14 November, 2008

Cisco Syslog Parser – slides

by gorthx

Here are the slides from my talk this week. A link to the accompanying podcast will be along soon.

Other fun things we discussed at the meeting:

Thanks for the lively discussion!

[edit] podcast!

[edit] Clarification of two items from the podcast:
– multiline messages do indeed come in multiple packets. There is a message counter that increments for each message, so you could use the host name + message counter to match up multi-line messages. For what I’m doing, the important part is in that first line, so the payoff isn’t worth the investment.
– re hyphens in the mnemonic field of the system message: I went back through and wasn’t able to find any examples of this, so I retract my statement. (I do have examples of system messages with hyphens in the facility field.)

10 November, 2008

Quick Guide: Ubuntu box as syslog server

by gorthx

You need:
root/sudo access to a statically-addressed Ubuntu machine. (It will need to be on whenever your router is on in order to get anything good out of this.) This is your log host.
Enable access to your Cisco router.

Part 1: Set up your log host.

Step 1: before editing any of the files discussed below, be sure to back them up, e.g.:
sudo cp /etc/syslog.conf /etc/syslog.conf.dontmessthisup

Step 2: edit /etc/syslog.conf to include this:
#router logging
local6.debug                    /var/log/cisco.log

This means “send all messages from facility local6, with a priority of debug or greater, to /var/log/cisco.log”.

(Note that the default facility for Cisco is local7; if you want/need to use the Cisco default, change the above accordingly.)

Step 3: create the log file I specified above:
sudo touch /var/log/cisco.log
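Once messages are landing in /var/log/cisco.log, the next job is the one from the Cisco Syslog Parser post above: splitting each line into facility, severity and mnemonic. The block below is an added example, not gorthx's parser; it assumes sysklogd's "date host" prefix on each line and a router configured to send sequence numbers and timestamps, and it uses constructed sample lines. It applies both podcast clarifications: continuation packets are matched on host + message counter, and a facility name may contain hyphens while a mnemonic does not.

```python
import re
# Constructed sample in the shape sysklogd writes remote messages to /var/log/cisco.log:
# "<syslog time> <router address> <Cisco counter>: <router time>: %FAC-SEV-MNEMONIC: text".
# Line 4 stands in for a continuation packet of message 43 (same host and counter, no
# %header); line 5 has a hyphen inside the facility name.
SAMPLE_LOG = """\
Nov 14 12:00:01 10.0.0.1 41: *Nov 14 12:00:00.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.7)
Nov 14 12:00:02 10.0.0.1 42: *Nov 14 12:00:01.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Nov 14 12:00:03 10.0.0.1 43: *Nov 14 12:00:02.789: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.9(4444) -> 10.0.0.1(23), 1 packet
Nov 14 12:00:03 10.0.0.1 43: *Nov 14 12:00:02.789: continuation text for the same counter value
Nov 14 12:00:04 10.0.0.1 44: *Nov 14 12:00:03.000: %FOO-BAR-4-HYPHENATED: constructed facility containing a hyphen
"""

LINE_RE = re.compile(
    r"^(?P<logtime>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<seq>\d+): "
    r"(?:\*?\w{3}\s+\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?: )?(?P<rest>.*)$")  # router time optional
# Facility may contain hyphens (non-greedy, so it ends at the first "-<digit>-"); mnemonic assumed hyphen-free.
HEADER_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_-]+?)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")

def parse_line(line):
    """Split one log line into fields; None for lines not in the expected shape."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"logtime": m["logtime"], "host": m["host"], "seq": int(m["seq"]),
           "facility": None, "severity": None, "mnemonic": None, "text": m["rest"]}
    h = HEADER_RE.search(m["rest"])
    if h:  # first packet of a message carries the %FACILITY-SEVERITY-MNEMONIC header
        rec.update(facility=h["facility"], severity=int(h["severity"]),
                   mnemonic=h["mnemonic"], text=h["text"])
    return rec

def parse_log(text):
    """Parse every line, folding continuation lines into the message with the same host + counter."""
    messages = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["seq"])
        if key in messages and rec["facility"] is None:
            messages[key]["text"] += " " + rec["text"]
        else:
            messages[key] = rec
    return list(messages.values())

def at_or_above(messages, level):
    """Cisco severities run 0 (emergencies) to 7 (debugging); keep those at least as urgent as level."""
    return [m for m in messages if m["severity"] is not None and m["severity"] <= level]
```

Point parse_log at the contents of /var/log/cisco.log and use at_or_above to pull out the warnings-and-worse messages that deserve a look.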

