Can not receive Cisco logs


#1

Hello everyone!! I decided to use Graylog in the enterprise I'm working at because of its powerful functions.
I configured a Cisco router to send its logs to my Graylog server. I tested both the Raw/Plaintext and the Syslog UDP inputs, but I am not receiving any logs. I checked the in/out msg/s but there is no traffic.
Even when I direct the logs to rsyslog it does not work.

I use Graylog 2.2.3 and it is running on CentOS 7. The rsyslog version is 7.4.7.

I hope to have a solution.


#2

Check firewall-cmd and semanage so that the port you use for receiving rsyslog input is open. When you are certain the port is open, try tcpdump on the interface to see if anything comes to the graylog server at all.


(Jochen) #3

How did you install Graylog?
How did you configure the Syslog UDP and the Raw/Plaintext UDP inputs?
How did you configure the Cisco appliances?
How did you configure rsyslog? Make sure to read https://github.com/Graylog2/graylog-guide-syslog-linux/blob/master/README.md.


(bubba198) #4

Hi @jjfotso, I can confirm that the overall solution works, as I'm collecting syslog from a ton of Cisco gear, so the question is whether there's a fundamental issue with rsyslog accepting anything at all. Did you inject a test syslog message into Graylog to see whether it will show up?

Here’s my template for syslog on IOS:

no logg cons
no logg mon
no logg buff
no logging rate-limit
logg trap debug
service timestamps log datetime localtime show-timezone msec
service timestamps debug datetime localtime show-timezone msec
service timestamps log uptime
logging trap warning
logging 192.168.248.6
ntp logging
ntp server 172.30.141.4
clock timezone PST -8
clock summer-time PDT recurring


#5

Hello jtkarvo

I checked the firewall and it's disabled. SELinux is also disabled.
I used tcpdump to listen on the interface and I'm able to see traffic coming from my router, whose name is RCISCOLOG.
But I'm not receiving anything in my rsyslog file. I do receive something in my Graylog input, but those logs are coming from my localhost, not my router.


(Jochen) #6

#7

Hello Jochen

I installed Graylog as stipulated in the documentation.
Here is how I configured the Syslog UDP input:


Here is how I configured my router:

logging trap debugging
logging facility local5
logging source-interface FastEthernet0/0
logging 192.168.60.1

Here is how i configured rsyslog:
*.* @127.0.0.1:5140


#8

Hello guys!!
I did the test of receiving logs in a virtual environment (VMware and GNS3) before implementing that on a real network.
The test was successful. I was able to receive logs from a Cisco router into Graylog and into a file on CentOS.
In Graylog I used the Syslog UDP input that I sent previously.
In the configuration file of rsyslog, I used this: local7.* @127.0.0.1:5140
In the router (C7200-ADVENTERPRISEK9_SNA-M), Version 15.0(1)M) I entered these configurations:

service timestamps log datetime localtime show-timezone msec
logging trap debugging
logging 192.168.60.1

Thanks @bubba198 for these logging configurations.

But when I entered those logging configurations on a real switch (2960) and did show logging, I got this message:

%SYS-6-LOGGINGHOST_STARSTOP: Logging to host 192.168.240.161 port 514 stopped - CLI triggered

instead of:

%SYS-6-LOGGINGHOST_STARSTOP: Logging to host 192.168.240.161 port 514 started - CLI initiated

Can someone help me to resolve this, thanks!!


#9

hi,

Your configuration of rsyslog says that the port number is 5140, but according to the switch log line it tries to send to port 514. Seems you have a mismatch in port numbers.


(bubba198) #10

@jjfotso oops, I might have missed a line which doesn't show up in show run for some reason. In global config mode enter "logging on"; I think it might be that simple :)


#11

I finally succeeded.
The problem was the firewall and I disabled it by entering these commands:
systemctl disable firewalld
systemctl stop firewalld
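An added test harness (my own code, not from this thread or from Graylog) for the checks the replies above raise: injecting a test message into the input as suggested in #4, matching the router's facility (local5 in #7, the default local7 in #8) against the rsyslog selector, and sending to 5140, where the rsyslog forward and the Graylog input listen, rather than the 514 the switch reported in #9. The facility and severity tables, the IOS line layout and the 127.0.0.1:5140 destination come from the thread; the function names and the sample message are assumptions.

```python
import re
import socket

# RFC 3164 facility/severity codes for the values that appear in this thread
# (router set to "logging facility local5", rsyslog selector "local7.*").
FACILITIES = {"local5": 21, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
_PRI_RE = re.compile(r"^<(\d{1,3})>")

def build_pri(facility, severity):
    """PRI = facility * 8 + severity, as carried in the <PRI> prefix."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def cisco_style_message(facility, severity, seq, text):
    """Constructed test line shaped like IOS output under
    'service timestamps log datetime msec' (sample values, not a real capture)."""
    return f"<{build_pri(facility, severity)}>{seq}: *Mar  1 00:00:00.000: {text}"

def decode_pri(message):
    """Return (facility_code, severity_code) from the message's <PRI> prefix."""
    m = _PRI_RE.match(message)
    if m is None:
        raise ValueError("no <PRI> prefix: %r" % message[:20])
    pri = int(m.group(1))
    return pri // 8, pri % 8

def selector_matches(selector, message):
    """Apply a simple rsyslog selector ('*.*', 'local7.*', 'local7.warning')
    to a message: a named severity means that severity or more severe.
    Assumption: no '!', '=' or comma-separated selector lists are handled."""
    fac_part, sev_part = selector.split(".")
    facility, severity = decode_pri(message)
    fac_ok = fac_part == "*" or FACILITIES.get(fac_part) == facility
    sev_ok = sev_part == "*" or severity <= SEVERITIES[sev_part]
    return fac_ok and sev_ok

def send_test(message, host="127.0.0.1", port=5140):
    """Inject one UDP datagram at the Graylog Syslog UDP input (5140 here,
    not the 514 the switch reported); returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message.encode("ascii"), (host, port))

if __name__ == "__main__":
    msg = cisco_style_message("local5", "notice", 42,
                              "%SYS-5-CONFIG_I: Configured from console by console")
    # A local5 router message is dropped by "local7.*" but kept by "*.*".
    print(msg, selector_matches("local7.*", msg), selector_matches("*.*", msg))
```

Run it on the Graylog host with `send_test(msg)` while the input's in/out msg/s counter is visible: if the injected line appears but the router's does not, the problem is upstream of the input (firewall, port or facility), not the input itself.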


(Jochen) #12

A post was split to a new topic: Support for Cisco ASA