Cisco Catalyst 3500 XL syslog server

Answered Question
Mar 4th, 2008

Hi!


I need some help with how to configure a 3500 Catalyst switch to log everything (logging trap 6) to a syslog server. This switch has some commands and VLANs configured since earlier (not by me).


Please explain the following lines for me:

logging facility syslog (what does this line do?)

logging source-interface VlanXX (is this the only vlan logged for traffic?)

logging 192.168.30.40 (this I do get. IP of the syslog server :)


I tried to make an access-list but the switch converted 192.168.30.250 to 0.0.0.250 after saving config. How come?


access-list 103 permit tcp 0.0.0.250 255.255.255.0 0.0.0.40 255.255.255.0 eq cmd


How should this look if only port 514 (default syslog port) should be allowed from switch IP 192.168.30.250 to syslog server 192.168.30.40?

Both are on vlan30.


interface Vlan30

ip address 192.168.30.250 255.255.255.0

ip access-group 103 in


I hope I got everything cleared up... if not, please say so!


Cheers!


Mattias




Overall Rating: 4.8 (3 ratings)
lamav Tue, 03/04/2008 - 06:48

Mattias:


Cisco routers have the ability to log event messages to a console port, a local buffer stored in NVRAM, a syslog server, or to an SNMP server running on a remote NMS station.


Console logging is automatically enabled, but logging messages can only be viewed by a terminal that is directly connected to the console port, unless the terminal monitor command is issued at the Router# prompt during a telnet session.


To enable logging on a router you can use the following commands or customize them for your purposes:


Router(config)# logging on

(enables logging to non-console connections)



Router(config)# logging source-interface loopback0

(sources logging traffic to the loopback interface)


Router(config)# logging buffered 16000

(enables logging to local NVRAM and sets log size to 16K bytes)


Router(config)# logging host

(Repeat for multiple syslog servers)


Router(config)# logging origin-id hostname

(Tells router to include its hostname when sending log messages to a syslog server)


Then you ask:


Please explain the following lines for me:


logging facility syslog


This is a command that is typically used with UNIX-based syslog servers. Most UNIX servers expect syslog messages to arrive with a facility id of 20.

logging source-interface VlanXX


This command tells the network device to place a particular interface's IP address in the source-address field of the IP datagram. Remember that the logging traffic is created by the router itself, so it has to select a source IP address. If you don't specify which source address to use, it will automatically select the interface address of the interface from which the logging traffic exits.


"I tried to make an access-list but the switch converted 192.168.30.250 to 0.0.0.250 after saving config. How come?


access-list 103 permit tcp 0.0.0.250 255.255.255.0 0.0.0.40 255.255.255.0 eq cmd"


Why do you want to create an access-list? You don't need it at all. By default, an interface allows all traffic in and out. Once you apply an access-list to an interface, it will permit or deny traffic according to its rules.


The reason the router changed the structure of the access list in the way it did was that you configured it incorrectly. What I bet you did was use a subnet mask instead of a wildcard mask.


This is the correct syntax for an IP access list:


access-list access-list-number [dynamic dynamic-name [timeout minutes]]
{deny | permit} protocol source source-wildcard
destination destination-wildcard [precedence precedence]
[tos tos] [log | log-input] [time-range time-range-name]


HTH


If so, please rate my post.


Victor
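
Added example (not part of the original thread): a short Python sketch of the wildcard-mask arithmetic behind the 192.168.30.250 to 0.0.0.250 rewrite discussed above. Bits set in the wildcard are "don't care" bits, so they are cleared from the stored address. The function names are made up for this illustration.

```python
import ipaddress

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))

def stored_address(addr: str, wildcard: str) -> str:
    """Address as saved in the ACL entry: every bit that is 1 in the
    wildcard is ignored when matching, so it is zeroed in the address."""
    return _dotted(_ip(addr) & ~_ip(wildcard))

def netmask_to_wildcard(netmask: str) -> str:
    """A wildcard mask is the bitwise inverse of a subnet mask."""
    return _dotted(~_ip(netmask))

def acl_matches(packet_ip: str, acl_addr: str, wildcard: str) -> bool:
    """True if packet_ip matches the ACL address on all 'care' bits."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(packet_ip) & care) == (_ip(acl_addr) & care)

if __name__ == "__main__":
    # The entry from the thread: a subnet mask typed where a wildcard belongs.
    print(stored_address("192.168.30.250", "255.255.255.0"))   # 0.0.0.250
    print(stored_address("192.168.30.40", "255.255.255.0"))    # 0.0.0.40
    # That entry only compares the last octet, so any x.x.x.250 source matches.
    print(acl_matches("10.1.2.250", "0.0.0.250", "255.255.255.0"))  # True
    # The mask that was probably intended for the /24:
    print(netmask_to_wildcard("255.255.255.0"))                 # 0.0.0.255
    # A single host is wildcard 0.0.0.0 (all bits must match).
    print(acl_matches("192.168.30.251", "192.168.30.250", "0.0.0.0"))  # False
```

With the mask as typed, the entry is far broader than intended: it matches any source whose last octet is 250 and any destination whose last octet is 40, regardless of network.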

mattias@netbin.se Wed, 03/05/2008 - 04:46

Thanks for the quick reply, Victor!


I still have some issues. When I run the sh logging command I only see old events like interfaces going up and down. This is normal, I guess?! But since I started to configure the switch I only see changes made by console.


(023439: .Feb 19 11:40:59: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/23, changed state to down
023440: .Feb 19 11:41:01: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to up
023441: .Feb 19 11:41:01: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/23, changed state to up
023442: .Feb 19 11:41:02: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/23, changed state to up
023443: .Feb 19 11:41:02: %LINEPROTO)


I still don't get any syslogs sent to my GFI EventsManager (Windows application) (UDP 514). I have a firewall that sends syslogs, so the server is working. Attached is the running config.


Thanks in advance!







Correct Answer
lamav Wed, 03/05/2008 - 08:31

Mattias:


"I still have some issues. When I run the sh logging command I only see old events like interfaces going up and down."


This is normal. Clear the log with the clear log command to get rid of the old messages.


"But since I started to configure the switch I only see changes made by console."


As mentioned in my previous post, logging to the console is on by default. So, if you make a configuration change or an event occurs, a logging message will be sent to the console automatically. If your terminal is directly connected to the device's console port, you will see them. If you are Telnet'ed into the device, you will have to enter the term mon command to see the messages for that session. Once you log out of the device, the effect of the term mon command ends.


"I still don't get any syslogs sent to my GFI EventsManager (Windows application) (UDP 514)"


Do you have any filtering device between your switch and the syslog server?


Are you able to PING the syslog server from your switch?


Also, enable logging with the logging on command, as shown above.


HTH


Victor

mattias@netbin.se Thu, 03/06/2008 - 00:04

Hi!


I can ping from the switch to the logging host. "Logging on" was the first thing I set after specifying "logging host". Hmm, feels like I've done it right... could you find something fishy in my supplied config file?


KR


Mattias

mattias@netbin.se Thu, 03/06/2008 - 00:24

Hi again...


Should I see the logging level when I show the running config? I know I have it set to logging trap 6 but I can't see it in the config....


This is what is sent to syslog server now:


Raw message: <45>32741: 023483: .Mar 6 08:06:57: %SYS-5-CONFIG_I: Configured from console by console


Message Origin Details:

Date: 2008-03-06

Time: 09:14:26

Source computer: 192.168.xxx.xxx

Facility: Messages generated internally by syslogd

Severity: Notice

Rule Name: N/A

Internal Event ID: 529FC609F386416DBC92FC1912A1E404

-------------------


Looks like it works fine now but there is almost nothing to see in the logs. If I remember correctly (?!) interfaces are going up and down almost all the time (or is that mostly common on firewalls?).


Thanks again for professional help!


Cheers!
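
Added example (not part of the original thread): a small Python parser for the raw message shown above. It decodes the `<45>` priority value into facility and severity, which is where the server's "Facility: Messages generated internally by syslogd" and "Severity: Notice" come from, and checks the severity against a `logging trap` level. The regular expression and function names are assumptions made for this illustration, and the second sample line is constructed.

```python
import re

# Cisco IOS names for syslog severities 0-7.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]
# RFC 3164 facility codes used here; 16-23 are local0-local7.
FACILITY = {5: "syslog", **{16 + i: f"local{i}" for i in range(8)}}

MSG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:\d+: ){0,2}"                      # optional message counters
    r"(?P<clock>[.*]?)"                    # IOS marker in front of the time
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")

def parse(raw: str) -> dict:
    m = MSG.match(raw.strip())
    if m is None:
        raise ValueError("not a Cisco-style syslog line")
    # PRI = facility * 8 + severity
    facility, severity = divmod(int(m["pri"]), 8)
    return {
        "facility": FACILITY.get(facility, str(facility)),
        "severity": severity,
        "severity_name": SEVERITY[severity],
        "ios_tag": f'{m["fac"]}-{m["sev"]}-{m["mnemonic"]}',
        "timestamp": m["ts"],
        "clock_flag": m["clock"],          # "." or "*": clock not synchronized / not set
        "pri_matches_tag": severity == int(m["sev"]),
        "text": m["text"],
    }

def sent_at_trap(severity: int, trap_level: int) -> bool:
    """A message goes to the syslog host if its severity number is at or
    below the configured trap level (lower number = more severe)."""
    return severity <= trap_level

# Raw message quoted in the post above.
SAMPLE = ("<45>32741: 023483: .Mar 6 08:06:57: %SYS-5-CONFIG_I: "
          "Configured from console by console")
# Constructed line: same event shape sent with facility local7 (PRI 23*8+3).
CONSTRUCTED = "<187>101: *Mar 1 00:00:10: %LINK-3-UPDOWN: Interface Fa0/1, changed state to up"

if __name__ == "__main__":
    for line in (SAMPLE, CONSTRUCTED):
        rec = parse(line)
        print(rec["facility"], rec["severity_name"], rec["ios_tag"],
              sent_at_trap(rec["severity"], 6))
```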
