SYSLOG UDP 514

MJonkers
Level 1

Hi,

We want our Cisco router to syslog to a Kiwi server on the LAN. The Cisco router is in the DMZ. Internal firewall is say 192.xxx.xxx.xxx. The Kiwi server is 10.xxx.xxx.xxx on the LAN. Kiwi listens to UDP 514. When we publish a rule on the internal firewall, all packets from the Cisco router to IP 192.xxx.xxx.xxx must be forwarded to 10.xxx.xxx.xxx. It seems not to work. On the DMZ I can see the UDP packets. When we disable the rule we can see in the log that UDP 514 is blocked. When we enable it nothing is logged in the log. Is this an issue with UDP 514? How can we resolve this problem?

Thanks

Marc

5 Replies 5

I don't think it is a problem with UDP 514. We send syslog messages from a 3640 router to a CW2000 system (but I did test it using Kiwi before) via a firewall. Our firewall is a Checkpoint FW-1 system, but the principle will be the same. The rule that allows the syslog messages through is simply src=router dest=CW2000 port=UDP/514.

Could you be having a problem with routing rather than the rulebase?

Pete

We have an ISA server; maybe that's the problem.

How do you like Kiwi server?

Maybe the problem is that I do not send the syslog directly to the Kiwi server but to the IP number of the external NIC of the firewall.

Yes - that will be the problem. You must send your syslogs to the IP address of the Kiwi server and the rule in the firewall must allow UDP/514 from the router to the Kiwi server.

Kiwi syslog server is very good, but for our requirements, we use CW2000 (which incidentally I don't think is very good - it's just that it also holds all of the switch and router backup configs).

Pete
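A way to check the path discussed in this thread, as an added example that is not part of any poster's reply: a small Python probe that sends one RFC 3164 style message to the syslog server's own address and a listener that reports the source IP it arrived from. The hostname `dmz-router`, the function names and the loopback self-test are assumptions made for illustration; the real server address is passed in as an argument.

```python
import socket
import time

LOCAL7, NOTICE = 23, 5  # syslog facility local7, severity notice


def build_syslog(msg, host="dmz-router", facility=LOCAL7, severity=NOTICE):
    """Return an RFC 3164 style datagram: <PRI>Mmm dd hh:mm:ss host msg."""
    now = time.localtime()
    stamp = f"{time.strftime('%b', now)} {now.tm_mday:2d} {time.strftime('%H:%M:%S', now)}"
    return f"<{facility * 8 + severity}>{stamp} {host} {msg}".encode("ascii", "replace")


def parse_pri(datagram):
    """Split the leading <PRI> into (facility, severity); None if malformed."""
    end = datagram.find(b">")
    if not datagram.startswith(b"<") or end < 2 or not datagram[1:end].isdigit():
        return None
    return divmod(int(datagram[1:end]), 8)


def send_probe(server_ip, port=514, msg="syslog path test"):
    """Send one test message straight to the syslog server's own address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(build_syslog(msg), (server_ip, port))


def receive_one(sock, timeout=2.0):
    """Wait for one datagram; return (source_ip, (facility, severity), text) or None."""
    sock.settimeout(timeout)
    try:
        data, peer = sock.recvfrom(2048)
    except socket.timeout:
        return None  # UDP gives the sender no error, so silence here means a drop on the path
    return peer[0], parse_pri(data), data.decode("ascii", "replace")


def loopback_selftest():
    """Run sender and listener on 127.0.0.1 with an ephemeral port (no privileges needed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        send_probe("127.0.0.1", listener.getsockname()[1])
        return receive_one(listener)


if __name__ == "__main__":
    print(loopback_selftest())
```

Run from a host in the DMZ with `send_probe` pointed at the syslog server's address, the source IP reported by `receive_one` on the server side shows whether the datagram crossed the firewall unchanged.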