Skip to main content

Configure rsyslog on Red Hat Enterprise Linux 6 (RHEL6) for Cisco Switches

One of the problems that you can face during configuration of cisco switches for Red Hat Enterprise Linux 6 is the correct formatting. I had to go through this and make sure it is working for Sonicwall and Cisco Switches so here you go! Also, if I were you, I would add a disclaimer to let someone else know about or not to change the configurations.

1. create your file under /var/log/
2. [username@servername log] touch cisco-example
3. Next you have to Edit rsyslog
4. [username@servername log] vi /etc/rsyslog.conf


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  /var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# Cisco Switch Logging
:fromhost-ip, isequal, "192.xxx.xxx.xxx""    /var/log/cisco-example1
& ~
# Cisco Switch Logging
:fromhost-ip, isequal, "192.xxx.xxx.xxx""    /var/log/cisco-example2
& ~
# Cisco Switch Logging
:fromhost-ip, isequal, "192.xxx.xxx.xxx"    /var/log/cisco-example3
& ~
# Cisco Switch Logging
:fromhost-ip, isequal, "192.xxx.xxx.xxx"   /var/log/cisco-example4
& ~
# Sonicwall Firewall Logging
:fromhost-ip, isequal, "192.xxx.xxx.xxx"      /var/log/sonicwall
& ~

5. Make sure your UDP Port is open in /etc/sysconfig/iptables
6. Add the following lines to your /etc/sysconfig/iptables
7. [username@servername log] vi /etc/sysconfig/iptables
# Port for Syslog Communciations on UDP Port 514
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

8. service iptables restart
9. service rsyslog restart
10. tail -f /var/log/cisco-example or whatever you are logging to make sure it is writing to your logs.
11. Install Splunk on a VM or another server and start generating some super reports from the logs for your management so that they will love you!

NOTE: If you can't tell what "&" is, it is the ampersan symbol above #7 on the keyboard. =)

Red Hat Reference Article: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Viewing_and_Managing_Log_Files.html

Popular posts from this blog

How to Configure HP ILO 4 for Active Directory Login

1. Make sure that your Windows Active Directory Domain Controller has an SSL Certificate to support port 636 (HP's authentication doesn't like 389)

2. Use Softerra LDAP Administrator (or whatever is your preferred tool to get the OU path) if you don't know how to do it by heart (which...um...sometimes its better to verify).

3. Make sure that you have a way to authenticate users by adding in the OU where your restricted accounts are located. You don't want anyone in the domain to be able to login to the server.

ILO Login > Administration > User Administration - Click New and Add the Group DN Only:



Click Add Group and then you will see your group added. (*Make sure it's a security group)


4. Add in your Windows Active Directory DC to authenticate against (Verified against 2008R2):

ILO Login > Administration > Security - Directory (*Make sure it's the OU where the security group is)


5. Sign Out (Log off) and then Log Back in (If you don't see Direct…

How to Fix /storage/core filesystem Out of Disk Space Error on VCSA 6.0U1

How to fix the error of "The /storage/core filesystem is out of disk space or inodes"


Step 1: Login to the new VCSA 6.0U1 HTML5 web client. https://ip address:5480



Step 2: Enable SSH and Bash Shell
Step 3: Login as root and type "shell" at Command> shell
Step 4: df -h (Check if it's out of space)
/dev/mapper/core_vg-core               50G   50G     0 100% /storage/core
Step 5: Stop the services of VCSA: 
hostname: # service vmware-vpxd stop hostname: # service vmware-vpxd status (make sure it is stopped)
Step 6:  cd /storage/core
Step 7: rm -rf *.tgz (be CAREFUL...do this in the wrong directory and you will be retrieving from a backup.)


If you need help. Go to Cybercity (http://www.cyberciti.biz/faq/delete-all-files-folder-linux/
Step 8: service vmware-vpxd restart

Step 9: history -c
Step 10: Refresh the browser (https://ip address:5480). Now it's all green


VMware KB: (

VCSA vmware-vpxd Service Won't Restart After Upgrading to 6.0 U2

You navigate to the VMware Web Client and you get this 503 Error:
503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE:0x7fe4a805cc90] _serverNamespace = / _isRedirect = false _pipeName =/var/run/vmware/vpxd-webserver-pipe)
Cause:(SSL Certificates wouldn’t issue automatically after reboot for service vmware-vpxd
Compounded Problem:(Clearing logs under ~/.* **root**) – Specifically, clearing ~/.pgpass 
(Lesson Learned: NEVER EVER CLEAR FILES UNDER ~/. Except .bash_history on templates creation only!!!)
Fix: Kill all the services running vpxd
1. ps -ef | grep vpxd 2. kill ### 3. Re-add the ~/.pgpass file with the PostGreSQL password 4. vi /et c/vmware-vpx/embedded_db.cfg 5. Copy the password you see between PGUSER_PASSWORD=’password here‘ 6. Put the password back in ~/.pgpass
localhost:5432:VCDB:postgres: password here localhost:5432:postgres:postgres: password here localhost:5432:VCDB:vc: password here
7. Check /etc/hosts and make sure config is there. 10.…