[AusNOG] Graylog router messages

Bill Walker bill at wjw.nz
Wed Mar 1 18:22:04 EST 2017


If you do a:

  "sh logging"

What does it tell you?

e.g.

     Trap logging: level informational, 419925 message lines logged
         Logging to 192.168.1.44  (tcp port 514, audit disabled,
               link up),
               417454 message lines logged,

Config on this particular router is Cisco default other than:

logging host 192.168.1.44 transport tcp port 514



On 2017-03-01 18:25, Steve Hille wrote:
> Thanks all for your comments so far.
> 
> Yes so I'm using logging host x.x.x.x
> 
> I've set it up so far to send warnings using "logging trap warnings"
> 
> I just set one of the routers up with logging trap debug to see if I
> can get something but nothing yet. Most of these routers are Cisco
> 800's running 3G, I tried setting the logging source interface to be
> the cellular interface on one of my routers but still nothing coming
> in yet.
> 
> The whole network runs off a particular NTP source, which the Graylog
> server also runs off and can be seen below:
> 
> Any other ideas?
> 
> Cheers,
> 
> Steve
> 
> FROM: Michael Junek [mailto:michael at juneks.com.au]
> SENT: Wednesday, 1 March 2017 10:26 AM
> TO: Mister Pink <misterpink at gmail.com>; Paul Holm <ausnog at pkholm.com>
> CC: ausnog at lists.ausnog.net; Steve Hille <steve at kararconsulting.com>
> SUBJECT: Re: [AusNOG] Graylog router messages
> 
> Further to Steve's comment, you can set the various levels of
> information sent to Syslog.
> 
> Use the logging trap command, with the level of alerts being sent, as
> per below--
> 
> router(config)#logging trap ?
>   <0-7>          Logging severity level
>   alerts         Immediate action needed           (severity=1)
>   critical       Critical conditions               (severity=2)
>   debugging      Debugging messages                (severity=7)
>   emergencies    System is unusable                (severity=0)
>   errors         Error conditions                  (severity=3)
>   informational  Informational messages            (severity=6)
>   notifications  Normal but significant conditions (severity=5)
>   warnings       Warning conditions                (severity=4)
>   <cr>
> 
> -------------------------
> 
> FROM: AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Mister
> Pink <misterpink at gmail.com>
> SENT: Wednesday, 1 March 2017 13:13
> TO: Paul Holm
> CC: ausnog at lists.ausnog.net; Steve Hille
> SUBJECT: Re: [AusNOG] Graylog router messages
> 
> IMHO it's pretty straightforward - the source interface command may be
> key here - i.e. it's originating from an address that you are expecting,
> and perhaps being blocked or not classified correctly as a result.
> 
> http://www.ciscopress.com/articles/article.asp?p=426638&seqNum=3
> 
> Also bear in mind that a router is typically a lot less chatty than a
> F/W or a switch so it may be that under the current level of logging
> you are not seeing logs because nothing deemed 'interesting' enough to
> send is happening.
> 
> On 1 March 2017 at 08:54, Paul Holm <ausnog at pkholm.com> wrote:
> 
>> Hi Steve,
>> 
>> Could you please share the "not working config" from your routers?
>> Usually it is only one line
>> 
>> logging host 1.1.1.1
>> 
>> May be with
>> 
>> logging source-interface xxx
>> 
>> On 01/03/2017 02:01, Steve Hille wrote:
>> 
>>> Hi all, I've got Graylog running and am collecting data on all of our
>>> Cisco switches and ASA's, also getting data from riverbeds and some
>>> other gear. Unfortunately I can't get any messages coming in from our
>>> Cisco routers and I can't figure out why. Has anyone got any
>>> experience with the config on the router side to get data in? On the
>>> other hand if anyone needs some guidance getting it setup, I'll
>>> happily share my notes so far, getting some incredibly good data out
>>> of it.
>>> 
>>> Cheers,
>>> 
>>> Steve
>>> 
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>> 
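Added example, not from any poster in this thread: a small Python check that decodes the syslog <PRI> header of IOS-style messages and applies the "logging trap" threshold from Michael's table, so you can see why a router on "logging trap warnings" forwards nothing when all it produces is severity 5 and 6 chatter. It assumes the standard IOS behaviour that "logging trap N" forwards messages with severity numerically <= N and the %FACILITY-SEVERITY-MNEMONIC message format; the sample lines are constructed.

```python
import re

# Cisco "logging trap <level>" keywords and the syslog severity each maps to,
# exactly as in the "logging trap ?" help output quoted above.
TRAP_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

PRI_RE = re.compile(r"^<(\d{1,3})>")
# IOS message mnemonic: %FACILITY-SEVERITY-MNEMONIC, e.g. %LINK-3-UPDOWN
MNEMONIC_RE = re.compile(r"%[A-Z0-9_]+-(\d)-[A-Z0-9_]+")


def parse_pri(line):
    """Return (facility, severity) decoded from the leading <PRI> header."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header on line: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI %d out of range (max 191)" % pri)
    return pri >> 3, pri & 7


def passes_trap(line, level):
    """True if a router configured with 'logging trap <level>' forwards this
    message: IOS sends messages whose severity is numerically <= the level."""
    threshold = TRAP_LEVELS[level] if isinstance(level, str) else int(level)
    return parse_pri(line)[1] <= threshold


def filter_for_trap(lines, level):
    return [l for l in lines if passes_trap(l, level)]


def pri_matches_mnemonic(line):
    """Sanity check: severity in <PRI> equals the digit in %FAC-N-MNEMONIC."""
    m = MNEMONIC_RE.search(line)
    return m is not None and int(m.group(1)) == parse_pri(line)[1]


# Constructed sample lines in IOS format; PRI = local7 (23) * 8 + severity.
SAMPLE = [
    "<187>101: *Mar  1 07:10:01.001: %LINK-3-UPDOWN: Interface Cellular0, changed state to down",
    "<188>102: *Mar  1 07:10:02.002: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0",
    "<189>103: *Mar  1 07:10:03.003: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<190>104: *Mar  1 07:10:04.004: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.1.44 started",
]

if __name__ == "__main__":
    for level in ("warnings", "debugging"):
        kept = filter_for_trap(SAMPLE, level)
        print("logging trap %-9s -> %d of %d messages forwarded" % (level, len(kept), len(SAMPLE)))
```

Run it against a capture from a Graylog raw/syslog input to confirm that what arrives is consistent with the trap level you configured, before chasing source-interface or firewall problems.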

