This is an old revision of the document!
Syslogging
Configure syslog messages on Cisco devices.
In these examples, we want to exclude:
- LINEPROTO-5-UPDOWN
- LINK-3-UPDOWN
This is in order to eliminate logging noise, since we want logging levels 5 and below, but don't care about ports going up/down on switches.
The following example assumes this:
- Syslog server is: 192.168.1.16
- Sylog server is listening on port: 1030
- We want to ignore certain messages on IOS edge switches (not core NX-OS switches)
Switches IOS
logging discriminator LINKLOGS severity includes 0,1,2,3,4,5 facility drops LINK|LINEPROTO mnemonics drops UPDOWN logging trap notifications logging origin-id hostname logging host 192.168.1.16 transport udp port 1030 discriminator LINKLOGS
NX OS
conf t logging server 192.168.1.16 5 logging source-interface loopback 0 end copy run start
ASA VPN
This ASA Firewall syslog example shows how to ONLY send syslogs on VPN connect or disconnect.
- ASA-4-113019 = VPN Session disconnected Mnemonic
- ASA-4-722051 = VPN Connection (Shows Group, User, Public IP, Assigned Internal IPv4/6)
logging list VPN-Log-Events message 722051 logging list VPN-Log-Events message 113019 logging trap VPN-Log-Events logging host My-DMZ 192.168.1.16 logging device-id hostname
Syslog Server Firewall Config
Some devices cannot change the syslog port they log to and by default use udp/514. This is a problem on Linux servers, since privileged ports 1024 and below can only be used by root. If we want to run a syslog server as a non-root user for security reasons, a higher port must be used.
The legacy devices can still be supported with port redirection at the iptables firewall.
Example Firewall INPUT chain could be:
-A INPUT -i lo -m comment --comment "Loopback Operations" -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Related,Est Connections" -j ACCEPT -A INPUT -p icmp -m comment --comment "ICMP Requests" -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "SSH Access" -j ACCEPT -A INPUT -p tcp -m tcp --dport 8000 -m comment --comment "Splunk Web Portal" -j ACCEPT -A INPUT -p udp -m udp --dport 514 -m comment --comment "Legacy Syslog" -j ACCEPT -A INPUT -p udp -m udp --dport 1030 -m comment --comment "Splunk Syslog Input" -j ACCEPT -A INPUT -s 192.168.1.50/32 -p udp -m udp --dport 161 -m comment --comment "Monitoring Server SNMP" -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited
And the redirect to handle udp/514 to udp/1030:
-A PREROUTING -d 192.168.1.16/32 -p udp -m udp --dport 514 -m comment --comment "Redirect Syslogs(514) to Splunk Syslog port 1030" -j DNAT --to-destination 192.168.1.16:1030