====== Syslogging ======
**General Information**
Configure syslog messages on Cisco devices.
**Checklist**
* Syslog server setup
* One of the below devices to send logging data
----
===== Scenario =====
In these examples, we want to exclude:
* LINEPROTO-5-UPDOWN
* LINK-3-UPDOWN
This is in order to eliminate logging noise, since we want logging levels 5 and below, but don't care about ports going up/down on switches.
The following example assumes this:
* Syslog server is: 192.168.1.16
* Syslog server is listening on port: 1030
* We want to ignore certain messages on IOS edge switches (not core NX-OS switches)
----
===== Switches IOS =====
<code>
logging discriminator LINKLOGS severity includes 0,1,2,3,4,5 facility drops LINK|LINEPROTO mnemonics drops UPDOWN
logging trap notifications
logging origin-id hostname
logging host 192.168.1.16 transport udp port 1030 discriminator LINKLOGS
</code>
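The filter that the LINKLOGS discriminator above expresses, applied in Python to constructed sample messages; this is an added example, not from the page or from Cisco, and it assumes IOS matches the drop strings as regex substrings, which is why the facility clause drops every LINK/LINEPROTO message and not only the UPDOWN ones.

```python
import re

# Cisco IOS messages carry a "%FACILITY-SEVERITY-MNEMONIC:" header (regex is ours).
CISCO_MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")

# Mirrors the page's discriminator:
#   logging discriminator LINKLOGS severity includes 0,1,2,3,4,5
#       facility drops LINK|LINEPROTO mnemonics drops UPDOWN
# Assumption: the drop strings are regex substring matches, so the facility
# clause drops every LINK/LINEPROTO message, not only the UPDOWN ones.
LINKLOGS = {
    "severity_includes": {0, 1, 2, 3, 4, 5},
    "facility_drops": re.compile(r"LINK|LINEPROTO"),
    "mnemonics_drops": re.compile(r"UPDOWN"),
}

def parse(line):
    """Return (facility, severity, mnemonic) or None if no Cisco header."""
    m = CISCO_MSG.search(line)
    if m is None:
        return None
    return m["facility"], int(m["severity"]), m["mnemonic"]

def forwarded(line, disc=LINKLOGS):
    """True if the discriminator lets the message reach the syslog host."""
    parsed = parse(line)
    if parsed is None:
        return True  # assumption: lines without a Cisco header pass untouched
    facility, severity, mnemonic = parsed
    if severity not in disc["severity_includes"]:
        return False  # severity 6/7 are outside the "includes" set
    if disc["facility_drops"].search(facility):
        return False  # any LINK or LINEPROTO message, whatever its mnemonic
    if disc["mnemonics_drops"].search(mnemonic):
        return False  # any UPDOWN mnemonic, whatever its facility
    return True

def apply_discriminator(lines, disc=LINKLOGS):
    return [line for line in lines if forwarded(line, disc)]

# Constructed sample messages in IOS format (not real captures).
SAMPLE = [
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/1, changed state to up",
    "%LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down",
    "%LINK-4-ERROR: Gi1/0/2 reporting errors (constructed)",  # dropped by facility clause
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.16 started",  # severity 6 excluded
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.50]",
]
```

Running `apply_discriminator(SAMPLE)` keeps only the last two messages; the constructed LINK-4-ERROR line shows that the facility clause is broader than the stated goal of hiding port up/down noise.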
----
===== NX OS =====
<code>
conf t
logging server 192.168.1.16 5
logging source-interface loopback 0
end
copy run start
</code>
----
===== ASA VPN =====
This ASA Firewall syslog example shows how to ONLY send syslogs on VPN connect or disconnect.
* ASA-4-113019 = VPN Session disconnected Mnemonic
* ASA-4-722051 = VPN Connection (Shows Group, User, Public IP, Assigned Internal IPv4/6)
<code>
logging list VPN-Log-Events message 722051
logging list VPN-Log-Events message 113019
logging trap VPN-Log-Events
logging host My-DMZ 192.168.1.16
logging device-id hostname
</code>
----
===== Syslog Server Firewall Config =====
Some devices cannot change the syslog port they log to and use udp/514 by default. This is a problem on Linux servers, where binding privileged ports (1024 and below) requires root.
If we want to run the syslog server as a non-root user for security reasons, a higher port must be used.
Legacy devices can still be supported with port redirection at the iptables firewall.
An example filter-table INPUT chain could be:
<code>
-A INPUT -i lo -m comment --comment "Loopback Operations" -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Related,Est Connections" -j ACCEPT
-A INPUT -p icmp -m comment --comment "ICMP Requests" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "SSH Access" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -m comment --comment "Splunk Web Portal" -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -m comment --comment "Legacy Syslog" -j ACCEPT
-A INPUT -p udp -m udp --dport 1030 -m comment --comment "Splunk Syslog Input" -j ACCEPT
-A INPUT -s 192.168.1.50/32 -p udp -m udp --dport 161 -m comment --comment "Monitoring Server SNMP" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
</code>
And the redirect, in the nat table's PREROUTING chain, that maps udp/514 to udp/1030:
<code>
-A PREROUTING -d 192.168.1.16/32 -p udp -m udp --dport 514 -m comment --comment "Redirect Syslogs(514) to Splunk Syslog port 1030" -j DNAT --to-destination 192.168.1.16:1030
</code>