Differences
This shows you the differences between two versions of the page.
|
networking_wiki:syslogging [2014/11/18 22:51] billdozor created |
networking_wiki:syslogging [2019/05/25 23:50] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Syslogging ====== | ||
| - | Configure syslog messages on Cisco devices. | ||
| - | In these examples, we want to exclude: | ||
| - | * LINEPROTO-5-UPDOWN | ||
| - | * LINK-3-UPDOWN | ||
| - | |||
| - | This is in order to eliminate logging noise, since we want logging levels 5 and below, but don't care about ports going up/down on switches. | ||
| - | |||
| - | The following example assumes this: | ||
| - | * Syslog server is: 192.168.1.16 | ||
| - | * Sylog server is listening on port: 1030 | ||
| - | * We want to ignore certain messages on IOS edge switches (not core NX-OS switches) | ||
| - | |||
| - | |||
| - | __Switches IOS__ | ||
| - | < | ||
| - | logging discriminator LINKLOGS severity includes 0,1,2,3,4,5 facility drops LINK|LINEPROTO mnemonics drops UPDOWN | ||
| - | logging trap notifications | ||
| - | logging origin-id hostname | ||
| - | logging host 192.168.1.16 transport udp port 1030 discriminator LINKLOGS | ||
| - | </ | ||
| - | |||
| - | __NX OS__ | ||
| - | < | ||
| - | conf t | ||
| - | logging server 192.168.1.16 5 | ||
| - | logging source-interface loopback 0 | ||
| - | end | ||
| - | copy run start | ||
| - | </ | ||
| - | |||
| - | __ASA VPN__ | ||
| - | |||
| - | This ASA Firewall syslog example shows how to ONLY send syslogs on VPN connect or disconnect. | ||
| - | |||
| - | * ASA-4-113019 = VPN Session disconnected Mnemonic | ||
| - | * ASA-4-722051 = VPN Connection (Shows Group, User, Public IP, Assigned Internal IPv4/6) | ||
| - | |||
| - | < | ||
| - | logging list VPN-Log-Events message 722051 | ||
| - | logging list VPN-Log-Events message 113019 | ||
| - | logging trap VPN-Log-Events | ||
| - | logging host My-DMZ 192.168.1.16 | ||
| - | logging device-id hostname | ||
| - | </ | ||
| - | |||
| - | __Syslog Server Firewall Config__ | ||
| - | |||
| - | Some devices cannot change the syslog port they log to and by default use udp/514. This is a problem on Linux servers, since privileged ports 1024 and below can only be used by root. | ||
| - | If we want to run a syslog server as a non-root user for security reasons, a higher port must be used. | ||
| - | |||
| - | The legacy devices can still be supported with port redirection at the iptables firewall. | ||
| - | |||
| - | Example Firewall INPUT chain could be: | ||
| - | < | ||
| - | -A INPUT -i lo -m comment --comment " | ||
| - | -A INPUT -m conntrack --ctstate RELATED, | ||
| - | -A INPUT -p icmp -m comment --comment "ICMP Requests" | ||
| - | -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "SSH Access" | ||
| - | -A INPUT -p tcp -m tcp --dport 8000 -m comment --comment " | ||
| - | -A INPUT -p udp -m udp --dport 514 -m comment --comment " | ||
| - | -A INPUT -p udp -m udp --dport 1030 -m comment --comment " | ||
| - | -A INPUT -s 192.168.1.50/ | ||
| - | -A INPUT -j REJECT --reject-with icmp-host-prohibited | ||
| - | </ | ||
| - | |||
| - | And the redirect to handle udp/514 to udp/1030: | ||
| - | < | ||
| - | -A PREROUTING -d 192.168.1.16/ | ||
| - | </ | ||