Collecting Logs from Cisco Switches
Upload logs from network devices such as routers, switches and firewalls to Site24x7 AppLogs and manage them there. The devices forward their logs to a centralized syslog server inside your network, and installing the AppLogs agent on that one server is enough to collect all of them.
To facilitate this, you can set up a simple configuration in Site24x7, and it will do the rest for you. Site24x7 presents you with indexed data organized in the form of charts and dashboards. You can also generate alerts and reports for your Cisco switch logs.
Configuring the central syslog receiver
Follow the steps below to configure the central syslog receiver:
- The machine on which the Site24x7 Linux Server Monitoring agent is installed acts as the central syslog receiver, so the Linux Server Monitoring agent needs to be installed before proceeding.
- Then, configure the Rsyslog server to receive logs from the remote network device.
- Next, enable the UDP input module in Rsyslog. By default, the UDP lines in rsyslog.conf are commented out. Add the lines below to /etc/rsyslog.conf (or to a file under /etc/rsyslog.d/):
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514" ruleset="devicelogs")
ruleset(name="devicelogs") {
action(type="omfile" file="/tmp/devicelogs")
}
Change the file path (/tmp/devicelogs) to one of your choice; a file under /var/log, such as /var/log/devicelogs, is a better location than /tmp, which is world-writable and is cleared on reboot on many systems. Syslog over UDP is neither authenticated nor encrypted, so anything that can reach the port can inject lines into this file; if a firewall is enabled on this machine, prefer a rule that allows UDP port 514 only from your network devices' addresses. On a firewalld-based system, the commands below open the port for all sources:
firewall-cmd --add-port=514/udp --permanent
firewall-cmd --reload
Now, restart the Rsyslog service with the following command:
sudo service rsyslog restart
Next, to avoid filling the disk, rotate the log file regularly. Create a file called /etc/logrotate.d/devicelogs with the content below, substituting the user and group that own the log file and the path you chose above:
/tmp/devicelogs
{
su <username> <groupname>
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
The postrotate command makes rsyslog reopen the file after rotation; /usr/lib/rsyslog/rsyslog-rotate is the helper shipped by Debian and Ubuntu. On other distributions, use the postrotate command from your distribution's own /etc/logrotate.d/rsyslog instead.
Now the Rsyslog-configured server is ready to receive logs from the remote device.
Configuring syslog in a Cisco switch
Follow the steps below and configure the Cisco switch to send syslog messages to the designated port on the computer where the Site24x7 Linux Server Monitoring agent is installed.
- Open the command line interface on your Cisco switch and begin a session.
- Verify if privileged EXEC mode is enabled. If not, enter privileged EXEC mode by typing the following command:
enable
- Switch to global configuration mode by typing the following command:
configure terminal
- Verify that logging to remote destinations is enabled. On IOS it is on by default; if it has been turned off, enable it with the following command (Cisco ASA uses logging enable instead):
logging on
- Configure the Cisco switch to send log messages to the server on which the Site24x7 Linux Server Monitoring agent is installed by typing the following command:
logging host <host>
Here, host is the name or IP address of the machine on which the Site24x7 Linux Server Monitoring agent is installed. Rsyslog records the source address of each datagram, so note which interface address the switch sends from if it has several.
- Based on the priority level, you can limit the messages sent. For this, use the following command:
logging trap <level>
Here, level is one of emergencies (0), alerts (1), critical (2), errors (3), warnings (4), notifications (5), informational (6, the default) and debugging (7). Messages at the given level and at every more severe level (lower number) are sent; the rest are dropped on the switch.
- Return to privileged EXEC mode by typing the command:
end
The switch sends to UDP port 514 by default; its default TCP port is 1470. The receiver configured above listens only on UDP 514.
After performing the steps above, you can see the syslog messages in the log file configured in the rsyslog.conf file.
Next, create a log type in Site24x7 using a sample line from the log file. Then, create a log profile and map the Rsyslog host to it to view the logs in AppLogs.
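The following Python script is an added example and is not code from Site24x7 or Cisco. It shows what the switch-side settings above produce and what the receiver stores: it builds the datagram an IOS switch emits for a given severity (facility local7 unless `logging facility` is changed), applies the same severity cut-off as `logging trap <level>`, parses constructed sample lines in the layout rsyslog's default file template writes (receive time, source IP, then the IOS message) into the fields you would map in a log type, and includes a sender for pushing a constructed message to the receiver when testing delivery. Hostnames, addresses, sequence numbers and the log lines are all constructed.

```python
"""Cisco IOS syslog over UDP: build, filter and parse messages.

Added example, not code from the Site24x7 documentation or from Cisco.
All sample lines, addresses and sequence numbers are constructed; no
device is contacted unless send_udp() is called explicitly.
"""
import re
import socket

# `logging trap <level>` keywords in numeric order: list index == severity number.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
LOCAL7 = 23  # IOS uses facility local7 unless `logging facility` changes it


def pri(severity, facility=LOCAL7):
    """RFC 3164 PRI value: facility * 8 + severity (local7 + level 5 -> 189)."""
    return facility * 8 + severity


def trap_passes(severity, trap_level="informational"):
    """The switch forwards a message only when its severity number is
    <= the configured trap level number (lower number = more severe)."""
    return severity <= SEVERITIES.index(trap_level)


def ios_datagram(seq, facility, severity, mnemonic, text,
                 uptime="*Mar  1 00:02:13.317"):
    """Body of the UDP datagram an IOS switch emits. There is no hostname
    unless `logging origin-id` is set, which is why rsyslog falls back to
    the source IP of the datagram."""
    return f"<{pri(severity)}>{seq}: {uptime}: %{facility}-{severity}-{mnemonic}: {text}"


def send_udp(datagram, host, port=514):
    """Send one constructed datagram to the rsyslog receiver (UDP 514 by
    default) to check the receiver path independently of the switch."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram.encode("ascii"), (host, port))


# Matches the Cisco %FACILITY-SEVERITY-MNEMONIC: text part of a stored line,
# whatever timestamp/host prefix rsyslog's template put in front of it.
CISCO_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
# Prefix written by rsyslog's default file template: "Mon dd hh:mm:ss <source> "
PREFIX_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<source>\S+) ")


def parse_line(line):
    """Split one stored line into fields usable for a Site24x7 log type.
    Returns None for lines that are not Cisco IOS syslog messages."""
    m = CISCO_RE.search(line)
    if not m:
        return None
    p = PREFIX_RE.match(line)
    sev = int(m.group("severity"))
    return {
        "received": p.group("ts") if p else None,
        "source": p.group("source") if p else None,
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITIES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text").strip(),
    }


# Constructed sample of what rsyslog writes to the device log file with its
# default template: receive time, source IP, then the IOS message body.
SAMPLE_LOG = """\
Jun  4 10:15:02 192.0.2.10 43: *Jun  4 10:15:02.115: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Jun  4 10:15:03 192.0.2.10 44: *Jun  4 10:15:03.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Jun  4 10:16:40 192.0.2.10 45: *Jun  4 10:16:40.901: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.7)
Jun  4 10:17:11 192.0.2.10 46: *Jun  4 10:17:11.330: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.9] [localport: 22] [Reason: Login Authentication Failed]
Jun  4 10:17:12 192.0.2.10 rsyslogd: some unrelated line
"""


def events_at_or_above(log_text, trap_level="warnings"):
    """Parsed events whose severity is at or above the given level, i.e. the
    subset a switch configured with `logging trap <level>` would have sent."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return [e for e in events if trap_passes(e["severity"], trap_level)]


if __name__ == "__main__":
    for e in events_at_or_above(SAMPLE_LOG):
        print(e["source"], e["severity_name"], e["mnemonic"], e["text"][:60])
    # Uncomment to push a test message at a real receiver (address is constructed):
    # send_udp(ios_datagram(1, "SYS", 5, "CONFIG_I", "test from script"), "192.0.2.1")
```

Run as-is, it lists the warning-or-worse events in the sample. To exercise the receiver without waiting for the switch, call send_udp() with your receiver's address and then look for the line in the file configured in rsyslog.conf. Keep in mind that rsyslog's own parser, not this script, decides how a real datagram is split into timestamp, host and message, so check a real stored line before finalizing the log type.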
Troubleshooting log collection
If the logs are not written to the file configured in Rsyslog, follow the steps below to find where log delivery is failing.
- Make sure syslog is enabled on the network device, that it sends to UDP port 514, and that the host it sends to is the IP address of the Rsyslog machine.
- Make sure the Rsyslog-installed machine is reachable from the network device by using the following command:
ping <host_ip>
- Run tcpdump to check whether any packets arrive on UDP port 514. If tcpdump is not installed, install it, then run the following command (options must come before the filter expression):
tcpdump -nvvv -XA udp port 514
If packets arrive but nothing is written to the file, the problem is on the receiver: confirm that rsyslog is actually listening on UDP 514 (with ss or netstat), that the rsyslog configuration has no syntax errors, and that rsyslog can write to the chosen path (directory permissions, SELinux). If no packets arrive, the problem is between the device and the receiver: the switch's logging host, an intermediate firewall, or the host firewall rule above.