03-03-2006 09:57 AM
Hello All,
I'm having some issues setting up a syslog server for our old router, which is not currently in use. I'm just testing it out, trying to learn how to do syslog stuff before we go ahead and do it on our main one. So as it is now, the router is connected to our network and has an IP address 66.29.152.xx while our syslog server has an IP address of 66.29.152.xx as well. I've set everything up as per the Cisco documentation and still the syslog server does not appear to be retrieving any messages. I've tried power cycling the router to see if I could do anything that would generate some messages but still the syslog server picks up nothing. Logging is turned on in the Cisco configuration and configured as per below:
logging trap debugging
logging facility local3
logging 66.29.152.XX
And a quick check to see if it is indeed logging shows:
1602router#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 7 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: disabled
Trap logging: level debugging, 11 message lines logged
Logging to 66.29.152.xx, 11 message lines logged
Is this telling me that messages are being logged that SHOULD be sent to the syslog server?
/etc/hosts on the syslog server contains the line:
66.29.152.xx ( <-- the machine's IP, not the router's IP, yes?) fred fred.domain.net loghost
and /etc/syslog.conf contains the line:
local3.debug (5 tabs here) /var/log/cisco.log
The router is set to broadcast messages to server facility local3 as shown above in the running-config.
Syslog is running (rebooted it after making changes)
/var/log/cisco.log exists and is writeable.
Still, no matter how long I wait or how many times I reboot the router, /var/log/cisco.log remains an empty file. Is this normal for a router not actually "routing"? I would think debug messages would be happening even if it's not really doing anything (messages in the router's boot sequence, for example).
Anyway, if anyone has some insight on this I'd greatly appreciate the input! Thanks a bunch.
By the way the router IOS is 12.0 and the syslog is running on a Fedora 3 box.
03-03-2006 10:10 AM
Try using snoop on the Solaris box to see if the syslog messages are making it. The following message indicates that the router sent 11 messages to your server:
Logging to 66.29.152.xx, 11 message lines logged
03-03-2006 10:17 AM
Thanks for the quick reply. The Fedora machine doesn't seem to have snoop by default...is there a place I can download it? Or is there another way to accomplish the same thing?
thanks again,
Andrew
Edit: It appears that TCP dump accomplishes the same thing. I'm going to check that out.
03-03-2006 10:28 AM
Sorry, I thought you were on a Solaris server.
Yes, TCP dump would be equivalent to snoop.
03-03-2006 10:35 AM
No problem. Sounds like something is happening. Here's what I get when I run tcpdump on the Fedora box. (sweetgum is the domain associated with our router's IP)
[root@spruce ~]# tcpdump host 66.29.152.XX
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:32:27.948283 arp reply sweetgum.viviotech.net is-at 00:10:7b:f2:1c:7d
10:33:33.433584 arp reply sweetgum.viviotech.net is-at 00:10:7b:f2:1c:7d
10:33:37.382467 arp reply sweetgum.viviotech.net is-at 00:10:7b:f2:1c:7d
10:33:37.638199 arp reply sweetgum.viviotech.net is-at 00:10:7b:f2:1c:7d
10:33:37.725663 arp who-has spruce tell sweetgum.viviotech.net
10:33:37.725715 arp reply spruce is-at 00:80:1e:17:35:bc
10:33:38.725516 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 74
10:33:38.725644 IP spruce > sweetgum.viviotech.net: icmp 110: spruce udp port syslog unreachable
10:33:38.727998 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 74
10:33:38.728054 IP spruce > sweetgum.viviotech.net: icmp 110: spruce udp port syslog unreachable
10:33:38.733835 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 104
10:33:38.733909 IP spruce > sweetgum.viviotech.net: icmp 140: spruce udp port syslog unreachable
10:33:38.736419 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 104
10:33:38.736474 IP spruce > sweetgum.viviotech.net: icmp 140: spruce udp port syslog unreachable
10:33:38.738774 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 76
10:33:38.738831 IP spruce > sweetgum.viviotech.net: icmp 112: spruce udp port syslog unreachable
10:33:38.741118 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 61
10:33:38.741175 IP spruce > sweetgum.viviotech.net: icmp 97: spruce udp port syslog unreachable
10:33:38.743356 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 53
10:33:38.745531 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 89
10:33:38.747446 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 54
10:33:38.749445 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 45
10:33:38.751614 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 101
10:33:40.842456 IP sweetgum.viviotech.net.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:10:7b:f2:1c:7d, length: 576
10:33:43.724156 arp who-has sweetgum.viviotech.net tell spruce
10:33:43.726220 arp reply sweetgum.viviotech.net is-at 00:10:7b:f2:1c:7d
10:33:55.722709 IP sweetgum.viviotech.net.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:10:7b:f2:1c:7d, length: 576
10:34:10.602929 IP sweetgum.viviotech.net.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:10:7b:f2:1c:7d, length: 576
10:34:25.483241 IP sweetgum.viviotech.net.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:10:7b:f2:1c:7d, length: 576
I'm assuming this is good...so where would I go from here?
thanks again!
Andrew
03-03-2006 10:45 AM
This is good, it proves there is traffic between the router and server.
Try to specify port 514 in the tcpdump command, that would display only syslog traffic.
03-03-2006 01:40 PM
It looks to me like tcpdump confirms that the router is sending syslog to the server. I notice many of these messages:
spruce > sweetgum.viviotech.net: icmp 97: spruce udp port syslog unreachable
and it looks to me as if server spruce is not listening on the syslog port. I think that points to some configuration issue on spruce.
HTH
Rick
03-06-2006 05:02 PM
Hey guys,
I just wanted to write in to let those of you who helped know that I got it working. Thank you all for your help. I did a few things, just for the record:
1) added syslog (514/udp) to my services file.
2) opened up udp 514 in my iptables file (firewall)
3) added source net { udp(ip(IP.OF.CISCO.ROUTER) port(514)); }; to the top of my syslog.conf file.
4) rebooted syslog with the -r command, which tells it to listen on the network (this is off by default, a security measure)
5) then used tcpdump again to check for errors...and they were gone! Sure enough, /var/log/cisco.log had some messages in there that I was able to generate by rebooting the router.
thanks all for the help.
Andrew
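The diagnosis Rick made by eye from the tcpdump output (datagrams arriving on the syslog port, answered by ICMP "udp port syslog unreachable"), and the "errors were gone" check Andrew ran after his fix, can both be turned into a small script. The following is an added example and is not code from this thread or from any of the posters; it reads saved tcpdump text (for example from `tcpdump -n udp port 514 > capture.txt` on the receiver, using the port-514 filter suggested above) and classifies it. The three sample captures are constructed to mirror the line shapes seen in the thread, not copied from it; the hostnames and counts in them are made up.

```shell
#!/bin/sh
# Added example, not from the thread: classify a text tcpdump capture of
# syslog traffic the way Rick did by hand. Sample captures below are
# constructed; hostnames and timestamps in them are invented.

# Number of UDP datagrams delivered to the syslog port (udp/514).
# grep -c prints 0 and exits non-zero on no match, so mask the status.
count_syslog_datagrams() {
    grep -c -E '\.syslog: UDP, length [0-9]+$' "$1" || true
}

# Number of ICMP port-unreachable replies for the syslog port. Each one means
# the receiver host got the datagram but nothing was bound to udp/514
# (the daemon is not listening on the network, or the service is not defined).
# A host firewall that silently drops would instead show datagrams with no
# reply at all, so this count cannot distinguish that case by itself.
count_port_unreachable() {
    grep -c -E 'udp port syslog unreachable$' "$1" || true
}

# One-token diagnosis of a capture file.
diagnose_capture() {
    sent=$(count_syslog_datagrams "$1")
    unreach=$(count_port_unreachable "$1")
    if [ "$sent" -eq 0 ]; then
        echo "no-syslog-traffic"       # router not sending, or sending elsewhere
    elif [ "$unreach" -gt 0 ]; then
        echo "receiver-not-listening"  # datagrams arrive, nothing bound to udp/514
    else
        echo "ok"                      # datagrams arrive and are accepted
    fi
}

# Constructed sample captures (shape borrowed from the thread, content invented).
SAMPLE_DIR=$(mktemp -d)
BEFORE_FIX="$SAMPLE_DIR/before.txt"
AFTER_FIX="$SAMPLE_DIR/after.txt"
NO_TRAFFIC="$SAMPLE_DIR/notraffic.txt"

cat > "$BEFORE_FIX" <<'EOF'
10:33:37.725663 arp who-has rcvr tell rtr.example.net
10:33:38.725516 IP rtr.example.net.58584 > rcvr.syslog: UDP, length 74
10:33:38.725644 IP rcvr > rtr.example.net: icmp 110: rcvr udp port syslog unreachable
10:33:38.727998 IP rtr.example.net.58584 > rcvr.syslog: UDP, length 104
10:33:38.728054 IP rcvr > rtr.example.net: icmp 140: rcvr udp port syslog unreachable
10:33:38.733835 IP rtr.example.net.58584 > rcvr.syslog: UDP, length 61
10:33:38.736419 IP rtr.example.net.58584 > rcvr.syslog: UDP, length 53
10:33:40.842456 IP rtr.example.net.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:00:00:00:01, length: 576
EOF

cat > "$AFTER_FIX" <<'EOF'
10:51:02.100001 IP rtr.example.net.58584 > rcvr.syslog: UDP, length 74
10:51:02.100452 IP rtr.example.net.58584 > rcvr.syslog: UDP, length 104
10:51:02.100903 IP rtr.example.net.58584 > rcvr.syslog: UDP, length 61
EOF

cat > "$NO_TRAFFIC" <<'EOF'
10:55:10.000001 arp who-has rcvr tell rtr.example.net
10:55:10.000050 arp reply rcvr is-at 00:00:00:00:00:02
EOF

# Stand-alone usage: print the verdict for each constructed capture.
for f in "$BEFORE_FIX" "$AFTER_FIX" "$NO_TRAFFIC"; do
    echo "$(basename "$f"): $(diagnose_capture "$f")"
done
```

On a live receiver, "receiver-not-listening" points at the daemon side (the network-listening switch, the services entry, or the bind address), while a capture that shows datagrams with neither an accept nor an ICMP reply is the pattern to expect from a packet filter dropping udp/514 silently, so check the firewall rules in that case rather than the daemon.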