Differences
This shows you the differences between two versions of the page.
networking_wiki:syslogging [2014/11/18 22:51] billdozor created
networking_wiki:syslogging [2019/05/25 23:50]
Line 1: | Line 1: | ||
- | ====== Syslogging ====== | ||
- | Configure syslog messages on Cisco devices. | ||
- | In these examples, we want to exclude: | ||
- | * LINEPROTO-5-UPDOWN | ||
- | * LINK-3-UPDOWN | ||
- | |||
- | This is in order to eliminate logging noise, since we want logging levels 5 and below, but don't care about ports going up/down on switches. | ||
- | |||
- | The following example assumes this: | ||
- | * Syslog server is: 192.168.1.16 | ||
- | * Sylog server is listening on port: 1030 | ||
- | * We want to ignore certain messages on IOS edge switches (not core NX-OS switches) | ||
- | |||
- | |||
- | __Switches IOS__ | ||
- | < | ||
- | logging discriminator LINKLOGS severity includes 0,1,2,3,4,5 facility drops LINK|LINEPROTO mnemonics drops UPDOWN | ||
- | logging trap notifications | ||
- | logging origin-id hostname | ||
- | logging host 192.168.1.16 transport udp port 1030 discriminator LINKLOGS | ||
- | </ | ||
- | |||
- | __NX OS__ | ||
- | < | ||
- | conf t | ||
- | logging server 192.168.1.16 5 | ||
- | logging source-interface loopback 0 | ||
- | end | ||
- | copy run start | ||
- | </ | ||
- | |||
- | __ASA VPN__ | ||
- | |||
- | This ASA Firewall syslog example shows how to ONLY send syslogs on VPN connect or disconnect. | ||
- | |||
- | * ASA-4-113019 = VPN Session disconnected Mnemonic | ||
- | * ASA-4-722051 = VPN Connection (Shows Group, User, Public IP, Assigned Internal IPv4/6) | ||
- | |||
- | < | ||
- | logging list VPN-Log-Events message 722051 | ||
- | logging list VPN-Log-Events message 113019 | ||
- | logging trap VPN-Log-Events | ||
- | logging host My-DMZ 192.168.1.16 | ||
- | logging device-id hostname | ||
- | </ | ||
- | |||
- | __Syslog Server Firewall Config__ | ||
- | |||
- | Some devices cannot change the syslog port they log to and by default use udp/514. This is a problem on Linux servers, since privileged ports 1024 and below can only be used by root. | ||
- | If we want to run a syslog server as a non-root user for security reasons, a higher port must be used. | ||
- | |||
- | The legacy devices can still be supported with port redirection at the iptables firewall. | ||
- | |||
- | Example Firewall INPUT chain could be: | ||
- | < | ||
- | -A INPUT -i lo -m comment --comment " | ||
- | -A INPUT -m conntrack --ctstate RELATED, | ||
- | -A INPUT -p icmp -m comment --comment "ICMP Requests" | ||
- | -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "SSH Access" | ||
- | -A INPUT -p tcp -m tcp --dport 8000 -m comment --comment " | ||
- | -A INPUT -p udp -m udp --dport 514 -m comment --comment " | ||
- | -A INPUT -p udp -m udp --dport 1030 -m comment --comment " | ||
- | -A INPUT -s 192.168.1.50/ | ||
- | -A INPUT -j REJECT --reject-with icmp-host-prohibited | ||
- | </ | ||
- | |||
- | And the redirect to handle udp/514 to udp/1030: | ||
- | < | ||
- | -A PREROUTING -d 192.168.1.16/ | ||
- | </ |
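Review bot: the NX-OS block (`logging server 192.168.1.16 5`) and the ASA block (`logging host My-DMZ 192.168.1.16`) set no destination port, so both send to udp/514 even though the assumptions list says the server listens on 1030; only the IOS block passes `port 1030`, and the other two work solely because of the udp/514 to udp/1030 redirect at the end of the page, which should be stated next to those blocks. The IOS discriminator `facility drops LINK|LINEPROTO mnemonics drops UPDOWN` is also wider than the two messages listed above it: as written it discards every message from the LINK or LINEPROTO facility and every message whose mnemonic is UPDOWN, from any facility, so the text should say that the whole link-state family is being suppressed rather than just LINEPROTO-5-UPDOWN and LINK-3-UPDOWN. In the firewall section, the PREROUTING rule's target is cut off in this view, but once a nat-table redirect rewrites port 514 to 1030 the filter INPUT chain only ever sees dport 1030, so the separate `--dport 514` accept does nothing; more importantly, both syslog accepts take traffic from any source, and because UDP syslog carries no authentication, the `-s` restriction already used on the 192.168.1.50 rule should be applied to the 514 and 1030 rules as well, limited to the management subnets of the switches and the ASA.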