Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
815
Views
0
Helpful
4
Replies

Linux Box is not logging CISCO messages

tomaszpopik
Level 1
Level 1

‎12-29-2008 03:09 AM

I have Router 3800 series and Linux box, and cant write CISCO logging to syslog-ng. Can you help me?

I am sure that Cisco is sending messages, look at it:

extranet:/etc/syslog-ng # tcpdump -nn host 192.168.6.5

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

11:53:28.002868 IP 192.168.6.5.56121 > 192.168.1.141.514: SYSLOG local6.notice, length: 79

my Router config is:

logging buffered 128000

no logging rate-limit

no logging console

no logging monitor

logging trap debugging

logging facility local6

logging source-interface Loopback0

logging 192.168.1.141

and my linux box is:

extranet:/etc/syslog-ng # cat syslog-ng.conf

options {

long_hostnames(off);

sync(0);

perm(0640);

stats(3600);

};

source src {

internal();

udp(ip("0.0.0.0") port(514));

};

filter f_router { facility(local6);};

filter f_ROUTER01 { host("192.168.6.5"); };

destination ROUTER01 {

file("/var/log/router");

};

log {

source(src);

filter(f_router);

filter(f_ROUTER01);

destination(ROUTER01);

};

Labels:
0 Helpful
4 Replies 4

Joe Clarke
Cisco Employee
Cisco Employee

‎12-29-2008 09:59 AM

Make sure syslog-ng is running, and that lsof shows that it is the process bound to udp/514. If so, try restarting it. If the inode of /var/log/router changed since syslog-ng was last started, no further messages will be seen.

0 Helpful

tomaszpopik
Level 1
Level 1
In response to Joe Clarke

‎12-30-2008 01:37 AM

I am 100% sure that syslog-ng is runing.

extranet:/etc/syslog-ng # ps aux | grep syslog

root 17031 0.0 0.0 1992 484 ? Ss 10:35 0:00 /sbin/syslog-ng

root 17037 0.0 0.1 1956 656 pts/2 R+ 10:35 0:00 grep syslog

extranet:/etc/syslog-ng #

I have restarted it several times over and over, after each config changes.

extranet:/etc/syslog-ng # lsof | grep syslog

bash 16964 root cwd DIR 8,2 4096 231842 /etc/syslog-ng

syslog-ng 17031 root cwd DIR 8,2 4096 2 /

syslog-ng 17031 root rtd DIR 8,2 4096 2 /

syslog-ng 17031 root txt REG 8,2 141936 685506 /sbin/syslog-ng

syslog-ng 17031 root mem REG 0,0 0 [heap] (stat: No such file or directory)

syslog-ng 17031 root mem REG 8,2 121246 97964 /lib/libpthread-2.5.so

syslog-ng 17031 root mem REG 8,2 1491141 97938 /lib/libc-2.5.so

syslog-ng 17031 root mem REG 8,2 74840 97966 /lib/libresolv-2.5.so

syslog-ng 17031 root mem REG 8,2 94097 97949 /lib/libnsl-2.5.so

syslog-ng 17031 root mem REG 8,2 41349 97968 /lib/librt-2.5.so

syslog-ng 17031 root mem REG 8,2 129767 100968 /lib/ld-2.5.so

syslog-ng 17031 root 0u CHR 1,3 2907 /dev/null

syslog-ng 17031 root 1u CHR 1,3 2907 /dev/null

syslog-ng 17031 root 2u CHR 1,3 2907 /dev/null

syslog-ng 17031 root 3u IPv4 2915091 UDP *:syslog

lsof 17040 root cwd DIR 8,2 4096 231842 /etc/syslog-ng

grep 17041 root cwd DIR 8,2 4096 231842 /etc/syslog-ng

lsof 17042 root cwd DIR 8,2 4096 231842 /etc/syslog-ng

extranet:/etc/syslog-ng #

0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to tomaszpopik

‎12-30-2008 09:31 AM

I see nothing wrong with the device config, and the syslog-ng config looks okay, too. Do you have a packet filter enabled on this box which could be dropping the packets before they make it to syslog-ng?

0 Helpful

tomaszpopik
Level 1
Level 1
In response to Joe Clarke

‎12-31-2008 01:23 AM

Thanx!! It works.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents