
Logging to syslog-ng on FreeBSD

Logging Cisco devices to syslog on FreeBSD

Overview
What we are going to do here is get a FreeBSD server up and running with syslog-ng so that we can log information from our Cisco devices to it. This How-To will be pretty detailed, and we will be logging data from Cisco routers, switches and Cisco PIX firewalls. We are going to get the syslog-ng daemon to create the log files automatically and to log to a new file each day, with a date stamp in the file name.

Installation

This is probably the easiest part.
All you have to do is “cd /usr/ports/sysutils/syslog-ng” and run “make install clean”.
Now that the port is installed, edit the syslog-ng startup script (/usr/local/etc/rc.d/syslog-ng) and change the following line from NO to YES:

: ${syslog_ng_enable:="NO"}
: ${syslog_ng_enable:="YES"}

Save the file, then edit your /etc/rc.conf file and add syslog_ng_enable="YES" and also syslogd_enable="NO"; the second line stops the syslogd that comes with FreeBSD from starting.
Don’t bother starting the service yet.

Configuring the Cisco Devices

NB: commands may differ depending on your IOS version.

Cisco PIX firewalls (This is for Version 6.3)
Let's assume that the syslog server has an IP address of 192.168.2.5 and that it sits on the INSIDE interface. In general, syslog information should be sent to something on an interface with a higher security level, such as the INSIDE interface or a DMZ interface. To keep things simple we will use the INSIDE interface; depending on your configuration you might have to adjust some of your firewall rules.

logging on
logging timestamp
logging standby
logging buffered debugging
logging trap debugging
logging host INSIDE 192.168.2.5

Cisco Switches
Make sure that the switch can communicate with the syslog server.
!
logging trap debugging
logging facility local6
logging 192.168.2.5
!
There are various logging facility options, local0 to local7; each one will give you a different level of logging.

Cisco Routers
Once again, make sure that the router can see the syslog server. In this example the router reaches the syslog server via Loopback0, which is why Loopback0 is set as the logging source interface.
logging trap debugging
logging facility local6
logging source-interface Loopback0
logging 192.168.2.5

Configuring the syslog server

By default syslog-ng keeps its config file in “/usr/local/etc/syslog-ng”. You should see a file called syslog-ng.conf.sample there; you can simply “cp syslog-ng.conf.sample syslog-ng.conf”.

The file is broken up into a few sections:

Destination: This is where the data will be logged.
Log level filters: This is where you define the filter for each host (the filters match on the hostname the data comes from).
Program filters: This is the last step in the file; it ties the source, filters and destinations together.

#
# destinations
# $HOST is the resolved name of the sending device and $YEAR$MONTH$DAY gives one file per day;
# create_dirs(yes) lets syslog-ng create the directory tree itself, and the directories
# need the execute bit (0755, not 0644) to be traversable
#
destination the-pix { file("/var/log/MEXCOM/FIREWALLS/MEXCOM-PIX/mexcom-pix-$YEAR$MONTH$DAY.log" owner(root) group(wheel) perm(0644) dir_perm(0755) create_dirs(yes)); };
destination the-sw { file("/var/log/MEXCOM/SWITCHES/$HOST-$YEAR$MONTH$DAY.log" owner(root) group(wheel) perm(0644) dir_perm(0755) create_dirs(yes)); };
destination the-rtr { file("/var/log/MEXCOM/ROUTERS/$HOST-$YEAR$MONTH$DAY.log" owner(root) group(wheel) perm(0644) dir_perm(0755) create_dirs(yes)); };
#
# log level filters
#
filter f_the-pix {host(the-pix); };
filter f_the-sw {host(the-sw); };
filter f_the-rtr {host(the-rtr); };

Then, in the program filters section:

#
# Firewalls
#
log { source(src); filter(f_the-pix); destination(the-pix); flags(final); };
#
# Switches
#
log { source(src); filter(f_the-sw); destination(the-sw); flags(final); };
#
# Routers
#
log { source(src); filter(f_the-rtr); destination(the-rtr); flags(final); };

Ok, start up syslog-ng with “/usr/local/etc/rc.d/syslog-ng start”.

The above shows how the matching works: each filter matches the hostname that the data is coming from, we have allocated a destination for it (e.g. the-sw), and flags(final) tells syslog-ng that this log statement is final, which stops any later log statement from picking up messages from this particular device.

The ordering of the program filters is something to take note of. It really is a filter working from the top down, so if some things are being logged and not others, or some data is being logged to the wrong file, check the flow of the filters through the file.
By default practically everything that is not logged to a specified file will go to your messages file, so if your firewalls, switches, routers or anything else are not being logged you can just run “tail -f /var/log/messages” and tweak your config from there. In most cases the problem is simply that the filter host is not being resolved, so double-check the filter host and the contents of your /etc/hosts file.
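A quick check for that last problem, added here as an example (it is not part of the original post): it pulls the host() names out of the filter lines and verifies that each one is the canonical (first) name on a line in /etc/hosts, because that is the name syslog-ng gets back when it reverse-resolves the sending device's address. The sample config and hosts file are constructed for the demonstration; on a live server point it at the real /usr/local/etc/syslog-ng/syslog-ng.conf and /etc/hosts.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that every host() name used in a
# syslog-ng filter is the canonical (first) hostname on some /etc/hosts line, which is
# what syslog-ng sees after reverse-resolving the sending device's IP address.
# The sample config and hosts file are constructed for this demonstration.

# Print the names referenced by filter lines such as: filter f_the-sw {host(the-sw); };
filter_hosts() {
    sed -n 's/^[[:space:]]*filter[^{]*{[[:space:]]*host("\{0,1\}\([^")]*\)"\{0,1\}).*/\1/p' "$1"
}

# Print the canonical hostname (second field) of every non-comment /etc/hosts line.
canonical_names() {
    sed 's/#.*//' "$1" | awk 'NF >= 2 { print $2 }'
}

# Report "OK name" or "MISSING name" for every filter host in the config.
# A name that is only an alias on its line is reported MISSING: reverse lookups return the first name.
check_filter_hosts() {
    conf=$1; hosts=$2
    for name in $(filter_hosts "$conf"); do
        if canonical_names "$hosts" | grep -qxF -- "$name"; then
            printf 'OK %s\n' "$name"
        else
            printf 'MISSING %s\n' "$name"
        fi
    done
}

# Constructed sample files modelled on the configuration in this post.
write_samples() {
    cat > "$1/syslog-ng.conf" <<'EOF'
filter f_the-pix {host(the-pix); };
filter f_the-sw {host(the-sw); };
filter f_the-rtr {host(the-rtr); };
EOF
    cat > "$1/hosts" <<'EOF'
127.0.0.1     localhost
192.168.2.1   the-pix pix.example.test   # canonical name matches the filter: OK
192.168.2.2   sw1 the-sw                 # the-sw is only an alias, lookup returns sw1
EOF
}

# Stand-alone run against the constructed samples.
dir=$(mktemp -d)
write_samples "$dir"
check_filter_hosts "$dir/syslog-ng.conf" "$dir/hosts"
rm -rf "$dir"
```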

Remember that after any changes you will need to restart the syslog-ng startup script
“/usr/local/etc/rc.d/syslog-ng restart”
