cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12969
Views
15
Helpful
10
Replies

Logging traps

Fotiosmark
Level 1
Level 1

Hello,

 

If someone can assist with a question about logging server.

I managed to build a Server that Captures syslog from router (not in the same network)

What I am basically trying to do is to Capture the Debug information to sent to my server. Now it only sents if links are up and down, and all the commands the users are typing in the router.

Can someone assist?

I know that logs the keys on router

***************************

archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
***********************************

Also can I sent my IP SLA to my syslog server?

 

ip sla reaction-configuration 1 react timeout threshold-type immediate action-type trapAndTrigger
ip sla schedule 1 start-time now
logging history notifications
logging trap debugging
logging facility syslog
logging source-interface Vlan1
logging "publicIP"
logging host publicIP transport udp port 161

It won't sent the debug info to syslog server :( anyony?

10 Replies 10

Mark Malone
VIP Alumni
VIP Alumni
You have the correct commands in place , trap debugging and pointing to your external server , the server is reachable from the router yes ? nwhat debugging is enabled locally and do you see it in buffer too ? try logging on too in cli

Hi and thank you for the quick responce.

Well I assume it is working since I receive on my Remote Server messages from Syslog but only the commands the users are typing, and also link up/down.

I enabled debug crypto isakamp (only for test purposes) since ther are allot of new Syslog messages on tunnels, but nothing reach to server.

The only thing that reached on server are the  %PARSER-5-CFGLOG_LOGGEDCMD:

 

I cant understand why the Parsers are reaching the server but not the Debugs.

maybe SNMP server needs to be enabled? This is were I am confused also, is Logging host ****

same as SNMP server?

snmp-server community key  RW
snmp-server community key  RO
snmp-server trap-source Dialer0
snmp-server contact ******** IT Services
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps syslog
snmp-server host PublicIP version 2c key
snmp-server host PublicIP key
!

Also I did a debug snmp packets and reachability seems to be on place.

 

*Jun 14 21:19:52.585: SNMP: Packet sent via UDP to PublicIPServer
*Jun 14 21:19:52.673: %SYS-5-CONFIG_I: Configured from console by mnemonic on vty0 (91.138.192.1)
*Jun 14 21:19:52.677: SNMP: Queuing packet to PublicIPServer
*Jun 14 21:19:52.677: SNMP: V2 Trap, reqid 257, errstat 0, erridx 0
 sysUpTime.0 = 32851331
 snmpTrapOID.0 = ciscoSyslogMIB.2.0.1
 clogHistoryEntry.2.175 = SYS
 clogHistoryEntry.3.175 = 6
 clogHistoryEntry.4.175 = CONFIG_I
 clogHistoryEntry.5.175 = Configured from console by mnemonic on vty0 (PublicIPSource)
 clogHistoryEntry.6.175 = 32851331
*Jun 14 21:19:52.713: SNMP: Queuing packet to PublicIPServer
*Jun 14 21:19:52.713: SNMP: V1 Trap, ent ciscoSyslogMIB.2, addr PublicIP, gentrap 6, spectrap 1
 clogHistoryEntry.2.175 = SYS
 clogHistoryEntry.3.175 = 6
 clogHistoryEntry.4.175 = CONFIG_I
 clogHistoryEntry.5.175 = Configured from console by key on vty0 (PublicIPServer)
 clogHistoryEntry.6.175 = 32851331
*Jun 14 21:19:52.837: SNMP: Packet sent via UDP to PublicIPServer
*Jun 14 21:19:53.089: SNMP: Packet sent via UDP to PublicIPServer
*Jun 14 21:19:53.341: SNMP: Packet sent via UDP to PublicIPServer
*Jun 14 21:19:53.593: SNMP: Packet sent via UDP to PublicIPServer

snmp is separate from syslog , shouldn't be required , i send all my syslogs to splunk and i have some on debugging with what you have setup

https://slaptijack.com/networking/send-cisco-debug-messages-to-syslog/

could it be that there is no SNMP service Feauture Installed on the server but only SNMP Trap Enabled on Services?

maybe im wrong here but my understanding of snmp and syslog is there 2 independent trapping features but syslog can be a lot more granular and they did not require each other to work , i am starting to think though it could be something on server side as the config is in place and you know both can talk to each other as some logs are appearing but you could try just set the logging without the udp and transport too , try slim config down


This is all you really need

logging trap debugging
logging source-interface Vlan1
logging host x.x.x.x

excellent I ll try it! if not I will try another syslog server to see its behavior. I too am guessing its on the server side :)

from tests I made, server is listening for some reason only to 161 port and not 514(syslog) so once I configure logging host ***** transport udp 514, it is going to sent the Parsel msgs and the linkdown / linkup but no debug. it must be something to do with the software that I am using.

Well least its narrowed down now you know what it is , there is a few free ones online , i have heard PRTG is very good but takes a bit to setup , we use splunk but its not cheap

 

is there no way to force the server to listen to 514 for syslog or what about make it listen on say another port 600 and then set the router as logging host x.x.x.x transport udp 600

 

https://www.ittsystems.com/best-free-syslog-server-windows/

thats funny! I have that problem with PRTG ! It gets only the messages of what users are typing and not particular Debugs such as Crypto isakmp. I go to the settings on the sensor and I can change the port there.
It works only for what users are typing. I am using PRTG in a remote location so I did Port Forwarding through the router on all snmp and sylog ports.
Review Cisco Networking for a $25 gift card