Logging Cisco devises to syslog on FreeBSD
Overview
What we are going to do here is get a FreeBSD server up and running with syslog-ng, so that we can log information from our Cisco devises to it. This How-To will be pretty detailed and we will be logging data from Cisco Routers Switches and Cisco PIX Firewalls. We are going to get the syslog-ng daemon to create the log files automatically and to log to a new file each day, with a date stamp in the file name.
Installation
This is probable the easiest part
All you have to do is “cd /usr/ports/sysutils/syslog-ng” and run “make install clean”
Now that the port is installed you can edit the syslog-ng startup script to change the following line from NO to YES
: ${syslog_ng_enable:="NO"}
: ${syslog_ng_enable:="YES"}
also add syslog_ng_enable="YES" to your /etc/rc.conf file
Save the file, then edit your /etc/rc.conf file and add syslog_ng_enable="YES" and also add syslogd_enable="NO" this will stop the syslogd that comes with FreeBSD
Don’t bother starting the service yet.
Configuring the Cisco Devices
NB Commands might change depending on your IOS version
Cisco PIX firewalls (This is for Version 6.3)
Lets assume that the syslog server has an IP address of 192.168.2.5 and that the server is on the INSIDE interface, in general syslog information should be logged to something with a higher security level like the INSIDE interface or a DMZ interface. To keep things simple we will use the INSIDE interface, depending on your configuration you might have to adjust some of your firewall rules.
logging on
logging timestamp
logging standby
logging buffered debugging
logging trap debugging
logging host INSIDE 192.168.2.5
Cisco Switches
Make sure that the switch can communicate with the syslog server.
!
logging trap debugging
logging facility local6
logging 192.168.2.5
!
There are various logging facility option from 0 to 7 each one will vive you a different level of logging
Cisco Routers
Once again make sure that the router can see the syslog server in thins example the router can communicate to the syslog server via Loopback 0
logging trap debugging
logging facility local6
logging source-interface Loopback0
logging 192.168.2.5
Configuring the syslog server
By default syslog-ng puts its config file in “/usr/local/etc/syslog-ng” you should see a file called syslog-ng.conf.sample you can simply “cp syslog-ng.conf.sample syslog-ng.conf”
The file is broken up into a few sections:
Destination: This is where the data will be logged
Log level filters: This is where you define the filter of the host
Program filters: This is your last step in the file this just matches everything up.
#
# destinations
#
destination the-pix { file("/var/log/MEXCOM/FIREWALLS/MEXCOM-PIX/mexcom-pix-$YEAR$MONTH$DAY.log"); };
destination the-sw { file("/var/log/MEXCOM/SWITCHES/$HOST-$YEAR$MONTH$DAY.log" owner(root) group(wheel) perm(0644) dir_perm(0644) create_dirs(yes)); };
destination the-rtr { file("/var/log/MEXCOM/ROUTERS/$HOST-$YEAR$MONTH$DAY.log" owner(root) group(wheel) perm(0644) dir_perm(0644) create_dirs(yes)); };
#
# log level filters
#
filter f_the-pix {host(the-pix); };
filter f_the-sw {host(the-sw); };
filter f_the-rtr {host(the-rtr); };
then in program Filters
#
# Firewalls
#
log { source(src); filter(f_the-pix); destination(the-pix); flags(final); };
#
# Switches
#
log { source(src); filter(f_the-sw); destination(the-sw); flags(final); };
#
# Routers
#
log { source(src); filter(f_the-rtr); destination(the-rtr); flags(final); };
Ok start up syslog-ng “/usr/local/etc/rc.d/syslog-ng start”
The above shows how we match the filter or we are matching the hostname that the data is coming from, We have allocated a destination for it i.e my-sw and we are telling it that this log is final this will stop any other log files picking up information relevant to this particular device.
The ordering of the program filters is something to take note of. It really is a filter working from the top down so if some stuff is being logged and not others or some data is being logged to the wrong file just check the flow of the filters through the file.
As a default practically everything that is not logged to a file that is specified will log to your messages file so if your firewall’s switches and routers or anything else is not being logged you can just use tail “tail –f /var/log/messages” and tweak your config from there, in most cases it is just that the filter host is not being resolved to double check the filter host and the content of your /etc/hosts file.
Remember that after any changes you will need to restart the syslog-ng startup script
“/usr/local/etc/rc.d/syslog-ng restart”
Overview
What we are going to do here is get a FreeBSD server up and running with syslog-ng, so that we can log information from our Cisco devises to it. This How-To will be pretty detailed and we will be logging data from Cisco Routers Switches and Cisco PIX Firewalls. We are going to get the syslog-ng daemon to create the log files automatically and to log to a new file each day, with a date stamp in the file name.
Installation
This is probable the easiest part
All you have to do is “cd /usr/ports/sysutils/syslog-ng” and run “make install clean”
Now that the port is installed you can edit the syslog-ng startup script to change the following line from NO to YES
: ${syslog_ng_enable:="NO"}
: ${syslog_ng_enable:="YES"}
also add syslog_ng_enable="YES" to your /etc/rc.conf file
Save the file, then edit your /etc/rc.conf file and add syslog_ng_enable="YES" and also add syslogd_enable="NO" this will stop the syslogd that comes with FreeBSD
Don’t bother starting the service yet.
Configuring the Cisco Devices
NB Commands might change depending on your IOS version
Cisco PIX firewalls (This is for Version 6.3)
Lets assume that the syslog server has an IP address of 192.168.2.5 and that the server is on the INSIDE interface, in general syslog information should be logged to something with a higher security level like the INSIDE interface or a DMZ interface. To keep things simple we will use the INSIDE interface, depending on your configuration you might have to adjust some of your firewall rules.
logging on
logging timestamp
logging standby
logging buffered debugging
logging trap debugging
logging host INSIDE 192.168.2.5
Cisco Switches
Make sure that the switch can communicate with the syslog server.
!
logging trap debugging
logging facility local6
logging 192.168.2.5
!
There are various logging facility option from 0 to 7 each one will vive you a different level of logging
Cisco Routers
Once again make sure that the router can see the syslog server in thins example the router can communicate to the syslog server via Loopback 0
logging trap debugging
logging facility local6
logging source-interface Loopback0
logging 192.168.2.5
Configuring the syslog server
By default syslog-ng puts its config file in “/usr/local/etc/syslog-ng” you should see a file called syslog-ng.conf.sample you can simply “cp syslog-ng.conf.sample syslog-ng.conf”
The file is broken up into a few sections:
Destination: This is where the data will be logged
Log level filters: This is where you define the filter of the host
Program filters: This is your last step in the file this just matches everything up.
#
# destinations
#
destination the-pix { file("/var/log/MEXCOM/FIREWALLS/MEXCOM-PIX/mexcom-pix-$YEAR$MONTH$DAY.log"); };
destination the-sw { file("/var/log/MEXCOM/SWITCHES/$HOST-$YEAR$MONTH$DAY.log" owner(root) group(wheel) perm(0644) dir_perm(0644) create_dirs(yes)); };
destination the-rtr { file("/var/log/MEXCOM/ROUTERS/$HOST-$YEAR$MONTH$DAY.log" owner(root) group(wheel) perm(0644) dir_perm(0644) create_dirs(yes)); };
#
# log level filters
#
filter f_the-pix {host(the-pix); };
filter f_the-sw {host(the-sw); };
filter f_the-rtr {host(the-rtr); };
then in program Filters
#
# Firewalls
#
log { source(src); filter(f_the-pix); destination(the-pix); flags(final); };
#
# Switches
#
log { source(src); filter(f_the-sw); destination(the-sw); flags(final); };
#
# Routers
#
log { source(src); filter(f_the-rtr); destination(the-rtr); flags(final); };
Ok start up syslog-ng “/usr/local/etc/rc.d/syslog-ng start”
The above shows how we match the filter or we are matching the hostname that the data is coming from, We have allocated a destination for it i.e my-sw and we are telling it that this log is final this will stop any other log files picking up information relevant to this particular device.
The ordering of the program filters is something to take note of. It really is a filter working from the top down so if some stuff is being logged and not others or some data is being logged to the wrong file just check the flow of the filters through the file.
As a default practically everything that is not logged to a file that is specified will log to your messages file so if your firewall’s switches and routers or anything else is not being logged you can just use tail “tail –f /var/log/messages” and tweak your config from there, in most cases it is just that the filter host is not being resolved to double check the filter host and the content of your /etc/hosts file.
Remember that after any changes you will need to restart the syslog-ng startup script
“/usr/local/etc/rc.d/syslog-ng restart”
Comments