cisco logging to syslogd?

Discussion in 'Cisco' started by Didier, Jan 13, 2004.

  1. Didier

    Didier Guest

    Hi,
    I've these entries on my router:
    logging facility local0
    logging source-interface FastEthernet0
    logging x.y.z.y

    In my freebsd box /etc/syslogd.conf file:
    local0.* /var/log/cisco.log

    When running tcpdump, I can see that a syslog message arrives at my freebsd
    box:
    14:37:50.785983 myrouter.57372 > x.y.z.y.syslog: udp 77

    The file /var/log/cisco.log has no entries, why, what did I misconfigure?

    thx a lot?
     
    Didier, Jan 13, 2004
    #1

  2. Didier

    Didier Guest

    Of course :))
     
    Didier, Jan 13, 2004
    #2

  3. And are you passing the switch to syslogd
    which tells it to accept remote messages?
     
    Bob { Goddard }, Jan 13, 2004
    #3
  4. show logg is your friend...

    How many logs does it say it has sent?

    Or try :
    logg on
    logg trap deb
    HTH
    Martin Bilgrav
     
    Martin Bilgrav, Jan 13, 2004
    #4
  5. Typical syslog failure causes (from most to least likely :)
    1 - not restarting syslogd after making changes
    2 - syslogd not configured to log remote systems
    3 - log file specified does not exist
    4 - log file exists but syslogd lacks permission to append to it
    5 - software defects

    Good luck and good hunting!
     
    Vincent C Jones, Jan 13, 2004
    #5
  6. Didier

    Us Guest

    Of course you did restart the syslogd?
     
    Us, Jan 13, 2004
    #6
  7. Make sure you don't have something higher up in your config that may be
    swallowing your messages.

    I had:
    *.info;mail.none;authpriv.none;cron.none /var/log/messages

    in mine that was swallowing all the info messages. I had to change it to:
    *.info;mail.none;authpriv.none;cron.none;local5.none /var/log/messages

    to not swallow the local5 ones too.

    Richard.
     
    Richard Antony Burton, Jan 13, 2004
    #7
  8. Didier

    Didier Guest

    And are you passing the switch to syslogd
    What do you mean by "passing the switch to syslogd"?
     
    Didier, Jan 13, 2004
    #8
  9. Didier

    vern Guest

    have you restarted syslogd with remote host logging enabled? I think you
    do this by running syslogd -h? If in doubt man syslogd


    vern
     
    vern, Jan 13, 2004
    #9
  10. Didier

    vern Guest

    sorry that should be syslogd -r
     
    vern, Jan 13, 2004
    #10
  11. On linux you need to edit /etc/sysconfig/syslog and add -r to
    SYSLOGD_OPTIONS, else it will only accept local log messages.

    Richard.
     
    Richard Antony Burton, Jan 13, 2004
    #11
  12. Didier

    Boris Guest

    And are you passing the switch to syslogd
    Syslogd is launched with:
    syslogd -a myrouter.ip.address

    Here is my router config:
    logging facility local0
    logging source-interface FastEthernet0
    logging myrouter.ip.address

    Here is freebsd's syslog.conf (see the last line)
    *.err;kern.debug;auth.notice;mail.crit /dev/console
    *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/message
    security.* /var/log/security
    auth.info;authpriv.info /var/log/auth.log
    mail.info /var/log/maillog
    lpr.info /var/log/lpd-errs
    ftp.info /var/log/xferlog
    cron.* /var/log/cron
    local0.informational /var/log/cisco.log


    Here is the output of show log:
    Syslog logging: enabled (0 messages dropped, 10235 messages rate-limited,
    365 flushes, 0 overruns)
    Console logging: disabled
    Monitor logging: level informational, 0 messages logged
    Buffer logging: disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 15143 message lines logged
    Logging to myfreebsd.box.ip, 15143 message lines logged

    I'm using this config on fastethernet0:
    interface FastEthernet0
    ip address myfreebsd.box.ip
    ip access-group 111 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect standard in
    speed auto
    ntp broadcast client
    no cdp enable

    Here is ip inspect standard:
    ip inspect udp idle-time 1800
    ip inspect dns-timeout 7
    ip inspect tcp idle-time 14400
    ip inspect name standard cuseeme
    ip inspect name standard ftp
    ip inspect name standard h323
    ip inspect name standard http
    ip inspect name standard rcmd
    ip inspect name standard realaudio
    ip inspect name standard smtp
    ip inspect name standard sqlnet
    ip inspect name standard streamworks
    ip inspect name standard tcp
    ip inspect name standard tftp
    ip inspect name standard udp
    ip inspect name standard vdolive

    And here is show access-list 111:
    Extended IP access list 111
    permit ip mynetwork any (85973 matches)
    deny ip any any log

    SORRY FOR THE LONG POST, but I really don't know what else to check!
     
    Boris, Jan 13, 2004
    #12
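
Added example (editor's code, not from any poster in this thread): a small checker that reads syslog.conf selector lines, flags facility or priority keywords that the BSD `<sys/syslog.h>` name tables do not define, and lists which files a given facility.priority message would be written to. It assumes plain `facility.level` selectors only (no `=`, `!`, `<`, `>` comparison flags, no program or host blocks); the function names are hypothetical and the sample is constructed from lines quoted in the thread.

```python
# Keyword tables from BSD <sys/syslog.h>; value = numeric severity (0 = most severe).
PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
              "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}
FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "mark"} | {f"local{i}" for i in range(8)}

def parse_rules(conf_text):
    """Return (rules, problems); a rule is ([(facilities, level), ...], action)."""
    rules, problems = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            problems.append((lineno, "selector and action must share one line"))
            continue
        selectors, errors = [], []
        for sel in fields[0].split(";"):
            facs, _, level = sel.rpartition(".")
            errors += [f"unknown facility '{f}'" for f in facs.split(",")
                       if f != "*" and f not in FACILITIES]
            if level not in PRIORITIES and level not in ("*", "none"):
                errors.append(f"unknown priority '{level}'")
            selectors.append((facs.split(","), level))
        if errors:  # FreeBSD syslogd logs the error and skips the whole line
            problems += [(lineno, e) for e in errors]
        else:
            rules.append((selectors, fields[1]))
    return rules, problems

def destinations(rules, facility, priority):
    """Actions receiving the message; per line, the last selector naming the facility wins."""
    hits = []
    for selectors, action in rules:
        threshold = None
        for facs, level in selectors:
            if facility in facs or "*" in facs:
                threshold = {"none": None, "*": 7}.get(level, PRIORITIES.get(level))
        if threshold is not None and PRIORITIES[priority] <= threshold:
            hits.append(action)
    return hits

# Constructed sample: selector lines quoted in this thread, combined into one file.
SAMPLE = """\
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/message
local0.informational /var/log/cisco.log
local0.* /var/log/cisco.log
"""
RULES, PROBLEMS = parse_rules(SAMPLE)
```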
  13. Didier

    Martin Guest

    As stated in an earlier thread... To quote from one of my own /etc/rc.conf
    files:

    syslogd_flags="-a 10.0.0.1/32:*" # Allow Cisco to log stuff..

    See also "man syslogd" ;-)
     
    Martin, Jan 25, 2004
    #13
  14. Didier

    Guest

    Make sure your syslogd is running with the option to accept remote
    questions... by default, I think it only allows local.

    -Rob


     
    , Jan 25, 2004
    #14