I recently needed to set up a syslog server in order to centralise the events of Cisco switches.
I will share here the steps to follow for the setup.
All of the switches will send their logs to the Debian Linux server.
By default, Cisco switches send their logs over UDP on port 514.
Note: I also configured the gateway and the DNS so that the switches can set their clock from an NTP server.
Switch# conf t
Switch (config)# ip name-server 80.67.169.12
Switch (config)# ip domain lookup
Switch (config)# interface vlan1
Switch (config-if)# ip address 10.0.0.1 255.255.255.0
Switch (config-if)# no ip address dhcp
Switch (config-if)# ip default-gateway 10.0.0.254
Switch (config)# logging host 10.0.0.200
The first thing to do is to install a brand-new GNU/Linux Debian 10 server.
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html

#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
#input(type="imudp" port="514")
$UDPServerRun 514

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
#$InputTCPServerRun 514

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$AllowedSender UDP, 127.0.0.1, 10.0.0.0/24

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

#template
$template Incoming-logs,"/var/log/%HOSTNAME%/logging.log"

###############
#### RULES ####
###############

#
# First some standard log files. Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
local7.*                        -/var/log/cisco.log
#all logs will go into the next file
*.*                             ?Incoming-logs
#1 log per IP address

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

#
# Some "catch-all" log files.
#
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*
root@host:~# systemctl restart rsyslog.service
root@host:~# cat /var/log/cisco.log
Dec 25 16:25:03 10.0.0.2 %PNPAGENT-I-PNPSRVRDETECT: PnP Server devicehelper.cisco.com was detected
Dec 25 16:25:06 10.0.0.2 %PNPAGENT-I-RESPSUCCESS: PnP Response Success
Dec 25 16:25:22 10.0.0.2 %PNPAGENT-I-PNPSRVRDETECT: PnP Server devicehelper.cisco.com was detected
Dec 25 16:25:23 10.0.0.1 %PNPAGENT-I-PNPSRVRDETECT: PnP Server devicehelper.cisco.com was detected
root@host:~# cat /var/log/10.0.0.1/logging.log
Dec 25 16:25:23 10.0.0.1 %PNPAGENT-I-PNPSRVRDETECT: PnP Server devicehelper.cisco.com was detected
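As an added example (not part of the original post), the following Python script parses lines in the format rsyslog writes to /var/log/cisco.log above and flags events that are warning or worse, or that come from a host outside the 10.0.0.0/24 subnet admitted by $AllowedSender. The letter-to-level mapping for the I/W/E style severities of Cisco small-business switches and the extra sample lines are assumptions.

```python
import ipaddress
import re

# Letter severities used by Cisco small-business switches; the mapping to syslog levels is assumed.
LETTER_SEVERITY = {"E": 3, "W": 4, "N": 5, "I": 6, "D": 7}
# Subnet that $AllowedSender admits in the rsyslog.conf above.
ALLOWED = ipaddress.ip_network("10.0.0.0/24")
# RSYSLOG_TraditionalFileFormat header, optional IOS sequence/timestamp prefix, then the Cisco tag.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r".*?%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7]|[A-Z])-(?P<mnemonic>[A-Za-z0-9_]+): (?P<msg>.*)$"
)

def parse_line(line):
    """Split one line into ts/host/facility/sev/severity/mnemonic/msg, or return None if it does not fit."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    sev = m["sev"]
    severity = int(sev) if sev.isdigit() else LETTER_SEVERITY.get(sev)
    if severity is None:  # unknown severity letter
        return None
    ev = m.groupdict()
    ev["severity"] = severity  # syslog level: 0 emergency .. 7 debug
    return ev

def triage(lines, max_severity=4):
    """Return (events, unparsed, alerts); an alert is warning (4) or worse, or from outside ALLOWED."""
    events, unparsed, alerts = [], [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
            continue
        events.append(ev)
        try:
            outside = ipaddress.ip_address(ev["host"]) not in ALLOWED
        except ValueError:  # %HOSTNAME% resolved to a name rather than an address
            outside = False
        if ev["severity"] <= max_severity or outside:
            alerts.append(ev)
    return events, unparsed, alerts

# Constructed sample: a line from the log above, an out-of-subnet IOS-style line, a warning, and junk.
SAMPLE = """\
Dec 25 16:25:03 10.0.0.2 %PNPAGENT-I-PNPSRVRDETECT: PnP Server devicehelper.cisco.com was detected
Dec 25 16:30:11 10.0.1.7 42: *Dec 25 16:30:10.911: %SYS-5-CONFIG_I: Configured from console by vty0
Dec 25 16:31:00 10.0.0.1 %LINK-W-Down: Vlan 1 link down
not a syslog line
""".splitlines()
```

Running `triage(SAMPLE)` returns three parsed events, the junk line as unparsed, and two alerts: the CONFIG_I event because 10.0.1.7 is outside the allowed subnet, and the LINK-W-Down event because its severity is warning.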