Quick Guide: Ubuntu box as syslog server

by gorthx

You need:
root/sudo access to a statically-addressed Ubuntu machine.  (It will need to be on whenever your router is on in order to get anything good out of this.) This is your log host.
Enable access to your Cisco router.

Part 1: Set up your log host.

Step 1: before editing any of the files discussed below, be sure to back them up, e.g.:
cp /etc/syslog.conf /etc/syslog.conf.dontmessthisup

Step 2: edit /etc/syslog.conf to include this:
#router logging
local6.debug                    /var/log/cisco.log

This means “send all messages from facility local6, with a priority of debug or greater, to /var/log/cisco.log”.

(Note that the default facility for Cisco is local7; if you want/need to use the Cisco default, change the above accordingly.)

Step 3: create the log file I specified above:
sudo touch /var/log/cisco.log

Step 4: make syslog listen to messages from remote machines:
edit /etc/default/syslogd to include the -r option:

Step 5: restart the syslog daemon:
sudo /etc/rc2.d/S10sysklogd restart
(or look up the process id using ps -ef, and kill -HUP it; or pkill -1 syslogd…  your choice.)

Step 6: test it:
logger -p local6.debug "is this working?"

cat /var/log/cisco.log, you should see the line above.

Now, we have a problem: we also see the message in some of the other log files in /etc/syslog.conf (such as /var/log/syslog, /var/log/messages, and /var/log/debug).
We don’t want the messages from the router mixed in with the system messages (pet peeve alert)!  Edit /etc/syslog.conf to include exceptions for local6 anywhere we have an *.[whatever], like so:

auth,authpriv.none        -/var/log/syslog

Restart the syslog daemon again.

Test it:
for each in debug info notice warn err crit alert emerg panic
logger -p local6.${each} "this should only go to cisco.log - ${each}"
echo done with ${each}

Check /var/log/cisco.log, /var/log/syslog, /var/log/debug, and /var/log/messages – messages should only be in cisco.log.

Part 2: Configure your router to send messages to the log host.
config t
logging [ip address of your ubuntu box]
logging facility local6
logging history [severity]
logging on

Your version of IOS may require different commands. Have fun with that.

<0-7>          Logging severity level
emergencies    System is unusable                (severity=0)
alerts         Immediate action needed           (severity=1)
critical       Critical conditions               (severity=2)
errors         Error conditions                  (severity=3)
warnings       Warning conditions                (severity=4)
notifications  Normal but significant conditions (severity=5)
informational  Informational messages            (severity=6)   <--
debugging      Debugging messages                (severity=7)

Normally I stick with informational (sev=6); debugging may spew a huge amount of info.

Compare the logging buffer on your router (“sh logging”) with the file on your log server;  messages since you made the change should also be going to the server.  If not, make sure you can reach the log server from the router, and that port 514 isn’t blocked anywhere.

Part 3: Rotation
Once that’s working, set up the log rotation on your log host.
Add this to /etc/logrotate.conf, below the “system-specific logs may be configured here”
/var/log/cisco.log {
rotate 7
size 500k

You may need to tinker around with these settings depending on how many messages you’re getting a day.


2 Responses to “Quick Guide: Ubuntu box as syslog server”

  1. This is really well explained clear and concise information.
    Thanks for the write up.


%d bloggers like this: