages to syslog?

    >
    > What messages? cisco routers aren't exactly all that chatty for their
    > logging unless you start turning debugging on. I have 7200's that go
    > for months without a syslog entry because they don't generate any logs..
    >
    >>> logging trap debugging
    >>> logging facility syslog
    >>> logging source-interface Ethernet0
    >>> logging 192.168.1.7

    >
    > 'logging facility syslog' is probably wrong, it depends on your syslog
    > daemon. This is the facility code it will log events at.
    >
    > My unix ones use one of the 'local' ones to route their logs to the
    > appropriate logfile. You have to match the name after facility with
    > the appropriate thing for the way you configure your syslog server.
    >


    I took out the logging facility syslog and changed the applicable entries
    in Kiwi to Local7. Still no change in messages, but I see that the logging
    facility statement is indeed not needed.

    The messages I'm trying to see are all incoming denied traffic, which I
    thought would be generated from: access-list 111 deny ip any any log. Still
    nothing.

    Messages poured in when I put 'log' at the end of this: access-list 102
    permit ip 192.168.1.0 0.0.0.255 any. But no messages are generated from
    outside > in.

    I also added a trap for debugging. Still nothing.
     
    Marc, May 15, 2007
    #5
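Added example (not part of the thread): an access-list entry only logs packets that are actually evaluated against it. In the configuration posted in the first message, access-list 102 is referenced by the `ip nat inside source list 102` rule, while no line attaches access-list 111 to an interface. The audit below flags numbered ACLs that carry `log` entries but are never referenced; the function names are hypothetical and `CONFIG` is a trimmed excerpt of the posted configuration.

```python
import re
from collections import defaultdict

# Trimmed excerpt of the configuration posted in the thread.
CONFIG = """\
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Dialer1
ip address negotiated
ip nat outside
ip inspect myfw out
!
ip nat inside source list 102 interface Dialer1 overload
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit tcp any any eq 3389 log
access-list 111 permit tcp any any eq 4662
access-list 111 remark Block all Outside traffic In
access-list 111 deny ip any any log
dialer-list 1 protocol ip permit
"""

ACE = re.compile(r"^access-list (\d+) (permit|deny) (.*)$")
# Commands that put traffic through an ACL; group 1 is the ACL id.
REFERENCES = [
    ("access-group", re.compile(r"^ip access-group (\S+) (?:in|out)$")),
    ("nat", re.compile(r"^ip nat (?:inside|outside) source list (\S+) ")),
    ("access-class", re.compile(r"^access-class (\S+) (?:in|out)")),
    ("dialer-list", re.compile(r"^dialer-list \d+ protocol ip list (\S+)$")),
]


def audit_acls(config: str) -> dict:
    """Return {acl_id: {"entries", "log_entries", "used_by"}} for numbered ACLs."""
    report = defaultdict(lambda: {"entries": 0, "log_entries": 0, "used_by": []})
    context = "global"
    for raw in config.splitlines():
        line = raw.strip()
        # Sections are tracked by '!' separators, not indentation, so the
        # parser also works on pasted configs whose indentation was lost.
        if not line or line == "!":
            context = "global"
            continue
        if line.startswith(("interface ", "line ")):
            context = line
            continue
        ace = ACE.match(line)
        if ace:
            context = "global"
            acl = report[ace.group(1)]
            acl["entries"] += 1
            # 'log' / 'log-input' is the trailing keyword of a logging entry.
            if ace.group(3).split()[-1] in ("log", "log-input"):
                acl["log_entries"] += 1
            continue
        for kind, pattern in REFERENCES:
            ref = pattern.match(line)
            if ref:
                report[ref.group(1)]["used_by"].append((kind, context))
    return dict(report)


def unreferenced_logging_acls(config: str) -> list:
    """ACL ids whose 'log' entries can never fire because nothing uses the ACL."""
    return sorted(acl_id for acl_id, info in audit_acls(config).items()
                  if info["log_entries"] and not info["used_by"])


if __name__ == "__main__":
    for acl_id, info in sorted(audit_acls(CONFIG).items()):
        print(acl_id, info)
    print("log entries that never see traffic:", unreferenced_logging_acls(CONFIG))
```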