[sdnog] Common problem in sudan | Duplex mismatch

Scott Weeks surfer at mauigateway.com
Wed Jan 28 20:59:29 SAST 2015



--- higba6 at gmail.com wrote:
From: Hiba Eltigani <higba6 at gmail.com>
 
Please give us more information about the syslog setup.
-------------------------------------------------

Good morning,

I am on the other side of the planet, so my responses 
are delayed.  Also, this is a little long.

I use a unix server to gather the logs.  I'm not sure how
far to go into detail, but I will try to find some level
without going into too much detail right now.  I am happy
to go into whatever level of detail folks on the list would 
like in later emails.

Network devices send syslog messages to a defined server
with a priority and a facility.  For example, cisco uses 
"facility local7" as a default.  When the syslog server
receives that syslog message, it uses the facility to 
decide where to put the message.  I like to separate 
firewall and IDS/IPS messages into one log file and all 
routers and switches into another.  So, we have configured 
all firewalls/IPSs to send with a facility of "local4", 
and all switches/routers are configured to send with facility 
"local7".  The cisco command to send to a syslog server that
has an IP address of 172.16.0.1 is:

conf t
logging 172.16.0.1  
exit
wr mem
exit

If you want to change the default facility from "local7" to 
"local2" for some reason, the command is this:

conf t
logging facility local2
exit
wr mem
exit

On the unix server there is a file called syslog.conf.  It 
is almost always /etc/syslog.conf.  For example, in there, I 
put this for the routers and switches:

local7.*             /var/log/router.log

This means all switch/router log entries will be in 
/var/log/router.log.

Then, if I want to watch what's happening on all routers
and switches on the network, I do this:

tail -f /var/log/router.log 

What you'll see is every entry added to /var/log/router.log 
as it's sent to the server from the switches and routers.  
However, there're usually too many entries for one person to 
watch.  So, I remove those entries I don't want to see and 
watch what is left.

Say, for example, I don't want to see the ACL entries from a 
couple of routers, but I want to see everything else.  I do 
this:

tail -f /var/log/router.log | egrep -v 'router1.*acl|router2.*acl'

This says I want to see every entry as they're added to 
router.log, except those lines that have the terms router1 
and acl (the ".*" is a regular expression term that means any
number of characters between the words "router1" and "acl") 
or router2 and acl. Everything else will be shown.  Using the 
egrep command you can add as many terms as you like.  They 
just have to be separated by a "|" character as you see above.

Please feel free to ask anything I didn't explain clearly.
I am still in early morning here and may not be as clear as 
I would like...  :-)


scott
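As an added illustration of the routing and filtering described in the message above (this is not code from the original post; the firewall log file name and the sample messages are assumed), a small Python script that decodes the syslog PRI field into facility and severity, sorts messages into the same destination files a "local7.* /var/log/router.log" line would, and applies the same egrep -v exclusion:

```python
import re

# Facility numbers from RFC 3164/5424: local0..local7 are 16..23.
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Mirrors the syslog.conf routing in the post: firewalls/IPSs send local4,
# routers/switches send local7. (The firewall log file name is assumed.)
ROUTES = {"local4": "/var/log/firewall.log", "local7": "/var/log/router.log"}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def decode_pri(line):
    """Split '<PRI>msg' into (facility, severity, msg).
    PRI = facility * 8 + severity, so facility = PRI // 8 and severity = PRI % 8."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None  # no PRI field, or PRI out of range: not a valid syslog line
    pri = int(m.group(1))
    facility = FACILITY_NAMES.get(pri // 8, f"facility{pri // 8}")
    return facility, SEVERITY_NAMES[pri % 8], m.group(2)

def route(lines):
    """Group messages by destination file, as 'local7.* /var/log/router.log' would."""
    out = {}
    for line in lines:
        parsed = decode_pri(line)
        if parsed is None:
            continue
        facility, severity, msg = parsed
        dest = ROUTES.get(facility)
        if dest is not None:  # facilities with no syslog.conf rule are dropped
            out.setdefault(dest, []).append(f"{severity} {msg}")
    return out

def watch(lines, exclude=r"router1.*acl|router2.*acl"):
    """Same filter as: tail -f router.log | egrep -v 'router1.*acl|router2.*acl'."""
    pattern = re.compile(exclude)
    return [line for line in lines if not pattern.search(line)]

# Constructed sample messages, not captured from real devices.
SAMPLE = [
    "<189>router1: %SEC-6-IPACCESSLOGP: list acl-in denied tcp 10.0.0.5(4444) -> 10.0.0.1(22)",
    "<188>router2: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "<166>fw1: %ASA-6-302013: Built outbound TCP connection",
    "<190>router2: %SEC-6-IPACCESSLOGP: list acl-out permitted udp 10.0.0.7(53) -> 10.0.0.9(53)",
]

if __name__ == "__main__":
    for dest, msgs in route(SAMPLE).items():
        print(dest, watch(msgs) if dest.endswith("router.log") else msgs)
```

With the sample input, only the router2 link-down message survives the exclusion filter, which is the "watch what is left" effect the post describes.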
> _______________________________________________
> Sdnog mailing list
> Sdnog at sdnog.sd
> http://lists.sdnog.sd/mailman/listinfo/sdnog