
Logging traps

Fotiosmark
Level 1

Hello,

 

If someone can assist with a question about logging server.

I managed to build a Server that Captures syslog from router (not in the same network)

What I am basically trying to do is to capture the Debug information to send to my server. Now it only sends if links are up and down, and all the commands the users are typing in the router.

Can someone assist?

I know that logs the keys on router

***************************

archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
***********************************

Also can I send my IP SLA to my syslog server?

 

ip sla reaction-configuration 1 react timeout threshold-type immediate action-type trapAndTrigger
ip sla schedule 1 start-time now
logging history notifications
logging trap debugging
logging facility syslog
logging source-interface Vlan1
logging "publicIP"
logging host publicIP transport udp port 161

It won't send the debug info to syslog server :( anyone?

10 Replies

Mark Malone
VIP Alumni
You have the correct commands in place, trap debugging and pointing to your external server. The server is reachable from the router, yes? What debugging is enabled locally, and do you see it in the buffer too? Try logging on too in CLI.

Hi and thank you for the quick response.

Well I assume it is working since I receive on my Remote Server messages from Syslog but only the commands the users are typing, and also link up/down.

I enabled debug crypto isakmp (only for test purposes) since there are a lot of new Syslog messages on tunnels, but nothing reaches the server.

The only things that reached the server are the %PARSER-5-CFGLOG_LOGGEDCMD:

 

I can't understand why the Parsers are reaching the server but not the Debugs.

Maybe SNMP server needs to be enabled? This is where I am confused also: is Logging host **** the same as SNMP server?

snmp-server community key  RW
snmp-server community key  RO
snmp-server trap-source Dialer0
snmp-server contact ******** IT Services
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps syslog
snmp-server host PublicIP version 2c key
snmp-server host PublicIP key
!

Also I did a debug snmp packets and reachability seems to be in place.

 

*Jun 14 21:19:52.585: SNMP: Packet sent via UDP to PublicIPServer
*Jun 14 21:19:52.673: %SYS-5-CONFIG_I: Configured from console by mnemonic on vty0 (91.138.192.1)
*Jun 14 21:19:52.677: SNMP: Queuing packet to PublicIPServer
*Jun 14 21:19:52.677: SNMP: V2 Trap, reqid 257, errstat 0, erridx 0
 sysUpTime.0 = 32851331
 snmpTrapOID.0 = ciscoSyslogMIB.2.0.1
 clogHistoryEntry.2.175 = SYS
 clogHistoryEntry.3.175 = 6
 clogHistoryEntry.4.175 = CONFIG_I
 clogHistoryEntry.5.175 = Configured from console by mnemonic on vty0 (PublicIPSource)
 clogHistoryEntry.6.175 = 32851331
*Jun 14 21:19:52.713: SNMP: Queuing packet to PublicIPServer
*Jun 14 21:19:52.713: SNMP: V1 Trap, ent ciscoSyslogMIB.2, addr PublicIP, gentrap 6, spectrap 1
 clogHistoryEntry.2.175 = SYS
 clogHistoryEntry.3.175 = 6
 clogHistoryEntry.4.175 = CONFIG_I
 clogHistoryEntry.5.175 = Configured from console by key on vty0 (PublicIPServer)
 clogHistoryEntry.6.175 = 32851331
*Jun 14 21:19:52.837: SNMP: Packet sent via UDP to PublicIPServer
*Jun 14 21:19:53.089: SNMP: Packet sent via UDP to PublicIPServer
*Jun 14 21:19:53.341: SNMP: Packet sent via UDP to PublicIPServer
*Jun 14 21:19:53.593: SNMP: Packet sent via UDP to PublicIPServer

SNMP is separate from syslog, shouldn't be required. I send all my syslogs to Splunk and I have some on debugging with what you have set up.

https://slaptijack.com/networking/send-cisco-debug-messages-to-syslog/

Could it be that there is no SNMP service Feature installed on the server but only SNMP Trap enabled on Services?

Maybe I'm wrong here, but my understanding of SNMP and syslog is they're 2 independent trapping features, but syslog can be a lot more granular, and they do not require each other to work. I am starting to think though it could be something on the server side, as the config is in place and you know both can talk to each other as some logs are appearing. But you could try just setting the logging without the udp and transport too; try to slim the config down.


This is all you really need

logging trap debugging
logging source-interface Vlan1
logging host x.x.x.x

Excellent, I'll try it! If not I will try another syslog server to see its behavior. I too am guessing it's on the server side :)

From tests I made, the server is listening for some reason only to port 161 and not 514 (syslog), so once I configure logging host ***** transport udp 514, it is going to send the Parser msgs and the linkdown / linkup but no debug. It must be something to do with the software that I am using.

Well, at least it's narrowed down now you know what it is. There are a few free ones online; I have heard PRTG is very good but takes a bit to set up. We use Splunk but it's not cheap.

 

Is there no way to force the server to listen on 514 for syslog, or what about making it listen on, say, another port 600 and then setting the router as logging host x.x.x.x transport udp 600?

 

https://www.ittsystems.com/best-free-syslog-server-windows/

That's funny! I have that problem with PRTG! It gets only the messages of what users are typing and not particular Debugs such as Crypto isakmp. I go to the settings on the sensor and I can change the port there.
It works only for what users are typing. I am using PRTG in a remote location so I did Port Forwarding through the router on all snmp and syslog ports.
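
Added example, not part of the thread or any poster's code: a small Python check to run on the collector host to see which syslog severities actually arrive on a UDP port, which separates a router-side problem from a filter in the collector software. The sample datagrams are constructed, and their PRI values assume the `logging facility syslog` line from the original post (facility 5).

```python
import re
import socket
from collections import Counter

SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")
# IOS system messages carry %FACILITY-SEVERITY-MNEMONIC; debug output usually does not.
MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")

def parse(datagram: bytes):
    """Return (facility, severity_name, mnemonic or None), or None if not syslog."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:      # 191 = facility 23, severity 7
        return None
    facility, severity = divmod(int(m.group(1)), 8)   # PRI = facility * 8 + severity
    text = datagram[m.end():].decode("utf-8", "replace")
    tag = MNEMONIC_RE.search(text)
    return facility, SEVERITIES[severity], tag.group(0).rstrip(":") if tag else None

def summarize(datagrams):
    """Count messages per severity; anything without a valid PRI is 'unparsed'."""
    counts = Counter()
    for d in datagrams:
        parsed = parse(d)
        counts[parsed[1] if parsed else "unparsed"] += 1
    return counts

def listen(port=514, host="0.0.0.0", limit=100):
    """Print source and parsed severity for `limit` datagrams.
    Binding to 514 needs elevated privileges and a stopped collector service."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, port))
        for _ in range(limit):
            data, (src, _sport) = s.recvfrom(8192)
            print(src, parse(data))

# Constructed sample datagrams (not captured from the poster's router).
SAMPLES = [
    b"<45>101: *Jun 14 21:19:52.673: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface Vlan1",
    b"<43>102: *Jun 14 21:19:53.001: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to down",
    b"<47>103: *Jun 14 21:19:53.593: ISAKMP:(0): constructed debug line",
    b"0\x82 not syslog, e.g. an SNMP trap sent to the same port",
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

If `listen()` shows `debug` entries arriving while the collector displays none, the router is sending them and the loss is in the collector's own filtering or port configuration.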