Re: cisco logging to syslogd?

Discussion in 'Cisco' started by Didier, Jan 13, 2004.

  1. Didier

    Didier Guest

    > And are you passing the switch to syslogd
    > which tells it to accept remote messages?
    >

    Some additional info, I've checked the file permission of cisco.log, it's ok
    rw-rw-rw so this can't be the problem.

    Syslogd is launched with:
    syslogd -a myrouter.ip.address

    Here is my router config:
    logging facility local0
    logging source-interface FastEthernet0
    logging myrouter.ip.address

    Here is freebsd's syslog.conf (see the last line)
    *.err;kern.debug;auth.notice;mail.crit /dev/console
    *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/message
    security.* /var/log/security
    auth.info;authpriv.info /var/log/auth.log
    mail.info /var/log/maillog
    lpr.info /var/log/lpd-errs
    ftp.info /var/log/xferlog
    cron.* /var/log/cron
    local0.informational /var/log/cisco.log


    Here is the output of show log:
    Syslog logging: enabled (0 messages dropped, 10235 messages rate-limited,
    365 flushes, 0 overruns)
    Console logging: disabled
    Monitor logging: level informational, 0 messages logged
    Buffer logging: disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 15143 message lines logged
    Logging to myfreebsd.box.ip, 15143 message lines logged

    I'm using this config on fastethernet0:
    interface FastEthernet0
    ip address myfreebsd.box.ip
    ip access-group 111 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect standard in
    speed auto
    ntp broadcast client
    no cdp enable

    Here is ip inspect standard:
    ip inspect udp idle-time 1800
    ip inspect dns-timeout 7
    ip inspect tcp idle-time 14400
    ip inspect name standard cuseeme
    ip inspect name standard ftp
    ip inspect name standard h323
    ip inspect name standard http
    ip inspect name standard rcmd
    ip inspect name standard realaudio
    ip inspect name standard smtp
    ip inspect name standard sqlnet
    ip inspect name standard streamworks
    ip inspect name standard tcp
    ip inspect name standard tftp
    ip inspect name standard udp
    ip inspect name standard vdolive

    And here is show access-list 111:
    Extended IP access list 111
    permit ip mynetwork any (85973 matches)
    deny ip any any log

    SORRY FOR THE LONG POST, but I really don't know what else to check!
     
    Didier, Jan 13, 2004
    #1

  2. Didier

    Didier Guest

    Hmm,
    I think that this must be a freebsd related configuration problem here is a
    tcpdump:
    route.ip.address = router ip address
    freebsd.ip.address = freebsd box
    tcpdump: listening on fxp0
    00:05:48.156942 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
    00:05:50.888792 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
    00:05:55.160610 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
    00:06:03.160184 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
    00:06:26.103070 route.ip.address.51088 > freebsd.ip.address.syslog: udp 118
    00:06:27.103010 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
    00:06:30.834818 route.ip.address.51088 > freebsd.ip.address.syslog: udp 81
    00:06:36.190521 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
    00:06:44.190152 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
    00:06:45.190057 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
    00:07:29.979662 route.ip.address.51088 > freebsd.ip.address.syslog: udp 80
    00:07:30.979669 route.ip.address.51088 > freebsd.ip.address.syslog: udp 119
    00:07:30.980093 route.ip.address.51088 > freebsd.ip.address.syslog: udp 117


    The syslog udp packets do arrive at the freebsd box.
    Hmm, what else do I have to check?!
    Many, many thanks!
     
    Didier, Jan 13, 2004
    #2

  3. Richard Antony Burton

    "Didier" <> wrote in message
    news:40046f3d$...

    > Syslogd is launched with:
    > syslogd -a myrouter.ip.address


    As stated by several people, you need to run with the -r parameter. I
    couldn't quite work out from the manual what the -a parameter does, but I
    don't think it does what you want it to.

    > logging myrouter.ip.address


    This should be the ip address of the machine running syslogd, not the ip
    address of the router.

    > *.err;kern.debug;auth.notice;mail.crit /dev/console
    > *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/message

    These lines will match any err and notice messages from your router.

    > local0.informational /var/log/cisco.log


    This line will only catch the info messages from your router, is that the
    class of message you are being sent by your router?

    Richard.
     
    Richard Antony Burton, Jan 13, 2004
    #3
  4. Richard Antony Burton

    "Didier" <> wrote in message
    news:40047b9d$...

    > The syslog udp packets do arrive at the freebsd box.


    Yes, but that doesn't mean there is anything listening for them. Remember
    the -r parameter?

    Richard.
     
    Richard Antony Burton, Jan 13, 2004
    #4
  5. Per Hedeland

    Per Hedeland Guest

    In article <r__Mb.4536313$> "Richard Antony
    Burton" <> writes:
    >
    >"Didier" <> wrote in message
    >news:40046f3d$...


    >> *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err
    >> /var/log/message
    >
    >These lines will match any err and notice messages from your router.


    Also warning, crit, alert, and emerg.

    >> local0.informational /var/log/cisco.log

    >
    >This line will only catch the info messages from your router, is that the
    >class of message you are being sent by your router?


    Actually it won't catch anything at all, since there is no priority
    called "informational" - the name is "info", just like in all the other
    entries. It seems syslogd only complains about in debug mode though:

    syslogd: unknown priority name "informational"

    - but then syslogd was never a very forgiving program... Btw, once it is
    changed to "info", it will "catch" anything with "info" *or higher*
    priority (i.e. info + all the above). Every match counts, earlier
    matches do not prevent later ones.

    --Per Hedeland
     
    Per Hedeland, Jan 14, 2004
    #5
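To make the priority rule above concrete, here is an added example (not code from the thread or from FreeBSD's syslogd) that models how a BSD syslog.conf selector decides where a message goes: a "facility.level" selector matches that level and everything more severe, every matching line fires, and an unknown level name such as "informational" makes the line useless. The conf excerpt is a constructed copy of the one posted earlier in the thread, with the broken line beside its "info" correction; LEVELS, SAMPLE_CONF and the function names are this example's own.

```python
"""Model of BSD syslog.conf selector matching.

Added illustration, not code from the thread or from FreeBSD's syslogd.
It follows the two rules explained in the reply above: a selector
"facility.level" selects that level *and* all more severe levels, and
every matching line fires (earlier matches do not suppress later ones).
"informational" is the Cisco IOS name for severity 6; syslog.conf only
knows "info", so that selector is treated as an unknown priority.
"""

# syslog severities, most to least severe (RFC 3164 numeric codes)
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed copy of the poster's syslog.conf as (selector, action) pairs
SAMPLE_CONF = [
    ("*.err;kern.debug;auth.notice;mail.crit", "/dev/console"),
    ("*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err",
     "/var/log/message"),
    ("local0.informational", "/var/log/cisco.log"),   # the broken line
    ("local0.info", "/var/log/cisco.log"),            # the corrected line
]


def parse_selector(selector):
    """Split 'fac.lvl;fac.lvl' into (facility, level) pairs.

    Raises ValueError for a level name syslog.conf does not know, which is
    what syslogd reports (only in debug mode) as 'unknown priority name'.
    """
    pairs = []
    for part in selector.split(";"):
        fac, _, lvl = part.partition(".")
        if lvl != "none" and lvl not in LEVELS:
            raise ValueError('unknown priority name "%s"' % lvl)
        pairs.append((fac, lvl))
    return pairs


def selector_matches(selector, facility, level):
    """True if a message with (facility, level) is selected by one line.

    Within one selector, a later entry for the same facility overrides an
    earlier one, so 'authpriv.none' after '*.notice' excludes authpriv.
    """
    chosen = None
    for fac, lvl in parse_selector(selector):
        if fac == "*" or fac == facility:
            chosen = lvl
    if chosen is None or chosen == "none":
        return False
    # numerically lower code = more severe, so "at least this severe"
    return LEVELS[level] <= LEVELS[chosen]


def destinations(conf, facility, level):
    """Every action that receives the message; unparsable lines are skipped."""
    out = []
    for selector, action in conf:
        try:
            if selector_matches(selector, facility, level):
                out.append(action)
        except ValueError:
            continue  # syslogd ignores the line; it only complains under -d
    return out


if __name__ == "__main__":
    for lvl in ("info", "warning", "err"):
        print("local0.%-8s -> %s" % (lvl, destinations(SAMPLE_CONF, "local0", lvl)))
```

Running it shows that a local0.info message reaches only the corrected cisco.log line, a local0.warning message reaches /var/log/message as well, and a local0.err message reaches the console too, which is the "every match counts" behaviour described in the reply.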
  6. Didier

    Didier Guest

    Re: cisco logging to syslogd? YES :))

    Found it!
    Thx a lot guys for the help!!
    For those who want to know:

    Here is the answer:
    snip from freebsd mailing list:
    You have to specify a 'service' of * on the syslogd commandline (with
    the -a option). By default syslogd only accepts packets coming from
    the syslog port on the remote host. Cisco uses a dynamically allocated
    port for sending the logging.
    end snip

    So your rc.conf has to look like (my router is 10.0.0.1/255.255.255.240)
    syslogd_flags="-a 10.0.0.1/28:*"
    That solved the problem
     
    Didier, Jan 14, 2004
    #6
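The fix above, and Masud's point in the next reply about ephemeral source ports, come down to one rule: which source address and source port FreeBSD's syslogd will accept a remote datagram from. The following added example (not code from the thread or from syslogd) models that rule for the "ipaddr[/masklen][:service]" form of -a, and runs it over constructed tcpdump-style lines modelled on the capture posted earlier; the addresses, CAPTURE and the function names are this example's own. As Tilman notes later in the thread, this is only a source-address filter, which a forged UDP source address passes.

```python
"""Model of FreeBSD syslogd's -a allowed-peer check for remote datagrams.

Added illustration, not syslogd's code. Per the FreeBSD list snippet
quoted above: a peer spec is "ipaddr[/masklen][:service]"; when the
service part is omitted the datagram must come *from* the syslog port
(514), and ":*" accepts any source port.
"""
import ipaddress

SYSLOG_PORT = 514


def parse_allowed_peer(spec):
    """Return (network, required_port_or_None) for one -a argument."""
    addr, _, service = spec.partition(":")
    if service == "*":
        port = None                 # any source port
    elif service in ("", "syslog"):
        port = SYSLOG_PORT          # default: must come from the syslog port
    elif service.isdigit():
        port = int(service)
    else:
        raise ValueError("unknown service %r" % service)
    if "/" not in addr:
        addr += "/32"               # a bare address means that host only
    return ipaddress.ip_network(addr, strict=False), port


def accepts(peer_specs, src_ip, src_port):
    """True if a datagram from (src_ip, src_port) passes any -a spec."""
    ip = ipaddress.ip_address(src_ip)
    for spec in peer_specs:
        net, port = parse_allowed_peer(spec)
        if ip in net and (port is None or port == src_port):
            return True
    return False


# Constructed tcpdump-style lines; the router (10.0.0.1) sends from an
# ephemeral source port, not from 514, just as in the thread's capture.
CAPTURE = [
    "00:05:48.156942 10.0.0.1.51088 > 10.0.0.5.syslog: udp 120",
    "00:06:26.103070 10.0.0.1.51088 > 10.0.0.5.syslog: udp 118",
    "00:06:30.834818 10.0.0.1.51088 > 10.0.0.5.syslog: udp 81",
]


def parse_capture_line(line):
    """Extract (src_ip, src_port) from a tcpdump UDP summary line."""
    src = line.split()[1]           # "10.0.0.1.51088"
    ip, _, port = src.rpartition(".")
    return ip, int(port)


def dropped_count(peer_specs, capture):
    """How many captured datagrams syslogd would silently discard."""
    return sum(1 for line in capture
               if not accepts(peer_specs, *parse_capture_line(line)))


if __name__ == "__main__":
    # the poster's original flag vs. the working one from rc.conf
    for flags in (["10.0.0.1"], ["10.0.0.1/28:*"]):
        print("-a %-16s drops %d of %d datagrams"
              % (" ".join(flags), dropped_count(flags, CAPTURE), len(CAPTURE)))
```

With the bare address every packet is dropped because the router's source port is 51088, not 514; with the ":*" service the whole /28 is accepted on any port, which is the change that made the thread's setup work.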
  7. Masud Reza

    Masud Reza Guest

    Re: cisco logging to syslogd? YES :))

    "Didier" <> wrote in message news:<40048807$>...
    > Found it!
    > Thx a lot guys for the help!!
    > For those who want to know:
    >
    > Here is the answer:
    > snip from freebsd mailing list:
    > You have to specify a 'service' of * on the syslogd commandline (with
    > the -a option). By default syslogd only accepts packets coming from
    > the syslog port on the remote host. Cisco uses a dynamically allocated
    > port for sending the logging.
    > end snip
    >
    > So your rc.conf has to look like (my router is 10.0.0.1/255.255.255.240)
    > syslogd_flags="-a 10.0.0.1/28:*"
    > That solved the problem


    This problem might be specific to the freebsd syslogd. The default
    syslog port is 514 and daemon running on this port uses udp transport.
    It does not make any sense on the freebsd syslog daemon part to accept
    data from port 514 only!

    Any machine sending a syslog message is bound to use a port other than
    514 (usually a 'normal' port > 1023).

    If you are using Windows, try the kiwisyslog from www.kiwisyslog.com.

    It supports syslog over tcp as well which is currently only supported
    by the PIX firewall.

    Masud
     
    Masud Reza, Jan 14, 2004
    #7
  8. Per Hedeland

    Per Hedeland Guest

    Re: cisco logging to syslogd? YES :))

    In article <>
    (Masud Reza) writes:
    >"Didier" <> wrote in message news:<40048807$>...
    >> Found it!
    >> Thx a lot guys for the help!!
    >> For those who want to know:
    >>
    >> Here is the answer:
    >> snip from freebsd mailing list:
    >> You have to specify a 'service' of * on the syslogd commandline (with
    >> the -a option). By default syslogd only accepts packets coming from
    >> the syslog port on the remote host. Cisco uses a dynamically allocated
    >> port for sending the logging.
    >> end snip
    >>
    >> So your rc.conf has to look like (my router is 10.0.0.1/255.255.255.240)
    >> syslogd_flags="-a 10.0.0.1/28:*"
    >> That solved the problem

    >
    >This problem might be specific to the freebsd syslogd.


    Probably (or at least *BSD).

    > The default
    >syslog port is 514 and daemon running on this port uses udp transport.
    >It does not make any sense on the freebsd syslog daemon part to accept
    >data from port 514 only!


    I guess it makes about as much sense as restricting the source address -
    makes it a little bit harder (but certainly not much) to flood the
    server.

    >Any machine sending a syslog message is bound to use a port other than
    >514 (usually a 'normal' port > 1023).


    Not really - on a machine that has a local syslog daemon (e.g. your
    typical *nix), programs syslog to the local daemon, which may be
    configured to forward messages to a central log server or somesuch.
    Such forwarded messages will have source port 514 on all syslogd
    implementations I've seen - the daemon sends these on the same socket
    that it uses to listen for incoming messages (assuming it does listen -
    otherwise it will typically have an open socket bound to that port
    anyway, at least if it's expected to forward any messages).

    Machines that don't have a syslog daemon can certainly send syslog
    messages with source port 514 too - and according to RFC 3164 they
    should.

    --Per Hedeland
     
    Per Hedeland, Jan 14, 2004
    #8
  9. Masud Reza

    Masud Reza Guest

    Re: cisco logging to syslogd? YES :))

    (Per Hedeland) wrote in message news:<bu4ib2$pc0$>...

    > Not really - on a machine that has a local syslog daemon (e.g. your
    > typical *nix), programs syslog to the local daemon, which may be
    > configured to forward messages to a central log server or somesuch.
    > Such forwarded messages will have source port 514 on all syslogd


    Yes, in this particular case it is possible for the messages to be
    reaching the 'master' syslog server FROM port 514 because they are
    being forwarded.

    > Machines that don't have a syslog daemon can certainly send syslog
    > messages with source port 514 too - and according to RFC 3164 they
    > should.


    This is correct.

    Also important is the fact that using udp spoofing, it is easy to send
    fake logs to a syslog server if the syslog server is accepting
    messages from all devices. Alternatives are using an IPSec tunnel
    between the device and the syslog server or using tcp as the syslog
    transport (which is of course less secure).

    Masud
     
    Masud Reza, Jan 15, 2004
    #9
  10. Per Hedeland

    Per Hedeland Guest

    Re: cisco logging to syslogd? YES :))

    In article <>
    (Masud Reza) writes:
    > (Per Hedeland) wrote in message
    >news:<bu4ib2$pc0$>...
    >
    >> Not really - on a machine that has a local syslog daemon (e.g. your
    >> typical *nix), programs syslog to the local daemon, which may be
    >> configured to forward messages to a central log server or somesuch.
    >> Such forwarded messages will have source port 514 on all syslogd

    >
    >Yes, in this particular case it is possible for the messages to be
    >reaching the 'master' syslog server FROM port 514 because they are
    >being forwarded.
    >
    >> Machines that don't have a syslog daemon can certainly send syslog
    >> messages with source port 514 too - and according to RFC 3164 they
    >> should.

    >
    >This is correct.


    So if both cases are correct, what do you mean by "in this particular
    case" for the first one?

    --Per Hedeland
     
    Per Hedeland, Jan 16, 2004
    #10
  11. Masud Reza

    Masud Reza Guest

    Re: cisco logging to syslogd? YES :))

    (Per Hedeland) wrote in message news:<bu84m5$r9o$>...
    > >Yes, in this particular case it is possible for the messages to be
    > >reaching the 'master' syslog server FROM port 514 because they are
    > >being forwarded.
    > >

    > So if both cases are correct, what do you mean by "in this particular
    > case" for the first one?


    I was referring to the particular scenario in which a syslog server is
    configured to receive syslog messages from a lot of devices and
    forwarding these messages to another 'master' or central syslog
    server.

    Masud
     
    Masud Reza, Jan 16, 2004
    #11
  12. Tilman Schmidt

    Re: cisco logging to syslogd? YES :))

    Masud Reza wrote:
    > Also important is the fact that using udp spoofing, it is easy to send
    > fake logs to a syslog server if the syslog server is accepting
    > messages from all devices.

    ~~~~~~~~~~~~~~~~
    Make that: "from any device other than himself." UDP source address can
    be set by the sender to any value it likes.

    --
    Tilman Schmidt
    Phoenix Software GmbH Tel. +49 228 97199 0
    Adolf-Hombitzer-Str. 12 Fax +49 228 97199 99
    53227 Bonn, Germany http://www.phoenixsoftware.de
     
    Tilman Schmidt, Jan 16, 2004
    #12
  13. Per Hedeland

    Per Hedeland Guest

    Re: cisco logging to syslogd? YES :))

    In article <> (Masud Reza) writes:
    > (Per Hedeland) wrote in message
    >news:<bu84m5$r9o$>...
    >> >Yes, in this particular case it is possible for the messages to be
    >> >reaching the 'master' syslog server FROM port 514 because they are
    >> >being forwarded.
    >> >

    >> So if both cases are correct, what do you mean by "in this particular
    >> case" for the first one?

    >
    >I was referring to the particular scenario in which a syslog server is
    >configured to receive syslog messages from a lot of devices and
    >forwarding these messages to another 'master' or central syslog
    >server.


    That was obvious, but saying "in this particular case it is possible for
    the messages to be reaching the 'master' syslog server FROM port 514"
    implies that in the general case / other cases it is *not* possible. So,
    since you already agreed that programs sending "directly" to a remote
    syslog server could also use 514 as source port, which cases are left?

    --Per Hedeland
     
    Per Hedeland, Jan 16, 2004
    #13