Get Mozilla Firefox
J'ai récemment eu besoin de mettre en place un serveur syslog dans le but de centraliser les évènements de Switchs Cisco.
Je vais partager ici les différentes étapes à suivre pour la mise en place.
L'ensemble des switchs enverront leurs logs vers le serveur Debian Linux.
Par défaut les logs des Switchs Cisco sont envoyés via le protocole UDP et sur le port 514.
Note : J'ai également configuré la passerelle et le dns afin que les switchs puissent se mettre à l'heure via un serveur NTP.
Switch# conf t
Switch(config)# ip name-server 80.67.169.12
Switch(config)# ip domain lookup
Switch(config)# interface vlan1
Switch(config-if)# ip address 10.0.0.1 255.255.255.0
Switch(config-if)# no ip address dhcp
Switch(config-if)# ip default-gateway 10.0.0.254
Switch(config)# logging host 10.0.0.200
La première chose à faire est d'installer un tout nouveau serveur GNU/Linux Debian. Puis de paramètrer le service rsyslog en éditant le fichier /etc/rsyslog.conf.
root@host:~# apt update && apt install rsyslog
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
module(load="imudp")
#input(type="imudp" port="514")
$UDPServerRun 514
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
#$InputTCPServerRun 514
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$AllowedSender UDP, 127.0.0.1, 10.0.0.0/24
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
#template
$template Incoming-logs,"/var/log/%HOSTNAME%/logging.log"
###############
#### RULES ####
###############
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
local7.* -/var/log/cisco.log #all logs will go into the next file
*.* ?Incoming-logs #1 log per IP address
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Some "catch-all" log files.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
root@host:~# systemctl restart rsyslog.service
root@host:~# cat /var/log/cisco.log
Dec 25 16:25:03 10.0.0.2 %PNPAGENT-I-PNPSRVRDETECT: PnP Server devicehelper.cisco.com was detected
Dec 25 16:25:06 10.0.0.2 %PNPAGENT-I-RESPSUCCESS: PnP Response Success
Dec 25 16:25:22 10.0.0.2 %PNPAGENT-I-PNPSRVRDETECT: PnP Server devicehelper.cisco.com was detected
Dec 25 16:25:23 10.0.0.1 %PNPAGENT-I-PNPSRVRDETECT: PnP Server devicehelper.cisco.com was detected
root@host:~# cat /var/log/10.0.0.1/logging.log
Dec 25 16:25:23 10.0.0.1 %PNPAGENT-I-PNPSRVRDETECT: PnP Server devicehelper.cisco.com was detected
Contact :
