Log Cisco Messages

Hi, I’m new in Graylog and i’m trying to setup a syslog for several cisco switchs (Old switchs with old IOS).

I’ve tried everything tha i’ve read in this forum and on the documentation, but I can’t get the logs that come from the switch to work.
Input Configuration:

On the Switch side I have no option to set a port. It only let me set the host IP.

On the firewall i’ve created a rule to redirect port 514 to port 1514.
“sudo firewall-cmd --permanent --add-forward-port=port=514:proto=udp:toport=1514”

I’ve tried the Syslog UDP input and the Raw/PlainText UDP input but unsuccessfully.

Can anyone help me set this?

Thanks,
Nuno

Are you sure the messages are being sent? Are you sure they are making it to the Graylog server? The screenshot shows the port you are listening on as 1510, but your firewall forwarding is to port 1514?

Hi,

How can i tell if the messages are making it to the Graylog Server?
The screenshot has been corrected and is on port 1514.

image597×762 30.2 KB

run tcpdump on the graylog server…

tcpdump host “sourceIP”

should tell you everything the server sees from/to “sourceIP”

just remember to sudo it if you need to and specify the interface. Also can use:

tcpdump src “sourceIP” which will tell you only traffic from the “sourceIP” good for noisy environs.

Hi cawfehman,

First of all, I appreciate all the help you have given so far.

I am setting up this software as a project to start moving more on Linux systems and it is being challenging.

About the initial issue, I can see messages coming to the server, but they aren’t showing up on Graylog inputs.

The command i’ve executed on the server, as you mentioned, was "tcpdump -i ens192 host “Switch ip”
Here is the Output:

image790×364 95.3 KB

Do i need to configure anything else?

Thanks in advance.

If you use selinux check if selinux doesn’t block something, so try to temporary stop it (change to permissive mode) and restart graylog service:

sudo setenforce 0
sudo systemctl restart graylog.service

Check also your timezone settings in /etc/graylog/server/server.conf, parameter root_timezone = if you use correct timezone:
https://docs.graylog.org/en/3.1/pages/configuration/server.conf.html#general

Next also try to change time from Relative to Absolute in Search page and change to wide scale for example from today to tomorrow.

Hi,

I tried everything suggested, but still no message appears in Graylog.

Also i have change one parameter on the Firewall:

After this the tcpdump result is showing results:

image1271×467 207 KB

Even so, no messages are appearing on Graylog Server. Now i’m trying with an Syslog UDP. Is the input misconfigured?

Thanks again for all the help so far.

Check if graylog process is listening on udp port 1514:
sudo ss -ulpn|grep 1514

Here is the result:

image1212×46 9.02 KB

Your listening port 1514 seems ok.

Your firewall rule toaddr= should be local ip of graylog server, not source device ip:

Try to rather use this firewall commands:
sudo firewall-cmd --permanent --zone=public --add-forward-port=port=514:proto=udp:toport=1514
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports
sudo firewall-cmd --list-forward-ports

Hi shoothub,

nice call, the ip in the toaddr was of another server. I’ve changed to the graylog server.

I have tried that configuration before. The output is on my screenshot on my response earlier this morning.

Another question: The switch needs to be configured with snmp in order to graylog to see the messages?

Thanks,

You can use SNMP to send traps for certain conditions on a cisco switch, but that is not what we’ve been configuring… configuring a syslog server with Cisco for logging varies from platform to platform, and often software version to software version within a platform. Generally it takes the form of creating a syslog server/host and then setting a logging level 0-7 (emergencies - debug). It’s best to check cisco documentation for the correct config, but try this.

from the (config)# prompt

logging host “GraylogIP”
logging trap 5

Hi cawfehman,

I did what you suggested, but still no messages appear on Graylog. I also configured another switch, but still no luck.

This is the configuration that i have on the input:

image595×945 45.3 KB

Do i need to configure in an diffent way, or do i need to configure something else different?

Thanks again for all your help.

please post your cisco config for sending logs and version of IOS …

Hi,

Here is the configuration:

IOS version:

Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(25)SEE1, RELEASE SOFTWARE (fc1)

Thanks,

also, are your time settings correct on the switch? are you logging stuff to buffer on the switch? are you generating events that are “notifications”? try changing the logging trap setting to Informational instead of notifications… it’ll generate more traffic. you can tune after.

Hi cawfehman,

The time settings are correct and i’m generating stuff (I do a shut and no shut on a port). I’ve change to logging informational as you suggested, but, so far, no messages arrived at graylog.

Also i have configured another syslog server to test if the messages were arriving and the other system sees the messages without a problem.

Thanks

Hi all,

Finally I managed to solve the problem. I followed the suggestion given in the initial descriptions to foward the traffic from the 514 udp port to 5140 port.

image1234×184 11.3 KB

I deleted the inputs I had created and created a new one with 5140 port configured.

image598×978 47.3 KB

Then I deleted the rules on the firewall and created a new one:

After that the graylog started receiving messages right away.

I leave my feedback here so I can help others if they have the same problem I had.

Once again, thank you all for your availability and help.

you might find this post helpful:

Hi Jan,

Thanks for the tip. I’ll see and then say something.

Thanks for all. You are all the best.