Configuring your syslog server to accept logging output from your Cisco routers and switches requires a few basic steps. We'll assume that you are using a new server and haven't made any previous changes to the syslog configuration. I use RHEL 5 most of the time, so some of these steps (especially the first) may be RHEL specific. Adapt them to your flavor of Linux if there's a difference.
Enable logging from remote machines.
Most versions of Linux do not accept log messages from remote machines by default. On RHEL-based systems, you need to change /etc/sysconfig/syslog so that syslogd listens for messages from remote machines. Simply add the -r option to the SYSLOGD_OPTIONS line so that it reads:

    SYSLOGD_OPTIONS="-m 0 -r"
Redirect the logging facility to a file.
We'll need to tell syslog which logging facility we're using and which file to save the output in. I typically use local2 for my routers and store the output in /var/log/cisco. Therefore, you need to add the following line to the syslog configuration file (/etc/syslog.conf on RHEL 5):

    local2.*    /var/log/cisco
Restart the syslog daemon.
The method for restarting syslog varies depending on your distribution. The proper way to do this on RHEL-based systems is to run service syslog restart as root (or via sudo).
Check your log files.
Now is a good time to make sure everything worked OK. Check your log files to make sure there are no errors. Also, the /var/log/cisco file should have been created.
Open firewall holes, if necessary.
If you run a firewall on your server or have a firewall between your servers and network equipment, make sure you open 514/UDP. I use iptables on my RHEL server, so I have to add the following line to the iptables rules file (/etc/sysconfig/iptables on RHEL 5):

    -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
This line can go anywhere before the final reject statement. iptables will need to be restarted after the file is edited.
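The server-side steps above, collected into a set of idempotent POSIX shell helpers. This is an added example, not code from the original post: it assumes the RHEL 5 default file locations named above, and every function takes the file it edits as an argument so it can be exercised against copies first. The optional source-network argument to the firewall helper is an addition of my own: syslogd's -r option accepts messages from any host, so limiting 514/udp to the network your routers live on is the one control the server itself has. The facility self-test uses logger(1), which exists on RHEL.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the server-side
# steps: enable remote reception, route a facility to a file, open the port,
# and verify. Paths default to the RHEL 5 locations; override for other distros.
set -u

# Step 1: make sure -r is present in SYSLOGD_OPTIONS in /etc/sysconfig/syslog.
enable_remote_logging() {
  f=${1:-/etc/sysconfig/syslog}
  if grep -q '^SYSLOGD_OPTIONS=.*-r' "$f"; then
    return 0                                  # already enabled
  fi
  if grep -q '^SYSLOGD_OPTIONS=' "$f"; then
    # append -r inside the existing quoted value: "-m 0" -> "-m 0 -r"
    sed -i 's/^\(SYSLOGD_OPTIONS="[^"]*\)"/\1 -r"/' "$f"
  else
    echo 'SYSLOGD_OPTIONS="-m 0 -r"' >> "$f"
  fi
}

# Step 2: send one facility to its own file via /etc/syslog.conf.
# $dest is used inside a grep pattern, so keep it free of regex metacharacters.
add_facility_rule() {
  f=${1:-/etc/syslog.conf}; fac=${2:-local2}; dest=${3:-/var/log/cisco}
  if grep -q "^$fac\.\*[[:space:]]*$dest\$" "$f"; then
    return 0                                  # rule already present
  fi
  printf '%s.*\t%s\n' "$fac" "$dest" >> "$f"
}

# Step 5: open 514/udp in /etc/sysconfig/iptables, inserted before the chain's
# REJECT line. An optional source network (e.g. 10.8.0.0/24, an assumed value)
# limits who may send to the collector.
add_iptables_rule() {
  f=${1:-/etc/sysconfig/iptables}; src=${2:-}
  if [ -n "$src" ]; then
    rule="-A RH-Firewall-1-INPUT -s $src -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT"
  else
    rule="-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT"
  fi
  if grep -qF -- "$rule" "$f"; then
    return 0                                  # rule already present
  fi
  # insert before the first REJECT; append at the end if there is none
  awk -v rule="$rule" '
    !done && /-j REJECT/ { print rule; done = 1 }
    { print }
    END { if (!done) print rule }' "$f" > "$f.tmp" &&
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"   # cat keeps the file's mode/owner
}

# Step 4 checks, to run after `service syslog restart` and `service iptables restart`:
# is syslogd listening on 514/udp, and does a message on the facility reach the file?
check_listening() {
  netstat -uln 2>/dev/null | grep -q ':514 '
}

check_logging() {
  fac=${1:-local2}; dest=${2:-/var/log/cisco}
  marker="syslog-check-$$-$(date +%s)"
  logger -p "$fac.info" "$marker"
  sleep 1
  grep -q "$marker" "$dest"
}

# Typical use as root:
#   enable_remote_logging && add_facility_rule && add_iptables_rule 10.8.0.0/24
#   service syslog restart && service iptables restart
#   check_listening && check_logging && echo "collector OK"
```

Run the three edit functions against copies of the files first (pass the copy's path as the first argument) and diff the result before touching the live configuration; each function is safe to re-run because it checks for its own line before adding it.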
Logging changes on your routers and switches.
The final step is to add the configuration lines to your Cisco routers and switches that copy logging output to your syslog server.

    logging on
    logging facility local2
    logging 10.8.0.8
In the above example, 10.8.0.8 is the IP address of the new syslog server. There are a lot of other options available with the logging command that might be useful. For example, you can use logging trap to control what kind of messages are sent to the syslog server. Check the Cisco IOS Network Management Command Reference for more information. My Cisco ASA / PIX facility chart can help you determine which number to use on your Cisco ASA or PIX.