Skip to main content

Configure Debian Rsyslog for Cisco Switches and Routers


Quite often Network Administrators are obligated to keep logs from their cisco devices, either for troubleshooting or due to be compliant with IT Security Policy. In this article I will describe fast and easy way to setup saving logs from your Cisco devices to rsyslog server on Debian Linux.

The first step is to edit rsyslog configuration file. Open /etc/rsyslogd.conf and add following line
# # Logging for Cisco router 192.168.1.1 # local7.* /var/log/cisco
local7 is the default name under which cisco devices logs their messages. /var/log/cisco specifies the file to which messages will be written. You also have to uncomment / add below lines which will enable rsyslogd to listen on UDP port 514.
# provides UDP syslog reception $ModLoad imudp $UDPServerRun 514
The last change you have to make to rsyslog.conf is to allow your cisco device to write to it, that is done using below entry in rsyslog.conf
$AllowedSender UDP, 127.0.0.1, 192.168.1.1
Then we create the log file by utilizing the touch command
linq:/etc# cd /var/log linq:/var/log# touch cisco
After we made all changes we just have to restart rsyslogd service to implement them.
linq:/var/log# /etc/init.d/rsyslog restart Stopping enhanced syslogd: rsyslogd. Starting enhanced syslogd: rsyslogd.
To start writing messages from our router to syslog server we need to configure logging. First we configure our syslog server ip by using logging host command. We can filter the number of messages being logged by using logging trap command. All available options are summarized in the table below.
Login to the router: z-acte#conf t Enter configuration commands, one per line. End with CNTL/Z. z-acte(config)#logging host 192.168.1.19 sequence-num-session z-acte(config)#logging trap 7
logging trap 7 will set logging to debug level
Sometimes we may additionally need to log all nat translations, which can be enabled by using the ip nat log translations command.
z-acte(config)#ip nat log translations syslog
Table with logging levels
LevelKeywordDescription
0emergenciesSystem is unusable.
1alertsImmediate action is needed.
2criticalCritical conditions exist.
3errorsError conditions exist.
4warningsWarning conditions exist.
5notificationNormal, but significant, conditions exist.
6informationalInformational messages.
7debuggingDebugging messages.
To check that everything works correctly issue below commands
z-acte#debug ip packet
In your log on Linux you should see entry similar to the below one:
Feb 24 03:40:45 192.168.1.1 187368786: [syslog@9 s_sn="186126345"]: 188251944: *Feb 24 03:34:30.023 PCTime: IP: tableid=0, s=192.168.1.1 (local), d=192.168.1.19 (Vlan1), routed via FIB
To disable packet debugging use below commad
z-acte#no debug ip packet
To check that NAT translations are being logged correctly issue ping command from any host on your network to a remote host, which should generate entry similar to below
Feb 24 03:43:16 192.168.1.1 187368860: [syslog@9 s_sn="186126419"]: 188252014: *Feb 24 03:36:59.631 PCTime: %IPNAT-6-CREATED: icmp 192.168.1.2:4 62.89.67.179:4 212.77.100.101:4 212.77.100.101:4
The last step is to save our router configuration.
z-acte#copy running-config startup-config Destination filename [startup-config]? Building configuration... [OK]

Popular posts from this blog

How to Login to AWS using CLI with AzureSSO through Azure Active Directory

Testing on Windows 10 Release 1909  Prerequisite (Install Visual Studio Code and the AWS CLI if you don't have it already installed and your Azure Active Directory is already configured and processing authentication) 1. Install Node.Js https://nodejs.org/en/ (Use the LTS Edition/Version) 2. Check the node version in PowerShell or Windows Terminal: node --version && npm --version 3. npm install -g aws-azure-login *install will take about 15-20 minutes. Be patient and let it finish.  4. Configure your profile aws-azure-login --configure --profile=<<Name of your profile>> Example:  aws-azure-login --configure --profile=migrationking Pro Tip: It installs the profile on your machine under ~/.aws/config . You can edit the file with Visual Studio Code or Notepad++ #This will prompt to Enter the Azure AD details *** Azure Tenant ID: << Enter the Azure AD Tenant ID from the Azure AD application configuration for the AWS Account to be accessed>> Azure Tenant I

How to Setup CAC/PIV Cards on Ubuntu Linux 20.04LTS

NOTE: Verified to work with PIV/CAC Cards NOTE: Do not use a Regular USB if you are traveling. Only use a Military Grade FIPS 140-2, Level 3 Certified Device. Do Not use that Fingerprint reader garbage. What if your finger got chopped off? Use a Pin you can easily remember because if you forget it, your VM and data on the USB will be toast and not recoverable.  NOTE: This tutorial is for a bare-metal Ubuntu Linux 20.04 LTS laptop, not a virtual machine. Make sure you encrypt your laptop during OS installation. Do NOT be an idiot and use the same encryption password as the OS login. https://www.amazon.com/iStorage-datAshur-PRO2-Secure-Encrypted/dp/B07VK7JTQT/ref=sr_1_1?dchild=1&keywords=istorage+datashur&qid=1625886216&sr=8-1 1. Purchase an ACS Smart Card reader (Manufacturer Code: ACR39U-N1) https://www.amazon.com/ACS-ACR39U-N1-Pocketmate-II/dp/B0758TS5JR https://www.acs.com.hk/en/products/426/acr39u-n1-pocketmate-ii-smart-card-reader-usb-type-a/ (PS/SC Drivers are located

How to Fix /storage/core filesystem Out of Disk Space Error on VCSA 6.0U1

How to fix the error of " The /storage/core filesystem is out of disk space or inodes" Step 1: Login to the new VCSA 6.0U1 HTML5 web client. https://ip address:5480 Step 2: Enable SSH and Bash Shell Step 3: Login as root and type "shell" at Command> shell Step 4: df -h (Check if it's out of space) /dev/mapper/core_vg-core               50G   50G     0 100% /storage/core Step 5: Stop the services of VCSA:  hostname: # service vmware-vpxd stop hostname: # service vmware-vpxd status (make sure it is stopped) Step 6:  cd /storage/core Step 7: rm -rf *.tgz ( be CAREFUL ...do this in the wrong directory and you will be retrieving from a backup .) If you need help. Go to Cybercity ( http://www.cyberciti.biz/faq/delete-all-files-folder-linux/ )  Step 8: service vmware-vpxd restart Step 9: history -c Step 10:  Refresh the browser (https://ip address:5480). Now it's all green VMware KB