Setting up a remote syslog server in GNU/Linux with Rsyslog

Intro

I recently needed to set up a syslog server in order to centralize the logs of my Cisco switches.

I will share here everything I did to set it up.

Network diagram

All switches will send their logs to the Debian Linux server.

By default, Cisco switches send their logs over UDP to port 514.

[Figure: remote syslog network diagram]

Configuring Cisco Switches

  • Set up the network configuration of the Cisco switches:

Note: I also configure the gateway and the DNS so that the switch is properly configured to get the correct time from an NTP server.

Switch# conf t
Switch(config)# ip name-server 80.67.169.12
Switch(config)# ip domain lookup
Switch(config)# interface vlan1
Switch(config-if)# ip address 10.0.0.1 255.255.255.0
Switch(config-if)# no ip address dhcp
Switch(config-if)# exit
Switch(config)# ip default-gateway 10.0.0.254
  • Configure the remote syslog server:
Switch(config)# logging host 10.0.0.200

Debian Server

First we need a freshly installed GNU/Linux Debian 10 server.

/etc/rsyslog.conf

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
#input(type="imudp" port="514")
$UDPServerRun 514

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
#$InputTCPServerRun 514


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# Only accept datagrams from localhost and the switch subnet; anything else
# is discarded. Source addresses of UDP datagrams are easy to forge, so this
# is a coarse filter, not authentication of the sender.
$AllowedSender UDP, 127.0.0.1, 10.0.0.0/24

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

# Template: one log file per sending device, in a directory named after the
# hostname found in the message (or the sender's IP address when the message
# carries no hostname field, as is the case for these switches).
$template Incoming-logs,"/var/log/%HOSTNAME%/logging.log"

###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*			/var/log/auth.log
*.*;auth,authpriv.none		-/var/log/syslog
#cron.*				/var/log/cron.log
daemon.*			-/var/log/daemon.log
kern.*				-/var/log/kern.log
lpr.*				-/var/log/lpr.log
mail.*				-/var/log/mail.log
user.*				-/var/log/user.log
# Cisco devices log to facility local7 by default, so all switch logs
# land in this one file ...
local7.*			-/var/log/cisco.log
# ... and every message (this server's own included) is also written to
# one file per source host via the template above.
*.*				?Incoming-logs

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info			-/var/log/mail.info
mail.warn			-/var/log/mail.warn
mail.err			/var/log/mail.err

#
# Some "catch-all" log files.
#
*.=debug;\
	auth,authpriv.none;\
	news.none;mail.none	-/var/log/debug
*.=info;*.=notice;*.=warn;\
	auth,authpriv.none;\
	cron,daemon.none;\
	mail,news.none		-/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg				:omusrmsg:*
  • Restart the rsyslog service:
root@host:~# systemctl restart rsyslog.service

Logs

  • After a couple of seconds you should see the logs appear:
root@host:~# cat /var/log/cisco.log
Dec 25 16:25:03 10.0.0.2 %PNPAGENT-I-PNPSRVRDETECT: PnP Server devicehelper.cisco.com was detected
Dec 25 16:25:06 10.0.0.2 %PNPAGENT-I-RESPSUCCESS: PnP Response Success
Dec 25 16:25:22 10.0.0.2 %PNPAGENT-I-PNPSRVRDETECT: PnP Server devicehelper.cisco.com was detected
Dec 25 16:25:23 10.0.0.1 %PNPAGENT-I-PNPSRVRDETECT: PnP Server devicehelper.cisco.com was detected
root@host:~# cat /var/log/10.0.0.1/logging.log
Dec 25 16:25:23 10.0.0.1 %PNPAGENT-I-PNPSRVRDETECT: PnP Server devicehelper.cisco.com was detected
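As an added check that is not part of the original post, the following Python script emulates a switch sending one message to the listener configured above and shows how the receiver turns the <PRI> value back into the facility that the local7.* rule relies on; the server address 10.0.0.200 and the message text are the page's own values, everything else is constructed.

```python
"""Emulate a Cisco switch sending one RFC 3164 syslog datagram to the rsyslog
listener, and decode the <PRI> field the way the receiver does.  Added example,
not from the original post: the message text and server address 10.0.0.200 come
from the page, everything else is constructed."""
import re
import socket
from datetime import datetime
from typing import Optional, Tuple

LOCAL7 = 23  # Cisco devices log to facility local7 by default
SEVERITY = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
            4: "warning", 5: "notice", 6: "info", 7: "debug"}
SAMPLE = "%PNPAGENT-I-PNPSRVRDETECT: PnP Server devicehelper.cisco.com was detected"


def build_packet(message: str, facility: int = LOCAL7, severity: int = 6,
                 when: Optional[datetime] = None) -> bytes:
    """<PRI>TIMESTAMP MESSAGE with no HOSTNAME field, as these switches send it.
    rsyslog then fills %HOSTNAME% with the sender's IP address, which is why
    the log lines on this page show 10.0.0.2 rather than a device name."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    t = when or datetime.now()
    ts = f"{t:%b} {t.day:2d} {t:%H:%M:%S}"  # RFC 3164 pads the day with a space
    return f"<{facility * 8 + severity}>{ts} {message}".encode()


def parse_pri(packet: bytes) -> Tuple[int, int]:
    """Return (facility, severity) as the receiver computes them: PRI // 8, PRI % 8."""
    m = re.match(rb"<(\d{1,3})>", packet)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    pri = int(m.group(1))
    return pri // 8, pri % 8


def matches_cisco_rule(packet: bytes) -> bool:
    """Would the 'local7.*  -/var/log/cisco.log' selector fire for this packet?"""
    return parse_pri(packet)[0] == LOCAL7


def send_test(server: str = "10.0.0.200", port: int = 514) -> bytes:
    """Send one test message; /var/log/cisco.log and /var/log/<your IP>/logging.log
    should each gain a line afterwards."""
    pkt = build_packet(SAMPLE)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(pkt, (server, port))
    return pkt


if __name__ == "__main__":
    print(send_test().decode())
```

Run it from a host inside 10.0.0.0/24, since the $AllowedSender line above makes the server discard datagrams from anywhere else.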

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.