Tuesday, March 1, 2011

Setup Syslog-ng Server for Cisco Device

1. Install EPEL on CentOS
http://download.fedora.redhat.com/pub/epel/5/i386/repoview/epel-release.html
2. yum install syslog-ng
3. vi /etc/syslog-ng/syslog-ng.conf
4. Comment out the default log settings (keep using syslog for the system; syslog-ng handles the Cisco devices only)
5. Add
source s_sys {
        udp(ip(0.0.0.0) port(514));
};
filter f_router  { facility(local3); };
###ROUTER IP###
filter f_A { host("1.1.1.1"); };
filter f_B { host("2.2.2.2"); };
filter f_C { host("3.3.3.3"); };
###UNKNOWN ROUTER###
filter f_unknown { not ( filter(f_A)
                        or filter(f_B)
                        or filter(f_C) ); };
###LOG FILE LOCATION###
destination A { file("/var/www/netlog/A.log" perm(0644) sync(10) ); };
destination B { file("/var/www/netlog/B.log" perm(0644) sync(20) ); };
destination C { file("/var/www/netlog/C.log" perm(0644) sync(20) ); };
destination unknown { file("/var/www/netlog/unknown.log" perm(0644) sync(10) ); };
###LOG SETTING###
log { source(s_sys); filter(f_router); filter(f_A); destination(A); };
log { source(s_sys); filter(f_router); filter(f_B); destination(B); };
log { source(s_sys); filter(f_router); filter(f_C); destination(C); };
log { source(s_sys); filter(f_router); filter(f_unknown); destination(unknown); };

6. Edit /etc/sysconfig/iptables and Add
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
7. Edit /etc/httpd/conf.d/netlog.conf
Alias /netlog /var/www/netlog
<Location /netlog>
    Options Indexes Includes FollowSymLinks SymLinksifOwnerMatch MultiViews
    Order deny,allow
    Deny from all
    Allow from 163.50
    Allow from 172
    Allow from 192
</Location>

8. mkdir /var/www/netlog
9. service iptables restart && service syslog-ng restart && service httpd restart
10. chkconfig --level 3456 syslog-ng on
11. Edit /etc/logrotate.d/syslog-ng

/var/www/netlog/*.log {
    daily
    notifempty
    missingok
    copytruncate
    postrotate
        /sbin/service syslog-ng reload > /dev/null 2>/dev/null || true
    endscript
    compress
}
12. Configure your Cisco Router

logging facility local3
logging <server ip>
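As an added example (not part of the original post), here is a small Python model of the filter chain above: it parses the syslog PRI of each datagram, drops anything not sent with facility local3 (the f_router filter), and picks the destination file by source address the way f_A/f_B/f_C and f_unknown do, so you can see what happens to a router whose facility was left at the Cisco default local7. The router addresses and file paths are the ones from the config; the datagrams are constructed samples.

```python
import re
from typing import Optional, Tuple, List

# Mirrors the syslog-ng.conf above: facility(local3) gate, host filters, destinations
ROUTER_FACILITY = 19            # local3 (local0 = 16 ... local7 = 23)
ROUTERS = {                     # filter f_A / f_B / f_C -> destination A / B / C
    "1.1.1.1": "/var/www/netlog/A.log",
    "2.2.2.2": "/var/www/netlog/B.log",
    "3.3.3.3": "/var/www/netlog/C.log",
}
UNKNOWN_DEST = "/var/www/netlog/unknown.log"   # filter f_unknown -> destination unknown

PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_pri(raw: str) -> Optional[Tuple[int, int]]:
    """Split the leading <PRI> into (facility, severity); None if absent or out of range."""
    m = PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:               # 23 facilities * 8 severities - 1
        return None
    return pri // 8, pri % 8

def route(src_ip: str, raw: str) -> Optional[str]:
    """Return the file the message lands in, or None when filter(f_router) drops it."""
    parsed = parse_pri(raw)
    if parsed is None or parsed[0] != ROUTER_FACILITY:
        return None             # not local3: no log {} statement matches, message is discarded
    return ROUTERS.get(src_ip, UNKNOWN_DEST)

# Constructed sample datagrams (source address, payload). PRI = facility * 8 + severity,
# so a Cisco "-5-" message sent as local3 carries <157>; the same message on local7 is <189>.
SAMPLE = [
    ("1.1.1.1", "<157>42: *Mar  1 10:00:01.000: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)"),
    ("4.4.4.4", "<155>7: *Mar  1 10:00:02.000: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down"),
    ("2.2.2.2", "<189>9: *Mar  1 10:00:03.000: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.6)"),
]

def route_all(datagrams=SAMPLE) -> List[Tuple[str, Optional[str]]]:
    """Apply the routing to every datagram; None marks a silently dropped message."""
    return [(ip, route(ip, msg)) for ip, msg in datagrams]

if __name__ == "__main__":
    for ip, dest in route_all():
        print(f"{ip:10} -> {dest or 'DROPPED (facility is not local3)'}")
```

The third sample shows the failure mode to check for after step 12: a known router that never received `logging facility local3` produces no line in any file, so an empty B.log is a misconfiguration rather than a quiet device.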
