[AusNOG] AusNOG Digest, Vol 61, Issue 8

Steve Hille steve at kararconsulting.com
Thu Mar 2 15:59:40 EST 2017


Thanks Bill,

Yes I'm certainly producing logs, and I've got the logging level set to debug just to get as much data as I can down to Graylog:

KAL-ADM-RO01#show log
Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


    Console logging: level debugging, 156 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 156 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (8192 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level debugging, 157 message lines logged
        Logging to X.X.X.X  (udp port 514, audit disabled,
              link down),
              46 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled
        Logging Source-Interface:       VRF Name:
        Dialer1

Log Buffer (8192 bytes):
Vlan1, changed state to up
000076: Feb 27 09:50:11 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
000077: Feb 27 09:50:11 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
000078: Feb 27 09:50:12 UTC: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
000079: Feb 27 09:50:13 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up

As a test I've been bouncing one of the unused ports, observing the log show up when I do "show log", then checking Graylog and seeing nothing. I have set the logging source to be dialer 1; when I run a ping toward the Graylog server, I can reach it and it can reach me from that interface.

My logging config is:

service timestamps log datetime msec localtime
logging trap debugging
logging source-interface Dialer1
logging x.x.x.x

Cheers,


-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of ausnog-request at lists.ausnog.net
Sent: Thursday, 2 March 2017 9:00 AM
To: ausnog at lists.ausnog.net
Subject: AusNOG Digest, Vol 61, Issue 8


Today's Topics:

   1. Re: Graylog router messages (Bill Walker)
   2. Re: NAB IT Contact (Matt Walker)
   3. Foxtel IT contact (David Bell)


----------------------------------------------------------------------

Message: 1
Date: Wed, 01 Mar 2017 20:22:04 +1300
From: Bill Walker <bill at wjw.nz>
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Graylog router messages
Message-ID: <d3eb2455ec8a7b7591ae4de06df8d3be at wjw.nz>
Content-Type: text/plain; charset=US-ASCII; format=flowed

If you do a:

  "sh logging"

What does it tell you?

eg

     Trap logging: level informational, 419925 message lines logged
         Logging to 192.168.1.44  (tcp port 514, audit disabled,
               link up),
               417454 message lines logged,

config on this particular router is Cisco default other than:

logging host 192.168.1.44 transport tcp port 514



On 2017-03-01 18:25, Steve Hille wrote:
> Thanks all for your comments so far.
> 
> Yes so I'm using logging host x.x.x.x
> 
> I've set it up so far to send warnings using "logging trap warnings"
> 
> I just set one of the routers up with logging trap debug to see if I 
> can get something but nothing yet. Most of these routers are Cisco 
> 800's running 3G, I tried setting the logging source interface to be 
> the cellular interface on one of my routers but still nothing coming 
> in yet.
> 
> The whole network runs off a particular NTP source, which the Graylog 
> server also runs off and can be seen below:
> 
> Any other ideas?
> 
> Cheers,
> 
> Steve
> 
> FROM: Michael Junek [mailto:michael at juneks.com.au]
> SENT: Wednesday, 1 March 2017 10:26 AM
> TO: Mister Pink <misterpink at gmail.com>; Paul Holm <ausnog at pkholm.com>
> CC: ausnog at lists.ausnog.net; Steve Hille <steve at kararconsulting.com>
> SUBJECT: Re: [AusNOG] Graylog router messages
> 
> Further to Steve's comment, you can set the various levels of 
> information sent to Syslog.
> 
> Use the logging trap command, with the level of alerts being sent, as 
> per below--
> 
> router(config)#logging trap ?
>   <0-7>          Logging severity level
>   alerts         Immediate action needed           (severity=1)
>   critical       Critical conditions               (severity=2)
>   debugging      Debugging messages                (severity=7)
>   emergencies    System is unusable                (severity=0)
>   errors         Error conditions                  (severity=3)
>   informational  Informational messages            (severity=6)
>   notifications  Normal but significant conditions (severity=5)
>   warnings       Warning conditions                (severity=4)
>   <cr>
> 
> -------------------------
> 
> FROM: AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Mister 
> Pink <misterpink at gmail.com>
> SENT: Wednesday, 1 March 2017 13:13
> TO: Paul Holm
> CC: ausnog at lists.ausnog.net; Steve Hille
> SUBJECT: Re: [AusNOG] Graylog router messages
> 
> IMHO It's pretty straightforward - the source interface command may be 
> key here - ie it's originating from an address that you are expecting, 
> and perhaps being blocked or not classified correctly as a result.
> 
> http://www.ciscopress.com/articles/article.asp?p=426638&seqNum=3
> 
> Also bear in mind that a router is typically a lot less chatty than a 
> F/W or a switch so it may be that under the current level of logging 
> you are not seeing logs because nothing deemed 'interesting' enough to 
> send is happening.
> 
> On 1 March 2017 at 08:54, Paul Holm <ausnog at pkholm.com> wrote:
> 
>> Hi Steve,
>> 
>> Could you please share "not working config" from your routers?
>> usually it is only one line
>> 
>> logging host 1.1.1.1
>> 
>> Maybe with
>> 
>> logging source-interface xxx
>> 
>> On 01/03/2017 02:01, Steve Hille wrote:
>> 
>>> Hi all, I've got Graylog running and am collecting data on all of 
>>> our Cisco switches and ASA's, also getting data from riverbeds and 
>>> some other gear. Unfortunately I can't get any messages coming in 
>>> from our Cisco routers and I can't figure out why. Has anyone got 
>>> any experience with the config on the router side to get data in? On 
>>> the other hand if anyone needs some guidance getting it setup, I'll 
>>> happily share my notes so far, getting some incredibly good data out 
>>> of it.
>>> 
>>> Cheers,
>>> 
>>> Steve
>>> 
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>> 


------------------------------

Message: 2
Date: Wed, 1 Mar 2017 09:25:20 +0000
From: Matt Walker <matt.g.walker at outlook.com>
To: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] NAB IT Contact
Message-ID:
	<SYXPR01MB0608219F3A48A4E2CBACB5DDB1290 at SYXPR01MB0608.ausprd01.prod.outlook.com>
	
Content-Type: text/plain; charset="us-ascii"

Hey Noggers,

Thank you to those who wrote back!

Getting the problem sorted between the organisations :)

Thanks Again,
Matt Walker

> On 23 Feb 2017, at 7:12 pm, Matt Walker <matt.g.walker at outlook.com> wrote:
> 
> Hey Noggers,
> 
> Looking for an off list reply with anyone who may have a contact for 
> the NAB IT,
> 
> We are having serious problems with their SPF record not encompassing all of their email gateways. 
> 
> Thanks in Advance
> Matt Walker


------------------------------

Message: 3
Date: Thu, 2 Mar 2017 10:01:56 +1100
From: David Bell <davidb at mailguard.com.au>
To: AusNOG at lists.ausnog.net
Subject: [AusNOG] Foxtel IT contact
Message-ID: <c4b93cb9-5f86-fada-11c6-3c100a51e48b at mailguard.com.au>
Content-Type: text/plain; charset=utf-8

Hi All,

Is there anyone from, or with contacts at, Foxtel who can help me (off
list) with an issue with their website?

Thanks,
David
--
David Bell
Linux System Administrator
MailGuard.com.au
p. +61 3 9694 4444
e. davidb at mailguard.com.au

Message protected by MailGuard: e-mail anti-virus, anti-spam and content filtering.
http://www.mailguard.com.au/mg



------------------------------


End of AusNOG Digest, Vol 61, Issue 8
*************************************
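
Added example, not part of any poster's message: a small Python parser for the `Trap logging` section of `show logging`, the output the posters compare in this thread. It extracts the transport, the link state the router reports for the remote host, and the per-host line counter, so the same check can be run over output collected from many routers. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample, modelled on the "show logging" excerpt in the thread above.
SAMPLE = """\
    Trap logging: level debugging, 157 message lines logged
        Logging to X.X.X.X  (udp port 514, audit disabled,
              link down),
              46 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
"""

TRAP_RE = re.compile(r"Trap logging: level (\w+), (\d+) message lines logged")
# One remote host entry; the entry wraps across lines, hence re.S.
HOST_RE = re.compile(
    r"Logging to (\S+)\s+\((udp|tcp) port (\d+),.*?link (up|down)\),\s*"
    r"(\d+) message lines logged",
    re.S,
)

def parse_trap_logging(text):
    """Return trap level, total trap lines, and one dict per remote syslog host."""
    trap = TRAP_RE.search(text)
    if trap is None:
        raise ValueError("no 'Trap logging' section in input")
    total = int(trap.group(2))
    hosts = []
    for host, proto, port, link, sent in HOST_RE.findall(text):
        hosts.append({"host": host, "transport": proto, "port": int(port),
                      "link": link, "sent": int(sent), "gap": total - int(sent)})
    return {"level": trap.group(1), "total": total, "hosts": hosts}

def findings(parsed):
    """Router-side conditions to check before looking at the collector."""
    out = []
    if not parsed["hosts"]:
        out.append("trap logging is on but no remote host is listed")
    for h in parsed["hosts"]:
        if h["link"] == "down":
            out.append(f"{h['host']}: router reports link down on "
                       f"{h['transport']}/{h['port']} "
                       f"(host counter {h['gap']} behind trap total)")
        elif h["sent"] == 0:
            out.append(f"{h['host']}: link up but no lines sent yet")
    return out

if __name__ == "__main__":
    for line in findings(parse_trap_logging(SAMPLE)):
        print(line)
```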

