I want to set up a syslog server to receive logging messages from my Cisco routers and switches. Easy task I thought. Wrong. I must be missing one piece. Could someone tell me what it is?
Cisco switches are 4006 with the following config:
---
version 12.1
!
hostname Sussex-2-Sw
!
boot system bootflash:cat4000-is-mz.121-8a.EW1.bin
logging trap debugging
logging facility local6
logging 10.1.7.10
---
The server is Red Hat 8 running kernel 2.4.18-27.8.0
syslogd is running with config:
--- /etc/syslog.conf ---
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# Using Local5 for routers and Local6 for switches
local5.* /var/log/router.log
local6.* /var/log/switch.log
---
I added port 514 to iptables:
--- iptables -L output ---
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Lokkit-0-50-INPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:ntp dpt:ntp
ACCEPT udp -- anywhere anywhere udp spt:ntp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT udp -- anywhere anywhere udp spt:snmp
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:syslog
ACCEPT tcp -- anywhere anywhere tcp dpt:10113
ACCEPT udp -- anywhere anywhere udp dpt:10113
ACCEPT udp -- anywhere anywhere udp dpt:10115
ACCEPT tcp -- anywhere anywhere tcp dpt:10115
ACCEPT udp -- linuxdhcp1.private.gdol anywhere udp spt:domain
ACCEPT udp -- linuxdhcp2.private.gdol anywhere udp spt:domain
REJECT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp reject-with icmp-port-unreachable
--- end iptables -L output ---
In /var/log I see:
gandalf$ ls -l rou*
-rw------- 1 root root 0 May 2 13:22 router.log
gandalf$ ls -l sw*
-rw------- 1 root root 0 May 2 13:22 switch.log
gandalf$
When I ran a packet capture I saw the logging packet coming from the switch, but the server sends an ICMP Port Unreachable response.
What have I left out?
Patrick
What am I missing?
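An added diagnostic for the symptom in the post (not code from the original post): an ICMP Port Unreachable comes either from the REJECT rule or from the kernel when nothing is bound to udp/514. Since the ACCEPT for udp dpt:syslog is present, the usual cause on Red Hat 8's sysklogd is that syslogd was not started with -r and so never opens the UDP socket. The netstat and iptables text below is constructed sample output; the checks run on any `netstat -uln` / `iptables -L` text fed to them.

```shell
#!/bin/sh
# Constructed sample of `netstat -uln` on a host whose syslogd runs without -r:
# NTP and SNMP are bound, nothing is bound to *:514.
NETSTAT_NO_LISTENER='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*'

# Constructed sample after syslogd is restarted with -r in SYSLOGD_OPTIONS.
NETSTAT_WITH_LISTENER='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:514             0.0.0.0:*'

# Constructed excerpt of the post's RH-Lokkit-0-50-INPUT chain (iptables -L).
IPTABLES_RULES='ACCEPT     udp  --  anywhere  anywhere  udp dpt:syslog
REJECT     udp  --  anywhere  anywhere  udp reject-with icmp-port-unreachable'

# udp_listener_on PORT  (reads netstat -uln text on stdin)
# Succeeds if some UDP socket is bound to PORT on any address.
udp_listener_on() {
    grep -Eq "^udp6?[[:space:]].*[:.]$1[[:space:]]"
}

# fw_accepts_syslog  (reads iptables -L text on stdin)
# Succeeds if an ACCEPT for udp dpt:syslog (or 514) appears before any UDP REJECT;
# rules are evaluated top to bottom, so an ACCEPT after the REJECT never matches.
fw_accepts_syslog() {
    awk '/^REJECT/ && /udp/ {exit}
         /^ACCEPT/ && /udp/ && /dpt:(syslog|514)/ {ok=1}
         END {exit !ok}'
}

# diagnose NETSTAT_TEXT IPTABLES_TEXT
# Exit 2: firewall drops it; exit 1: firewall passes it but no listener; exit 0: healthy.
diagnose() {
    if ! printf '%s\n' "$2" | fw_accepts_syslog; then
        echo "firewall: no ACCEPT for udp/514 ahead of the REJECT rule"
        return 2
    fi
    if ! printf '%s\n' "$1" | udp_listener_on 514; then
        echo "syslogd not listening on udp/514: add -r to SYSLOGD_OPTIONS in /etc/sysconfig/syslog and restart syslogd"
        return 1
    fi
    echo "udp/514 is accepted by the firewall and syslogd is listening"
    return 0
}

diagnose "$NETSTAT_NO_LISTENER" "$IPTABLES_RULES" || echo "  -> exit status $?"
diagnose "$NETSTAT_WITH_LISTENER" "$IPTABLES_RULES" || echo "  -> exit status $?"
```

On the live host, replace the samples with `netstat -uln` and `iptables -L -n` output; an empty router.log/switch.log with an ACCEPT rule in place and no 514 listener points at the missing -r rather than at syslog.conf.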