Syslog-NG

From Braindisconnect

I typically use Debian for network management, so if you are using anything else, then adapt the packages and file locations.

Syslog-NG Server

To set up one log file per manufacturer for your devices:

apt-get install syslog-ng
nano /etc/syslog-ng/conf.d/netdevice.conf

Create your logging config to support Cisco, Juniper and HP. You can add in additional NEMs if needed.

I have an NFS mount that I send these logs to. You can put them on your local disk in, say, /var/logs/. I would keep them separate from your system logs, which are in /var/log/.

source s_net { udp( port(514)); };

filter f_cisco { facility(local7); };
filter f_juniper { facility(local6); };
filter f_hp { facility(local5); };

destination d_cisco {
        file("/mnt/mini-me/logs/cisco.log"
        owner(root)
        group(root)
        perm(0644)
        dir_perm(0700)
        create_dirs(yes)
        template("$FULLDATE $TIME $HOST: $MESSAGE\n"));
};
destination d_juniper {
        file("/mnt/mini-me/logs/juniper.log"
        owner(root)
        group(root)
        perm(0644)
        dir_perm(0700)
        create_dirs(yes)
        template("$FULLDATE $TIME $HOST: $MESSAGE\n"));
};
destination d_hp {
        file("/mnt/mini-me/logs/hp.log"
        owner(root)
        group(root)
        perm(0644)
        dir_perm(0700)
        create_dirs(yes)
        template("$FULLDATE $TIME $HOST: $MESSAGE\n"));
};

log {source(s_net); filter(f_cisco); destination(d_cisco); };
log {source(s_net); filter(f_juniper); destination(d_juniper); };
log {source(s_net); filter(f_hp); destination(d_hp); };
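
An added example (not part of the original page): a small Python check of the facility routing defined above. It builds test datagrams for a given facility, reports which of the three log files the filters would select, and can send a test datagram to the collector over UDP. The function names and message text are assumptions made for this example.

```python
import re
import socket

# Facility -> log file, mirroring the f_cisco / f_juniper / f_hp filters above.
ROUTES = {
    "local7": "/mnt/mini-me/logs/cisco.log",
    "local6": "/mnt/mini-me/logs/juniper.log",
    "local5": "/mnt/mini-me/logs/hp.log",
}
# Syslog facility codes: local0..local7 are 16..23.
FACILITY_CODES = {f"local{i}": 16 + i for i in range(8)}
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def build_test_message(facility, severity=5, text="syslog-ng routing test"):
    """Return a minimal BSD-syslog datagram; PRI = facility * 8 + severity."""
    pri = FACILITY_CODES[facility] * 8 + severity
    return f"<{pri}>{text} ({facility})".encode()


def expected_destination(datagram):
    """Return the file the filters above select, or None if no log path matches."""
    match = PRI_RE.match(datagram)
    if not match:
        return None  # no PRI header, so no local5-7 facility to match
    pri = int(match.group(1))
    if pri > 191:
        return None  # outside the valid PRI range (23 * 8 + 7)
    return ROUTES.get(FACILITY_NAMES.get(pri >> 3))


def send_test(server, facility, port=514):
    """Send one test datagram to the collector over UDP, as s_net expects."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(build_test_message(facility), (server, port))


if __name__ == "__main__":
    # local4 is included to show a facility that none of the filters match.
    for fac in ("local7", "local6", "local5", "local4"):
        print(fac, "->", expected_destination(build_test_message(fac)))
```

A device left on a facility other than local5, local6 or local7 matches none of the three log paths, so its messages are not written to any of these files.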

Logrotate

/etc/logrotate.d/netdevice

/mnt/mini-me/logs/*.log {
  rotate 90
  daily
  compress
  missingok
  notifempty
}

Cisco

IOS

service timestamps log datetime localtime
logging buffered 4096 debugging
logging <syslog server IP>
logging source-interface GigabitEthernet0/0

Nexus

logging server 10.3.75.250

Juniper JunOS

[edit system syslog]
root@switch# show 
host <syslog server IP> {
    any notice;
    facility-override local6;
    source-address <source IP address>;
}

Or

set system syslog host <syslog server IP> facility-override local6 source-address <source IP address> any notice

HP

logging facility local5
logging <syslog server IP>