[sdnog] Common problem in sudan | Duplex mismatch
Scott Weeks
surfer at mauigateway.com
Wed Jan 28 20:59:29 SAST 2015
--- higba6 at gmail.com wrote:
From: Hiba Eltigani <higba6 at gmail.com>
Please give us more information about the syslog setup.
-------------------------------------------------
Good morning,
I am on the other side of the planet, so my responses
are delayed. Also, this is a little long.
I use a unix server to gather the logs. I'm not sure how
far to go into detail, but I will try to find some level
without going into too much detail right now. I am happy
to go into whatever level of detail folks on the list would
like in later emails.
Network devices send syslog messages to a defined server
with a priority and a facility. For example, cisco uses
"facility local7" as a default. When the syslog server
receives that syslog message, it uses the facility to
decide where to put the message. I like to separate
firewall and IDS/IPS messages into one log file and all
routers and switches into another. So, all firewalls/IPSs
we have configured to send with a facility of "local4"
and all switches/routers are configured to send with facility
"local7". The cisco command to send to a syslog server that
has an IP address of 172.16.0.1 is:
conf t
logging 172.16.0.1
exit
wr mem
exit
If you want to change the default facility from "local7" to
"local2" for some reason, the command is this:
conf t
logging facility local2
exit
wr mem
exit
On the unix server there is a file called syslog.conf. It
is most always /etc/syslog.conf. For example, in there, I
put this for the routers and switches:
local7.* /var/log/router.log
This means all switch/router log entries will be in
/var/log/router.log.
Then, if I want to watch what's happening on all routers
and switches on the network, I do this:
tail -f /var/log/router.log
What you'll see is every entry added to /var/log/router.log
as it's sent to the server from the switches and routers.
However, there're usually too many entries for one person to
watch. So, I remove those entries I don't want to see and
watch what is left.
Say, for example, I don't want to see the ACL entries from a
couple of routers, but I want to see everything else. I do
this:
tail -f /var/log/router.log | egrep -v 'router1.*acl|router2.*acl'
This says I want to see every entry as they're added to
router.log, except those lines that have the terms router1
and acl (the ".*" is a regular expression term that means any
number of characters between the words "router1" and "acl")
or router2 and acl. Everything else will be shown. Using the
egrep command you can add as many terms as you like. They
just have to be separated by a "|" character as you see above.
Please feel free to ask anything I didn't explain clearly.
I am still in early morning here and may not be as clear as
I would like... :-)
scott
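To show what the syslog server is doing with the facility in each message, and what the egrep exclusion above leaves behind, here is an added example (not part of Scott's post) that decodes the <PRI> header, sorts messages into per-file buckets the way the local7.* line in syslog.conf does, and then applies the same router1/router2 ACL filter. The firewall file name /var/log/firewall.log and all sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# BSD syslog: <PRI> = facility * 8 + severity; local0..local7 are facilities 16..23
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Routing as in the post: local7 -> router.log; local4 is the firewall/IPS facility
# (the firewall file name is an assumption, the post only names router.log)
ROUTES = {"local7": "/var/log/router.log", "local4": "/var/log/firewall.log"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")

def decode_pri(line):
    """Return (facility, severity, message) for a <PRI>-prefixed line, else None."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    facility = FACILITY_NAMES.get(pri // 8, str(pri // 8))
    return facility, SEVERITY_NAMES[pri % 8], m.group(2)

def route(lines):
    """Bucket messages by destination file using the facility, like syslogd does."""
    files = defaultdict(list)
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            continue  # no valid PRI header: a real syslogd would not file it here
        facility, _severity, msg = decoded
        if facility in ROUTES:
            files[ROUTES[facility]].append(msg)
    return files

# Same pattern as: tail -f /var/log/router.log | egrep -v 'router1.*acl|router2.*acl'
NOISE = re.compile(r"router1.*acl|router2.*acl")

def watch(messages, exclude=NOISE):
    """Keep only the lines an operator would see after the egrep -v exclusion."""
    return [m for m in messages if not exclude.search(m)]

# Constructed sample input; not real device output
SAMPLE = [
    "<189>Jan 28 20:59:01 router1 acl 101 denied tcp 10.0.0.5 -> 172.16.0.1",
    "<188>Jan 28 20:59:02 switch1 duplex mismatch discovered on port Fa0/1",
    "<165>Jan 28 20:59:03 fw1 denied inbound connection from 10.0.0.9",
    "<189>Jan 28 20:59:04 router2 acl 102 denied udp 10.0.0.7 -> 172.16.0.1",
    "<190>Jan 28 20:59:05 router1 interface Fa0/1 changed state to up",
    "garbage line without a PRI header",
]

if __name__ == "__main__":
    for msg in watch(route(SAMPLE)["/var/log/router.log"]):
        print(msg)
```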
> _______________________________________________
> Sdnog mailing list
> Sdnog at sdnog.sd
> http://lists.sdnog.sd/mailman/listinfo/sdnog