[AusNOG] Graylog router messages

Paul Holmanskikh ausnog at pkholm.com
Thu Mar 2 16:12:03 EST 2017


Hi, Steve.


Could you please post "sh ip interface brief" from that router? I have a
suspicion that your 3G connection is NAT-ed by the ISP.

---
NEXON - I.T. FOR THE DYNAMIC BUSINESS
Paul Holmanskikh



On 02/03/2017 15:59, Steve Hille wrote:
> Thanks Bill,
> 
> Yes I'm certainly producing logs, and I've got the logging level set
> to debug just to get as much data as I can down to Graylog:
> 
> KAL-ADM-RO01#show log
> Syslog logging: enabled (0 messages dropped, 3 messages rate-limited,
> 0 flushes, 0 overruns, xml disabled, filtering disabled)
> 
> No Active Message Discriminator.
> 
> 
> 
> No Inactive Message Discriminator.
> 
> 
>     Console logging: level debugging, 156 messages logged, xml disabled,
>                      filtering disabled
>     Monitor logging: level debugging, 0 messages logged, xml disabled,
>                      filtering disabled
>     Buffer logging:  level debugging, 156 messages logged, xml disabled,
>                     filtering disabled
>     Exception Logging: size (8192 bytes)
>     Count and timestamp logging messages: disabled
>     Persistent logging: disabled
> 
> No active filter modules.
> 
>     Trap logging: level debugging, 157 message lines logged
>         Logging to X.X.X.X  (udp port 514, audit disabled,
>               link down),
>               46 message lines logged,
>               0 message lines rate-limited,
>               0 message lines dropped-by-MD,
>               xml disabled, sequence number disabled
>               filtering disabled
>         Logging Source-Interface:       VRF Name:
>         Dialer1
> 
> Log Buffer (8192 bytes):
> Vlan1, changed state to up
> 000076: Feb 27 09:50:11 UTC: %LINEPROTO-5-UPDOWN: Line protocol on
> Interface FastEthernet0, changed state to down
> 000077: Feb 27 09:50:11 UTC: %LINEPROTO-5-UPDOWN: Line protocol on
> Interface Vlan1, changed state to down
> 000078: Feb 27 09:50:12 UTC: %LINK-3-UPDOWN: Interface FastEthernet0,
> changed state to up
> 000079: Feb 27 09:50:13 UTC: %LINEPROTO-5-UPDOWN: Line protocol on
> Interface FastEthernet0, changed state to up
> 
> As a test I've been bouncing one of the unused ports, observing the
> log show up when I do "show log", then checking Graylog and seeing
> nothing. I have set the logging source to be dialer 1, when I run a
> ping toward the Graylog server I can reach it and it can reach me from
> that interface.
> 
> My logging config is:
> 
> service timestamps log datetime msec localtime
> logging trap debugging
> logging source-interface Dialer1
> logging x.x.x.x
> 
> Cheers,
> 
> 
> -----Original Message-----
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of
> ausnog-request at lists.ausnog.net
> Sent: Thursday, 2 March 2017 9:00 AM
> To: ausnog at lists.ausnog.net
> Subject: AusNOG Digest, Vol 61, Issue 8
> 
> Today's Topics:
> 
>    1. Re: Graylog router messages (Bill Walker)
>    2. Re: NAB IT Contact (Matt Walker)
>    3. Foxtel IT contact (David Bell)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 01 Mar 2017 20:22:04 +1300
> From: Bill Walker <bill at wjw.nz>
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] Graylog router messages
> Message-ID: <d3eb2455ec8a7b7591ae4de06df8d3be at wjw.nz>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
> 
> If you do a:
> 
>   "sh logging"
> 
> What does it tell you?
> 
> eg
> 
>      Trap logging: level informational, 419925 message lines logged
>          Logging to 192.168.1.44  (tcp port 514, audit disabled,
>                link up),
>                417454 message lines logged,
> 
> config on this particular router is Cisco default other than:
> 
> logging host 192.168.1.44 transport tcp port 514
> 
> 
> 
> On 2017-03-01 18:25, Steve Hille wrote:
>> Thanks all for your comments so far.
>> 
>> Yes so I'm using logging host x.x.x.x
>> 
>> I've set it up so far to send warnings using "logging trap warnings"
>> 
>> I just set one of the routers up with logging trap debug to see if I
>> can get something but nothing yet. Most of these routers are Cisco
>> 800's running 3G, I tried setting the logging source interface to be
>> the cellular interface on one of my routers but still nothing coming
>> in yet.
>> 
>> The whole network runs off a particular NTP source, which the Graylog
>> server also runs off and can be seen below:
>> 
>> Any other ideas?
>> 
>> Cheers,
>> 
>> Steve
>> 
>> FROM: Michael Junek [mailto:michael at juneks.com.au]
>> SENT: Wednesday, 1 March 2017 10:26 AM
>> TO: Mister Pink <misterpink at gmail.com>; Paul Holm <ausnog at pkholm.com>
>> CC: ausnog at lists.ausnog.net; Steve Hille <steve at kararconsulting.com>
>> SUBJECT: Re: [AusNOG] Graylog router messages
>> 
>> Further to Steve's comment, you can set the various levels of
>> information sent to Syslog.
>> 
>> Use the logging trap command, with the level of alerts being sent, as
>> per below--
>> 
>> router(config)#logging trap ?
>>   <0-7>          Logging severity level
>>   alerts         Immediate action needed           (severity=1)
>>   critical       Critical conditions               (severity=2)
>>   debugging      Debugging messages                (severity=7)
>>   emergencies    System is unusable                (severity=0)
>>   errors         Error conditions                  (severity=3)
>>   informational  Informational messages            (severity=6)
>>   notifications  Normal but significant conditions (severity=5)
>>   warnings       Warning conditions                (severity=4)
>>   <cr>
>> 
>> -------------------------
>> 
>> FROM: AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Mister
>> Pink <misterpink at gmail.com>
>> SENT: Wednesday, 1 March 2017 13:13
>> TO: Paul Holm
>> CC: ausnog at lists.ausnog.net; Steve Hille
>> SUBJECT: Re: [AusNOG] Graylog router messages
>> 
>> IMHO It's pretty straightforward - the source interface command may be
>> key here - ie it's originating from an address that you are expecting,
>> and perhaps being blocked or not classified correctly as a result.
>> 
>> http://www.ciscopress.com/articles/article.asp?p=426638&seqNum=3
>> 
>> Also bear in mind that a router is typically a lot less chatty than a
>> F/W or a switch so it may be that under the current level of logging
>> you are not seeing logs because nothing deemed 'interesting' enough to
>> send is happening.
>> 
>> On 1 March 2017 at 08:54, Paul Holm <ausnog at pkholm.com> wrote:
>> 
>>> Hi Steve,
>>> 
>>> Could you please share "not working config" from your routers?
>>> Usually it is only one line
>>> 
>>> logging host 1.1.1.1
>>> 
>>> Maybe with
>>> 
>>> logging source-interface xxx
>>> 
>>> On 01/03/2017 02:01, Steve Hille wrote:
>>> 
>>>> Hi all, I've got Graylog running and am collecting data on all of
>>>> our Cisco switches and ASA's, also getting data from riverbeds and
>>>> some other gear. Unfortunately I can't get any messages coming in
>>>> from our Cisco routers and I can't figure out why. Has anyone got
>>>> any experience with the config on the router side to get data in? On
>>>> the other hand if anyone needs some guidance getting it setup, I'll
>>>> happily share my notes so far, getting some incredibly good data out
>>>> of it.
>>>> 
>>>> Cheers,
>>>> 
>>>> Steve
>>>> 
>>>> _______________________________________________
>>>> AusNOG mailing list
>>>> AusNOG at lists.ausnog.net
>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 1 Mar 2017 09:25:20 +0000
> From: Matt Walker <matt.g.walker at outlook.com>
> To: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
> Subject: Re: [AusNOG] NAB IT Contact
> Message-ID:
> 	<SYXPR01MB0608219F3A48A4E2CBACB5DDB1290 at SYXPR01MB0608.ausprd01.prod.outlook.com>
> 
> Content-Type: text/plain; charset="us-ascii"
> 
> Hey Noggers,
> 
> Thank you to those who wrote back!
> 
> Getting the problem sorted between the organisations :)
> 
> Thanks Again,
> Matt Walker
> 
>> On 23 Feb 2017, at 7:12 pm, Matt Walker <matt.g.walker at outlook.com> 
>> wrote:
>> 
>> Hey Noggers,
>> 
>> Looking for an off list reply with anyone who may have a contact for
>> the NAB IT,
>> 
>> We are having serious problems with their SPF record not encompassing 
>> all of their email gateways.
>> 
>> Thanks in Advance
>> Matt Walker
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Thu, 2 Mar 2017 10:01:56 +1100
> From: David Bell <davidb at mailguard.com.au>
> To: AusNOG at lists.ausnog.net
> Subject: [AusNOG] Foxtel IT contact
> Message-ID: <c4b93cb9-5f86-fada-11c6-3c100a51e48b at mailguard.com.au>
> Content-Type: text/plain; charset=utf-8
> 
> Hi All,
> 
> Is there any one from, or with contacts at, Foxtel who can help me (off
> list) with an issue with their website?
> 
> Thanks,
> David
> --
> David Bell
> Linux System Administrator
> MailGuard.com.au p. + 61 3 9694 4444 e. davidb at mailguard.com.au
> 


More information about the AusNOG mailing list
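
Added example (not part of the original thread and not any poster's code): a small collector-side check for the two ideas raised above, the source-interface address and the suspicion that the 3G link is NAT-ed. It records the address each syslog datagram actually arrives from and compares it with the addresses the collector expects. The PRI value in the sample, the 192.0.2.10 placeholder address and port 5514 are assumptions.

```python
import re
import socket

# Constructed sample: the %LINK-3-UPDOWN line from the thread's log buffer,
# with an assumed PRI of 187 (facility local7 = 23, severity 3).
SAMPLE = (b"<187>78: 000078: Feb 27 09:50:12 UTC: %LINK-3-UPDOWN: "
          b"Interface FastEthernet0, changed state to up")

PRI = re.compile(r"^<(\d{1,3})>")
IOS_TAG = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+): (.*)", re.S)


def parse_ios_syslog(datagram):
    """Extract PRI and the %FACILITY-SEVERITY-MNEMONIC tag from one datagram."""
    text = datagram.decode("ascii", errors="replace").strip()
    rec = {"pri_facility": None, "pri_severity": None,
           "tag": None, "severity": None, "text": text}
    pri = PRI.match(text)
    if pri and int(pri.group(1)) <= 191:
        rec["pri_facility"], rec["pri_severity"] = divmod(int(pri.group(1)), 8)
    tag = IOS_TAG.search(text)
    if tag:
        rec["tag"] = f"{tag.group(1)}-{tag.group(3)}"
        rec["severity"] = int(tag.group(2))
        rec["text"] = tag.group(4)
    return rec


def handle_datagram(datagram, src_ip, expected_sources):
    """Record the address the packet really arrived from and compare it with
    the addresses the collector was told to expect (e.g. the Dialer1 address)."""
    rec = parse_ios_syslog(datagram)
    rec["observed_source"] = src_ip
    rec["verdict"] = "expected" if src_ip in expected_sources else "unexpected-source"
    return rec


def listen(expected_sources, port=5514):
    """Print one line per datagram; port 5514 is an assumption (514 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src_ip, _src_port) = sock.recvfrom(4096)
        rec = handle_datagram(data, src_ip, expected_sources)
        print(rec["observed_source"], rec["verdict"], rec["tag"], rec["text"])


if __name__ == "__main__":
    listen({"192.0.2.10"})  # placeholder for the router's Dialer1 address
```

If datagrams arrive with an "unexpected-source" verdict, the collector is receiving them from an address other than the one configured as the logging source, which is what a NAT between router and collector would produce.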