Alert on Logging Failure

tearl42 · ‎04-08-2009

Greetings to all,

I'm in a situation that I need to know when syslog fails on a device. Since this is a UDP message I'm not sure how to "monitor" this...

Anyone have any ideas?

Thanks,

Tom

mchin345 · ‎04-14-2009

Link between the syslog server & device fails then syslog message fails. Syslog: If the router is set up to send logs to a syslog server, you will see some information on what happened before the crash on the syslog server. However, when the router is crashing, it may not be able to send the most useful information to this syslog server. So most of the time, syslog output is not very useful for troubleshooting crashes.

tearl42 · ‎04-14-2009

Yep, totally agree and understand, but most or less I have customer that part of their security requirement is if a device stops logging they want to know about it.

The only thing that I can think of is writing a script to sent a syslog message back to the syslog server and if it receives it then great. If not then alarm or try again then alarm... I was hoping that someone else might have this requirement too.

Thanks for responding...

Tom

yjdabear · ‎04-14-2009

Pre-12.4T, set up an IP SLA monitor performing ICMP path echo (ping) against the syslog server, then have an EEM policy fire off heartbeat syslog (action_syslog) loosely according that. With 12.4T, send the same heartbeat syslog from IOS tclsh using the opaque write-only file system. Then it's up to the log-watcher software on the syslog server to "monitor" who's checked in and who's not.

scott.lorenzen · ‎09-23-2009

What kind of device? Windows Server or Linux appliance? With windows you can setup a script to notify you if the service stops and I bet there is cron job that could also be scripted for Linux