
How to enable audit log

ersin erol
Level 1

Hi everyone,

In our network we use a Cisco WS-C6509-E (R7000) backbone switch. We want to route syslog to a log server. But I couldn't do it. How can I solve this problem?


ersin erol
Level 1

Can anyone help me?

Hi,

The command you need to add in the global context is logging where ip-addr is the IP address of one or more SYSLOG servers. In addition you can specify the source of the log messages with the logging source-interface such that irrespective of which interface the SYSLOG message is routed via, the SYSLOG server will see all messages originating from a single, consistent IP address.

There are other options with the logging command e.g., the level of the SYSLOG messages that will be sent. Let me know if you need any additional information.

Regards

I wrote these commands:

-logging on

-logging

Are these commands not enough?

Hi,

That's all that is required to send log messages to the SYSLOG server, and as can be seen from your extract, 16,060 messages have already been logged.

Do these messages not appear in your SYSLOG? Do you have a route toward the IP address you're using for the SYSLOG server? I assume you can ping the server from the router?

Regards

Steve,

You are right, there are log files on the switch. But these logs do not appear on the log server. I thought that maybe it is because of "audit log disabled".

On the log server (Ubuntu) I listen for logs (tcpdump), but no log from the backbone switch appears.

The audit disabled should not affect this.

Do you have logging source-interface command configured on this router such that all logging is sent from a known IP address i.e., that assigned to the loopback interface? If so, can you ping the SYSLOG server using the command ping source and make sure you can see this traffic on your server with the command tcpdump host and icmp?

If you don't have the logging source-interface configured, can you run show ip route and check which interface(s) the traffic would take towards the server. Then run the same tcpdump command as above, but substitute the with the address of the interface from the show ip route above.

One other question. Do you use VRF on this router?

Regards

The_Nirvana
Level 1

Hello Ersin,

 

You should start by deciding what IP on the switch you will use to represent the switch on the syslog server. (If your switch has only one IP address configured, it will use this IP by default). However, core switches usually have many IP addresses and your management VLAN interface is usually the one to choose. 

 

Your syslog server should be able to reach the switch. By default, syslog uses UDP port 514. Traffic on these ports should be allowed in case there is an access-list or firewall in between your switch management vlan and the syslog server.

Note: You can manually configure the switch to send logs using a different layer 4 (TCP or UDP) and on a customized port.

 

The first step is to enable the logging with the command:

!
R1(config)#logging on
!

Specify your syslog server

!
R1(config)#logging 10.1.1.1
!

You can change the transport layer protocol and the port

!
R1(config)#logging host 10.1.1.1 transport tcp port 59999
!

If your switch has more than one interface, you can choose which one will represent your switch

!
R1(config)#logging source-interface vlan100
!

You can also log any configuration changes done on the device by the various administrators in your team.

!
R1(config)#logging userinfo
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#logging enable
!

 

Usually you do not need to specify your device IP address in the syslog server. However, if you are using PRTG as your syslog server, you will need to add a sensor for your switch using the IP address you mentioned in the source-interface.

 

I hope this helps

 

Best Regards

 

Ashaan
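
For the server-side check discussed in this thread, an added example (not written by any of the posters): a Python receiver for the Ubuntu log server that decodes IOS-format syslog datagrams and reports whether each one arrived from the address of the configured logging source-interface. The message layout handled, the sample datagram and the switch address 10.1.100.1 are assumptions constructed for illustration.

```python
import re
import socket

# Severity keywords as IOS names them; list index = numeric level 0-7.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Assumed layout: <PRI>[seq: ][timestamp: ]%FACILITY-SEVERITY-MNEMONIC: text
IOS_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:(?P<seq>\d+): )?(?:(?P<ts>[^%]*?): )?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$", re.S)

# Mnemonics that record configuration activity. CFGLOG_LOGGEDCMD reaches the
# server only if "notify syslog" is also set under "log config" (not in the thread).
CONFIG_MNEMONICS = {"CONFIG_I", "CFGLOG_LOGGEDCMD"}

# Constructed sample datagram (not captured from a real device).
SAMPLE = (b"<189>45: *Mar  1 00:12:31.003: %SYS-5-CONFIG_I: "
          b"Configured from console by admin on vty0 (10.1.1.50)")


def parse_ios_syslog(datagram: bytes, sender_ip: str, expected_ip: str) -> dict:
    """Decode one syslog payload; compare its sender with the source-interface IP."""
    m = IOS_RE.match(datagram.decode("ascii", errors="replace").strip())
    if m is None or int(m["pri"]) > 191:
        raise ValueError("not an IOS-style syslog message")
    pri = int(m["pri"])
    return {
        "facility": pri >> 3,                  # 23 = local7, the IOS default
        "severity": SEVERITIES[pri & 7],
        "seq": int(m["seq"]) if m["seq"] else None,
        "timestamp": m["ts"],
        "tag": f"{m['fac']}-{m['sev']}-{m['mnem']}",
        "text": m["text"],
        "source_ok": sender_ip == expected_ip,  # False: wrong egress interface
        "config_change": m["mnem"] in CONFIG_MNEMONICS,
    }


def listen(expected_ip: str, port: int = 514) -> None:
    """Print every datagram received; binding to port 514 needs root."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        while True:
            data, (ip, _) = s.recvfrom(4096)
            try:
                print(ip, parse_ios_syslog(data, ip, expected_ip))
            except ValueError as exc:
                print(ip, "unparsed:", exc, data[:80])
```

Running listen("10.1.100.1") on the server while a configuration change is made on the switch shows whether messages arrive at all and, through source_ok, whether they leave the switch from the interface the syslog server or firewall rules expect.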
