How to capture logging messages on a 2821 router?

Answered Question
May 2nd, 2008

How do I direct logging data from the 2821 router to be stored on a workstation? I have downloaded Kiwi Syslog Daemon on to the workstation, however, logging is not captured. The command for the syslog server was configured on the router. Thanks


Correct Answer
Jon Marshall Fri, 05/02/2008 - 08:30
Said


As a bare minimum you need to configure on the router


logging host <ip-address-of-syslog-server>

logging trap <level>


where level is a value between 1 & 7. 7 is debugging and will send the most messages to your syslog server and 1 is alerts.


To test you could set it up as informational (6) and save the config on your router. This should generate a syslog message to your syslog server.


Jon

saidfrh Fri, 05/02/2008 - 08:57

Jon,

Does logging Informational (6) include all logging messages from severity 1-6?

Thanks.

Said

Jon Marshall Fri, 05/02/2008 - 08:59
Said


Yes it does. Each level includes level 1 to that level.


Once you have got it working, generally level 4 (warnings) or level 3 (errors) is a good one to use.


Jon

saidfrh Fri, 05/02/2008 - 09:12

Jon,

On the Kiwi Syslog Setup > Listen for UDP Syslog messages > Data Encoding, there is a drop-down menu: System, Other, ANSI, UTF-8, Shift-JIS, EUC-JP, BIG5 and Chinese. System is the default. Is this OK?

Still have not received any logging messages on the Kiwi Syslog daemon.

Jon Marshall Fri, 05/02/2008 - 09:16
Said


Haven't used Kiwi for a long time, but I don't remember having to do anything special with the encoding.


You can ping your syslog server from the router?


If you have a packet sniffer, e.g. Ethereal, you can run this on the same machine as Kiwi Syslog and see if the machine is receiving packets from the router.


Jon

saidfrh Fri, 05/02/2008 - 09:32

I must have deactivated the echo feature on the router. Ping (Syslog server's IP) results in "% Unrecognized host or address, or protocol not running." The config of the production router was copied to a 2621 lab router with modifications. Do you know how to enable echo on the lab router?

Jon Marshall Fri, 05/02/2008 - 09:38
Said


What are you actually typing in when you try to ping? Can you post the full command line you are using?


Jon

saidfrh Fri, 05/02/2008 - 09:57

How do you set the con 0 password to the enable secret password?


Sorry to deviate.

Jon Marshall Fri, 05/02/2008 - 10:00
Presuming you know the enable secret password


router(config)# line con 0

router(config-line)# password 0 <password>


Jon

saidfrh Fri, 05/02/2008 - 11:25

Jon,

The following command still reverts to the type 7 password.


router(config)# line con 0

router(config-line)# password 0 <password>

saidfrh Fri, 05/02/2008 - 09:44

Jon,

I set up the lab router today, forgot to copy the run config to start, turned off the router. I give the fa0/0 int on the lab router an address on same subnet on our LAN. A straight through cable connects the lab router to the LAN. I can ping the lab router from a workstation, yet I can not ping the workstation from the router. So on a lab router replicating the production router requires its own separate network, yes?

Jon Marshall Fri, 05/02/2008 - 09:53
As long as your lab router is using a unique IP address out of the LAN range you should be fine.


Perhaps you could post the addressing etc. Can you also check if you have an access-list applied to the fa0/0 interface.


Jon

saidfrh Fri, 05/02/2008 - 10:13

Jon,

Thanks for your help. I have to read up on Kiwi Syslog Daemon to know how to use it.

Regards.

Said

Jon Marshall Fri, 05/02/2008 - 10:21
Said


No problem. If I get the time I will have a look as well to make sure there isn't something obvious we are missing.


Appreciate the rating.


Jon

saidfrh Fri, 05/02/2008 - 10:07

Jon,

On the production router, provided the following commands. Still nothing displays on the syslog server.

logging host 192.168.1.180

logging trap 6

exit

copy run start


saidfrh Fri, 05/02/2008 - 13:16

I have included the following statements.


logging on

logging host 192.168.1.180 [workstation/syslog computer]

logging trap 6

exit

copy run start



saidfrh Fri, 05/02/2008 - 13:20

I prefer to send the router's logs to a separate computer to accept and store the logs. So far, I have not been successful in configuring Kiwi Syslog Daemon to accept the messages from the router.

saidfrh Fri, 05/02/2008 - 14:15

Yes, Windows firewall is running on the syslog host.

saidfrh Fri, 05/02/2008 - 14:29

UDP/514 was added to exceptions, still no messages. Are you familiar with setting Kiwi Syslog?

saidfrh Fri, 05/02/2008 - 14:30

I can ping from the Syslog computer to the router.

saidfrh Sun, 05/11/2008 - 16:47

Hi Jon,

I got Kiwi Syslog working. The following are from syslogs on the ASA5510 firewall. Do the two messages look right to you?


07:40:25: %ASA-4-419002: Duplicate TCP SYN from Inside: 192.168.1.170/3229 to outside:82.42.69.140/4219 with different initial sequence number


(I can not find who has IP 192.168.1.170. Trend Micro shows no one on the LAN with .170.)


ASA-4-313005 : No matching connection for ICMP error message: icmp src outside: 76.189.113.82 dst inside: 207.105.y.x (type 3, code 1) on outside interface: Original payload: udp src 207.105.y.x/3919 dst 192.168.1.100/49593


Thanks.

Said
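
Added example, not part of the original thread: a receiver-side check in Python for the two points the thread turns on, whether datagrams from the router reach UDP/514 on the workstation at all, and which severities a given `logging trap` level lets through. The function names and the PRI values in the samples are constructed for illustration; the ASA text is the first message quoted above.

```python
import re
import socket

# Severity names accepted by "logging trap"; a lower number is more severe.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
PRI_RE = re.compile(r"^<(\d{1,3})>")
# Cisco tag, e.g. %SYS-5-CONFIG_I or %ASA-4-419002: facility-severity-code
TAG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):\s*(.*)", re.S)

def parse_syslog(datagram: bytes) -> dict:
    """Decode one UDP syslog datagram into its PRI and Cisco tag fields."""
    text = datagram.decode("utf-8", errors="replace").strip()
    rec = {"pri_facility": None, "pri_severity": None, "tag": None,
           "severity": None, "code": None, "text": text}
    pri = PRI_RE.match(text)
    if pri and int(pri.group(1)) <= 191:          # PRI = facility * 8 + severity
        rec["pri_facility"], rec["pri_severity"] = divmod(int(pri.group(1)), 8)
    tag = TAG_RE.search(text)
    if tag:
        rec.update(tag=tag.group(1), severity=int(tag.group(2)),
                   code=tag.group(3), text=tag.group(4))
    return rec

def sent_at_trap_level(severity: int, trap_level: int) -> bool:
    """The sender forwards a message when its severity number <= the trap level."""
    return severity <= trap_level

def listen(bind_ip="0.0.0.0", port=514, count=5, timeout=60.0):
    """Print the next `count` datagrams: proves whether packets arrive at all."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        sock.settimeout(timeout)
        for _ in range(count):
            data, (src, _port) = sock.recvfrom(4096)  # raises socket.timeout if silent
            rec = parse_syslog(data)
            sev = rec["severity"] if rec["severity"] is not None else rec["pri_severity"]
            name = SEVERITIES[sev] if sev is not None else "unknown"
            print(f"{src} [{name}] {rec['tag']}-{rec['code']}: {rec['text']}")

# Constructed datagrams: the PRI values and the IOS line are made up for this
# example; the ASA text is the first message quoted in the thread.
SAMPLES = [
    b"<189>41: *May  2 09:12:01.003: %SYS-5-CONFIG_I: Configured from console by console",
    b"<164>07:40:25: %ASA-4-419002: Duplicate TCP SYN from Inside: 192.168.1.170/3229 "
    b"to outside:82.42.69.140/4219 with different initial sequence number",
]
```

Calling `listen()` on the syslog workstation, with no other daemon bound to UDP/514, separates a network or firewall problem (the call times out) from a syslog daemon configuration problem (datagrams are printed).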
