Re: Need help with Syslog logging from Cisco 1602 Router

viviotech · ‎03-03-2006

Hello All,

I'm having some issues setting up a syslog server for our old router, which is not currently in use. I'm just testing it out, trying to learn how to do syslog stuff before we go ahead and do it on our main one. So as it is now, the rouer is connected to our network and has an IP address 66.29.152.xx while our syslog server has an IP address of 66.29.152.xx as well. I've set everything up as per the Cisco documentation and still the syslog server does not appear to be retrieving any messages. I've tried power cycling the router to see if I could do anything that would generate some messages but still the syslog server picks up nothing. Logging is turned on in the Cisco configuration and configured as per below:

logging trap debugging

logging facility local3

logging 66.29.152.XX

And a quick check to see if it is indeed logging shows:

1602router#show logging

Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)

Console logging: level debugging, 7 messages logged

Monitor logging: level debugging, 0 messages logged

Buffer logging: disabled

Trap logging: level debugging, 11 message lines logged

Logging to 66.29.152.xx, 11 message lines logged

Is this telling me that messages are being logged that SHOULD be sent to the syslog server?

/etc/hosts on the syslog server contains the line:

66.29.152.xx ( <-- the machine's IP, not the router's IP, yes?) fred fred.domain.net loghost

and /etc/syslog.conf contains the line:

local3.debug (5 tabs here) /var/log/cisco.log

The router is set to broadcast messages to server facililty local3 as shown above in the running-config.

Syslog is running (rebooted it after making changes)

/var/log/cisco.log exists and is writeable.

Still, no matter how long I wait or how many times I reboot the router, /var/log/cisco.log remains an empty file. Is this normal for a router not actually "routing"?. I would think debug messages would be happening even if its not really doing anything (messages in the router's boot sequence, for example).

Anyway, if anyone has some insight on this I'd greatly appreciate the input! Thanks a bunch.

By the way the router IOS is 12.0 and the syslog is running on a Fedora 3 box.

nhabib · ‎03-03-2006

Try using snoop on the Solaris box to see if the syslog messages are making it. The following message indicates that the router sent 11 messages to your server:

Logging to 66.29.152.xx, 11 message lines logged

viviotech · ‎03-03-2006

Thanks for the quick reply. The Fedora machine doesnt seem to have snoop by default...is there a place I can download it? Or is there another way to accomplish the same thing?

thanks again,

Andrew

Edit: It appears that TCP dump accomplishes the same thing. I'm going to check that out.

nhabib · ‎03-03-2006

Sorry, I thought you were on a Solaris server.

Yes, TCP dump would be equivalent to snoop.

viviotech · ‎03-03-2006

No problem. Sounds like something is happening. Here's what I get when I run tcpdump on the Fedora box. (sweetgum is the domain associated with our router's IP)

[root@spruce ~]# tcpdump host 66.29.152.XX

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

10:32:27.948283 arp reply sweetgum.viviotech.net is-at 00:10:7b:f2:1c:7d

10:33:33.433584 arp reply sweetgum.viviotech.net is-at 00:10:7b:f2:1c:7d

10:33:37.382467 arp reply sweetgum.viviotech.net is-at 00:10:7b:f2:1c:7d

10:33:37.638199 arp reply sweetgum.viviotech.net is-at 00:10:7b:f2:1c:7d

10:33:37.725663 arp who-has spruce tell sweetgum.viviotech.net

10:33:37.725715 arp reply spruce is-at 00:80:1e:17:35:bc

10:33:38.725516 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 74

10:33:38.725644 IP spruce > sweetgum.viviotech.net: icmp 110: spruce udp port syslog unreachable

10:33:38.727998 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 74

10:33:38.728054 IP spruce > sweetgum.viviotech.net: icmp 110: spruce udp port syslog unreachable

10:33:38.733835 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 104

10:33:38.733909 IP spruce > sweetgum.viviotech.net: icmp 140: spruce udp port syslog unreachable

10:33:38.736419 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 104

10:33:38.736474 IP spruce > sweetgum.viviotech.net: icmp 140: spruce udp port syslog unreachable

10:33:38.738774 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 76

10:33:38.738831 IP spruce > sweetgum.viviotech.net: icmp 112: spruce udp port syslog unreachable

10:33:38.741118 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 61

10:33:38.741175 IP spruce > sweetgum.viviotech.net: icmp 97: spruce udp port syslog unreachable

10:33:38.743356 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 53

10:33:38.745531 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 89

10:33:38.747446 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 54

10:33:38.749445 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 45

10:33:38.751614 IP sweetgum.viviotech.net.58584 > spruce.syslog: UDP, length 101

10:33:40.842456 IP sweetgum.viviotech.net.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:10:7b:f2:1c:7d, length: 576

10:33:43.724156 arp who-has sweetgum.viviotech.net tell spruce

10:33:43.726220 arp reply sweetgum.viviotech.net is-at 00:10:7b:f2:1c:7d

10:33:55.722709 IP sweetgum.viviotech.net.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:10:7b:f2:1c:7d, length: 576

10:34:10.602929 IP sweetgum.viviotech.net.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:10:7b:f2:1c:7d, length: 576

10:34:25.483241 IP sweetgum.viviotech.net.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:10:7b:f2:1c:7d, length: 576

I'm assuming this is good...so where would I go from here?

thanks again!

Andrew

nhabib · ‎03-03-2006

This is good, it proves there is traffic between the router and server.

Try to specify port 514 in the tcpdump command, that would display only syslog traffic.

Richard Burts · ‎03-03-2006

It looks to me like tcpdump confirms that the router is sending syslog to the server. I notice many of these messages:

spruce > sweetgum.viviotech.net: icmp 97: spruce udp port syslog unreachable

and it looks to me as if server spruce is not listening on the syslog port. I think that points to some configuration issue on spruce.

HTH

Rick

HTH

Rick

viviotech · ‎03-06-2006

Hey guys,

I just wanted to write in to let those of you who helped know that I got it working. Thank you all for your help. I did a few things, just for the record:

1) added syslog (514/udp) to my services file.

2) opened up udp 514 in my iptables file (firewall)

3) added source net { udp(ip(IP.OF.CISCO.ROUTER) port(514)); }; to the top of my syslog.conf file.

4) rebooted syslog with the -r command, which tells it to listen on the network (this is off by default, a security measure)

5) then used tcpdump again to check for errors...and they were gone! Sure enough, /var/log/cisco.log had some messages in there that I was able to generate by rebooting the router.

thanks all for the help.

Andrew