syslog question

Discussion in 'Cisco' started by Matt, Apr 27, 2004.

  1. Matt

    Matt Guest

    Hi,
    I'm currently working on setting up my routers and firewalls to log to a
    syslog server.

    logging facility local5
    logging source-interface FastEthernet0/0
    logging x.x.x.x

    I'm not entirely sure I understand the local0-7.

    I can get this one (local5) to log by putting local5.* into the syslog
    config... but that only allows for 8 routers... how do I do more defined
    logging for more routers?
     
    Matt, Apr 27, 2004
    #1

  2. In article <>,
    Matt <> wrote:
    :I'm currently working on setting up my routers and firewalls to log to a
    :syslog server.

    :logging facility local5
    :logging source-interface FastEthernet0/0
    :logging x.x.x.x

    :I'm not entirely sure I understand the local0-7.

    :I can get this one (local5) to log by putting local5.* into the syslog
    :config... but that only allows for 8 routers... how do I do more defined
    :logging for more routers?

    You can set any number of routers to the same 'facility'. If you were
    to take no other action than that, then the outputs from the various
    routers would all go to the same file on your syslog server.
    If you need the outputs to go to individual files, then you would
    configure your syslog to examine the -source- address in order to
    determine which file to log to. Some syslog utilities are designed
    to make that very simple; for others, what you have to do is
    send the output to a 'filter' that does the work for you.

    I would suggest that you do not try to differentiate routers by the
    facility for more than 2 or 3 devices, as you will likely find that
    various services on your syslog machine use some of the local*
    facilities. For example, our Storage Area Network happens to log
    with facility 23, which is what I had been using for the firewall logs,
    so I recently had to change the facility the firewall logs to.

    --
    Everyone has a "Good Cause" for which they are prepared to spam.
    -- Roberson's Law of the Internet
     
    Walter Roberson, Apr 27, 2004
    #2

  3. -cnrc.gc.ca (Walter Roberson) wrote in message news:<c6lsmv$9hf$>...
    > In article <>,
    > Matt <> wrote:
    > :I'm currently working on setting up my routers and firewalls to log to a
    > :syslog server.
    >
    > :logging facility local5
    > :logging source-interface FastEthernet0/0
    > :logging x.x.x.x
    >
    > :I'm not entirely sure I understand the local0-7.
    >
    > :I can get this one (local5) to log by putting local5.* into the syslog
    > :config... but that only allows for 8 routers... how do I do more defined
    > :logging for more routers?
    >
    > You can set any number of routers to the same 'facility'. If you were
    > to take no other action than that, then the outputs from the various
    > routers would all go to the same file on your syslog server.
    > If you need the outputs to go to individual files, then you would
    > configure your syslog to examine the -source- address in order to
    > determine which file to log to. Some syslog utilities are designed
    > to make that very simple; for others, what you have to do is
    > send the output to a 'filter' that does the work for you.
    >
    > I would suggest that you do not try to differentiate routers by the
    > facility for more than 2 or 3 devices, as you will likely find that
    > various services on your syslog machine use some of the local*
    > facilities. For example, our Storage Area Network happens to log
    > with facility 23, which is what I had been using for the firewall logs,
    > so I recently had to change the facility the firewall logs to.


    Further to Walter's reply, think of local0-7 as "folder labels" that
    point to files to store syslog messages in. The facility numbers 16-23
    map to local0-7 on the syslog server (facility 16 goes to the local0
    file, 17 to 1 etc.)

    Keeping devices in groups is probably the best way to approach it, so
    all your Storage Area Network devices send their syslog messages to
    one local-n file, firewall syslog messages go to another local-n file
    etc., just as Walter suggests.

    You can also decide the level of severity (above) which you want to
    log messages. So you could store only warnings and above in one
    local-n file, but informational and above in another local-n file. I
    tend to use debug on all files to get the maximum information, but
    this does of course require more disc space.

    Pete
     
    Pete Mainwaring, Apr 28, 2004
    #3
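
Added example, not part of the thread or any poster's code: a sketch of the 'filter' approach from reply #2 combined with the facility and severity handling from reply #3. It decodes the `<PRI>` header (facility * 8 + severity), keeps one shared facility, and picks the log file from the sender's address. `LOG_DIR`, the function names, the 192.0.2.x addresses and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re

LOG_DIR = "/var/log/network"   # assumed location for per-device files
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram: bytes):
    """Split the leading <PRI> value into (facility code, facility name, severity)."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:      # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("missing or invalid <PRI> header")
    facility, severity = divmod(int(m.group(1)), 8)
    # Facility codes 16-23 are the ones the syslog config calls local0-local7.
    name = f"local{facility - 16}" if 16 <= facility <= 23 else f"facility{facility}"
    return facility, name, SEVERITIES[severity]

def route(datagram: bytes, source_ip: str, facility="local5", min_severity="debug"):
    """Return the per-device log path for one message, or None if it is filtered out."""
    _, name, severity = decode_pri(datagram)
    if name != facility:
        return None
    # Lower index means more severe, so "warning and above" keeps indexes 0-4.
    if SEVERITIES.index(severity) > SEVERITIES.index(min_severity):
        return None
    # Key the file on the sender address (pinned on the router by
    # "logging source-interface"); parse it so it is safe to use in a path.
    addr = ipaddress.ip_address(source_ip)
    return f"{LOG_DIR}/{addr}.log"

# Constructed sample datagrams: two routers sharing local5, one unrelated sender.
SAMPLES = [
    ("192.0.2.1", b"<173>45: %LINK-5-CHANGED: Interface FastEthernet0/1, "
                  b"changed state to administratively down"),
    ("192.0.2.2", b"<171>46: %LINK-3-UPDOWN: Interface FastEthernet0/1, "
                  b"changed state to down"),
    ("192.0.2.9", b"<86>sshd[411]: session opened"),
]

if __name__ == "__main__":
    for ip, msg in SAMPLES:
        print(ip, decode_pri(msg)[1:], "->", route(msg, ip, min_severity="warning"))
```

UDP syslog carries no authentication, so the source address identifies a device only as far as the network path prevents spoofing.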