[AusNOG] Graylog router messages
Paul Holmanskikh
ausnog at pkholm.com
Thu Mar 2 16:12:03 EST 2017
Hi, Steve.
Could you please post "sh ip interface brief" from that router? I have
a suspicion that your 3G connection is NAT-ed by the ISP.
---
NEXON - I.T. FOR THE DYNAMIC BUSINESS
Paul Holmanskikh
On 02/03/2017 15:59, Steve Hille wrote:
> Thanks Bill,
>
> Yes I'm certainly producing logs, and I've got the logging level set
> to debug just to get as much data as I can down to Graylog:
>
> KAL-ADM-RO01#show log
> Syslog logging: enabled (0 messages dropped, 3 messages rate-limited,
>                 0 flushes, 0 overruns, xml disabled, filtering disabled)
>
> No Active Message Discriminator.
>
> No Inactive Message Discriminator.
>
>     Console logging: level debugging, 156 messages logged, xml disabled,
>                      filtering disabled
>     Monitor logging: level debugging, 0 messages logged, xml disabled,
>                      filtering disabled
>     Buffer logging:  level debugging, 156 messages logged, xml disabled,
>                      filtering disabled
>     Exception Logging: size (8192 bytes)
>     Count and timestamp logging messages: disabled
>     Persistent logging: disabled
>
> No active filter modules.
>
>     Trap logging: level debugging, 157 message lines logged
>         Logging to X.X.X.X (udp port 514, audit disabled,
>               link down),
>               46 message lines logged,
>               0 message lines rate-limited,
>               0 message lines dropped-by-MD,
>               xml disabled, sequence number disabled
>               filtering disabled
>         Logging Source-Interface:       VRF Name:
>         Dialer1
>
> Log Buffer (8192 bytes):
> Vlan1, changed state to up
> 000076: Feb 27 09:50:11 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
> 000077: Feb 27 09:50:11 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
> 000078: Feb 27 09:50:12 UTC: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
> 000079: Feb 27 09:50:13 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
>
> As a test I've been bouncing one of the unused ports, observing the
> log show up when I do "show log", then checking Graylog and seeing
> nothing. I have set the logging source to be dialer 1, when I run a
> ping toward the Graylog server I can reach it and it can reach me from
> that interface.
>
> My logging config is:
>
> service timestamps log datetime msec localtime
> logging trap debugging
> logging source-interface Dialer1
> logging x.x.x.x
>
> Cheers,
>
>
> -----Original Message-----
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of
> ausnog-request at lists.ausnog.net
> Sent: Thursday, 2 March 2017 9:00 AM
> To: ausnog at lists.ausnog.net
> Subject: AusNOG Digest, Vol 61, Issue 8
>
>
> Today's Topics:
>
> 1. Re: Graylog router messages (Bill Walker)
> 2. Re: NAB IT Contact (Matt Walker)
> 3. Foxtel IT contact (David Bell)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 01 Mar 2017 20:22:04 +1300
> From: Bill Walker <bill at wjw.nz>
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] Graylog router messages
> Message-ID: <d3eb2455ec8a7b7591ae4de06df8d3be at wjw.nz>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> If you do a:
>
> "sh logging"
>
> What does it tell you?
>
> eg
>
> Trap logging: level informational, 419925 message lines logged
> Logging to 192.168.1.44 (tcp port 514, audit disabled,
> link up),
> 417454 message lines logged,
>
> config on this particular router is Cisco default other than:
>
> logging host 192.168.1.44 transport tcp port 514
>
>
>
> On 2017-03-01 18:25, Steve Hille wrote:
>> Thanks all for your comments so far.
>>
>> Yes so I'm using logging host x.x.x.x
>>
>> I've set it up so far to send warnings using "logging trap warnings"
>>
>> I just set one of the routers up with logging trap debug to see if I
>> can get something but nothing yet. Most of these routers are Cisco
>> 800's running 3G, I tried setting the logging source interface to be
>> the cellular interface on one of my routers but still nothing coming
>> in yet.
>>
>> The whole network runs off a particular NTP source, which the Graylog
>> server also runs off and can be seen below:
>>
>> Any other ideas?
>>
>> Cheers,
>>
>> Steve
>>
>> FROM: Michael Junek [mailto:michael at juneks.com.au]
>> SENT: Wednesday, 1 March 2017 10:26 AM
>> TO: Mister Pink <misterpink at gmail.com>; Paul Holm <ausnog at pkholm.com>
>> CC: ausnog at lists.ausnog.net; Steve Hille <steve at kararconsulting.com>
>> SUBJECT: Re: [AusNOG] Graylog router messages
>>
>> Further to Steve's comment, you can set the various levels of
>> information sent to Syslog.
>>
>> Use the logging trap command, with the level of alerts being sent, as
>> per below--
>>
>> router(config)#logging trap ?
>> <0-7> Logging severity level
>> alerts Immediate action needed (severity=1)
>> critical Critical conditions (severity=2)
>> debugging Debugging messages (severity=7)
>> emergencies System is unusable (severity=0)
>> errors Error conditions (severity=3)
>> informational Informational messages (severity=6)
>> notifications Normal but significant conditions (severity=5)
>> warnings Warning conditions (severity=4)
>> <cr>
>>
>> -------------------------
>>
>> FROM: AusNOG <ausnog-bounces at lists.ausnog.net> on behalf of Mister
>> Pink <misterpink at gmail.com>
>> SENT: Wednesday, 1 March 2017 13:13
>> TO: Paul Holm
>> CC: ausnog at lists.ausnog.net; Steve Hille
>> SUBJECT: Re: [AusNOG] Graylog router messages
>>
>> IMHO It's pretty straightforward - the source interface command may be
>> key here - ie it's originating from an address that you are expecting,
>> and perhaps being blocked or not classified correctly as a result.
>>
>> http://www.ciscopress.com/articles/article.asp?p=426638&seqNum=3
>>
>> Also bear in mind that a router is typically a lot less chatty than a
>> F/W or a switch so it may be that under the current level of logging
>> you are not seeing logs because nothing deemed 'interesting' enough to
>> send is happening.
>>
>> On 1 March 2017 at 08:54, Paul Holm <ausnog at pkholm.com> wrote:
>>
>>> Hi Steve,
>>>
>>> Could you please share "not working config" from your routers?
>>> Usually it is only one line
>>>
>>> logging host 1.1.1.1
>>>
>>> Maybe with
>>>
>>> logging source-interface xxx
>>>
>>> On 01/03/2017 02:01, Steve Hille wrote:
>>>
>>>> Hi all, I've got Graylog running and am collecting data on all of
>>>> our Cisco switches and ASA's, also getting data from riverbeds and
>>>> some other gear. Unfortunately I can't get any messages coming in
>>>> from our Cisco routers and I can't figure out why. Has anyone got
>>>> any experience with the config on the router side to get data in? On
>>>> the other hand if anyone needs some guidance getting it setup, I'll
>>>> happily share my notes so far, getting some incredibly good data out
>>>> of it.
>>>>
>>>> Cheers,
>>>>
>>>> Steve
>>>>
>>>> _______________________________________________
>>>> AusNOG mailing list
>>>> AusNOG at lists.ausnog.net
>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 1 Mar 2017 09:25:20 +0000
> From: Matt Walker <matt.g.walker at outlook.com>
> To: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
> Subject: Re: [AusNOG] NAB IT Contact
> Message-ID:
> <SYXPR01MB0608219F3A48A4E2CBACB5DDB1290 at SYXPR01MB0608.ausprd01.prod.outlook.com>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Hey Noggers,
>
> Thank you to those who wrote back!
>
> Getting the problem sorted between the organisations :)
>
> Thanks Again,
> Matt Walker
>
>> On 23 Feb 2017, at 7:12 pm, Matt Walker <matt.g.walker at outlook.com>
>> wrote:
>>
>> Hey Noggers,
>>
>> Looking for an off list reply with anyone who may have a contact for
>> the NAB IT,
>>
>> We are having serious problems with their SPF record not encompassing
>> all of their email gateways.
>>
>> Thanks in Advance
>> Matt Walker
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 2 Mar 2017 10:01:56 +1100
> From: David Bell <davidb at mailguard.com.au>
> To: AusNOG at lists.ausnog.net
> Subject: [AusNOG] Foxtel IT contact
> Message-ID: <c4b93cb9-5f86-fada-11c6-3c100a51e48b at mailguard.com.au>
> Content-Type: text/plain; charset=utf-8
>
> Hi All,
>
> Is there any one from, or with contacts at, Foxtel who can help me (off
> list) with an issue with their website?
>
> Thanks,
> David
> --
> David Bell
> Linux System Administrator
> MailGuard.com.au p.+ 61 3 9694 4444 e.davidb at mailguard.com.au
>
> Message protected by MailGuard: e-mail anti-virus, anti-spam and
> content filtering. http://www.mailguard.com.au/mg
>
>
>
> ------------------------------
>
> End of AusNOG Digest, Vol 61, Issue 8
> *************************************
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
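Added example, not part of the original thread: one way to test the NAT suspicion from the receiving side is to record the source address the log server actually sees on each syslog datagram and compare it with the address configured on the router's source interface. The addresses, port 5514 and function names are assumptions; the sample datagram is constructed from a log line quoted above with an assumed PRI of 189 (local7, severity 5).

```python
import re
import socket

# Syslog PRI value = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>")
# Cisco IOS message tag, e.g. %LINEPROTO-5-UPDOWN
IOS_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+)")

# Constructed sample datagram (PRI is an assumption, text is from the thread).
SAMPLE = (b"<189>000079: Feb 27 09:50:13 UTC: %LINEPROTO-5-UPDOWN: Line protocol"
          b" on Interface FastEthernet0, changed state to up")


def inspect_datagram(src_ip, payload, expected_sources):
    """Describe one syslog datagram and whether its source address was expected."""
    text = payload.decode("utf-8", errors="replace")
    info = {"src": src_ip, "expected_source": src_ip in expected_sources,
            "facility": None, "severity": None, "mnemonic": None}
    m = PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:          # 191 is the highest valid PRI
        info["facility"], info["severity"] = divmod(int(m.group(1)), 8)
    m = IOS_RE.search(text)
    if m:
        info["mnemonic"] = "-".join(m.groups())
    return info


def listen(bind_addr, port, expected_sources, count=10):
    """Print the real source address of `count` datagrams arriving on the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        for _ in range(count):
            payload, (src_ip, _src_port) = sock.recvfrom(4096)
            info = inspect_datagram(src_ip, payload, expected_sources)
            tag = "expected" if info["expected_source"] else "UNEXPECTED SOURCE"
            print(f"{src_ip} [{tag}] sev={info['severity']} {info['mnemonic']}")


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges: the router's
    # configured source address versus the address the server actually sees.
    print(inspect_datagram("203.0.113.7", SAMPLE, {"192.0.2.10"}))
    # On the log server, on an unprivileged test port:
    # listen("0.0.0.0", 5514, {"192.0.2.10"})
```

An "UNEXPECTED SOURCE" line for traffic known to come from the router means the address was rewritten in transit, so any input, stream rule or firewall entry keyed on the router's own address will not match it.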