Syslog server cisco windows

Configuring a Syslog server

Cisco devices have extensive logging capabilities.
Practically any event can be logged at the required level of detail.
For details on configuring logging, see Configuring logging.

The device can store logs either in its RAM or in Flash, and obviously not much fits there; on top of that, RAM is wiped on reboot.
This matters most in emergencies, when there is no way (or no time) to look at the device and it panics and reboots, losing all of its logs.

A good alternative is logging to an external server, called a Syslog server.
Syslog server software exists from various vendors; we will look at the best-known one, Kiwi Syslog Server 9.4.1.

Installing Kiwi Syslog Server

There is nothing particularly complicated about the installation: just run Kiwi_Syslog_Server_9.4.1.Eval.setup.exe, do everything the standard way and accept all the defaults.
The only thing to remember is the admin account for Web Access.
The installation requires a reboot. Also, the license must be installed right after installation.

Checking/Configuring

The service status can be checked here:
Administrative tools > Services > Kiwi Syslog server
Obviously, its state should be Started.

The server status can be checked by launching the Kiwi Syslog Server Console.
From there you can check the following:

  • File > Send test message
  • Manage > Show syslogd service state

Configuring the Cisco device

! Show the current time in log messages
service timestamps log datetime localtime
!
! Enable logging
logging on
!
!
! Restrict console logging (critical messages only)
logging console critical
logging monitor debugging
!
! Configure logging to the buffer
logging buffered informational
logging buffered 16386
logging rate-limit 100 except 4
!
! Configure sending messages to the syslog server
logging 192.168.1.10
logging trap debugging

To see what has landed in the buffer:
router#show logging

Enabling monitor logging output:
terminal monitor

As a result, messages should start arriving at the syslog server.

Web access

Web access not only provides remote access to the logs; it is essentially the main working tool for dealing with syslog, and offers extensive capabilities for filtering messages, separating permissions, and so on.


The work here is intuitive, and there is probably nothing to comment on.

Kiwi Syslog Server и tftpd32.exe

After installing the syslog server, tftpd32.exe may stop starting because of a port conflict.
This is because tftpd32.exe by default also listens for syslog; this can be turned off in its settings.

Steinkäfer

Tuesday, January 16, 2018

Logging on Cisco

Logging methods

Timestamps

(config)#service timestamps log uptime

(config)#service timestamps log datetime localtime

(config)#service timestamps debug datetime localtime

Console logging

R7(config)# logging console informational

Buffered logging

R7(config)# logging buffered 52000
R7(config)# logging buffered informational

Terminal logging

R7(config)# logging monitor warning
R7# terminal monitor

Syslog

R7(config)#logging facility local2
R7(config)#logging trap notifications
R7(config)#logging source-interface Loopback1
R7(config)#logging host 10.10.10.1

R7(config)#logging origin-id hostname

Syslog server security

Limiting the number of log messages

R7(config)#logging rate-limit 15 except warnings

AAA Accounting

Useful logging-related commands

ip access-list extended acl-CiscoAccess
permit 10.10.10.0 0.0.0.63
deny any log-input
.
line vty 0 15
access-class acl-CiscoAccess in

Only admins from the 10.10.10.0/26 network can log in to the device; all other attempts are rejected and logged.

(config)# login on-failure log
(config)# login on-success log

archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
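The ACL with `log-input`, the `login on-failure log` / `login on-success log` commands and the `archive log config` block above all produce IOS system messages that end up on the syslog server. The following Python script is an added example (not part of the original post) of what a defender does with them next: it parses the `%FACILITY-SEVERITY-MNEMONIC:` part of each line, counts ACL denies per source address, counts failed logins per (source, user) pair and collects configuration-change messages. The sample lines are constructed for this example (the `R7` hostname, the addresses and the timestamps are assumed values); the message formats are those of IOS `%SEC-6-IPACCESSLOGP`, `%SEC_LOGIN-4-LOGIN_FAILED` and `%PARSER-5-CFGLOG_LOGGEDCMD`.

```python
import re
from collections import Counter

# Constructed sample lines, in the shape a syslog server (such as Kiwi)
# stores them for an IOS device with the ACL/login logging configured above.
SAMPLE_LINES = [
    "Jan 16 10:01:02 R7 101: *Jan 16 10:01:01.100: %SEC-6-IPACCESSLOGP: list acl-CiscoAccess denied tcp 203.0.113.7(51234) (GigabitEthernet0/0 0011.2233.4455) -> 10.10.10.1(22), 1 packet",
    "Jan 16 10:01:05 R7 102: *Jan 16 10:01:04.200: %SEC-6-IPACCESSLOGP: list acl-CiscoAccess denied tcp 203.0.113.7(51235) (GigabitEthernet0/0 0011.2233.4455) -> 10.10.10.1(22), 1 packet",
    "Jan 16 10:01:09 R7 103: *Jan 16 10:01:08.300: %SEC-6-IPACCESSLOGP: list acl-CiscoAccess denied tcp 198.51.100.9(40000) (GigabitEthernet0/0 0011.2233.4466) -> 10.10.10.1(23), 1 packet",
    "Jan 16 10:02:03 R7 104: *Jan 16 10:02:02.400: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:02:02 UTC Tue Jan 16 2018",
    "Jan 16 10:02:10 R7 105: *Jan 16 10:02:09.500: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:02:09 UTC Tue Jan 16 2018",
    "Jan 16 10:03:00 R7 106: *Jan 16 10:02:59.600: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.10.10.5] [localport: 22] at 10:02:59 UTC Tue Jan 16 2018",
    "Jan 16 10:03:30 R7 107: *Jan 16 10:03:29.700: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:logging host 10.10.10.1",
    "Jan 16 10:04:00 R7 108: *Jan 16 10:03:59.800: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.10.5)",
    "this line is not an IOS system message and is ignored",
]

# %FACILITY-SEVERITY-MNEMONIC: text  (the IOS system-message header)
IOS_MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# "list <acl> denied <proto> <src-ip>..." as written by ACL entries with log/log-input
ACL_DENY_RE = re.compile(r"list (?P<acl>\S+) denied (?P<proto>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})")
# "[user: x] [Source: ip]" as written by login on-failure/on-success log
LOGIN_RE = re.compile(r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]")


def parse_ios_message(line):
    """Return facility, severity (int), mnemonic and text, or None for non-IOS lines."""
    m = IOS_MSG_RE.search(line)
    if m is None:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    return msg


def summarize(lines):
    """Aggregate ACL denies, failed logins and config changes from raw log lines."""
    acl_denies = Counter()        # source ip -> number of denied packets logged
    login_failures = Counter()    # (source ip, user) -> failed login count
    config_changes = []           # text of each configuration-change message
    for line in lines:
        msg = parse_ios_message(line)
        if msg is None:
            continue
        key = (msg["facility"], msg["mnemonic"])
        if key in (("SEC", "IPACCESSLOGP"), ("SEC", "IPACCESSLOGDP")):
            hit = ACL_DENY_RE.search(msg["text"])
            if hit:
                acl_denies[hit.group("src")] += 1
        elif key == ("SEC_LOGIN", "LOGIN_FAILED"):
            hit = LOGIN_RE.search(msg["text"])
            if hit:
                login_failures[(hit.group("src"), hit.group("user"))] += 1
        elif key in (("PARSER", "CFGLOG_LOGGEDCMD"), ("SYS", "CONFIG_I")):
            config_changes.append(msg["text"])
    return {"acl_denies": acl_denies,
            "login_failures": login_failures,
            "config_changes": config_changes}


def repeated_login_failures(summary, threshold=3):
    """Sources with at least `threshold` failed logins for some user (sorted)."""
    return sorted({src for (src, _user), n in summary["login_failures"].items() if n >= threshold})


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    print("ACL denies by source:", dict(report["acl_denies"]))
    print("Login failures:", dict(report["login_failures"]))
    print("Config changes:", report["config_changes"])
    print("Sources over failure threshold:", repeated_login_failures(report, threshold=2))
```

The script only reads the message text; it does not need the syslog PRI header, because Kiwi and most servers strip it before writing the line to disk. Raising `threshold` or grouping by user instead of source is a one-line change to `repeated_login_failures`.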

Syslog Server Configuration on Wireless LAN Controllers


Introduction

This document explains how to configure the Wireless LAN Controller for syslog servers.


Contributed by Tiago Antunes, Cisco TAC Engineer.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Knowledge of how to configure the Wireless LAN Controller (WLC) and Lightweight Access Point (LAP) for basic operation.

Basic knowledge of Control And Provisioning of Wireless Access Point (CAPWAP) protocol.

Components Used

The information in this document is based on these software and hardware versions:

  • Wireless LAN Controllers running AireOS 8.8.111.0 Software.
  • Wave 1 APs: 3500, 1600/2600/3600 (these are limited to the 8.5 software version and may lack some of the features below that were added afterwards), 1700/2700/3700.
  • Wave 2 APs: 1800/2800/3800/4800, 1540 and 1560.

The information in this document was created from the devices in a specific lab environment.

All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Information About Syslog on WLCs

Message logging allows system messages to be logged to the controller buffer or console.

Syslog on APs

Starting with AireOS 8.4, you can disable the syslog server per AP and/or globally via the WLC CLI.

Version 8.8 introduced support for the syslog facility setting on Wave 2 APs.

Configure

You can enable and configure the controller to log system events to up to three remote syslog servers. The controller sends a copy of each syslog message as it is logged to each syslog server configured on the controller. Because it can send the syslog messages to multiple servers, messages are not lost due to the temporary unavailability of one syslog server.

This type of configuration helps in these situations:

  • One of the configured syslog servers is not available.
  • Multiple administrator groups need to monitor different message types.
  • Large deployments may want syslog messages sent to servers across different time zones for extended visibility.

Note: Syslog messages are sent on UDP port 514; additional server configuration may require corresponding firewall rules.

Note: When a primary WLC port link goes down, messages may get logged internally only and not be posted to a syslog server. It may take up to 40 seconds to restore logging to the syslog server.

Configuring Syslog on WLC (GUI)

Step 1. Go to Management > Logs > Config. The Syslog Configuration page appears:

Step 2. Enter the Syslog Server IP Address and click Add. You can add up to three syslog servers to the controller. The list of syslog servers that have already been added to the controller appears below this text box. If you want to remove a syslog server from the controller, click Remove to the right of the desired server.


Step 3. To set the Syslog Level (severity) for filtering syslog messages to the syslog servers, choose one of the following options from the Syslog Level drop-down list:

  • Emergencies = Severity level 0
  • Alerts = Severity level 1 (default value)
  • Critical = Severity level 2
  • Errors = Severity level 3
  • Warnings = Severity level 4
  • Notifications = Severity level 5
  • Informational = Severity level 6
  • Debugging = Severity level 7

If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the syslog servers. For example, if you set the syslog level to Notifications (severity level 5), only those messages whose severity is between 0 and 5 are sent to the syslog servers.

Note: If you have enabled logging of Debugging messages to the logging buffer, some messages from application debugs may be listed in the message log with a severity higher than the level set. For example, if you execute the debug client mac-addr command, the client event log may be listed in the message log even though the message severity level is set to Errors.

Step 4. To set the Syslog Facility for outgoing syslog messages to the syslog servers, choose one of the following options from the Syslog Facility drop-down list:

  • Kernel = Facility level 0
  • User Process = Facility level 1
  • Mail = Facility level 2
  • System Daemons = Facility level 3
  • Authorization = Facility level 4
  • Syslog = Facility level 5 (default value)
  • Line Printer = Facility level 6
  • USENET = Facility level 7
  • Unix-to-Unix Copy = Facility level 8
  • Cron = Facility level 9
  • FTP Daemon = Facility level 11
  • System Use 1 = Facility level 12
  • System Use 2 = Facility level 13
  • System Use 3 = Facility level 14
  • System Use 4 = Facility level 15
  • Local Use 0 = Facility level 16
  • Local Use 1 = Facility level 17
  • Local Use 2 = Facility level 18
  • Local Use 3 = Facility level 19
  • Local Use 4 = Facility level 20
  • Local Use 5 = Facility level 21
  • Local Use 6 = Facility level 22
  • Local Use 7 = Facility level 23

For example, selecting Kernel causes only kernel-related messages to be sent; Authorization causes only AAA-related messages to be sent, and so on.

Step 5. Click Apply.
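Steps 3 and 4 above describe the two numbers a receiving server sees in every message: the severity (0-7) and the facility (0-23), which the sender packs into the `<PRI>` header as facility * 8 + severity. The Python script below is an added example (not Cisco's code) that decodes that header, names the facility and severity with the tables above, and applies the same "severity equal to or less than the level" filter the controller applies, accepting the level as a word or a number. The four sample messages are constructed for this example; their `<PRI>` values are chosen to cover the default syslog facility (5), local7 and auth.

```python
import re

# Severity index = numeric level, as in the Syslog Level list above.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors", "warnings",
                  "notifications", "informational", "debugging"]

# Facility code -> name, following the facility tables above (standard syslog numbering).
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "auth-private", 11: "ftp",
    12: "sys12", 13: "sys13", 14: "sys14", 15: "sys15",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}

# Constructed sample messages: <PRI> header followed by free text.
SAMPLE_LINES = [
    "<41>WLC: sample alert, facility syslog(5) severity alerts(1)",          # 5*8+1
    "<189>WLC: sample notice, facility local7(23) severity notifications(5)",  # 23*8+5
    "<190>WLC: sample info, facility local7(23) severity informational(6)",   # 23*8+6
    "<35>WLC: sample error, facility auth(4) severity errors(3)",             # 4*8+3
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility, severity):
    """Pack facility and severity into the PRI value a sender puts on the wire."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri):
    """Split a PRI value back into (facility, severity); valid PRIs are 0-191."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %r" % pri)
    return divmod(pri, 8)


def parse_syslog(line):
    """Parse '<PRI>text' into a dict with numeric and named facility/severity."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "facility_name": FACILITY_NAMES[facility],
            "severity": severity, "severity_name": SEVERITY_NAMES[severity],
            "msg": m.group(2)}


def level_to_severity(level):
    """Accept the level as a word ('errors') or a number ('3' / 3), as the WLC CLI does."""
    text = str(level).strip().lower()
    if text.isdigit():
        n = int(text)
        if 0 <= n <= 7:
            return n
        raise ValueError("severity number must be 0-7")
    if text in SEVERITY_NAMES:
        return SEVERITY_NAMES.index(text)
    raise ValueError("unknown severity level: %r" % level)


def filter_messages(lines, level="notifications", facilities=None):
    """Keep messages whose severity <= level, optionally restricted to given facility names."""
    max_severity = level_to_severity(level)
    wanted = {f.lower() for f in facilities} if facilities else None
    kept = []
    for line in lines:
        rec = parse_syslog(line)
        if rec["severity"] > max_severity:
            continue            # less important than the configured level: dropped
        if wanted is not None and rec["facility_name"] not in wanted:
            continue
        kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in filter_messages(SAMPLE_LINES, "notifications"):
        print(rec["facility_name"], rec["severity_name"], rec["msg"])
```

Running it with the level set to Notifications keeps three of the four samples and drops the informational one, which is exactly the behaviour described in Step 3; passing `facilities={"local7"}` additionally restricts the output to the messages a Cisco device tagged with that facility.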

Configuring Syslog on WLC (CLI)

Step 1. Enable system logging and set the IP address of the syslog server to which to send the syslog messages by entering this command:

Step 2. To remove a syslog server from the controller, enter this command:

Step 3. Set the severity level for filtering syslog messages to the syslog server by entering this command:

Note: As severity_level you can enter the word or the number. For example: debugging or 7.

Sending WLC CLI Debugs to Syslog Server

Using the command below, the WLC logs the debug output to the syslog server. However, if the CLI session is terminated, the debug ends and no more output is sent to the syslog server.

Configuring Syslog for APs From the WLC (CLI only)

Step 1. To configure the syslog server IP address, you must use the CLI. You can set the IP address globally for all APs or for a specific AP.


Step 2. Via the CLI you can also set the syslog severity level for filtering syslog messages for a particular access point or for all access points by entering these commands:

Note: As severity_level you can enter the word or the number. For example: debugging or 7.

Step 3. Set the facility for outgoing syslog messages to the syslog server by entering this command:

where facility-code is one of the following:

  • ap = AP related traps.
  • authorization = Authorization system. Facility level = 4.
  • auth-private = Authorization system (private). Facility level = 10.
  • cron = Cron/at facility. Facility level = 9.
  • daemon = System daemons. Facility level = 3.
  • ftp = FTP daemon. Facility level = 11.
  • kern = Kernel. Facility level = 0.
  • local0 = Local use. Facility level = 16.
  • local1 = Local use. Facility level = 17.
  • local2 = Local use. Facility level = 18.
  • local3 = Local use. Facility level = 19.
  • local4 = Local use. Facility level = 20.
  • local5 = Local use. Facility level = 21.
  • local6 = Local use. Facility level = 22.
  • local7 = Local use. Facility level = 23.
  • lpr = Line printer system. Facility level = 6.
  • mail = Mail system. Facility level = 2.
  • news = USENET news. Facility level = 7.
  • sys12 = System use. Facility level = 12.
  • sys13 = System use. Facility level = 13.
  • sys14 = System use. Facility level = 14.
  • sys15 = System use. Facility level = 15.
  • syslog = The syslog itself. Facility level = 5.
  • user = User process. Facility level = 1.
  • uucp = Unix-to-Unix copy system. Facility level = 8.

Step 3. Configure the syslog facility for AP using the following command:

where AP can be:

  • associate = Associated syslog for AP.
  • disassociate = Disassociate syslog for AP.

Step 4. Configure the syslog facility for an AP or all APs by entering this command:

where facility-level is one of the following:

  • auth = Authorization system
  • cron = Cron/at facility
  • daemon = System daemons
  • kern = Kernel
  • local0 = Local use
  • local1 = Local use
  • local2 = Local use
  • local3 = Local use
  • local4 = Local use
  • local5 = Local use
  • local6 = Local use
  • local7 = Local use
  • lpr = Line printer system
  • mail = Mail system
  • news = USENET news
  • sys10 = System use
  • sys11 = System use
  • sys12 = System use
  • sys13 = System use
  • sys14 = System use
  • sys9 = System use
  • syslog = Syslog itself
  • user = User process
  • uucp = Unix-to-Unix copy system

Configuring Syslog on FlexConnect Access Points

Note: The AP driver debugs are not enabled on the WLC. If you have access to the AP console, the driver debugs can be enabled there.

Following are the debugging commands on the WLC CLI:

The debugging commands that can be entered on the AP console are listed below. These commands are applicable for debugging the client from the AP console when it is accessible. If you enter these commands on the AP console, the commands are not communicated to the WLC.

Restrictions

  • AP configuration is not saved across reboots.
  • Adding an AP to and deleting an AP from a FlexConnect group impacts the AP's FlexConnect debug state.

Verify

To see the global syslog server settings for all access points that join the controller, enter this command: show ap config global.

Information similar to the following appears:

To display the AP-specific syslog server settings for an AP, use the command show ap config general ap-name.
