Cisco Devices (syslog)
For additional information, see Configuring Cisco Devices to Use a Syslog Server.
LogRhythm uses the standard newline character - '\n' - to parse TCP syslog messages. If you need to support the '\r\n', '\r', or '\0' delimiters, you must enable SyslogUseEnhancedTCPDelimiters in the Advanced Agent Properties.
Syslog Configuration
Syslog reserves facilities local0 through local7 for log messages received from remote servers and network devices. Routers, switches, firewalls, and load balancers each logging with a different facility can each have its own log files for easy troubleshooting. The following examples will show how to have a different log file for each class of device.
If you have a large data center, then you may also want to switch off all logging to /var/log/messages. In all the network device configuration examples below, we are logging to the remote Linux logging server 192.168.1.100.
Cisco Routers
By default Cisco routers send syslog messages to their logging server with a default facility of local7. We do not set the facility in this case, but we can tell the router to timestamp the messages and make the messages have the source IP address of the loopback interface.
service timestamps log datetime localtime
no logging console
no logging monitor
logging 192.168.1.100
Catalyst CAT Switches running CATOS
set logging server enable
set logging server 192.168.1.100
set logging level all 5
set logging server severity 6
Cisco Local Director
By default Cisco switches also send syslog messages to their logging server with a default facility of local7. We will not change this facility either, therefore making routers and switches log to the same file.
Local Directors use the "syslog output" command to set their logging facility and severity. The value provided must be in the format FF.SS (facility.severity) using the numbering scheme below:
| Facility | FF Value | Severity | SS Value |
|---|---|---|---|
| local 0 | 16 | System unusable | 0 |
| local 1 | 17 | Immediate action required | 1 |
| local 2 | 18 | Critical condition | 2 |
| local 3 | 19 | Error conditions | 3 |
| local 4 | 20 | Warning conditions | 4 |
| local 5 | 21 | Normal but significant conditions | 5 |
| local 6 | 22 | Informational messages | 6 |
| local 7 | 23 | Debugging messages | 7 |
Here we using facility LOCAL4 and logging debugging messages and above.
syslog output 20.7
no syslog console
syslog host 192.168.1.100
Cisco PIX Firewalls
PIX firewalls use the following numbering scheme to determine their logging facilities.
| Facility | Logging Facility Command Value |
|---|---|
| local 0 | 16 |
| local 1 | 17 |
| local 2 | 18 |
| local 3 | 19 |
| local 4 | 20 |
| local 5 | 21 |
| local 6 | 22 |
| local 7 | 23 |
This configuration example assumes that the logging server is connected on the side of the "inside" protected interface. We're sending log messages to facility LOCAL3 with a severity level of 5 (Notification) set by the "logging trap" command.
logging on
logging standby
logging timestamp
logging trap notifications
logging facility 19
logging host inside 192.168.1.100
Cisco CSS11000 (Arrowpoints)
The configuration for this is more straight forward. You specify the facility with an intuitive number using the "logging host" command and set the severity with the "logging subsystem" command. This example shows the CSS11000 logging facility LOCAL 6 and severity level 6 (Informational)
logging host 192.168.1.100 facility 6
set logging subsystem all info-6
logging commands enable
Sample Cisco syslog.conf File
#
# All LOCAL3 messages (debug and above) go to the firewall file ciscofw
#local3.debug /
var/log/cisco/ciscofw
## All LOCAL4 messages (debug and above) go to the Local Director file ciscold
#
local4.debug /var/log/cisco/ciscold## All LOCAL6 messages (debug and above) go to the CSS file ciscocss
#
local6.debug /var/log/cisco/ciscocss
#
# All LOCAL7 messages (debug and above) go to the ciscoacl
# This includes ACL logs which are logged at severity debug#
local7.debug /var/log/cisco/ciscoacl#
# LOCAL7 messages (notice and above) go to the ciscoinfo
# This excludes ACL logs which are logged at severity debug
#
local7.notice /var/log/cisco/ciscoinfo