Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1369
Views
0
Helpful
8
Replies

rsyslog on router/switch and "syslog facility"

roncro
Level 3
Level 3

‎02-17-2024 09:46 PM

Hello,

I am trying to set up remote logging with rsyslog. But all the messages form the router (Cisco 2952) and switches (Cisco 2960) keep ending up in /var/log/messages (RHEL) is that because of the "Syslog Facility" I use, 'local7'? I want the log messages for each individual host (router, switch, AP) to be logged into a separate file, not all n messages.  (probably a little off topic, since I think it might be  a RHEL issue rather than a cisco ios issue).

 

thanks,

 

Ron

 

Labels:
0 Helpful
8 Replies 8

marce1000
VIP
VIP

‎02-18-2024 12:07 AM

 

You should define a template for log files in syslog.conf , something like e.g :

# log every host in its own directory
$template RemoteHost,"/var/syslog/hosts/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"

Then apply this template to messages coming from remote hosts :

# Remote Logging
$RuleSet remote
*.* ?RemoteHost

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

roncro
Level 3
Level 3
In response to marce1000

‎02-18-2024 12:20 AM - edited ‎02-18-2024 12:22 AM

I did that,  originally I put this script in /etc/rsyslog.d :

$template NetworkLogs,"/var/log/network/%HOSTNAME%-messages.log"
*.* ?NetworkLogs

& stop

 

but the "& stop" seemed to break it.   After I removed it, it started working.  However it is also logging the "local host" as if it is a remote host.

Also, I managed to get the router logging, but it logs as "gateway",  can that be changed to the name of the router?

And also, I turned  rsyslog on, on both of my switches (Cisco 2960)  but they don't seem to be logging anything

I set:

logging trap errors
logging 192.168.2.8

but I don't see "anything"  what is the best level for logging on a Cisco 2960 switch?

(if I set logging to 'informational' severity=6,  do I get everything lower than that too?)

thanks,

Ron

 

0 Helpful

marce1000
VIP
VIP
In response to roncro

‎02-18-2024 02:27 AM

 

      >...but I don't see "anything"  what is the best level for logging on a Cisco 2960 switch?
 - Depends on how verbose you want the logging to be ; the most verbose level is :
                              logging trap debugging , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

roncro
Level 3
Level 3
In response to marce1000

‎02-18-2024 10:33 AM

yes, but if I set it to 6, informational, do I get everything but debugging?  or just the informational messages?

0 Helpful

liviu.gheorghe
Spotlight
Spotlight

‎02-18-2024 05:01 AM

Using Ububtu as a syslog server, I did the following:

1. In /etc/rsyslog.conf, you should have a line at the end of the file

$IncludeConfig /etc/rsyslog.d/*.conf

2. In /etc/rsyslog.d/ create a file named 25-cisco.conf with the following content:

#Logging messages from FPR appliance
if $fromhost-ip startswith '172.25.25.200' then /var/log/cisco/fpr.log
& stop
if $fromhost-ip startswith '172.25.25.199' then /var/log/cisco/fpr.log
& stop
#Logging messages from Catalyst 9200 switch
if $fromhost-ip startswith '172.25.25.202' then /var/log/cisco/cat9200.log
& stop
#Logging messages from ISR1111
if $fromhost-ip startswith '192.168.1.1' then /var/log/cisco/isr.log
& stop
#Logging messages from terminal server
if $fromhost-ip startswith '172.25.25.211' then /var/log/cisco/c2611ts.log
& stop

3. Restart the rsyslog daemon:

sudo systemctl restart rsyslog.service

4. On the devices you configure:

logging host <IP_address>

logging trap <level>

Now you should have in /var/log/cisco/ the individual files for the equipment defined in the file /etc/rsyslog.d/25-cisco.conf

Hope this helps.

Regards, LG
*** Please Rate All Helpful Responses ***
0 Helpful

roncro
Level 3
Level 3
In response to liviu.gheorghe

‎02-18-2024 10:32 AM

thanks,  I tried this earlier:

$template NetworkLogs,"/var/log/network/%HOSTNAME%-messages.log"
 *.* ?NetworkLogs

but apparently the hostname doesn't resolve correctly all the time it seems.

if I set logging trap to "informational"  (severity 6)  does it log everything except debugging?

thanks,

Ron

0 Helpful

roncro
Level 3
Level 3

‎02-18-2024 10:44 AM

btw:  I noticed something "odd".   the router is 192.168.1.1, switch1 is 192.168.1.2 switch2 is 192.168.1.3 and the logging server is 192.168.2.8

the messages from the router seem to be coming from 192.168.2.1 and the switches 192.168.2.2 and 192.168.2.3 according to syslog

Ron

0 Helpful

liviu.gheorghe
Spotlight
Spotlight
In response to roncro

‎02-18-2024 11:00 AM

Can you share the config from the router and one of the switches in order to verify if it's normal or not?

Regards, LG
*** Please Rate All Helpful Responses ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card