our cisco router is at 10.0.0.1 and our freebsd box is at 10.0.0.20.

first cisco configuration:

!adds router’s local time to messages

service timestamps log datetime localtime

!this works on ios 12.4, other versions might use different syntax

logging trap debugging

!our syslog server

logging 10.0.0.20

logging on

now on the freebsd box. first enable syslog to accept messages from external sources, in /etc/rc.conf:

syslogd_flags="-a 10.0.0.1/32:*"

the “:*” at the end is quite important as it tells syslogd to accept all messages sent from 10.0.0.1 from any source port. Without it, syslogd only accepts messages sent from source port 514 (syslog).

next create your log file: touch /var/log/router.log and add something similar to the top of your /etc/syslog.conf:

#enter your router’s host name here:

+10.0.0.1

#in fact local7.* should be enough here, as it’s cisco’s default facility

*.*  /var/log/router.log

#this resets the previous +host definition

+*

now restart syslogd:

# /etc/rc.d/syslogd restart

if you can’t see anything in /var/log/router.log (and it’s not because your router has nothing to report), start your syslog in the debugging mode:

# /etc/rc.d/syslogd stop

# syslogd -d -v -a '10.0.0.1/32:*'
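
when router.log stays empty, the -a rule is the first thing to rule out, because it decides which datagrams syslogd accepts at all. The Python below is an added example, not part of the original post and not syslogd's own code: a simplified, IPv4-only model of the documented ipaddr/masklen[:service] matching, run over constructed sample traffic. The function names and the sample source ports are assumptions.

```python
import ipaddress

# Only the default service name is mapped here (assumption for this model);
# the real syslogd resolves service names through /etc/services.
SERVICES = {"syslog": 514}


def parse_allowed_peer(spec):
    """Parse 'ipaddr/masklen[:service]' into (network, port); port None = any source port."""
    addr, sep, service = spec.partition(":")
    if "/" not in addr:
        raise ValueError("this model requires an explicit masklen")
    network = ipaddress.ip_network(addr, strict=False)
    if not sep:
        service = "syslog"  # documented default when no service is given
    if service == "*":
        return network, None
    port = int(service) if service.isdigit() else SERVICES[service]
    return network, port


def is_accepted(rules, src_ip, src_port):
    """True if any -a rule admits a UDP datagram from src_ip:src_port."""
    src = ipaddress.ip_address(src_ip)
    for spec in rules:
        network, port = parse_allowed_peer(spec)
        if src in network and port in (None, src_port):
            return True
    return False


def explain(rules, datagrams):
    """Return one accept/drop verdict line per datagram."""
    return [
        f"{ip}:{port} -> {'accept' if is_accepted(rules, ip, port) else 'drop'}"
        for ip, port in datagrams
    ]


# Constructed sample traffic: the router from this page sending from the syslog
# port and from an arbitrary high port, plus a host that no rule covers.
SAMPLE = [("10.0.0.1", 514), ("10.0.0.1", 51234), ("10.0.0.99", 514)]

if __name__ == "__main__":
    for rule in ("10.0.0.1/32", "10.0.0.1/32:*"):
        print(f"-a {rule}")
        for line in explain([rule], SAMPLE):
            print("   ", line)
```

the rule without “:*” drops the router's datagram from the high source port, which is the silent failure described above.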

2 Responses to “logging cisco ios messages to external freebsd syslog”

  1. martin42 Says:

    Thanks for those notes.

    There’s an issue that can stop syslog messages appearing: reverse DNS lookups.

    Example 1: You specify “+10.0.0.1”. RDNS resolves to “cisco.example.org”. Messages from 10.0.0.1 are not logged.

    Example 2: You specify “+cisco.example.org”, which resolves to 10.0.0.1. But the RDNS for 10.0.0.1 is “gw.example.org”. Messages from 10.0.0.1 are not logged.

    I guess it’s hard for syslog to get it right. If it resolved all the hostnames in its config at boot time, they would get stale. If it resolved them all each time a message came in, that could get expensive.

    If you add the syslogd option: “-n : Disable dns query for every request.” then you can safely use IP addresses in /etc/syslog.conf regardless of any reverse DNS entries that might exist.

    Regards,

    - Martin

  2. admin Says:

    Thanks for your comment.

    I have to admit that I skipped that option when I was looking at syslog’s configuration and didn’t even think DNS can affect syslog’s decisions on whether to log a message or not.

    thanks again!
