====== Syslogging ======

**General Information**

Configure syslog messages on Cisco devices.

**Checklist**
  * Syslog server setup
  * One of the below devices to send logging data

----

===== Scenario =====

In these examples, we want to exclude:
  * LINEPROTO-5-UPDOWN
  * LINK-3-UPDOWN

This is in order to eliminate logging noise, since we want logging levels 5 and below, but don't care about ports going up/down on switches.

The following example assumes this:
  * Syslog server is: 192.168.1.16
  * Sylog server is listening on port: 1030
  * We want to ignore certain messages on IOS edge switches (not core NX-OS switches)

-----

===== Switches IOS =====
<code>
logging discriminator LINKLOGS severity includes 0,1,2,3,4,5 facility drops LINK|LINEPROTO mnemonics drops UPDOWN
logging trap notifications
logging origin-id hostname
logging host 192.168.1.16 transport udp port 1030 discriminator LINKLOGS
</code>

----

===== NX OS =====
<code>
conf t
logging server 192.168.1.16 5
logging source-interface loopback 0
end
copy run start
</code>

----

===== ASA VPN =====

This ASA Firewall syslog example shows how to ONLY send syslogs on VPN connect or disconnect.

  * ASA-4-113019 = VPN Session disconnected Mnemonic
  * ASA-4-722051 = VPN Connection (Shows Group, User, Public IP, Assigned Internal IPv4/6)

<code>
logging list VPN-Log-Events message 722051
logging list VPN-Log-Events message 113019
logging trap VPN-Log-Events
logging host My-DMZ 192.168.1.16
logging device-id hostname
</code>

-----

===== Syslog Server Firewall Config =====

Some devices cannot change the syslog port they log to and by default use udp/514. This is a problem on Linux servers, since privileged ports 1024 and below can only be used by root.
If we want to run a syslog server as a non-root user for security reasons, a higher port must be used.

The legacy devices can still be supported with port redirection at the iptables firewall.

Example Firewall INPUT chain could be:
<code bash>
-A INPUT -i lo -m comment --comment "Loopback Operations" -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Related,Est Connections" -j ACCEPT
-A INPUT -p icmp -m comment --comment "ICMP Requests" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "SSH Access" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -m comment --comment "Splunk Web Portal" -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -m comment --comment "Legacy Syslog" -j ACCEPT
-A INPUT -p udp -m udp --dport 1030 -m comment --comment "Splunk Syslog Input" -j ACCEPT
-A INPUT -s 192.168.1.50/32 -p udp -m udp --dport 161 -m comment --comment "Monitoring Server SNMP" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
</code>

And the redirect to handle udp/514 to udp/1030:
<code bash>
-A PREROUTING -d 192.168.1.16/32 -p udp -m udp --dport 514 -m comment --comment "Redirect Syslogs(514) to Splunk Syslog port 1030" -j DNAT --to-destination 192.168.1.16:1030
</code>