Syslogging

Syslogging

General Information

Configure syslog messages on Cisco devices.

Checklist

Syslog server setup
One of the below devices to send logging data

Scenario

In these examples, we want to exclude:

LINEPROTO-5-UPDOWN
LINK-3-UPDOWN

This is in order to eliminate logging noise, since we want logging levels 5 and below, but don't care about ports going up/down on switches.

The following example assumes this:

Syslog server is: 192.168.1.16
Sylog server is listening on port: 1030
We want to ignore certain messages on IOS edge switches (not core NX-OS switches)

Switches IOS

logging discriminator LINKLOGS severity includes 0,1,2,3,4,5 facility drops LINK|LINEPROTO mnemonics drops UPDOWN
logging trap notifications
logging origin-id hostname
logging host 192.168.1.16 transport udp port 1030 discriminator LINKLOGS

NX OS

conf t
logging server 192.168.1.16 5
logging source-interface loopback 0
end
copy run start

ASA VPN

This ASA Firewall syslog example shows how to ONLY send syslogs on VPN connect or disconnect.

ASA-4-113019 = VPN Session disconnected Mnemonic
ASA-4-722051 = VPN Connection (Shows Group, User, Public IP, Assigned Internal IPv4/6)

logging list VPN-Log-Events message 722051
logging list VPN-Log-Events message 113019
logging trap VPN-Log-Events
logging host My-DMZ 192.168.1.16
logging device-id hostname

Syslog Server Firewall Config

Some devices cannot change the syslog port they log to and by default use udp/514. This is a problem on Linux servers, since privileged ports 1024 and below can only be used by root. If we want to run a syslog server as a non-root user for security reasons, a higher port must be used.

The legacy devices can still be supported with port redirection at the iptables firewall.

Example Firewall INPUT chain could be:

-A INPUT -i lo -m comment --comment "Loopback Operations" -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Related,Est Connections" -j ACCEPT
-A INPUT -p icmp -m comment --comment "ICMP Requests" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "SSH Access" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -m comment --comment "Splunk Web Portal" -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -m comment --comment "Legacy Syslog" -j ACCEPT
-A INPUT -p udp -m udp --dport 1030 -m comment --comment "Splunk Syslog Input" -j ACCEPT
-A INPUT -s 192.168.1.50/32 -p udp -m udp --dport 161 -m comment --comment "Monitoring Server SNMP" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

And the redirect to handle udp/514 to udp/1030:

-A PREROUTING -d 192.168.1.16/32 -p udp -m udp --dport 514 -m comment --comment "Redirect Syslogs(514) to Splunk Syslog port 1030" -j DNAT --to-destination 192.168.1.16:1030