[AusNOG] Graylog router messages
Steve Hille
steve at kararconsulting.com
Wed Mar 1 16:25:48 EST 2017
Thanks all for your comments so far.
Yes so I'm using logging host x.x.x.x
I've set it up so far to send warnings using "logging trap warnings"
I just set one of the routers up with logging trap debug to see if I can get something but nothing yet. Most of these routers are Cisco 800's running 3G, I tried setting the logging source interface to be the cellular interface on one of my routers but still nothing coming in yet.
The whole network runs off a particular NTP source, which the Graylog server also runs off and can be seen below:
[cid:image001.png at 01D2928F.5499A620]
Any other ideas?
Cheers,
Steve
From: Michael Junek [mailto:michael at juneks.com.au]
Sent: Wednesday, 1 March 2017 10:26 AM
To: Mister Pink <misterpink at gmail.com>; Paul Holm <ausnog at pkholm.com>
Cc: ausnog at lists.ausnog.net; Steve Hille <steve at kararconsulting.com>
Subject: Re: [AusNOG] Graylog router messages
Further to Steve's comment, you can set the various levels of information sent to Syslog.
Use the logging trap command, with the level of alerts being sent, as per below--
router(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  <cr>
________________________________
From: AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Mister Pink <misterpink at gmail.com>
Sent: Wednesday, 1 March 2017 13:13
To: Paul Holm
Cc: ausnog at lists.ausnog.net; Steve Hille
Subject: Re: [AusNOG] Graylog router messages
IMHO It's pretty straightforward - the source interface command may be key here - ie it's originating from an address that you are expecting, and perhaps being blocked or not classified correctly as a result.
http://www.ciscopress.com/articles/article.asp?p=426638&seqNum=3
Also bear in mind that a router is typically a lot less chatty than a F/W or a switch so it may be that under the current level of logging you are not seeing logs because nothing deemed 'interesting' enough to send is happening.
On 1 March 2017 at 08:54, Paul Holm <ausnog at pkholm.com> wrote:
Hi Steve,
Could you please share "not working config" from your routers?
usually it is only one line
logging host 1.1.1.1
Maybe with
logging source-interface xxx
On 01/03/2017 02:01, Steve Hille wrote:
Hi all, I've got Graylog running and am collecting data on all of our
Cisco switches and ASA's, also getting data from riverbeds and some
other gear. Unfortunately I can't get any messages coming in from our
Cisco routers and I can't figure out why. Has anyone got any
experience with the config on the router side to get data in? On the
other hand if anyone needs some guidance getting it setup, I'll
happily share my notes so far, getting some incredibly good data out
of it.
Cheers,
Steve
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
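
Added example (not part of the thread and not code from any poster): a Python check for the two causes raised above, messages held back by the "logging trap" level and syslog packets arriving from a source address the collector does not expect. The function names, the sample log lines and the addresses (documentation ranges) are constructed assumptions.

```python
import re

# Keywords accepted by "logging trap", with the severities shown in the thread.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# IOS message tag: %FACILITY-SEVERITY-MNEMONIC, e.g. %LINK-3-UPDOWN
TAG = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+)")
# Syslog PRI header: <facility*8 + severity>, valid range 0..191
PRI = re.compile(rb"^<(\d{1,3})>")

def forwarded(buffer_lines, trap):
    """Split router log lines into (sent, held) tags for a given trap level."""
    limit = LEVELS[trap] if trap in LEVELS else int(trap)
    sent, held = [], []
    for line in buffer_lines:
        m = TAG.search(line)
        if m:  # the trap level sends this severity and every lower number
            (sent if int(m.group(2)) <= limit else held).append(m.group(0))
    return sent, held

def unexpected_sources(datagrams, expected):
    """Return {source_ip: [severity, ...]} for syslog packets from unlisted sources."""
    seen = {}
    for src, payload in datagrams:
        m = PRI.match(payload)
        if m and int(m.group(1)) <= 191 and src not in expected:
            seen.setdefault(src, []).append(int(m.group(1)) % 8)
    return seen

# Constructed sample data: router buffer lines and (source, UDP payload) pairs.
BUFFER = [
    "*Mar  1 05:20:11.003: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "*Mar  1 05:21:40.512: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0, changed state to up",
    "*Mar  1 05:22:02.771: %LINK-3-UPDOWN: Interface Cellular0, changed state to down",
]
PACKETS = [
    ("192.0.2.10", b"<187>46: *Mar  1 05:22:02.771: %LINK-3-UPDOWN: Interface Cellular0, changed state to down"),
    ("198.51.100.7", b"<189>47: *Mar  1 05:23:15.120: %SYS-5-CONFIG_I: Configured from console by admin on vty0"),
]

if __name__ == "__main__":
    for trap in ("warnings", "debugging"):
        sent, held = forwarded(BUFFER, trap)
        print(f"logging trap {trap}: sent={sent} held={held}")
    print("unexpected:", unexpected_sources(PACKETS, expected={"192.0.2.10"}))
```

Feed forwarded() the router's own buffered log lines and unexpected_sources() a capture of UDP/514 payloads taken on the collector, with expected set to the addresses the Graylog input is configured for.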