Syslog server for Monitoring Cisco devices
I am looking for a syslog server to log all logs from Cisco devices. We have more than 800 Cisco devices. Can anyone tell me what syslog server I should use to log these files?
Thank you.
Has anyone used the Cisco recommendation of Building Scalable Syslog Solutions?
http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html#wp9000318
I used this in another organization and we were very successful; we currently use Netcool that feeds from a syslog and we get several non-actionable alarms, and it's very time consuming for 13,000 devices. I would only like to alert on 0-5 Cisco Syslog messages. Below is the response from my Netcool Administrator (What are your thoughts?):
From my Netcool Administrator:
Regarding, using the Cisco syslog severity for alert control, I feel that is not the best way to control the work in Netcool.
1. Cisco is not consistent with the use of this value.
Examples:
In this case the important message is the lower severity alert: I would consider the BGP-3-NOTIFICATION of a 6 level of Informational
Aug 4 03:10:01 rtgara02r01m04-lb0.us.bank-dns.com 001458: Aug 4 03:10:01: %BGP-5-ADJCHANGE: neighbor 10.93.69.106 Down BGP Notification sent
Aug 4 03:10:02 rtgara02r01m04-lb0.us.bank-dns.com 001459: Aug 4 03:10:01: %BGP-3-NOTIFICATION: sent to neighbor 10.93.69.106 4/0 (hold time expired) 0 bytes
This one is near the top level of severity per Cisco but not all that severe in reality; further, this syslog has a bug where the threshold is not even exceeded:
%ENVMON-1-CPU_WARNING_OVERTEMP: Critical Warning: CPU temperature 107C exceeds threshold 110C. Please resolve system cooling immediately to prevent system damage
This one is reporting a standard condition:
%ILPOWER-5-POWER_GRANTED: Interface Fa0/24: Power granted
Here is an example of a 1 where the voice group says that nothing is wrong:
Aug 4 13:08:42 rtgcaa75u01-01.sw.us.bank-dns.com 047489: Aug 4 11:08:41: %IVR-1-APP_PARALLEL_INVALID_LIST: Call terminated. Huntgroup '1' does not contain enough valid SIP end-points to proceed with a parallel call.
Similar Messages
Adding JBoss Application Server for Monitoring
How do you add a JBoss Application Server for monitoring? Is there a way to add it silently like silent install of the host target?
It is a manual process; you need to launch the JBoss discovery UI using the Targets > Middleware page.
Also, please use JVMD for more detailed analysis.
You need to specify JARs based on the version of JBoss:
Note - Please check the support site for exact certified versions of JBoss.
JBoss 4:
dom4j.jar jboss-management.jar jnp-client.jar
jbossall-client.jar jboss-client.jar
JBoss 5:
concurrent.jar jboss-javaee.jar jboss-serialization.jar
dom4j.jar jboss-jsr77-client.jar jbosssx-as-client.jar
jbossall-client.jar jboss-logging-spi.jar jbosssx-client.jar
jboss-client.jar jboss-management.jar jnp-client.jar
jboss-common-core.jar jboss-remoting.jar jboss-integration.jar jboss-security-spi.jar
JBoss 6:
concurrent.jar jboss-management.jar
dom4j.jar jboss-remoting.jar
jbossall-client.jar jboss-security-spi.jar
jboss-client.jar jboss-serialization.jar
jboss-common-core.jar jbosssx-as-client.jar
jboss-ejb-api_3.1_spec.jar jbosssx-client.jar
jboss-integration.jar jboss-transaction-api_1.1_spec.jar
jboss-jsr77-client.jar jnp-client.jar
jboss-logging.jar
If you plan to use JVMD then you should select Remote Agent for discovery/monitoring.
JNDI service should be configured and Naming Service port should be open.
Agent should be able to communicate with the host and JNDI port.
The above list of JARs is to be copied on the agent machine (location provided as library path during discovery).
Could you please share customer details and use cases.
Syslog server for access points
Hello,
On the controller, when you look at an access points config. There is the syslog server for the access point with the default ip address of 255.255.255.255. I was wondering if there was any way to disable the syslog server for the access points. The only thing I've found so far is that the ip address of the syslog server can be changed.
Thanks,
I am not sure if the "no" command works,
but on version 5.2:
config logging trap disable global
disable/enable is the key to set the IP address for the syslog server.
CiscoWorks LMS 4.1, syslog analyzer parsing non-Cisco device.
Hello.
Can Syslog Analyzer parse syslog messages coming from a Non-Cisco device?
I'm trying to parse message from a HP Virtual Connect module without success.
Thanks.
Andrea
Hi Andrea,
You could use syslog-ng to write a generic mnemonic into the message and forward it to LMS.
Something like:
syslog-ng->add fac-sev-mne: message->lms
However, I would also caution you that LMS is *not* meant to be a "syslog" manager; there are usually way too many syslog messages in most environments for it to handle that many, which is why most syslog managers are standalone servers.
In order to make sure that the NMS systems that syslog-ng forwards messages to receive the correct source, syslog-ng needs to be compiled with the source spoof option. This will allow messages received on other NMSs (such as LMS) to appear to come from the original devices rather than from the syslog-ng server.
Compiling from source:
Install the syslog-ng prerequisites from Balabit
You must configure syslog-ng with --enable-spoof-source in order to enable the spoof source feature (which is disabled by default).
./configure --enable-spoof-source
make && make install
If you run into any issues during the installation, you can refer to the syslog-ng forum or you can refer to the syslog-ng knowledge base
Lastly, here's a great paper on syslog management:
Building Scalable Syslog Management Solutions
How can I use my MAC OS X as syslog server ??
Hi Team,
Can you please help me in configuring my MAC machine as syslog server for my Cisco routers ?? I have the devices on same network and would like to forward all syslog messages to my MAC machine for analysing them.
Thanks,
Crocosmia wrote:
Thank you for the advice, will try the Apple store. Another thing: how can I increase my RAM and memory?
Check your machine's actual specifications here.
It looks like you can support up to 3 MByte in a 17" iMac and up to 4 Mbyte in a 20" iMac, if your cache size coordinates with the specs on the linked page.
OWC says you should be able to put 4 Gbyte into your machine here. Wherever you get the memory, it would be a good addition. This is the Apple Store listing for your machine, as near as I can figure it.
Cisco Devices Syslog monitoring and user monitoring tools
Can anyone help me with how to monitor syslog and user logs (which command a specific user used)? If any software or hardware is needed for this purpose we will purchase it. Note that our network runs all Cisco devices (router, switch, ASA etc.) and more than 200 devices are in our network.
thanks.
Configuring Cisco Devices to Use a Syslog Server
Most Cisco devices use the syslog protocol to manage system logs and alerts. But unlike their PC and server counterparts, Cisco devices lack large internal storage space for storing these logs. To overcome this limitation, Cisco devices offer the following two options:
Internal buffer— The device's operating system allocates a small part of memory buffers to log the most recent messages. The buffer size is limited to a few kilobytes. This option is enabled by default. However, when the device reboots, these syslog messages are lost.
Syslog— Use a UNIX-style SYSLOG protocol to send messages to an external device for storing. The storage size does not depend on the router's resources and is limited only by the available disk space on the external syslog server. This option is not enabled by default.
TIP
Before configuring a Cisco device to send syslog messages, make sure that it is configured with the right date, time, and time zone. Syslog data would be useless for troubleshooting if it shows the wrong date and time. You should configure all network devices to use NTP. Using NTP ensures a correct and synchronized system clock on all devices within the network. Setting the devices with the accurate time is helpful for event correlation.
To enable syslog functionality in a Cisco network, you must configure the built-in syslog client within the Cisco devices.
Cisco devices use a severity level of warnings through emergencies to generate error messages about software or hardware malfunctions. The debugging level displays the output of debug commands. The Notice level displays interface up or down transitions and system restart messages. The informational level reloads requests and low-process stack messages.
Configuring Cisco Routers for Syslog
To configure a Cisco IOS-based router for sending syslog messages to an external syslog server, follow the steps in Table 4-11 using privileged EXEC mode.
Table 4-11. Configuring Cisco Routers for Syslog
Step 1. Router# configure terminal
        Enters global configuration mode.
Step 2. Router(config)# service timestamps type datetime [msec] [localtime] [show-timezone]
        Instructs the system to timestamp syslog messages; the options for the type keyword are debug and log.
Step 3. Router(config)# logging host
        Specifies the syslog server by IP address or host name; you can specify multiple servers.
Step 4. Router(config)# logging trap level
        Specifies the kind of messages, by severity level, to be sent to the syslog server. The default is informational and lower. The possible values for level are as follows:
        Emergency: 0
        Alert: 1
        Critical: 2
        Error: 3
        Warning: 4
        Notice: 5
        Informational: 6
        Debug: 7
        Use the debug level with caution, because it can generate a large amount of syslog traffic in a busy network.
Step 5. Router(config)# logging facility facility-type
        Specifies the facility level used by the syslog messages; the default is local7. Possible values are local0, local1, local2, local3, local4, local5, local6, and local7.
Step 6. Router(config)# end
        Returns to privileged EXEC mode.
Step 7. Router# show logging
        Displays logging configuration.
Note
When a level is specified in the logging trap level command, the router is configured to send messages with lower severity levels as well. For example, the logging trap warning command configures the router to send all messages with the severity warning, error, critical, and emergency. Similarly, the logging trap debug command causes the router to send all messages to the syslog server. Exercise caution while enabling the debug level. Because the debug process is assigned a high CPU priority, using it in a busy network can cause the router to crash.
Example 4-12 prepares a Cisco router to send syslog messages at facility local3. Also, the router will only send messages with a severity of warning or higher. The syslog server is on a machine with an IP address of 192.168.0.30.
Example 4-12. Router Configuration for Syslog
Router-Dallas#
Router-Dallas#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router-Dallas(config)#logging 192.168.0.30
Router-Dallas(config)#service timestamps debug datetime localtime show-timezone msec
Router-Dallas(config)#service timestamps log datetime localtime show-timezone msec
Router-Dallas(config)#logging facility local3
Router-Dallas(config)#logging trap warning
Router-Dallas(config)#end
Router-Dallas#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 79 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: disabled
Trap logging: level warnings, 80 message lines logged
Logging to 192.168.0.30, 57 message lines logged
Configuring a Cisco Switch for Syslog
To configure a Cisco CatOS-based switch for sending syslog messages to an external syslog server, use the privileged EXEC mode commands shown in Table 4-12.
Table 4-12. Configuring a Cisco Switch for Syslog
Step 1. Switch>(enable) set logging timestamp {enable | disable}
        Configures the system to timestamp messages.
Step 2. Switch>(enable) set logging server ip-address
        Specifies the IP address of the syslog server; a maximum of three servers can be specified.
Step 3. Switch>(enable) set logging server severity server_severity_level
        Limits messages that are logged to the syslog servers by severity level.
Step 4. Switch>(enable) set logging server facility server_facility_parameter
        Specifies the facility level that would be used in the message. The default is local7. Apart from the standard facility names listed in Table 4-1, Cisco Catalyst switches use facility names that are specific to the switch. The following facility levels generate syslog messages with fixed severity levels:
        5: System, Dynamic-Trunking-Protocol, Port-Aggregation-Protocol, Management, Multilayer Switching
        4: CDP, UDLD
        2: Other facilities
Step 5. Switch>(enable) set logging server enable
        Enables the switch to send syslog messages to the syslog servers.
Step 6. Switch>(enable) show logging
        Displays the logging configuration.
Example 4-13 prepares a CatOS-based switch to send syslog messages at facility local4. Also, the switch will only send messages with a severity of warning or higher. The syslog server is on a machine with an IP address of 192.168.0.30.
Example 4-13. CatOS-Based Switch Configuration for Syslog
Console> (enable) set logging timestamp enable
System logging messages timestamp will be enabled.
Console> (enable) set logging server 192.168.0.30
192.168.0.30 added to System logging server table.
Console> (enable) set logging server facility local4
System logging server facility set to
Console> (enable) set logging server severity 4
System logging server severity set to <4>
Console> (enable) set logging server enable
System logging messages will be sent to the configured syslog servers.
Console> (enable) show logging
Logging buffered size: 500
timestamp option: enabled
Logging history size: 1
Logging console: enabled
Logging server: enabled
{192.168.0.30}
server facility: LOCAL4
server severity: warnings(4)
Current Logging Session: enabled
Facility   Default Severity   Current Session Severity
cdp        3                  4
drip       2                  4
dtp        5                  4
dvlan      2                  4
earl       2                  4
fddi       2                  4
filesys    2                  4
gvrp       2                  4
ip         2                  4
kernel     2                  4
mcast      2                  4
mgmt       5                  4
mls        5                  4
pagp       5                  4
protfilt   2                  4
pruning    2                  4
radius     2                  4
security   2                  4
snmp       2                  4
spantree   2                  4
sys        5                  4
tac        2                  4
tcp        2                  4
telnet     2                  4
tftp       2                  4
udld       4                  4
vmps       2                  4
vtp        2                  4
0(emergencies) 1(alerts) 2(critical)
3(errors) 4(warnings) 5(notifications)
6(information) 7(debugging)
Console> (enable)
Configuring a Cisco ASA for Syslog >
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html
You can get a free copy of Syslog server from here
http://www.kiwisyslog.com/free-edition.aspx
Hope it helps!!
Regards
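As an added example (written for this page, not code from any of the posts or from Cisco), the script below parses the %FACILITY-SEVERITY-MNEMONIC tag from syslog lines such as those the Netcool administrator quoted near the top of the page, applies the same rule the router uses for `logging trap level` in Table 4-11 (a message is forwarded when its severity number is at or below the configured level), and shows how a collector-side override table can re-rank messages whose Cisco-assigned severity that administrator considered misleading. The function names and the override values are assumptions; the sample lines are the messages quoted on this page plus one constructed non-Cisco line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity names and numbers as listed in Table 4-11 (logging trap level).
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notice", 6: "informational", 7: "debug"}
SEVERITY_NUMBERS = {name: num for num, name in SEVERITY_NAMES.items()}

# IOS messages carry a %FACILITY-SEVERITY-MNEMONIC: tag after the timestamp and
# optional sequence number; everything after the colon is the message text.
TAG_RE = re.compile(r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-"
                    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")


@dataclass
class CiscoSyslog:
    facility: str
    severity: int      # severity number assigned by the device (0-7)
    mnemonic: str
    text: str

    @property
    def tag(self) -> str:
        return f"{self.facility}-{self.severity}-{self.mnemonic}"


def parse_cisco_syslog(line: str) -> Optional[CiscoSyslog]:
    """Extract the Cisco tag from one syslog line; None if the line has no tag."""
    m = TAG_RE.search(line)
    if m is None:
        return None
    return CiscoSyslog(m["facility"], int(m["severity"]), m["mnemonic"], m["text"].strip())


def trap_level(name: str) -> int:
    """Map a 'logging trap <level>' keyword to its number (warning -> 4)."""
    return SEVERITY_NUMBERS[name.lower()]


# Constructed override table (hypothetical values): effective severities for
# messages whose Cisco-assigned level the Netcool administrator found misleading.
# BGP-3-NOTIFICATION is demoted to informational as he suggested; the other two
# values are assumptions made for this example.
OVERRIDES = {
    "BGP-3-NOTIFICATION": 6,
    "BGP-5-ADJCHANGE": 3,
    "IVR-1-APP_PARALLEL_INVALID_LIST": 5,
}


def effective_severity(msg: CiscoSyslog, use_overrides: bool = True) -> int:
    return OVERRIDES.get(msg.tag, msg.severity) if use_overrides else msg.severity


def select_actionable(lines: List[str], level: int, use_overrides: bool = True) -> List[str]:
    """Tags of the messages a collector would alert on: severity number <= level,
    which is the rule the router itself applies for 'logging trap <level>'."""
    selected = []
    for line in lines:
        msg = parse_cisco_syslog(line)
        if msg is None:
            continue  # non-Cisco or malformed line: route it to a separate review queue
        if effective_severity(msg, use_overrides) <= level:
            selected.append(msg.tag)
    return selected


# Sample input: the messages quoted on this page plus one constructed non-Cisco line.
SAMPLE_LINES = [
    "Aug 4 03:10:01 rtgara02r01m04-lb0.us.bank-dns.com 001458: Aug 4 03:10:01: %BGP-5-ADJCHANGE: neighbor 10.93.69.106 Down BGP Notification sent",
    "Aug 4 03:10:02 rtgara02r01m04-lb0.us.bank-dns.com 001459: Aug 4 03:10:01: %BGP-3-NOTIFICATION: sent to neighbor 10.93.69.106 4/0 (hold time expired) 0 bytes",
    "%ENVMON-1-CPU_WARNING_OVERTEMP: Critical Warning: CPU temperature 107C exceeds threshold 110C. Please resolve system cooling immediately to prevent system damage",
    "%ILPOWER-5-POWER_GRANTED: Interface Fa0/24: Power granted",
    "Aug 4 13:08:42 rtgcaa75u01-01.sw.us.bank-dns.com 047489: Aug 4 11:08:41: %IVR-1-APP_PARALLEL_INVALID_LIST: Call terminated. Huntgroup '1' does not contain enough valid SIP end-points to proceed with a parallel call.",
    "Aug 4 13:09:00 hp-vc-module-01 vcm: enclosure status OK",  # constructed, not Cisco-formatted
]

if __name__ == "__main__":
    for use in (False, True):
        label = "with overrides" if use else "raw Cisco severity"
        print(label, select_actionable(SAMPLE_LINES, trap_level("warning"), use))
```

Run as is, it prints which of the quoted messages would alert at the warning level first by the device's own severity and then after the override table is applied.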
I am looking for step by step instructions to configure my mac mini server to support the following:
1. Central itunes server for all my devices (ipad, ipod, iphone, etc.)
2. Central file server so that my windows devices can save and retrieve data from the central system (the mac does not show up in the network for the windows systems - all running windows XP or 7)
Thanks,
Keith
You will need to enable file sharing in System Preferences as well as setting up sharing and permissions for the directories that you want shared. You may also want to set up a non-administrative user or allow limited guest access. The user would require entering a user name and password to make the connection, but would allow remotes to change files, if set up that way.
As for serving iTunes media, better to post in the iTunes forum.
Configuring Cisco Router for use with Syslog Server
Configuring Cisco Router for use with Syslog Server:
Does anyone know of a good doc for this?
-Ashley
Start with that one: http://security-planet.de/wp-content/uploads/2008/12/logging-ios.pdf
And if you need more information, just ask what you want to achieve.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
Where are syslogs stored, if I point my devices to Cisco Prime acting as my syslog server? I am running 2.0
thanks, Jerry
Hi,
As of now, this feature is not available; I mean PI will not work as a syslog server.
Syslog messages received by PI from managed devices are found under Monitor > Alarms and Events > Syslogs
As you are using PI 2.2, you will be able to see all device syslog messages (0-7 severity).
That display will show you up to 200,000 messages at a time.
Check the below link for other related details provided by Marvin:
https://supportforums.cisco.com/discussion/12486126/cisco-prime-syslog-functionality#sthash.Wbj2a3lj.dpuf
Thanks-
Afroz
***Ratings Encourages Contributors ****
Cisco ISE and external syslog server
Hi Security Experts,
We are starting with deploying cisco ISE (Identity Services Engine) in our network. We have allocated 250GB space for (Admin+Monitor) ISE node.
I want to know if we can send the logs from monitoring node to external syslog server after a defined time interval.
For example, logs which are more than 10 days old should be sent to external syslog server. So basically our monitoring node will have logs which are at the max 9 days old. Is it possible? Could you point me to some doc which explains configuration of the same?
Thanks,
Kashish
No, this isn't possible via syslog. What you are looking for is database purging, so that the monitoring database is purged after a specific time interval. Here is a guide that will help shed some light on this:
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_mnt.html#wp1054328
Tarik Admani
*Please rate helpful posts*
Alarms for Third party devices on Cisco PI v 2.1
Is it possible to receive alarms for third party devices in Cisco Prime Infrastructure 2.1? If so how do i configure PI to show the alarms?
Hi,
AFAIK, it is not possible to receive alarms for third party devices in Cisco Prime Infrastructure 2.1.
We have very limited support of 3rd party devices in PI. For third party devices only SNMP polling, SNMP traps and syslog will work.
Third-party support
● Ability to discover and monitor third-party (non-Cisco) switches that support RFC 1213 and wireless controllers/access points from Aruba Networks
Thanks-
Afroz
****Ratings Encourages Contributors ****
Cisco PI syslog server configuration
Hi all,
I need to configure the PI as a syslog server and get the log file from the PI to read it.
How can I do it? Please advise.
thanks in advance
Hi,
Which prime version are you using ?
Here is what Prime 2.1 user guide says
http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-1/user/guide/pi_ug/alarms.html#pgfId-1054572
Prime Infrastructure logs all emergency, alert, and critical messages generated by all devices that are managed by Prime Infrastructure.
Prime Infrastructure also logs all SNMP messages and syslogs it receives. To view syslogs, choose Operate > Alarms & Events , then click the Syslogs tab.
Syslog Predefined Filters
Prime Infrastructure uses the following syslog filters:
Severity 0 and 1
Severity 2
Environmental Monitor
Memory Allocation Failure
Catalyst Integrated Security Features
Cisco IOS Firewall Denial of Service
Read this thread as well; it talks about tweaking this setting, but it could lead to filling up your Prime disk space quickly.
https://supportforums.cisco.com/discussion/11645481/prime-infrastructure-12-syslog
HTH
Rasika
**** Pls rate all useful responses ****
Configure Cisco Works as a Syslog Server ???
Hi Friends,
Is it possible to configure a syslog server in Cisco Works? If possible, please share the steps that need to be configured.
Syslog server in CiscoWorks is pretty simple.
> Configure device to send syslog to ciscoworks
> Subscribe Syslog Collector in Ciscoworks
> Set correct filters and Generate report to see syslogs.
When a syslog is received in Syslog.log (Win) / Syslog_info (Sol/Lin), the Syslog Collector picks the syslog message from that flat log/text file and sends it to the Syslog DB after filtering messages as per the filter settings.
Subscribing Syslog Collector however differs with LMS version. Please see:
LMS 3.x :
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.3/user/guide/syslog.html#wp1123042
LMS 4.x:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/collection.html#wp1059476
Syslog Documents for Ciscoworks:
http://docwiki.cisco.com/wiki/Network_Management_Configuration_Example_for_Ciscoworks_LMS_Syslog_Configuration_via_GUI
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_tech_note09186a00800a7275.shtml
-Thanks
Can Cisco Prime Infra 2.1 work as syslog server
Hello all,
Customer wants Cisco Prime Infra 2.1 to work as a syslog server. They want to query text in syslog and get the raw log file from Cisco Prime Infra. But when I look in the user interface, I think that it cannot query and search text in syslog. But I am not sure whether we can get the raw log file per device from Cisco Prime Infra. Does anyone know about this?
thanks
sompoj
Hi Sompoj,
In Prime Infrastructure syslogs are directly read from UDP port 514 and then filtered; the non-SEV1 and SEV2 syslogs will be dropped and will not be entered into the DB. The syslog messages will not be saved into log files.
Thanks-
Afroz
****Ratings Encourages Contributors ****
Cisco devices configuration for CW-LMS
Hello,
I am new to CiscoWorks LMS. I am working with a LMS 3.2 fresh installation. I added all the devices (routers, switches and 3 ASAs) into the DCR. Now I need to know how to configure the devices to send relevant info to the CW LMS machine. I am looking for something similar to this:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap10.html#wp1056411
This is a deployment model for Cisco MARS, which shows what to configure on each device in the network to send the most relevant info (syslog, netflow) to the Cisco MARS.
Is there a best practice for CW LMS regarding this? For example, what syslog level should the routers send to the LMS?
Thank you!
There is a deployment guide whitepaper for LMS at http://www.cisco.com/en/US/products/sw/cscowork/ps2425/prod_white_papers_list.html . As for what to do syslog-wise, you should configure your logging facility to be local7 (this is the default on IOS, but not on ASA OS), and send at least sev 5 or higher messages. You may want to bump that up to sev 6 (informational), but sev 5 for IOS devices will be sufficient to get things like configuration change messages. For CatOS, you definitely want sev 6.