Remote Cisco logging

The following steps were used to log Cisco router messages to a Solaris 8 host via syslog. In this example, all Cisco router messages with a severity of "informational" or higher (i.e. more severe) are logged to /var/log/cisco.

Changes to the UNIX system:

1. Add the following line to /etc/syslog.conf:
local7.info /var/log/cisco

2. Create the log file:
touch /var/log/cisco

3. Send the syslogd process a HUP signal for syslog.conf changes to take effect.


Commands to execute on the Cisco router:

conf t
logging IP_address_of_UNIX_host
! use the local7 syslog facility
logging facility local7
! the default level is "informational"
logging trap level_of_debugging
logging on

More information on relevant Cisco router commands:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios11/dbook/dintro.htm


Troubleshooting:

1. Was the log file created with "touch"? Syslog daemons generally do not create new files, but only append to existing files.

2. Does syslog.conf contain extra whitespace? A single space or tab character(s) may separate columns in syslog.conf. Run cat -vet /etc/syslog.conf to check for extra whitespace.

3. Is a wildcard used for a syslog severity? For example, Solaris syslog does not support local7.* as a facility/severity combination. Instead, use local7.debug.

4. Run logger -p facility.severity "Test message" and check the contents of the appropriate log file to test logging.

Example: run logger -p local7.info "Test message" and check /var/log/cisco to see whether "Test message" appears.

5. Is the syslog daemon listening for remote messages? Solaris' syslog daemon by default accepts remote syslog messages, although other Unices may not.

Syslog uses UDP port 514 to send messages, so if a packet-filtering device separates the Cisco router from the UNIX host, it must allow UDP port 514 traffic from the router to the host.
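
Troubleshooting items 1 to 3 can be checked in one pass over syslog.conf. The script below is an added example, not part of the original page; the function name check_syslog_conf and the sample file it builds are assumptions made for illustration, and "extra whitespace" is read narrowly as whitespace after the log file name.

```shell
#!/bin/sh
# Added example: check troubleshooting items 1-3 for one syslog facility.
# Prints one finding per line; exit status 0 means nothing was found.
check_syslog_conf() (
    conf=$1 facility=$2 findings=0
    tab=$(printf '\t')
    report() { echo "$1"; findings=$((findings + 1)); }

    # Non-comment lines whose selector field names the facility.
    lines=$(grep -v '^#' "$conf" | grep "^[^ $tab]*$facility\." || true)
    [ -n "$lines" ] || report "no selector for $facility in $conf"

    while IFS= read -r line; do
        [ -n "$line" ] || continue
        selector=$(printf '%s\n' "$line" | awk '{print $1}')
        action=$(printf '%s\n' "$line" | awk '{print $2}')
        # Item 3: wildcard severity.
        case $selector in
            *"$facility.*"*)
                report "wildcard severity in '$selector'; use $facility.debug" ;;
        esac
        # Item 2: whitespace after the action (log file name).
        case $line in
            *" " | *"$tab")
                report "trailing whitespace after '$action'" ;;
        esac
        # Item 1: the log file must already exist.
        case $action in
            /*) [ -f "$action" ] || report "$action does not exist; create it with touch" ;;
        esac
    done <<EOF
$lines
EOF
    [ "$findings" -eq 0 ]
)

# Constructed sample: wildcard severity, trailing tab, missing log file.
sample=$(mktemp -d)
printf 'local7.*\t%s/cisco\t\n' "$sample" > "$sample/syslog.conf"
check_syslog_conf "$sample/syslog.conf" local7 || true
rm -rf "$sample"
```

On the real host the call would be check_syslog_conf /etc/syslog.conf local7; an empty result means items 1 to 3 are not the cause, leaving items 4 and 5 and the UDP port 514 path to check.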

Last modified: 09/30/2003