Setting Up Syslog on a Linux Box for Your IOS Devices
A few articles ago, we discussed getting logging up and running on your IOS box. Part of the discussion was actually having the device log remotely to a box somewhere, but that’s kind of worthless without a properly (for definitions of proper) configured syslog server. A low-end Linux box with an appropriate amount of disk space is a really good candidate to do this for you. I’ll assume you’re running some Redhat-based distro.
I won’t go through the installation, but it should be easy. Just look for the syslog packages for your distro and you should wind up with a working copy on your box. On a Redhat distro, you’ll probably just do a yum install syslog to get it working.
The first thing you need to do is to configure the daemon to listen for remote machines, so open /etc/sysconfig/syslog in your favorite editor (read: vi) and change the SYSLOGD_OPTIONS line to read this.
SYSLOGD_OPTIONS="-m 0 -r"
By default, if you restarted the daemon now, you’d wind up sending all your syslog messages to /var/log/boot.log. That may be alright for you, but, if you have a lot of devices, you may want to log them to another file. To do that, you need to change the local7 line at the bottom of /etc/syslog.conf. Just add this and comment out the original line.
# Write router messages to /var/log/cisco.log
local7.* /var/log/cisco.log
<NOTE>
This is not the best way to handle messages from IOS devices, but it’ll get you started. You’ll want to look at changing the facility or further filtering the logging based on facility and severity. In several setups I’ve done, the devices all log to files based on function (routers to one file, firewalls to another, switches to another, etc.) and those files are rotated every X hours.
</NOTE>
That’s all the configuration you need, so let’s restart the service for everything to spring into action.
/etc/init.d/syslogd restart
In a perfect world, when your IOS devices are configured properly, you’ll have a nice log of IOS messages to keep for posterity.
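To see why the local7.* line catches your routers and how a severity filter would narrow it down, here is an added example (not code from this article or from syslogd itself) that decodes the <PRI> number at the front of each syslog datagram and evaluates syslog.conf-style selectors against it. It assumes the devices keep the IOS default facility of local7; the sample messages and the cisco-alerts.log file name are made up for illustration.

```python
import re

# Names as written in syslog.conf selectors; numbering follows RFC 3164.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"]
              + ["reserved%d" % n for n in range(12, 16)]
              + ["local%d" % n for n in range(8)])
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if it is malformed."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:   # 191 = local7.debug, the largest valid PRI
        return None
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]   # PRI = facility * 8 + severity

def selector_matches(selector, facility, severity):
    """Match one 'facility.priority' selector: '*' is a wildcard, and a named
    priority selects that severity and everything more severe."""
    sel_fac, sel_pri = selector.split(".", 1)
    if sel_fac not in ("*", facility):
        return False
    if sel_pri == "*":
        return True
    return SEVERITIES.index(severity) <= SEVERITIES.index(sel_pri)

def route(datagram, rules):
    """Return every file whose selector matches the datagram."""
    decoded = decode_pri(datagram)
    if decoded is None:
        return []
    return [path for selector, path in rules if selector_matches(selector, *decoded)]

# First rule is the line from this article; the second file name is hypothetical.
RULES = [("local7.*", "/var/log/cisco.log"),
         ("local7.warning", "/var/log/cisco-alerts.log")]

# Constructed sample datagrams, not captured from a real device.
SAMPLES = [
    "<189>46: *Mar  1 00:12:40.119: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<187>47: *Mar  1 00:13:02.551: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "<38>sshd[411]: session opened for user admin",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(decode_pri(line), route(line, RULES))
```

The third sample decodes to auth.info, so neither local7 rule picks it up; a datagram with a missing or out-of-range <PRI> is routed nowhere by this sketch.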
If you need more advanced options, you can go with syslog-ng on the server. It can allow you to do things like direct syslog messages from different sources into different log files or use regular expressions to determine where to write a message.
I should really write an article on that. 🙂
I am running a Linux Ubuntu server 7, there is no "/etc/sysconfig/syslog", all I see is /etc/syslog.conf
I don’t use Ubuntu for a syslog server, but I did find this article.
http://www.ubuntugeek.com/ubuntu-linux-apache2-virtual-hosts-syslog-server.html
It mentions changing /etc/init.d/ksyslogd instead of /etc/sysconfig/syslog. Give that a shot and see what happens.
I found it, it is in "/etc/init.d/sysklogd", it worked. Thanks
Awesome! Glad to be of service.
I 2nd using syslog-ng. A good primer on it is located at the link below, and allows much more customization such as a separate file for each device. Also, with syslog-ng, you can use things like SWATCH (which can e-mail you certain events based on regular expressions, such as when an interface goes down, or a fan has failed).
http://www.campin.net/newlogcheck.html
I'm not 100% on Ubuntu, but since it is almost alike with Debian.
Look in /etc/default/syslogd
or run, "dpkg-reconfigure syslogd"
There shouldn't be any need to edit your init.d scripts directly and these will be replaced when you update your syslog.
Another easy way to find the location of your syslog config is to look at the init.d script. It will have something like this
# include config
. /etc/syslogd.conf