Configuring Syslog by Octavio
A PowerPoint presentation from the San Diego Cisco User Group, created and presented by Octavio.

  • 1. Introduction to Syslog
    Octavio Alvarez, alvarezp@alvarezp.ods.org
    San Diego Cisco User Group, July 19th, 2012
  • 2. Overview
    ● Problems to solve
    ● The Syslog protocol
    ● Technicalities – Protocol content, RFCs, etc.
    ● Example of topologies – A simple one and one a bit more complex.
    ● Simple demonstration
    Feel free to interrupt me at any time!
  • 3. Problems to solve
    ● Having to look in each device separately for information collection.
    ● Having the clocks not exactly synchronized.
    ● Hard to search in devices without search support (like "include" or "grep").
    ● Having to look for past events (more than N bytes ago).
  • 4. Introducing Syslog
    ● A protocol.
    ● A de-facto standard...
    ● ... a documented de-facto standard (RFC 3164)
    ● ... and is being standardized (RFC 5424, obsoletes RFC 3164).
  • 5. The simplest possible logging implementation with Syslog
  • 6. Content (obsolete, RFC 3164)
    ● Priority = 8 * Facility + Severity
      – Severity (0-7)
      – Facility (0-23)
    ● Header
      – Timestamp (RFC3339 with restrictions)
      – Hostname (a.k.a. Cisco's "origin") (FQDN, IP, hostname)
    ● Message
  • 7. Content (new, RFC 5424)
    ● Version
    ● Application
    ● Process ID
    ● Message ID
    ● Structured data (Element, ID, Param)
      – Elements: timeQuality, origin, meta
  • 8. Severities
    ● 0: Emergency: system is unusable
    ● 1: Alert: action must be taken immediately
    ● 2: Critical: critical conditions
    ● 3: Error: error conditions
    ● 4: Warning: warning conditions
    ● 5: Notice: normal but significant condition
    ● 6: Informational: informational messages
    ● 7: Debug: debug-level messages
  • 9. Facilities (part 1)
    ● 0: kernel messages
    ● 1: user-level messages
    ● 2: mail system
    ● 3: system daemons
    ● 4: security/authorization messages
    ● 5: messages generated internally by syslogd
    ● 6: line printer subsystem
    ● 7: network news subsystem (maybe: RSS, Google group...)
  • 10. Facilities (part 2)
    ● 8: UUCP subsystem (maybe: backup, rsync...)
    ● 9: clock daemon
    ● 10: security/authorization messages
    ● 11: FTP daemon
    ● 12: NTP subsystem
    ● 13: log audit
    ● 14: log alert
    ● 15: clock daemon
    ● 16-23: local use 0-7 (local0-7)
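As an added example (not part of the slides), a small Python parser that applies the Priority = 8 * Facility + Severity split from slide 6 and the severity and facility tables from slides 8-10 to one RFC 3164-style line and one RFC 5424-style line. The two sample lines, the short facility keywords and the dictionary field names are my own choices.

```python
import re

# Severity and facility names in numeric order, following the tables on the
# slides; the short facility keywords are the usual syslog.conf-style names,
# not the slide wording, and 16-23 are local0-local7.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{n}" for n in range(8)]

def decode_pri(pri):
    """Invert PRI = 8 * facility + severity; returns (facility, severity)."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424 = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+)(?: (.*))?$", re.DOTALL)
# RFC 3164: <PRI>TIMESTAMP HOSTNAME MSG, with the BSD "Mmm dd hh:mm:ss" timestamp
_RFC3164 = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)

def parse_syslog(line):
    """Parse one syslog line into a dict, trying the RFC 5424 layout first."""
    m = _RFC5424.match(line)
    if m:
        pri, ts, host, app, procid, msgid, sd, msg = m.groups()
        fac, sev = decode_pri(int(pri))
        return {"format": "rfc5424", "facility": FACILITIES[fac],
                "severity": SEVERITIES[sev], "timestamp": ts, "hostname": host,
                "app": app, "procid": procid, "msgid": msgid,
                # SD-IDs only; escaped "]" inside param values is not handled here
                "sd_ids": re.findall(r"\[([^\s\]]+)", sd), "msg": msg or ""}
    m = _RFC3164.match(line)
    if m:
        pri, ts, host, msg = m.groups()
        fac, sev = decode_pri(int(pri))
        return {"format": "rfc3164", "facility": FACILITIES[fac],
                "severity": SEVERITIES[sev], "timestamp": ts, "hostname": host, "msg": msg}
    raise ValueError("not a syslog line: " + line[:40])

# Constructed sample lines: a Cisco-style RFC 3164 message on the IOS default
# facility local7 (PRI 189 = 23*8 + 5) and an RFC 5424 message with structured data.
SAMPLE_3164 = "<189>Jul 19 13:45:02 router1 %SYS-5-CONFIG_I: Configured from console by console"
SAMPLE_5424 = ('<165>1 2012-07-19T13:45:02Z host1 sshd 1234 ID47 '
               '[timeQuality tzKnown="1"][origin ip="192.0.2.1"] Accepted publickey for admin')
```

Calling `parse_syslog(SAMPLE_3164)` yields facility local7 and severity Notice, which is what a collector needs to route the line by facility/severity as the slides' rsyslog configuration step does.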
  • 11. A slightly more complex Syslog usage
  • 12. Syslog application-layer "components" (as per the RFC)
    ● Originator (application-layer)
      – Cisco router, Apache Server
    ● Collector (application-layer)
      – rsyslog, dsyslog, syslog-ng
      – Solarwinds Kiwi Syslog Server
    ● Relay (application-layer)
  • 13. Syslog application-layer "components" (as per the RFC)
  • 14. An extra component: the front-end
    ● Depends on the storage method.
    ● Text processors: grep, gawk
    ● FOSS: php-syslog-ng, Adiscon's Log Analyzer (PhpLogCon), Logzilla, logtool, petit...
    ● Gratis: Kiwi (basic), WhatsUp Gold's Syslog Server
    ● Commercial: Splunk, LogRhythm, LogClarity, Logalot, Kiwi (full), XLog-Server, SyslogAppliance, WinSyslog
  • 15. Simple demo: configuring a Cisco router as an originator
    ● Some IOS versions:
      – logging host A.B.C.D <level>
      – logging origin <origin-type>
      – logging on
    ● Some other IOS versions:
      – logging host A.B.C.D
      – logging on
      – logging trap <level>
  • 16. Simple demo: configuring an Ubuntu box as a text collector
    ● rsyslog already installed
    ● Editing /etc/rsyslog.conf
  • 17. Thanks! Any questions?
    @alvarezp2000 /categorias/por-idioma/english
    The only legal way to burn a Windows disc