12-29-2008 03:09 AM
I have a 3800 series router and a Linux box, and can't get Cisco logging written to syslog-ng. Can you help me?
I am sure that Cisco is sending messages, look at it:
extranet:/etc/syslog-ng # tcpdump -nn host 192.168.6.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:53:28.002868 IP 192.168.6.5.56121 > 192.168.1.141.514: SYSLOG local6.notice, length: 79
my Router config is:
logging buffered 128000
no logging rate-limit
no logging console
no logging monitor
logging trap debugging
logging facility local6
logging source-interface Loopback0
logging 192.168.1.141
and my linux box is:
extranet:/etc/syslog-ng # cat syslog-ng.conf
options {
long_hostnames(off);
sync(0);
perm(0640);
stats(3600);
};
source src {
internal();
udp(ip("0.0.0.0") port(514));
};
filter f_router { facility(local6);};
filter f_ROUTER01 { host("192.168.6.5"); };
destination ROUTER01 {
file("/var/log/router");
};
log {
source(src);
filter(f_router);
filter(f_ROUTER01);
destination(ROUTER01);
};
12-29-2008 09:59 AM
Make sure syslog-ng is running, and that lsof shows that it is the process bound to udp/514. If so, try restarting it. If the inode of /var/log/router changed since syslog-ng was last started, no further messages will be seen.
12-30-2008 01:37 AM
I am 100% sure that syslog-ng is running.
extranet:/etc/syslog-ng # ps aux | grep syslog
root 17031 0.0 0.0 1992 484 ? Ss 10:35 0:00 /sbin/syslog-ng
root 17037 0.0 0.1 1956 656 pts/2 R+ 10:35 0:00 grep syslog
extranet:/etc/syslog-ng #
I have restarted it several times over and over, after each config change.
extranet:/etc/syslog-ng # lsof | grep syslog
bash 16964 root cwd DIR 8,2 4096 231842 /etc/syslog-ng
syslog-ng 17031 root cwd DIR 8,2 4096 2 /
syslog-ng 17031 root rtd DIR 8,2 4096 2 /
syslog-ng 17031 root txt REG 8,2 141936 685506 /sbin/syslog-ng
syslog-ng 17031 root mem REG 0,0 0 [heap] (stat: No such file or directory)
syslog-ng 17031 root mem REG 8,2 121246 97964 /lib/libpthread-2.5.so
syslog-ng 17031 root mem REG 8,2 1491141 97938 /lib/libc-2.5.so
syslog-ng 17031 root mem REG 8,2 74840 97966 /lib/libresolv-2.5.so
syslog-ng 17031 root mem REG 8,2 94097 97949 /lib/libnsl-2.5.so
syslog-ng 17031 root mem REG 8,2 41349 97968 /lib/librt-2.5.so
syslog-ng 17031 root mem REG 8,2 129767 100968 /lib/ld-2.5.so
syslog-ng 17031 root 0u CHR 1,3 2907 /dev/null
syslog-ng 17031 root 1u CHR 1,3 2907 /dev/null
syslog-ng 17031 root 2u CHR 1,3 2907 /dev/null
syslog-ng 17031 root 3u IPv4 2915091 UDP *:syslog
lsof 17040 root cwd DIR 8,2 4096 231842 /etc/syslog-ng
grep 17041 root cwd DIR 8,2 4096 231842 /etc/syslog-ng
lsof 17042 root cwd DIR 8,2 4096 231842 /etc/syslog-ng
extranet:/etc/syslog-ng #
12-30-2008 09:31 AM
I see nothing wrong with the device config, and the syslog-ng config looks okay, too. Do you have a packet filter enabled on this box which could be dropping the packets before they make it to syslog-ng?
12-31-2008 01:23 AM
Thanks!! It works.
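A way to separate the two failure modes discussed in this thread, as an added example that is not part of any poster's message: tcpdump captures frames before the host packet filter runs, so seeing the datagram on eth0 does not prove it reaches the udp/514 socket. The script below stands in for syslog-ng on that socket (stop syslog-ng first) and reports either what arrived, decoded against the thread's facility(local6) and host("192.168.6.5") filters, or that nothing arrived. The function names and the sample datagram are constructed for illustration, and the host check assumes syslog-ng uses the sender's IP as the HOST value.

```python
import re
import socket

# Facility and severity names in syslog <PRI> order (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed sample: 181 = 22 * 8 + 5, i.e. local6.notice as seen in the tcpdump line.
SAMPLE = b"<181>42: *Dec 29 11:53:28: %SYS-5-CONFIG_I: Configured from console"

def decode_pri(datagram: bytes):
    """Return (facility, severity) from the leading <PRI>, or None if missing or invalid."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def diagnose(src_ip, datagram, want_host="192.168.6.5", want_facility="local6"):
    """Say whether a datagram would pass both filters in the thread's log statement.
    Assumption: HOST is the sender's IP (simplified from syslog-ng's regex host match)."""
    decoded = decode_pri(datagram)
    if decoded is None:
        return f"from {src_ip}: no valid <PRI> header"
    facility, severity = decoded
    if facility != want_facility:
        return f"{facility}.{severity} from {src_ip}: rejected by facility({want_facility})"
    if src_ip != want_host:
        return f"{facility}.{severity} from {src_ip}: rejected by host({want_host})"
    return f"{facility}.{severity} from {src_ip}: passes both filters"

def listen(bind_ip="0.0.0.0", port=514, timeout=30.0):
    """Bind the syslog port and report on the first datagram that reaches the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, port))
        s.settimeout(timeout)
        try:
            data, (src, _sport) = s.recvfrom(4096)
        except socket.timeout:
            return f"nothing reached udp/{port} in {timeout}s: look for a packet filter drop"
        return diagnose(src, data)

if __name__ == "__main__":
    print(listen())
```

If tcpdump shows traffic while this reports that nothing reached the socket, the drop is happening between the interface and the application, which is where the packet filter question above points.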