Receive messages from Cisco 3750 Version 12.2(35)SE5


#1

I recently set up Graylog 2.4.3 on Ubuntu 17.10. I have been able to receive messages on an input created for our Dell SonicWall 3600 as well as some new Cisco switches (3850 Cisco IOS-XE). I am having trouble setting up our older 3750s as I am unable to change the default port number. The command "logging host [syslog svr ip]" exists, but the command "logging host [syslog svr ip] transport udp port [syslog port#]" does not exist as it does on the newer switches. I have tried adding the following line to the rsyslog.conf file to forward the messages, without any success: @127.0.0.1:514;RSYSLOG_SyslogProtocol23Format (I may be missing something here).

The biggest issue I am currently running into is that I am unable to create an input to listen for messages on port 514. I have read that this is not allowed as it is a reserved port. What confuses me is that the documentation for Graylog shows inputs created and running on 514. Every time I create one it fails to start. I am wondering if I am missing something during the initial setup of the Graylog server that allows me to see messages received on port 514.

Any assistance would be greatly appreciated.
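
An added example, not part of the original posts: one way to build the rsyslog relay attempted in post #1, for switches that can only send to UDP 514. The file name, the ruleset name, and port 12204 (a Graylog Syslog UDP input created on an unprivileged port) are assumptions.

```conf
# /etc/rsyslog.d/30-cisco-relay.conf   (hypothetical file name)
#
# rsyslog binds UDP 514 itself and relays everything it receives there
# to a Graylog input on a port above 1024, so Graylog does not need
# permission to bind a privileged port.

# Load the UDP listener. Skip this line if /etc/rsyslog.conf already
# loads imudp, otherwise rsyslog reports a duplicate module load.
module(load="imudp")

# Listen on the only port the older IOS release can send to, and bind
# the listener to its own ruleset so relayed switch messages are kept
# apart from the server's local logging rules.
input(type="imudp" port="514" ruleset="relay_to_graylog")

ruleset(name="relay_to_graylog") {
    # The target port is the Graylog input's port (assumed: 12204),
    # not 514. Port 514 on this host is rsyslog's own listener.
    action(type="omfwd"
           target="127.0.0.1"
           port="12204"
           protocol="udp"
           template="RSYSLOG_SyslogProtocol23Format")
}
```

Check the syntax with `rsyslogd -N1` before restarting rsyslog, and limit which hosts may reach UDP 514 on the server with the host firewall.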


(Jan Doberstein) #2

How you can make Graylog use port 514 is described in the FAQ - you can use authbind to have the ability to run it on port 514.

I did not know how you need to configure your Cisco devices and from what you describe it is not clear how messages flow in your setup - maybe you can describe that, if the above did not solve your issue.

regards
jan


#3

Dell Sonicwall NSA 3600

I have set the SonicWall to send syslog messages to [syslog server IP] port 12202 and set up an input on Graylog to receive messages on 12202. (This was actually auto-created by the SonicWall content pack that I downloaded from the Graylog Marketplace.) (This works)

Cisco 3850 Switch
Set a trap to send to [syslog server IP] port 12203 and an input to receive messages from the 3850 switch on port 12203. (This works)

I am going to try authbind and see if that works.


#4

Is upgrading the switch IOS version an option? I know setting the port on IOS 12.2(58)se2 works. Should upgrade to the current golden version of 15 though which also works.

Here is an excerpt of my config. I used this with the raw input I believe from here

no service timestamps log uptime
no logging message-counter syslog
logging buffered 100000 informational
no logging console
login on-failure log every 2
login on-success log
logging origin-id hostname
logging facility syslog
logging source-interface Vlan1
logging host 10.10.10.110 transport tcp port 12209

