Syslog-NG
From Braindisconnect
I typically use Debian for network management, so if you are using anything else, then adapt the packages and file locations.
Syslog-NG Server
To set up one log file per manufacturer for all of your devices:
apt-get install syslog-ng
nano /etc/syslog-ng/conf.d/netdevice.conf
Create your logging config to support Cisco, Juniper and HP. You can add in additional NEMs if needed.
I have an NFS mount that I send these logs to. You can put them on your local disk in, say, /var/logs/. I would keep them separate from your system logs, which are in /var/log/.
# Listen for syslog messages from network devices on UDP port 514
source s_net { udp(port(514)); };

# One filter per vendor, keyed on the syslog facility the devices are configured to send
filter f_cisco { facility(local7); };
filter f_juniper { facility(local6); };
filter f_hp { facility(local5); };

# One destination file per vendor
destination d_cisco {
    file("/mnt/mini-me/logs/cisco.log"
        owner(root)
        group(root)
        perm(0644)
        dir_perm(0700)
        create_dirs(yes)
        template("$FULLDATE $TIME $HOST: $MESSAGE\n"));
};
destination d_juniper {
    file("/mnt/mini-me/logs/juniper.log"
        owner(root)
        group(root)
        perm(0644)
        dir_perm(0700)
        create_dirs(yes)
        template("$FULLDATE $TIME $HOST: $MESSAGE\n"));
};
destination d_hp {
    file("/mnt/mini-me/logs/hp.log"
        owner(root)
        group(root)
        perm(0644)
        dir_perm(0700)
        create_dirs(yes)
        template("$FULLDATE $TIME $HOST: $MESSAGE\n"));
};

# Tie each filter to its destination
log { source(s_net); filter(f_cisco); destination(d_cisco); };
log { source(s_net); filter(f_juniper); destination(d_juniper); };
log { source(s_net); filter(f_hp); destination(d_hp); };
Logrotate
/etc/logrotate.d/netdevice
/mnt/mini-me/logs/*.log {
    rotate 90
    daily
    compress
    missingok
    notifempty
}
Cisco
IOS
service timestamps log datetime localtime
logging buffered 4096 debugging
logging <syslog server IP>
logging source-interface GigabitEthernet0/0
Nexus
logging server 10.3.75.250
Juniper JunOS
[edit system syslog]
root@switch# show
host <syslog server IP> {
    any notice;
    facility-override local6;
    source-address <source IP address>;
}
Or
set system syslog host <syslog server IP> facility-override local6 source-address <source IP address> any notice
HP
logging facility local5
logging <syslog server IP>
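The filters in netdevice.conf match only on the syslog facility, so a device that sends a different facility than expected ends up in none of the three files. The Python sketch below is an added example, not part of the original page: it decodes the leading <PRI> of a captured datagram and reports which log file the config above would write it to. The sample datagrams are constructed, and treating a message without a valid PRI as unrouted is an assumption.

```python
import re

# Facility codes per RFC 3164/5424: local0..local7 are 16..23.
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}

# Routing copied from the filters and destinations in netdevice.conf above.
ROUTES = {
    "local7": "/mnt/mini-me/logs/cisco.log",
    "local6": "/mnt/mini-me/logs/juniper.log",
    "local5": "/mnt/mini-me/logs/hp.log",
}

PRI_RE = re.compile(rb"^<(\d{1,3})>")
MAX_PRI = 23 * 8 + 7  # highest facility (local7) with lowest severity (debug)


def decode_pri(datagram: bytes):
    """Return (facility_code, severity) from the leading <PRI>, or None if malformed."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > MAX_PRI:
        return None
    return divmod(pri, 8)  # PRI = facility * 8 + severity


def route(datagram: bytes):
    """Return the file the three log paths would write to, or None if no filter matches."""
    decoded = decode_pri(datagram)
    if decoded is None:
        return None  # assumption: no valid PRI means none of local5..local7
    facility, _severity = decoded
    return ROUTES.get(FACILITY_NAMES.get(facility))


# Constructed sample datagrams (hostnames and message text are made up).
SAMPLES = [
    b"<189>Jan  1 00:00:00 rtr1 %SYS-5-CONFIG_I: Configured from console",
    b"<181>Jan  1 00:00:00 sw2 mgd[100]: UI_COMMIT: commit complete",
    b"<173>Jan  1 00:00:00 sw3 ports: port 1 is now on-line",
    b"<30>Jan  1 00:00:00 host4 daemon: facility daemon, not local5-7",
    b"Jan  1 00:00:00 host5 message without a PRI",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(decode_pri(raw), route(raw) or "no matching filter")
```
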